Privacy policy
Last updated: 9 July 2026
This policy explains how Craig McQueen, trading as Guddle (“Guddle”, “we”, “us”) collects, uses and protects personal data when you use guddle.net and app.guddle.net (the “Service”). It reflects the UK GDPR and the Data Protection Act 2018.
1. Who we are
The controller is Craig McQueen, trading as Guddle, a sole trader based in England, of 1 Near Birch Road, Houlton, Rugby, CV23 1DY, United Kingdom. Registered with the UK Information Commissioner’s Office (ICO), registration reference ZA417411. Privacy contact: hello@guddle.net.
2. The personal data we collect
You give us:
- Account and profile data — name, email, password (stored only as a secure hash), and optionally phone number and profile photo.
- Organisation data — organisation name, your role, team membership.
- Content you create — projects, stages, tasks, risks, issues, quality and review records, lessons, business cases, calendar events and comments, which may contain personal data you include.
- Contacts you record — names, companies, roles, emails, phone numbers and notes about people you reference on a project.
- Communications — messages you send us.
We collect automatically:
- Authentication data — if you sign in with Google or Apple, we receive your name and email to create or match your account.
- Usage and diagnostic data — limited technical data to run and secure the Service, plus error/crash reports linked only to your user ID (not used for advertising).
- Audit logs — a record of key actions (who did what and when) for security and your project history.
We do not intentionally collect special category data; please don’t enter it in free-text fields.
3. How we use your data and our lawful bases
- Create and run your account and provide the Service — performance of a contract.
- Send service emails (confirmation, password reset, invitations, notifications) — contract and legitimate interests.
- Secure the Service, prevent abuse, keep audit logs — legitimate interests.
- Diagnose and fix errors — legitimate interests.
- Process payments and manage subscriptions — contract and legal obligation.
- Provide support — legitimate interests and contract.
- Optional product or marketing updates (if offered) — consent, which you can withdraw.
- Comply with the law — legal obligation.
4. Who we share data with
We do not sell your personal data. We use trusted providers under contract:
- Supabase — database, authentication and file storage.
- Vercel — web hosting and content delivery.
- Brevo — sending transactional emails.
- Sentry — error and crash monitoring.
- Google / Apple — sign-in, only if you choose social sign-in.
- Stripe — payment and subscription processing for paid plans.
- A third-party AI you connect — only if you choose to; it accesses your data under your account’s permissions and is a separate controller under your own agreement.
We may also disclose data to comply with the law or protect rights, and to a successor in a business sale (we will notify you).
5. International transfers
Some providers may process data outside the UK. Where that happens we rely on an appropriate safeguard, such as UK adequacy regulations or the UK International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses. Ask us for details.
6. Your rights
You have the right to access, rectify, erase, restrict or object to processing (including direct marketing), to data portability, and to withdraw consent. To exercise a right, contact hello@guddle.net; we respond within the statutory time limit (generally one month). You can delete your account from within the Service. We may retain limited data where the law requires, and content you added to shared projects may remain visible to that project’s team for continuity, with your identifying details removed or anonymised where appropriate.
7. How long we keep data
- Account and profile data — while your account is active and a reasonable period after, then deleted or anonymised.
- Project content — until you or your organisation delete it, or your account closes.
- Audit logs — up to 24 months.
- Billing records — as required by tax law (generally six years in the UK).
- Error/diagnostic data — a short period, then deleted.
8. Contacts and other people’s data you add
When you record details about other people, you are responsible for having a lawful basis to do so and for any notices required. We process this data on your behalf to provide the Service. If you are one of those people, contact the Guddle user or organisation holding your data, or contact us and we will help.
9. Controller and processor roles
We are the controller of account, profile, authentication, billing and diagnostic data. For project content you input, you are the controller and we act as your processor. Business customers needing a Data Processing Agreement can contact us.
10. Security
We use reasonable measures including encryption in transit (HTTPS/TLS), hashed passwords, row-level database access controls, and access logging. No system is perfectly secure, but we work to protect your data and to notify you and the regulator of a breach where the law requires.
11. Cookies and local storage
We use essential cookies and local browser storage to keep you signed in and remember basic preferences. We do not use advertising cookies or sell data to advertisers.
12. Children
The Service is for business users aged 18 or over and is not directed at children. We do not knowingly collect children’s data.
13. Changes
We may update this policy and will notify you of material changes and update the date above.
14. Contact and complaints
Privacy questions or to exercise your rights: hello@guddle.net. Craig McQueen, trading as Guddle, 1 Near Birch Road, Houlton, Rugby, CV23 1DY, United Kingdom.
If you are unhappy with how we handle your data, please contact us first — we operate an internal complaint-handling process and will acknowledge and respond. You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk (helpline 0303 123 1113), or to the data protection authority where you live or work in the EU.