Privacy Policy

1. Introduction

This privacy policy explains how Square Plan Limited ("we", "us", "our") collects, uses, and protects your personal data when you visit our website at squareplan.com (the "Website") and when you use our SquarePlan App (the "App"). This policy applies to both services.

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

The data controller responsible for your personal data is:

3. Information We Collect

3.1 Information You Provide to Us

On Our Website:

• Contact Forms: When you submit a contact or support form, we collect your name and email address.

In the SquarePlan App:

• Account Information: When you create an account, we collect your email address and a securely hashed password (we never store passwords in plain text).
• User Content: Information you create and store in the App, including your business plans, financial projections, and related content.
• Profile Information: Any additional profile details you choose to provide.

3.2 Information We Collect Automatically

• Analytics Data: We use Matomo Analytics (self-hosted) to collect anonymised usage data, including pages visited, time spent, and general navigation patterns. Your IP address is anonymised before being stored.
• Technical Information: Browser type, device information, operating system, and referring website.
• Log Data: Our servers automatically record information such as IP addresses (anonymised), access times, and error logs for security and troubleshooting purposes.

3.3 Information We Do NOT Collect

We do not directly collect, store, or have access to your full payment card information. Payment card data is securely collected and stored by Stripe, Inc., our PCI DSS Level 1 compliant payment processor. See Section 7 below for details.

4. Legal Basis for Processing

We process your personal data under the following legal bases:

• Contract: Processing is necessary to provide our services to you (App functionality, user accounts).
• Legitimate Interests: We process data for analytics, security, and improving our services, where your interests do not override ours.
• Consent: Where required, we obtain your explicit consent (e.g., for marketing communications).
• Legal Obligation: To comply with legal requirements, such as tax and accounting obligations.

5. How We Use Your Information

We use your personal data for the following purposes:

• To provide and maintain our Website and App services.
• To respond to your enquiries and support requests.
• To send you transactional emails (e.g., account notifications, password resets).
• To analyse and improve our services through anonymised analytics.
• To ensure the security and integrity of our systems.
• To comply with legal obligations.

6. Third-Party Services and Data Processors

We work with the following third-party service providers who process data on our behalf:

7. Payment Processing - Stripe

Payment processing for SquarePlan App subscriptions is handled by Stripe, Inc. ("Stripe"), our payment service provider.

Data Controller Responsibilities

• Square Plan Limited is the merchant and data controller for your billing relationship and subscription information.
• Stripe acts as our data processor for payment card information.

Payment Card Security

Stripe collects and securely stores your payment card details using PCI DSS Level 1 compliant infrastructure, the highest level of security certification in the payments industry.

We do not have direct access to your full payment card numbers - we only receive limited information (last 4 digits, card brand, expiry date) necessary for subscription management and customer support.

International Data Transfers

Stripe is based in the United States but maintains EU/UK data processing agreements. Stripe is certified under the EU-US Data Privacy Framework and uses Standard Contractual Clauses to ensure adequate protection for international data transfers in compliance with UK GDPR.

Stripe's Privacy Policy

For detailed information on how Stripe handles payment data, please review their privacy policy: https://stripe.com/privacy

8. Data Retention

We retain your personal data only for as long as necessary:

• Account Data: Retained while your account is active. If you delete your account, we will delete your personal data within 30 days, except where we must retain it for legal or accounting purposes.
• Contact Form Submissions: Retained for up to 2 years for customer service purposes.
• Analytics Data: Anonymised analytics data is retained for up to 26 months.
• Logs and Security Data: Retained for up to 90 days for security and troubleshooting.

9. International Data Transfers

All of our data processing takes place within the United Kingdom. We do not transfer your personal data outside the UK. Our service providers (Supabase, AWS SES) use UK-based servers, ensuring your data remains within UK jurisdiction.

10. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your personal data (subject to legal obligations).
• Right to Restrict Processing: Request that we limit how we use your data.
• Right to Data Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us. We will respond within one month of your request.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk/

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. These include:

• Encryption of data in transit (HTTPS/TLS) and at rest.
• Secure password hashing using industry-standard algorithms.
• Row-level security in our database to isolate user data.
• Regular security audits and monitoring.
• Access controls limiting who can access personal data.

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

12. Children's Privacy

Our services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Cookies and Tracking Technologies

Our use of cookies and similar technologies is detailed in our separate Cookies Policy. In summary:

• We use Matomo Analytics, which is self-hosted with IP anonymisation and configured without cross-site tracking cookies.
• Essential cookies are used for App functionality and user authentication.
• Our analytics setup does not require consent under UK GDPR due to the privacy-preserving configuration.

14. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we may also notify you by email if you have an account with us.

We encourage you to review this policy periodically.

15. Contact Us

If you have any questions, concerns, or requests regarding this privacy policy or our data practices, please contact us: