This Privacy Policy explains how Sew Sustainable, a company registered in England and Wales under company number TBC, with its registered office at Albany, Western Australia ("we", "us", or "our") collects, uses, stores, and protects your personal data when you use the sew-sustainable.com website, platform, and related services (the "Service").
We are the data controller for the personal data described in this policy. This means we are responsible for deciding how your personal data is processed.
This Privacy Policy should be read alongside our Terms of Service, which govern your use of the Service.
1.1. Account information. When you create an account, we collect your name, email address, and password. We may in future offer sign-up via third-party authentication providers (such as Google or GitHub), in which case we would receive your name and email address from that provider.
1.2. Service inputs. When you use the Service, we collect the content, data, prompts, descriptions, and other materials you submit ("Your Content"). This may include text descriptions, configuration details, project data, and any other information you provide through the Service.
1.3. Payment information. When you make a purchase or add a payment method, your payment card details are collected and processed directly by our payment processor, Stripe. We do not receive or store your full card number, CVV, or other sensitive payment data. We receive from Stripe a record of the transaction, the last four digits of your card, the card type, and the billing address associated with your payment method.
1.4. Communications. When you contact us for support or feedback, we collect the content of your messages, your email address, and any attachments you provide.
1.5. Usage data. We automatically collect information about how you use the Service, including pages visited, features used, actions taken, timestamps, and session duration.
1.6. Device and connection data. We collect your IP address, browser type and version, operating system, device type, and referring URL.
1.7. Cookies and similar technologies. We use cookies and similar technologies as described in Section 8 of this policy.
1.8. Generated output. The Service may generate output based on Your Content, including code, configurations, text, data, estimates, assessments, or other materials ("Generated Output"). We store Generated Output to provide Service features such as build history and iteration.
2.1. We use your personal data for the following purposes:
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Providing the Service to you, including processing your inputs and generating output | Account information, Your Content, Generated Output | Contract — necessary for the performance of our contract with you (Terms of Service) |
| Processing payments and managing your billing | Account information, payment information, usage data | Contract — necessary to fulfil our billing obligations |
| Providing customer support | Account information, communications, usage data | Contract — necessary to provide the Service |
| Sending you Service-related communications (account notifications, security alerts, billing notices, subscription renewal reminders) | Account information (name, email) | Contract — necessary to operate the Service |
| Sending you marketing communications about our products and services | Account information (name, email) | Consent — only with your explicit opt-in. You can withdraw consent at any time (see Section 5) |
| Improving the Service, including analysing usage patterns, fixing bugs, and developing new features | Usage data, device data (anonymised and aggregated where possible) | Legitimate interests — our interest in improving and maintaining the Service. Analytics are processed entirely in-house and no analytics data is shared with third parties. We do not use Your Content or identifiable data for this purpose without anonymisation |
| Preventing fraud, abuse, and security threats | Account information, usage data, device and connection data | Legitimate interests — our interest in protecting the Service and our users |
| Complying with legal obligations (tax records, regulatory requests, law enforcement) | Account information, payment information, usage data | Legal obligation — required by applicable law |
2.2. We do not sell your personal data to third parties.
2.3. We do not use your personal data for advertising purposes or share it with advertisers.
2.4. We do not use Your Content or Generated Output to train AI models.
3.1. We share your personal data with the following categories of recipients, only to the extent necessary for the stated purpose:
| Recipient | Data Shared | Purpose | Location |
|---|---|---|---|
| Stripe (payment processor) | Payment details, billing address, transaction records | Processing payments and managing subscriptions | United States |
| Amazon Web Services (AWS Bedrock) (AI processing) | Your Content (inputs and prompts submitted to AI-powered features) | Generating output based on your inputs | United States (us-east-1) and United Kingdom (eu-west-2). Additional regions may be used in future depending on contractual or operational requirements. |
| Amazon Web Services (AWS) (hosting) | All data stored by the Service (encrypted at rest) | Hosting and operating the Service | United States (us-east-1) and United Kingdom (eu-west-2). Additional regions may be used in future depending on contractual or operational requirements. |
3.2. We may also share personal data:
3.3. We do not share Your Content or Generated Output with any third party except as described in Section 3.1 (where necessary to generate output and to store data). AI processing via AWS Bedrock is subject to AWS's data processing terms, under which your inputs are not used by AWS to train or improve AI models. We do not permit any provider to use Your Content for their own purposes.
3.4. We operate our own in-house analytics systems. Analytics data is processed and stored entirely within our own infrastructure and is not shared with any third-party analytics provider.
4.1. Some of our third-party service providers are located outside the United Kingdom. When your personal data is transferred to countries outside the UK, we ensure that appropriate safeguards are in place as required by UK GDPR, including:
4.2. You may request a copy of the safeguards we have in place for international transfers by contacting us at sew-sustainable at stackboard.co.uk.
5.1. Under UK GDPR, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | You have the right to request a copy of the personal data we hold about you. |
| Rectification | You have the right to request that we correct inaccurate personal data or complete incomplete personal data. |
| Erasure | You have the right to request that we delete your personal data in certain circumstances (for example, where the data is no longer necessary for the purpose it was collected, or where you withdraw consent). |
| Restriction of processing | You have the right to request that we restrict the processing of your personal data in certain circumstances (for example, where you contest the accuracy of the data). |
| Data portability | You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. |
| Objection | You have the right to object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. |
| Withdraw consent | Where we process your data based on consent (such as marketing communications), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. |
| Automated decision-making | You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not currently make such decisions. |
5.2. To exercise any of these rights, please contact us at sew-sustainable at stackboard.co.uk. We will respond to your request within one month. In exceptional cases (for example, where your request is complex), we may extend this by a further two months, in which case we will notify you of the extension and the reasons for it.
5.3. There is no fee for exercising your rights. We may charge a reasonable fee or refuse a request if it is manifestly unfounded or excessive.
5.4. We may ask you to verify your identity before processing your request to ensure the security of your personal data.
6.1. We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account information | Duration of your account + 90 days after closure | Necessary to provide the Service and allow data export on closure |
| Your Content and Generated Output | Duration of your account + 90 days after closure | Necessary to provide Service features (history, iteration). Permanently deleted 90 days after account closure |
| Payment and billing records | 6 years after the transaction | Required by UK tax law (HMRC record-keeping requirements) |
| Support communications | 2 years after the conversation, or duration of your account (whichever is longer) | Necessary to provide ongoing support and resolve disputes |
| Usage data and analytics | 26 months from collection | Necessary for Service improvement. Anonymised and aggregated where possible |
| Device and connection data (logs) | 12 months from collection | Security monitoring and abuse prevention |
6.2. When data reaches the end of its retention period, it is permanently deleted or anonymised so that it can no longer be associated with you.
6.3. You may request deletion of your data at any time by contacting us (see Section 5). Deletion requests are subject to our legal retention obligations (for example, we must retain tax records for 6 years regardless of an erasure request).
7.1. We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:
7.2. While we take reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
7.3. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, in accordance with UK GDPR Article 34. We will also report qualifying breaches to the Information Commissioner's Office within 72 hours of becoming aware of them, as required by UK GDPR Article 33.
8.1. We use cookies and similar technologies on the Service. A cookie is a small text file stored on your device that helps us provide and improve the Service.
8.2. We use the following categories of cookies:
| Category | Purpose | Consent Required? |
|---|---|---|
| Strictly necessary | Essential for the Service to function (authentication, security, session management). The Service cannot operate without these. | No — these are exempt under PECR |
| Functional | Remember your preferences and settings (such as language or display options). | Yes |
| Analytics | Help us understand how the Service is used so we can improve it. We use our own in-house analytics systems. No analytics data is shared with third parties or leaves our infrastructure. | Yes |
8.3. We do not use marketing or advertising cookies. We do not use cookies to track you across third-party websites.
8.4. You can manage your cookie preferences through your browser settings. Most browsers allow you to refuse non-essential cookies or delete cookies that have already been set. Please note that disabling strictly necessary cookies may prevent the Service from functioning correctly.
8.5. For more information about cookies and how to manage them, visit www.aboutcookies.org.
9.1. The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.
9.2. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that data promptly. If you believe we have collected data from a child, please contact us at sew-sustainable at stackboard.co.uk.
10.1. The Service may contain links to websites or services operated by third parties. We are not responsible for the privacy practices or content of those third-party websites. We encourage you to read the privacy policies of any third-party website you visit.
11.1. We may update this Privacy Policy from time to time. When we make material changes, we will:
11.2. We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
12.1. If you are unhappy with how we have handled your personal data, we encourage you to contact us first so we can try to resolve your concern.
12.2. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
This Privacy Policy was last reviewed and updated on .