Privacy Policy
Version 2026-05-30 · Effective 2026-05-30
1. Who we are
Folkery is operated by FOLKERY LTD (Folkery), a company registered in the United Kingdom at TODO_REGISTERED_OFFICE_ADDRESS. We are registered with the UK Information Commissioner's Office under registration number TODO_ICO_REGISTRATION_NUMBER.
For privacy questions or to exercise your rights, contact TODO_PRIVACY_CONTACT_EMAIL.
2. The two roles we play
Folkery is a personal relationship manager. That means we handle two very different categories of personal data, and the law treats them differently:
- Account data — we are the controller. This is the data we need to give you an account: your email address, password hash, billing information, session and device metadata, audit logs, support correspondence, and your product preferences.
- Contact data you store about other people — we are the processor; you are the controller. When you add contacts, notes, relationships, tags, groups, events, or research briefs about a third party, you decide what to record, why, and for how long. We process that data on your instructions, only to run the product for you. The Terms of Service set out the obligations that go with being a controller (lawful basis, transparency, responding to data-subject requests).
3. What we collect and why
| Category | Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|---|
| Email, password hash, age self-attestation | Create and secure your account; verify you are 16+ as required for self-consent under UK GDPR. | Contract (Art. 6(1)(b)). |
| Billing identifiers, plan, subscription state | Take payment, issue receipts, manage the lifecycle of paid access. | Contract (Art. 6(1)(b)); legal obligation for tax and accounting records (Art. 6(1)(c)). |
| Device sessions, IP address, user-agent, audit log | Detect abuse, enforce session limits, investigate incidents. | Legitimate interests in keeping the service secure (Art. 6(1)(f)). |
| Contact records, notes, relationships, tags, groups, events, research briefs | Store and present the data you choose to record. We are the processor; you are the controller. | Whatever lawful basis you, as controller, rely on (commonly legitimate interests for personal address-book use). |
| Google Calendar tokens and synced events (only if you connect the integration) | Two-way calendar sync. Tokens are encrypted at rest with Fernet using a server-side secret. | Consent (Art. 6(1)(a)) — you can revoke it at any time from Settings. |
| Research-query inputs (only when you run AI research) | Generate the research brief; passed to Exa, Firecrawl, and OpenAI for that single request. | Contract (Art. 6(1)(b)) for performing the feature you invoked. |
4. Sub-processors
Folkery uses the third-party services listed below to deliver the product. Where a sub-processor is located outside the UK, transfers take place under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (the UK IDTA / SCCs).
| Provider | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Render | Application hosting and managed Postgres database. | All account data and user-stored contact data at rest (processed inside EU region; see provider docs for region). | European Union (Frankfurt) — confirm region in render.yaml | If the deployed region is outside the UK/EEA, transfers rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs / IDTA). |
| Stripe | Subscription billing, payment processing, and invoicing. | Account email, billing name, billing/postal address, and payment-method metadata. Card numbers are entered directly into Stripe Elements and never reach Folkery servers. | United States (with EU/UK processing affiliates) | UK IDTA / EU SCCs as published in Stripe's Data Processing Agreement. |
| Resend | Transactional email delivery (invites, receipts, lifecycle notices). | Recipient email address and message body of transactional emails sent by Folkery. | United States | UK IDTA / EU SCCs per Resend's DPA. |
| Google (Calendar API) | Optional, user-initiated calendar synchronisation. Tokens are encrypted at rest using Fernet keys derived from a server-side secret. | OAuth tokens scoped to Google Calendar, plus calendar/event data the user chooses to sync. No Google data is shared with other sub-processors. | United States | Google's standard contractual clauses for Workspace/Cloud APIs. |
| Exa | Web search backend for the AI research feature. | The free-text research query the user submits, plus the contact-derived terms expanded into the query. | United States | UK IDTA / EU SCCs per Exa's DPA. |
| Firecrawl | Web-page fetching and extraction for the AI research feature. | URLs returned by search, plus extracted page content used to build the research brief. | United States | UK IDTA / EU SCCs per Firecrawl's DPA. |
| OpenAI | LLM inference for the AI research feature (summarisation, extraction). Requests are sent with zero-retention API settings where supported. | Research query plus retrieved page snippets needed to draft the research brief. | United States | UK IDTA / EU SCCs per OpenAI's API Data Processing Addendum. |
We notify users of material changes to the sub-processor list by updating this page and bumping the policy version, which prompts a fresh acceptance on next sign-in.
5. Retention
- Account, subscription, and contact data are retained for as long as your account exists.
- After cancellation or non-payment, accounts move through grace, read-only, and locked states as described in the product. Locked accounts are scheduled for deletion at the date shown on your billing page.
- Audit logs are retained for up to 24 months for security purposes.
- Billing records are retained for at least 6 years to meet UK tax-law obligations.
- Research-query content sent to OpenAI uses zero-retention API settings where supported; otherwise it is retained per the provider's standard policy.
6. Your rights
You have the right to access, rectify, erase, restrict, port, and object to processing of personal data we hold about you as an account holder. You can also withdraw consent to optional features (such as Google Calendar sync) at any time. To exercise any of these rights, email TODO_PRIVACY_CONTACT_EMAIL.
You can also complain to the UK Information Commissioner's Office at ico.org.uk.
7. If you are a contact stored by a Folkery user
If someone else has stored information about you in Folkery, that user is the data controller for that information — not us. To access, correct, or delete it, please contact the user directly (the same person who would already hold your address or phone number).
If you cannot reach them, or you have reason to believe the data was added unlawfully, email TODO_PRIVACY_CONTACT_EMAIL. We will pass the request on to the relevant account holder and, if appropriate, take action under our Acceptable Use rules in the Terms of Service. We cannot independently verify your identity against a third party's address book, so we may ask for information that helps us locate the right record without disclosing other users' data.
8. Security
- Transport encryption (HTTPS) on all traffic.
- Passwords stored as salted hashes; never in plain text.
- Google OAuth tokens encrypted at rest using Fernet keys derived from a server-side secret.
- Per-user session tokens with device-level revocation and admin audit trail.
- Strict Content Security Policy with nonces; no inline event handlers.
- Daily database backups; environment isolation between development and production.
9. Changes to this policy
When this policy changes in any material way, we update the version number at the top and re-prompt every active user to accept the new version on their next sign-in. The previous version is available on request.