Privacy policy draft
Privacy policy.
This draft is written for a UK-first MVP using Cloudflare, Stripe, Resend, D1, and R2. Replace placeholders with your actual controller details before launch.
1. Controller
Replace this with your legal trading name, contact email, and business/service address where required. This business is the controller for personal data entered into WasteProof, PrivateWaterLog, WildWorks, LicencePaws, SalonSafeFolder, FGasVault, EventPermitPack, AllergenMatrix, FireDoorLog, LegionellaLog, and related admin/support systems.
2. Data we collect
We may collect your email address, product selected, answers entered into screeners, project notes, payment status, access-token metadata, exported pack metadata, support messages, and, when uploads are enabled, files or photos you choose to upload. Payment card details are handled by Stripe and are not stored by us.
3. Sensitive context
The tools may involve property, waste, water-supply, ecology, animal-care, salon-safety, equipment, event, food-allergen, fire-door, water-control, or project information. Avoid entering unnecessary personal data about other people. Do not upload confidential, unlawful, or excessive material unless it is genuinely needed for your evidence pack.
4. Why we use data
We use data to provide the screener, generate evidence packs, process payment, send access links, maintain security, provide support, improve the product, meet accounting/legal obligations, and prevent misuse or fraud.
5. Legal bases
Typical legal bases are contract performance for paid services, legitimate interests for security, service improvement and fraud prevention, consent where required for optional communications or analytics, and legal obligation for accounting or compliance records.
6. Processors and infrastructure
Expected processors include Cloudflare for hosting, D1 database, R2 storage and analytics; Stripe for payments; Resend for transactional email; and any support/accounting tools you later connect. Add exact processor names and regions before launch.
7. Retention
Draft projects may be deleted after a short period if unpaid or abandoned. Paid project records, exports, order metadata, and accounting information may be kept for longer where needed for access, support, dispute handling, tax, and legal obligations. Add exact retention periods before launch.
8. Your rights
Depending on your location, you may have rights to access, correct, or delete your personal data, to restrict or object to its processing, or to request a copy of it. You can contact support using the email listed in the controller section.
9. Security
Access links should be treated like passwords. We hash access tokens where practical, use HTTPS, and rely on Cloudflare/Stripe/Resend infrastructure. No online service can guarantee perfect security.
10. International transfers
Cloud services may process data outside the UK/EEA. Where required, appropriate safeguards such as standard contractual clauses or vendor transfer mechanisms should apply. Confirm this in each processor’s current documentation before launch.
11. Complaints
If you are in the UK, you may have the right to complain to the Information Commissioner’s Office. You should contact us first so we can try to resolve the issue.