2. What Data We Collect

We collect the following categories of personal data:

• Account information: When you register for an account, we collect your name and email address. If you subscribe to a paid plan, we also collect your billing address.
• Usage data: We collect information about how you use the Platform, including pages visited, features accessed, analytics queries made, timestamps, and general interaction patterns.
• Payment data: Payments are processed by Stripe. We do not store your credit card details on our servers. Stripe may collect and process payment information in accordance with their own privacy policy.
• Communication data: When you submit a contact form on our website or subscribe to our newsletter, we collect the information you provide, including your name, email address, and message content.
• Technical data: We may collect your IP address, browser type, operating system, and device information for security and service improvement purposes.

3. How We Use Your Data

We use your personal data for the following purposes:

• To provide and operate the Drusus platform, including delivering analytics, processing queries, and maintaining your account.
• To process payments and manage your subscription.
• To send you product updates, service announcements, and newsletter communications (only with your consent for marketing communications).
• To improve our Services, including analysing usage patterns and developing new features.
• To respond to your enquiries submitted through our contact form.
• To comply with legal obligations and protect our legitimate interests.

4. Legal Basis for Processing

Under Article 6 of the UK GDPR, we process your personal data on the following legal bases:

• Contract performance (Article 6(1)(b)): Processing necessary to provide the Services you have requested, including account management, subscription billing, and platform access.
• Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests, including service improvement, security monitoring, and fraud prevention, where such interests are not overridden by your rights and freedoms.
• Consent (Article 6(1)(a)): Where you have given explicit consent, such as subscribing to our newsletter or opting in to marketing communications. You may withdraw consent at any time.

5. Data Sharing

We share your personal data with the following third-party service providers, solely for the purposes of operating our Services:

• Supabase — Database hosting. Data is stored in the EU region (eu-north-1).
• Vercel — Website hosting and content delivery.
• Stripe — Payment processing for subscriptions.
• Resend — Transactional and marketing email delivery.

We do not sell your personal data to third parties. We only share data with the providers listed above, and each provider processes data in accordance with their own privacy policies and applicable data protection agreements.

6. Data Retention

• Account data: Retained for the duration of your active account plus 12 months following account closure or deletion.
• Contact form submissions: Retained for 24 months from the date of submission.
• Email subscriber data: Retained until you unsubscribe from our mailing list.
• Payment records: Retained as required by applicable tax and accounting regulations.
• Usage data: Retained in anonymised or aggregated form for analytical purposes.

7. Your Rights Under GDPR

Under the UK GDPR, you have the following rights regarding your personal data:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request correction of inaccurate or incomplete personal data.
• Right to erasure: You may request deletion of your personal data, subject to our legal obligations.
• Right to restriction: You may request that we restrict the processing of your data in certain circumstances.
• Right to data portability: You may request a copy of your data in a structured, commonly used, machine-readable format.
• Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.

To exercise any of these rights, please contact us at contact@gravenos.com. We shall respond to your request within one month, as required by law. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been infringed.

8. Cookies

The Platform uses essential cookies that are strictly necessary for authentication and core functionality. These cookies enable you to remain signed in and navigate the Platform securely.

We do not use advertising cookies, tracking cookies, or third-party analytics cookies. No personal data is shared with advertising networks.

9. International Transfers

Your data may be processed outside the United Kingdom and European Economic Area (EEA) by our service providers. Specifically:

• Vercel processes data in the United States.
• Supabase stores data in the EU region (eu-north-1).

Where data is transferred outside the UK/EEA, we ensure that appropriate safeguards are in place, including standard contractual clauses approved by the relevant authorities, to protect your personal data.

10. Children

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we shall take steps to delete that data promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We shall notify registered users of material changes by email. The “Last updated” date at the top of this page indicates when the policy was most recently revised.

12. Contact

For data protection enquiries, requests to exercise your rights, or any questions about this Privacy Policy, please contact us at contact@gravenos.com.

Gravenos · London, United Kingdom