Privacy policy
Last updated: 13 May 2026
This policy explains what personal data GridAtlas Ltd (“GridAtlas”, “we”, “us”) collects about you, why we collect it, how we use it, and the rights you have over it. It applies to gridatlas.com and all related services. We act as the data controller for the personal data described below.
1. What we collect
We collect the following categories of personal data:
- Account data: email address, password hash and display name when you create an account.
- Profile data: any optional information you add to your profile (e.g. organisation, job title).
- Billing data: limited subscription metadata (plan, status, renewal date). Card details are handled directly by Stripe and never stored on our servers.
- Product data: your saved searches, watchlists, alert preferences, exports and notes.
- Technical data: IP address, browser user agent, and request logs needed to operate and secure the service.
- Communications: emails you send us and any support-related correspondence.
2. Why we use it (lawful bases)
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| Provide and maintain the service, sign you in, sync your data | Performance of a contract |
| Process payments and prevent fraud | Performance of a contract / legal obligation |
| Send service emails (alerts, receipts, password resets) | Performance of a contract |
| Operate logs, rate limits and security controls | Legitimate interests (securing the service) |
| Comply with tax, accounting and legal obligations | Legal obligation |
| Send optional product updates or marketing | Consent (you can withdraw at any time) |
3. Who we share it with
We share personal data only with sub-processors that help us run the service. Each is bound by a written data processing agreement.
- Supabase (database, authentication, file storage). Hosted in the EU.
- Vercel (application hosting and CDN).
- Stripe (payments and subscription management).
- Postmark (transactional email delivery).
We do not sell personal data, and we do not share it with third-party advertisers.
4. International transfers
Some of our sub-processors operate outside the UK or EEA. Where they do, transfers are protected by the UK's International Data Transfer Addendum and/or the EU Standard Contractual Clauses.
5. How long we keep it
- Account & profile data: while your account is active. Deleted on request, or after a prolonged period of inactivity.
- Billing data: at least 6 years where required by UK tax law.
- Product data (saved searches, watchlists, etc.): until you delete it or close your account.
- Technical logs: typically 30–90 days.
6. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased (the “right to be forgotten”);
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw any consent you have given;
- complain to the UK Information Commissioner's Office at ico.org.uk.
To exercise any of these rights, email us at the address below. We respond within 30 days.
7. Security
We use Row Level Security at the database layer, encrypted transport (TLS), encrypted storage, server-side authorisation checks for all paid and admin features, and DB-backed rate limiting on sensitive endpoints. No service can guarantee absolute security, but we take it seriously and review our controls regularly.
8. Children
GridAtlas is not directed at children under 16. We do not knowingly collect personal data from children.
9. Changes to this policy
We may update this policy from time to time. Material changes will be announced in-app and by email where appropriate. The “Last updated” date at the top will always reflect the current version.
10. Contact
Data controller: GridAtlas Ltd
Email: privacy@gridatlas.com