Privacy Policy

Last updated: June 30, 2026

Before you publish: complete the bracketed fields ([Company Legal Name], contacts, sub-processor list, retention periods) and have this policy reviewed by qualified privacy counsel. It is written to address the EU/UK GDPR and the California CCPA/CPRA, but it is a template, not legal advice. Keep it consistent with what your application actually does.

Who we are (Controller)

[Company Legal Name] (“we”, “us”) is the controller of personal data processed through our Service. Contact: privacy@[yourdomain].com, [registered postal address]. Data Protection Officer (where appointed): [DPO name/email, if appointed]. EU/UK representative (where applicable under Art. 27 GDPR): [EU/UK representative, if you have no EU/UK establishment].

Data we collect

  • Account data you provide: name, email address, password (stored only as a hash), and profile photo.
  • Workspace & content data: workspaces, members, invitations, and content you create in the Service.
  • Billing data: plan and subscription status. Card details are handled by our payment processor — we do not store full card numbers.
  • Technical & usage data: IP address, device/browser information, log and security-activity data (e.g. sign-ins, security events).
  • Cookies: strictly necessary cookies to keep you signed in and prevent CSRF (see “Cookies” below).

How and why we use data (purposes & GDPR legal bases)

  • Provide and secure the Service, authenticate you, and operate workspaces — performance of a contract (Art. 6(1)(b)).
  • Process payments and manage subscriptions — contract and legal obligation (Art. 6(1)(b), (c)).
  • Send transactional/service emails (verification, password reset, security alerts) — contract and our legitimate interests (Art. 6(1)(f)).
  • Send optional product/marketing emails — only with your consent (Art. 6(1)(a)) or where otherwise permitted; you can opt out at any time.
  • Maintain security, prevent abuse/fraud, and keep audit logs — legitimate interests and legal obligation.
  • Comply with law and respond to lawful requests — legal obligation.

Sharing and processors

We do not sell your personal data. We share it only with service providers (“processors”) acting on our behalf under contract, including: [hosting provider], [payment processor, e.g. Stripe], [email provider], and [error/analytics provider, if any]. We may also disclose data to comply with law, enforce our terms, or protect rights and safety, and in connection with a merger or acquisition (with notice where required).

International transfers

We may process data in countries other than yours, including the United States. Where we transfer personal data out of the EEA/UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum) or an adequacy decision. Contact us for a copy of the safeguards.

Retention

We keep personal data for as long as your account is active and as needed to provide the Service, then delete or anonymize it, subject to limited retention for legal, accounting, or security purposes (e.g. [billing records: X years], [audit logs: Y days]). You can delete your account at any time from your profile.

Your rights (EU/UK – GDPR)

If you are in the EEA or UK, you have the right to:

  • access your data and obtain a copy (portability);
  • rectify inaccurate data and complete incomplete data;
  • erase your data (“right to be forgotten”);
  • restrict or object to processing, including profiling;
  • withdraw consent at any time (without affecting prior processing);
  • lodge a complaint with your supervisory authority.

You can exercise access, export, and deletion directly from your profile settings, or by emailing privacy@[yourdomain].com. We respond within the timeframes required by law (generally one month under the GDPR).

Your rights (California – CCPA/CPRA)

If you are a California resident, you have the right to:

  • know what personal information we collect and how it’s used and shared;
  • access and delete your personal information;
  • correct inaccurate personal information;
  • opt out of the “sale” or “sharing” of personal information, and limit use of sensitive personal information;
  • not be discriminated against for exercising your rights.

We do not sell or share personal information as those terms are defined under the CCPA/CPRA. To exercise your rights, use your profile settings or email privacy@[yourdomain].com; you may use an authorized agent. We will verify your request before acting on it.

Cookies

We use strictly necessary cookies to keep you signed in (session cookie) and to protect against cross-site request forgery (CSRF token). These are required for the Service to function and are not used for advertising. If we add analytics or marketing cookies in the future, we will request consent where required.

Security

We use technical and organizational measures appropriate to the risk, including encryption in transit, hashed passwords (Argon2id), hashed tokens at rest, access controls, and audit logging. No method of transmission or storage is completely secure, but we work to protect your data and will notify you and regulators of breaches where required by law.

Children

The Service is not directed to children under 16 (or the applicable age of digital consent), or to children under 13 in the United States. We do not knowingly collect their data; if you believe a child has provided us data, contact privacy@[yourdomain].com and we will delete it.

Changes to this policy

We may update this policy from time to time. For material changes we will provide notice (e.g. by email or in-app) and update the “Last updated” date above.

Contact

Privacy questions or requests: [Company Legal Name], privacy@[yourdomain].com, [registered postal address]. EU/UK representative: [EU/UK representative, if you have no EU/UK establishment].