Privacy Policy
Last updated: 7 December 2025
1. Introduction
This Privacy Policy explains how Tom Griffiths, trading as pkts.app ("we", "us", "our") collects, uses, stores, and protects your personal information when you use our inventory management service ("Service").
Data Controller: Tom Griffiths, trading as pkts.app
Contact: tom@pkts.app
Location: London, United Kingdom
This policy should be read alongside our Terms of Service.
2. Information We Collect
Under UK GDPR, we must inform you about what personal data we collect, why we collect it, and who we share it with. Below is a detailed breakdown:
2.1 Account Information (Collected During Sign-Up)
| Data Type | What We Collect | Purpose | Legal Basis |
|---|---|---|---|
| Identity Data | Name, profile picture | To create and maintain your account | Contract performance (necessary to provide the Service) |
| Contact Data | Email address | Account management, essential communications, password resets | Contract performance |
| OAuth Data | Provider user ID (GitHub or Google), OAuth tokens | Authentication and secure sign-in | Contract performance |
Source: Collected directly from you via OAuth providers (GitHub or Google) when you sign in.
2.2 Inventory Data (Voluntarily Provided by You)
| Data Type | What We Collect | Purpose | Legal Basis |
|---|---|---|---|
| Item Information | Item names, descriptions, locations, categories | To organize and display your inventory | Contract performance |
| Images | Photos of your items | Visual identification and reference | Contract performance |
| Documents | Proof of purchase PDFs | Record keeping and reference | Contract performance |
| Organizational Data | Custom categories, sites, container structures | To organize your inventory according to your preferences | Contract performance |
Source: Voluntarily uploaded by you through the Service.
2.3 Technical and Usage Data (Automatically Collected)
| Data Type | What We Collect | Purpose | Legal Basis |
|---|---|---|---|
| Authentication Cookies | Session tokens, CSRF tokens | Secure authentication and session management | Strictly necessary (exempt from consent under PECR) |
| Log Data | IP address, browser type, device information, access times | Security, fraud prevention, troubleshooting | Legitimate interest (security and service improvement) |
| Usage Data | Features used, pages visited, errors encountered | Service improvement and optimization | Legitimate interest (improving Service quality) |
Source: Automatically collected through cookies and server logs when you use the Service.
2.4 Payment Information (For Paid Subscriptions)
| Data Type | What We Collect | Purpose | Legal Basis |
|---|---|---|---|
| Subscription Data | Plan type, subscription status, billing dates | To manage your subscription | Contract performance |
| Payment Transaction Data | Transaction IDs, payment status (NOT card details) | Record keeping and customer support | Contract performance and legal obligation (tax records) |
Important: We do NOT collect or store your payment card details. All payment processing is handled by Paddle.com Market Limited, our Merchant of Record. Your payment information is subject to Paddle's Privacy Policy.
Source: Received from Paddle when you subscribe to a paid plan.
3. How We Use Your Information
We process your personal data for the following purposes:
3.1 To Provide the Service (Contract Performance)
- Create and maintain your user account
- Store and organize your inventory data
- Display your uploaded images and documents
- Enable search and organization features
- Process AI features (speech-to-text, natural language search)
- Enable collaboration features when you choose to share sites
3.2 To Communicate With You (Contract Performance)
- Send essential service notifications (account creation, password resets)
- Notify you of subscription changes or payment issues
- Respond to your support requests
- Inform you of Terms of Service or Privacy Policy updates
We do NOT send marketing emails. All communications are essential for the Service.
3.3 For Security and Fraud Prevention (Legitimate Interest)
- Detect and prevent unauthorized access
- Identify and prevent abuse of the Service
- Monitor for security vulnerabilities
- Maintain logs for security incident investigation
3.4 To Improve the Service (Legitimate Interest)
- Analyze usage patterns to identify bugs and improve features
- Optimize performance and user experience
- Develop new features based on aggregated usage data
3.5 To Comply With Legal Obligations (Legal Obligation)
- Respond to valid legal requests (court orders, subpoenas)
- Comply with tax and accounting requirements
- Meet data protection law obligations
4. AI Processing and Third-Party Processors
Your data may be processed by third-party service providers acting as data processors on our behalf. We have Data Processing Agreements (DPAs) in place with all processors.
4.1 OpenAI (AI Processing) - United States
What data is processed: When you use AI features, we send:
- Item names and descriptions (for search and organization)
- Voice input (for speech-to-text conversion)
- Your queries and commands
Purpose: To provide AI-powered search, organization, and voice input features
Data location: United States (temporary processing only)
Safeguards: Standard Contractual Clauses (SCCs) with OpenAI, covered by their Cloud DPA
Important: OpenAI does NOT use your data to train their models under our agreement. Your data is processed only to provide the Service features you request.
4.2 Neon (Database Hosting) - United Kingdom
What data is stored:
- All account information (name, email, OAuth data)
- All inventory data (item details, locations, categories)
- Subscription information
Purpose: Secure storage of your data
Data location: AWS Europe West 2 (London, UK)
Safeguards: Neon's DPA ensures UK GDPR compliance
4.3 Vercel (Hosting and File Storage) - United Kingdom
What data is stored:
- Images you upload
- PDF documents (proof of purchase)
- Session data (via cookies)
Purpose: Secure file storage and service hosting
Data location: lhr1 (London, UK) for Blob storage; London for serverless functions
Safeguards: Vercel's DPA ensures UK GDPR compliance
4.4 Paddle (Payment Processing) - Multiple Locations
What data is processed:
- Payment information (handled directly by Paddle, not by us)
- Subscription management data
- Billing information
Purpose: Process payments and manage subscriptions
Data location: Paddle operates globally as Merchant of Record
Privacy Policy: Paddle's Privacy Policy
5. International Data Transfers
When transferring personal data outside the UK, we must implement appropriate safeguards.
5.1 Data Storage Locations
Your core data stays in the UK:
- Database (Neon): London, UK
- Files (Vercel Blob): London, UK
- Application (Vercel Functions): London, UK
International transfers:
- OpenAI (AI Processing): United States - only temporary processing when you use AI features
5.2 Safeguards for US Transfers
For data transferred to OpenAI in the United States, we have implemented:
- Standard Contractual Clauses (SCCs) / International Data Transfer Agreement (IDTA)
- OpenAI's Cloud Data Processing Addendum
- Strict contractual controls ensuring data is processed only for providing our Service
5.3 Your Rights Regarding International Transfers
You have the right to:
- Request information about safeguards in place for international transfers
- Object to specific transfers (though this may limit Service functionality)
- Obtain a copy of the safeguards we use
6. Data Sharing and Disclosure
We do NOT sell, rent, or trade your personal data.
6.1 Who We Share Data With
Service Providers (Data Processors):
- OpenAI - AI processing (US)
- Neon - Database hosting (UK)
- Vercel - Hosting and file storage (UK)
- Paddle - Payment processing (as Merchant of Record)
All processors are bound by DPAs requiring them to protect your data and use it only as instructed.
Collaboration Feature Users: When you explicitly share a site with another user:
- They can view items in that site
- They can edit item details, download images and PDFs
- They remain bound by our Terms of Service regarding data use
Legal Requirements: We may disclose your data if required by law, such as:
- Valid court orders or subpoenas
- Legal obligations (e.g., tax authorities)
- To protect rights, property, or safety (ours, yours, or others)
- In connection with legal proceedings
Business Transfers: If we sell or transfer our business, your data may be transferred to the new owner as part of that transaction. You will be notified of any such change.
6.2 Who We Do NOT Share Data With
- Advertisers or marketing companies
- Data brokers
- Social media platforms (beyond OAuth authentication)
- Analytics providers (we don't use third-party analytics)
7. Data Retention
7.1 Active Accounts
We retain your data for as long as your account is active and you continue using the Service.
7.2 Cancelled Accounts
- 30-day grace period: After you cancel your subscription or delete your account, we retain your data for 30 days
- Purpose: Allows you to reactivate if you change your mind
- After 30 days: All data is permanently deleted from active systems
7.3 Backups
- Data may persist in encrypted backups for up to 90 days after deletion
- Backup data is only accessible for disaster recovery purposes
- After 90 days, data is permanently removed from all systems
7.4 Legal Retention
Some data may be retained longer if required by law:
- Tax and accounting records: Up to 7 years (UK legal requirement)
- Legal dispute records: Until the dispute is resolved plus statutory limitation period
7.5 Deletion Process
When you delete your account:
- Immediate: Account marked for deletion, access disabled
- 30 days: Data deleted from production database and file storage
- 90 days: Data purged from all backup systems
8. Your Rights Under UK GDPR
Under UK GDPR, you have several rights regarding your personal data:
8.1 Right of Access (Article 15)
You can request:
- Confirmation that we process your personal data
- A copy of your personal data
- Information about how and why we process it
How to exercise: Email tom@pkts.app with "Data Access Request" in the subject line
Response time: Within 30 days (may be extended by 2 months for complex requests)
Free of charge for the first request; reasonable fees may apply for repeated or excessive requests
8.2 Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete data.
How to exercise:
- Most data can be corrected directly in your account settings
- For other corrections, email tom@pkts.app
Response time: Without undue delay, typically within 30 days
8.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You can request deletion of your data when:
- It's no longer necessary for the purposes we collected it
- You withdraw consent (where processing was based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Legal obligation requires erasure
How to exercise:
- Delete your account through account settings, OR
- Email tom@pkts.app with "Data Deletion Request"
Exceptions: We may retain data where required by law (e.g., tax records) or for legal claims
8.4 Right to Restriction of Processing (Article 18)
You can request we limit how we use your data while:
- Verifying accuracy of data you've challenged
- Processing is unlawful but you don't want erasure
- We no longer need the data but you need it for legal claims
- You've objected to processing and we're verifying legitimate grounds
How to exercise: Email tom@pkts.app
8.5 Right to Data Portability (Article 20)
You can request your data in a structured, machine-readable format (JSON) and have it transmitted to another service.
Applies to: Data you provided where processing is based on consent or contract, and carried out by automated means
How to exercise: Email tom@pkts.app with "Data Portability Request"
Format: We provide data in JSON format
8.6 Right to Object (Article 21)
You can object to processing based on:
- Legitimate interests (we must stop unless we have compelling legitimate grounds)
- Direct marketing (we must stop immediately)
How to exercise: Email tom@pkts.app
8.7 Rights Related to Automated Decision-Making (Article 22)
We do NOT use automated decision-making or profiling that produces legal or similarly significant effects. AI features are tools that you control and direct.
8.8 Right to Withdraw Consent (Article 7(3))
Where processing is based on consent, you can withdraw it at any time.
Note: Most of our processing is based on contract performance or legitimate interests, not consent.
8.9 How to Exercise Your Rights
Email: tom@pkts.app
Subject line: Clearly state which right you're exercising (e.g., "Data Access Request")
Include: Your account email and any details to help us locate your data
Response time: Within 30 days (may extend by 2 months if complex)
Verification: We may ask for proof of identity to protect your data security
Free of charge: We don't charge fees unless requests are manifestly unfounded or excessive
9. Cookies and Tracking Technologies
We use cookies strictly for essential Service functionality. Under UK GDPR, we must provide clear information about cookies.
9.1 Strictly Necessary Cookies
These cookies are essential for the Service to function and cannot be disabled:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| next-auth.session-token (or __Secure-next-auth.session-token) | Stores encrypted session token for authentication | 30 days | HTTP-only, Secure |
| next-auth.csrf-token (or __Host-next-auth.csrf-token) | CSRF protection during OAuth sign-in | Session | HTTP-only, Secure |
| next-auth.callback-url | Stores return URL after authentication | Session | Secure |
| CookieConsent | Records your cookie consent preference | 365 days | Standard |
9.2 Third-Party Cookies
OAuth Providers (GitHub and Google):
- May set their own cookies during the sign-in process
- Governed by their respective privacy policies
- GitHub Privacy Statement
- Google Privacy Policy
9.3 No Analytics or Marketing Cookies
We do NOT use:
- Google Analytics or other analytics services
- Marketing or advertising cookies
- Social media tracking pixels
- Cross-site tracking technologies
9.4 Managing Cookies
Browser Settings: You can configure your browser to block or delete cookies, but note that:
- Blocking authentication cookies will prevent you from signing in
- The Service requires cookies to function
Cookie Consent: Since we only use strictly necessary cookies, we display a simple notice rather than requesting opt-in consent (as permitted under UK PECR regulations).
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
10.1 Technical Measures
- Encryption in transit: All data transmitted over HTTPS/TLS
- Encryption at rest: Database and file storage encrypted
- Secure authentication: OAuth 2.0 with CSRF protection
- Session security: HTTP-only, Secure cookies prevent XSS attacks
- Access controls: Role-based access to systems and data
- Regular updates: Security patches applied promptly
10.2 Organizational Measures
- Minimal access: Only essential personnel can access systems
- Data Processing Agreements: All processors contractually bound
- Security monitoring: Logs reviewed for suspicious activity
- Incident response: Procedures in place for data breaches
10.3 Data Breach Notification
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms:
- We will notify the ICO within 72 hours of becoming aware
- We will notify you without undue delay if the breach is likely to result in high risk to you
- Notification will include: Nature of the breach, likely consequences, measures taken/proposed
10.4 Limitations
No security system is 100% secure. While we implement industry-standard measures, we cannot guarantee absolute security. You should:
- Keep your OAuth account credentials secure
- Use strong passwords for your OAuth provider accounts
- Log out when using shared devices
- Report suspicious activity to tom@pkts.app
11. Children's Privacy
11.1 Age Requirement
The Service is not intended for children under 13 years of age. You must be at least 13 (or the age of digital consent in your country) to use the Service.
11.2 No Knowing Collection
We do not knowingly collect personal data from children under 13. Our OAuth providers (GitHub and Google) also require users to be at least 13.
11.3 If You Believe We Have Data From a Child
If you believe we have inadvertently collected data from a child under 13, please contact tom@pkts.app immediately. We will:
- Verify the age of the account holder
- Delete the account and all associated data if under 13
- Take steps to prevent future collection
12. Changes to This Privacy Policy
12.1 How We Update This Policy
We may update this Privacy Policy to reflect:
- Changes to the Service or features
- Changes in legal or regulatory requirements
- Changes to our data processing practices
- Industry best practices
12.2 Notification of Changes
Material changes will be notified via:
- Email to your registered email address
- Prominent notice in the Service
- At least 30 days before changes take effect
Minor changes (typos, clarifications, formatting) may be made without advance notice.
12.3 Reviewing Changes
We recommend reviewing this Privacy Policy periodically. The "Last updated" date at the top shows when it was last revised.
12.4 Your Options
If you do not agree with changes:
- You may delete your account before changes take effect
- Continued use after changes constitutes acceptance
13. Legal Basis for Processing
Under UK GDPR, we must have a legal basis for processing your personal data. Our legal bases are:
| Processing Activity | Legal Basis | Reference |
|---|---|---|
| Account creation and management | Contract performance (Article 6(1)(b)) | Necessary to provide the Service |
| Storing inventory data | Contract performance | Necessary to provide the Service |
| AI processing features | Contract performance | Features you request as part of the Service |
| Payment processing | Contract performance | Necessary to manage subscriptions |
| Security monitoring | Legitimate interests (Article 6(1)(f)) | Protecting our systems and users |
| Service improvement | Legitimate interests | Improving Service quality |
| Tax and accounting | Legal obligation (Article 6(1)(c)) | Required by UK tax law |
| Responding to legal requests | Legal obligation | Required by law |
Legitimate interests assessment: Where we rely on legitimate interests, we have assessed that our interests or those of third parties do not override your rights and freedoms.
14. Supervisory Authority
14.1 Right to Lodge a Complaint
You have the right to lodge a complaint with the UK's data protection supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
Live Chat: Available on ICO website
Postal Address:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
United Kingdom
14.2 When to Contact the ICO
You can contact the ICO if you believe:
- We are not complying with UK GDPR
- We have not responded adequately to your rights requests
- You are not satisfied with our response to a complaint
14.3 We Encourage Contact First
While you have the absolute right to contact the ICO directly, we encourage you to contact us first at tom@pkts.app so we can attempt to resolve any concerns.
15. Contact Us
For any questions about this Privacy Policy, to exercise your rights, or for any data protection queries:
Email: tom@pkts.app
Service Provider: Tom Griffiths, trading as pkts.app
Location: London, United Kingdom
Typical response time: Within 5 business days for general queries; within 30 days for formal rights requests (access, deletion, etc.)
We take all data protection matters seriously and will work to resolve any concerns promptly.
This Privacy Policy was last updated on 7 December 2025. You can always find the most current version at pkts.app/legal/privacy.