Privacy policy
Last updated 19 May 2026.
This privacy policy explains how CollectivAlly Limited ("CollectivAlly", "we", "our" or "us") collects, uses and protects personal data when you visit our website, sign up for an account, or use our platform. We are committed to handling your information transparently and only using it in ways you would reasonably expect.
This policy is written in plain English. Where we use specific legal terms (such as data controller or legal basis) we are using the meanings given in the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
1. Who we are
CollectivAlly Limited is the data controller for the personal data described in this policy. We are a private limited company registered in England and Wales.
- Company number: 16758116
- Registered office: Glove Factory Studios, 1 Brook Lane, Holt, Trowbridge, England, BA14 6RL
- ICO registration: [Registration number, to be added before launch]
- Contact: hello@collectivally.com
We are not required to appoint a Data Protection Officer, but our founders are directly responsible for data protection and are reachable at the address above.
2. What this policy covers
This policy applies to personal data we process through:
- our marketing website at collectivally.com;
- our CollectivAlly platform (sometimes called "the app" or "the service"); and
- any communications you send to us (including email and form submissions).
It does not cover third-party websites we link to. Those sites have their own privacy policies and we encourage you to read them.
3. Personal data we collect
3.1 When you visit the marketing website
- Newsletter sign-ups: your email address, and the time of your sign-up.
- Contact form submissions: your name, email address, organisation (if you choose to share it), the reason you are contacting us, and the contents of your message.
- Aggregate analytics: we use Vercel Analytics to collect anonymised page-view data. This does not use cookies and does not identify individual visitors.
3.2 When you use the CollectivAlly platform
- Account information: your name, email address, organisation, password (stored as a salted hash), and any profile details you add.
- Service usage: the projects, tasks, personas and reports you create, along with the URLs you test and the tasks you define.
- Conversations with personas: the messages you send when using the chat feature, and the responses generated by our AI models.
- Technical data: IP address, device and browser information, log files, and timestamps. We use this to keep the service running and to investigate problems.
- Billing information: when paid plans launch, we will process payment-related information through our payment provider. We do not store full card numbers ourselves.
3.3 What we do not collect
We do not knowingly collect special-category personal data (such as health, religion, or biometric data) about you. We do not collect information from people we know to be under 16 years old. If you believe a child has shared personal data with us, please contact us so we can remove it.
4. How we use your data, and our legal basis
Under UK GDPR we need a lawful basis to process your personal data. We rely on the following bases depending on the purpose:
- To provide the service to you (legal basis: performance of a contract). For example: creating and maintaining your account, running tests, generating reports, and providing customer support.
- To send you the newsletter (legal basis: consent). You can unsubscribe at any time using the link in any newsletter email, or by emailing us.
- To respond to your enquiries (legal basis: legitimate interest in answering people who contact us).
- To improve our platform (legal basis: legitimate interest in developing our product). We may use anonymised and aggregated information about how the service is used to make the platform better. Anonymised data is not personal data and cannot be linked back to you.
- To keep the service secure (legal basis: legitimate interest, and where applicable, legal obligation). For example, detecting suspicious activity and preventing abuse.
- To comply with our legal obligations (legal basis: legal obligation). For example, keeping accounting records where the law requires it.
Where we rely on legitimate interests, we have considered the impact on your rights and freedoms. You can ask us about our balancing assessment at any time.
5. Who we share your data with
We do not sell your personal data. We share it only with the service providers we need to run our business, and where the law requires us to.
Our main processors include:
- Supabase: authentication and database hosting for the platform. Data is stored in their EU region.
- Vercel: hosting for the marketing website and anonymised analytics.
- Formspree: secure processing of contact form and newsletter submissions.
- AI model providers (such as OpenAI and Anthropic): used to generate persona responses and reports when you use the chat and audit features. We send only the content needed to produce each response and we do not use customer prompts to train those models unless you have explicitly opted in.
- Browser automation provider (such as Browserbase): used to run the live website tests that produce your reports.
We have data processing agreements in place with each of our processors, and we review them before relying on their services.
We may also disclose your information if we are required to by law, by a court, or by a regulator; or if we sell, restructure or transfer the business (in which case we will tell you and the new owner will be bound by this policy or one with equivalent protections).
6. International data transfers
The bulk of personal data is stored on servers in the UK or the European Economic Area. Some of our AI processors and other service providers are based outside the UK/EEA, including in the United States.
Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place. This typically involves:
- the UK Government's adequacy regulations (where the destination country has been recognised as providing adequate protection); or
- the International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or equivalent contracts approved by the ICO.
You can ask us for more details about the safeguards we use for any specific transfer.
7. How long we keep your data
- Account data: kept for as long as your account is active. When you close your account, we delete your personal data within 90 days, except where we need to keep some information for legal or accounting reasons (for example, invoices and tax records, which we keep for up to 6 years).
- Newsletter subscriptions: kept until you unsubscribe.
- Contact form messages: kept for up to 2 years to manage ongoing correspondence, then deleted.
- Backups: may contain your data for up to 35 days after deletion, in line with our backup retention period.
- Anonymised data: may be kept indefinitely. It cannot identify you.
8. Your rights
Under UK GDPR you have the following rights:
- Access: ask for a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure: ask us to delete your personal data, where we no longer need it for the purpose we collected it.
- Restriction: ask us to limit how we use your data while a question about it is being resolved.
- Portability: ask for your data in a structured, commonly used, machine-readable format so you can move it elsewhere.
- Objection: object to processing we are doing on the basis of legitimate interests.
- Withdraw consent: if we are relying on your consent (for example, for the newsletter), you can withdraw it at any time.
- Decisions made by automated means: ask us about, and challenge, any decisions made solely by automated processing that have a significant effect on you. We do not currently make any such decisions.
To exercise any of these rights, email hello@collectivally.com. We will respond within one month. We may need to verify your identity before acting on your request.
9. Cookies and similar technologies
The CollectivAlly marketing website does not currently use any tracking cookies. Our analytics provider (Vercel) collects anonymised page-view information without using cookies.
When you sign in to the CollectivAlly platform, we use cookies that are strictly necessary to keep you signed in and to keep the service working. These are not used for tracking and you cannot opt out of them without losing access to the service.
If we add any non-essential cookies in future, we will ask for your consent first and update this policy.
10. Security
We take the security of your data seriously. We use encryption in transit (HTTPS) and at rest, strict access controls, and regular reviews of our service providers. No system is completely secure, but we work hard to protect what you share with us.
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where appropriate, let you know directly.
11. Changes to this policy
We may update this policy from time to time, for example to reflect changes in our service, the law, or our processors. The "Last updated" date at the top of this page tells you when the latest version took effect. If we make material changes, we will tell you by email or through the platform before they take effect.
12. How to complain
We hope we never give you cause to complain, but if you believe we have mishandled your personal data, please tell us first by emailing hello@collectivally.com. We will do our best to put things right.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at any time:
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113