1. Introduction
Yarn Digital ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Yarn Digital Dashboard ("Service"), in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
Yarn Digital is the data controller for personal data processed through the Service. For any data protection queries, contact us through the dashboard.
3. Data We Collect
We collect the following categories of personal data:
- Account information: Name, email address, password (hashed), profile photo
- Business data: Contact details, project information, invoices, contracts, and other CRM data you enter
- Usage data: Login timestamps, feature usage, browser type, IP address
- Calendar data: Calendar events synced via Google Calendar integration (when enabled)
- Communication data: Messages sent through the platform
4. Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide the Service you have subscribed to
- Legitimate interests: Service improvement, security, and fraud prevention
- Consent: Optional integrations (e.g., Google Calendar) and marketing communications
- Legal obligation: Compliance with applicable laws and regulations
5. How We Use Your Data
- To provide, maintain, and improve the Service
- To authenticate your identity and secure your account
- To send transactional emails (password resets, account notifications)
- To provide customer support
- To detect and prevent fraud or abuse
6. Data Storage and Security
Your data is stored securely using Google Firebase/Firestore infrastructure. We implement appropriate technical and organisational measures to protect your data, including:
- Encryption of data in transit (TLS/SSL)
- Password hashing using bcrypt
- JWT-based authentication with secure, HTTP-only cookies
- Regular security reviews and updates
7. Data Sharing
We do not sell your personal data. We may share data with:
- Service providers: Google Cloud (hosting), Resend (email delivery) — bound by data processing agreements
- Legal requirements: When required by law, regulation, or legal process
8. International Transfers
Your data may be processed in countries outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions.
9. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account deletion, we will delete or anonymise your data within 30 days, except where retention is required by law.
10. Your Rights
Under UK GDPR, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Request restriction of processing
- Portability: Request transfer of your data in a machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us through the dashboard. We will respond within 30 days.
11. Cookies
We use the following cookies:
- auth_token: Essential authentication cookie (HTTP-only, secure) — required for the Service to function
- cookie_consent: Records your cookie preferences
We do not use third-party tracking cookies or analytics cookies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top indicates when the policy was last revised.
13. Contact & Complaints
For any privacy-related questions or to exercise your rights, contact us through the dashboard.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.