1. Who we are
Describe the data controller (your company name, address, registration). Provide a contact email for privacy requests.
2. What data we process
Account data (name, email, role), project content, messages, usage and analytics as applicable, technical logs, and any data from optional integrations.
3. Why we process it (lawful bases)
For UK GDPR: contract, legitimate interests, legal obligation, consent where required — specify per processing activity. For PDPL: align with applicable articles after legal review.
4. How long we keep data
Retention periods for accounts, projects, backups, and logs. Deletion after contract end or on user request, subject to exceptions.
5. Sharing and subprocessors
List categories of recipients and link to a current subprocessor list. Describe international transfers and safeguards.
6. Your rights
Access, rectification, erasure, restriction, portability, objection, and complaint to a supervisory authority — as applicable under UK GDPR / PDPL and your role as controller or processor.
7. Children
If the service is used in schools, describe age thresholds, institutional consent, and parental involvement per your policy.
8. Changes
How you notify users of material changes to this policy.