Privacy Policy
This Privacy Policy explains what personal data we collect when you use Hearth & Crate and how we handle it. We operate under UK GDPR and the Data Protection Act 2018.
1. Who we are
We are OBN Enterprise Ltd., the operator of Hearth & Crate. We are the data controller for account-level data and a data processor for workspace records you upload. Contact: info@obnenterprise.co.uk.
2. What we collect
- Account data: name, email, password hash (bcrypt), workspace name, role.
- Workspace records: the data you choose to store (logs, audits, batches, staff, invoices, etc.).
- Billing data: Stripe customer ID, subscription status, current period end. Card numbers are not stored — they live with Stripe.
- Technical: minimal HTTP-only auth cookies, IP addresses in server logs (rolling 30 days).
3. Why we process it
- To deliver the Service (contract): authentication, storing your records, generating reports.
- To take payment (contract): subscription billing via Stripe.
- To notify you (legitimate interest): daily digest emails via Brevo if you've enabled them.
- Security (legitimate interest): detecting abuse, debugging.
4. Sub-processors
- Stripe — payments processor (USA / EU). stripe.com/privacy
- Brevo (Sendinblue) — transactional email (EU). brevo.com/legal/privacypolicy
- Google Cloud / hosting — infrastructure for the Service.
5. How long we keep your data
For as long as your workspace exists. After you delete the workspace there is a 30-day grace period; then every record (records, attachments, users, audit templates, payment history, etc.) is permanently purged.
6. Your rights
You have the right to access, rectify, port, restrict and erase your personal data. Most of these are self-service in Settings → Account (Export and Delete). For anything else, email us.
7. Cookies
We only use strictly-necessary cookies (auth session). No analytics, no advertising trackers. See Cookies.
8. International transfers
Data may be processed in the EU and/or USA via our sub-processors. We rely on Standard Contractual Clauses where applicable.
9. Complaints
If you believe we've mishandled your data you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.