Privacy policy.

The short version: we collect what we need to send your reports, nothing more. We don’t sell anything to anyone. You can take your data and leave whenever you like.

Who we are

SendTidings is a product of Prystine Web Solutions Ltd, a company registered in England and Wales (Company No. 12513859, VAT No. GB421674703) with its registered office at 23 Barberry Drive, Didcot, OX11 6JY.

Prystine Web Solutions Ltd is the data controller for personal data processed in connection with the SendTidings service. We are registered with the UK Information Commissioner’s Office (ICO) under registration reference ZA935628.

For any privacy-related question, write to privacy@sendtidings.com.

What we collect

When you use SendTidings, we hold:

  • Your account details: name, email address, hashed password (or your OAuth identifier if you sign in with Google or GitHub), your organisation name, and your billing address if you’re on a paid plan.
  • Your client and site list: the names, domains, and recipient email addresses you set up so we can post a report each month.
  • Connected analytics data: visitor counts, top pages, referrers and similar metrics pulled from the data sources you connect (Plausible, GA4, Matomo, Cloudflare Web Analytics, etc.). We pull only what we need to render the report.
  • Integration credentials: API keys, OAuth tokens, and other secrets you provide so we can fetch your analytics. These are encrypted at rest using AES-256.
  • Light usage data: when you log in, which sections of the app you use, and basic error logs so we can fix bugs.

What we don’t collect

We don’t use third-party advertising trackers, fingerprinting, or cross-site tracking. The marketing site you’re reading uses no cookies and no third-party analytics; we do record anonymous aggregate traffic via a self-hosted Plausible Analytics instance running on our own infrastructure (no personal data, no IP addresses retained, no identification of individual visitors). We don’t sell or rent contact details. We don’t train AI models on your client data. We don’t read the body of any email you send through us beyond what we render to deliver it.

Why we collect it (lawful basis)

Under Article 6 of the UK GDPR, our lawful bases for processing your personal data are:

  • Performance of a contract: to provide the service you signed up for (rendering reports, sending emails, billing).
  • Legitimate interests: keeping the service secure, preventing abuse, and improving features (we balance this carefully against your privacy and you can object at any time).
  • Legal obligation: keeping records required by UK tax and accounting law.
  • Consent: for any marketing email, which is opt-in only. You can withdraw consent at any time.

Who else processes your data (subprocessors)

We use a small number of trusted vendors to run the service. Each of them is bound by a data processing agreement and uses your data only to provide their part of the service.

  • Paddle (Paddle.com Market Limited, UK): payments and subscription management. Paddle is the Merchant of Record for SendTidings, which means they handle your payment relationship, invoicing, and any sales tax / VAT. They receive the billing details you provide at checkout.
  • Vercel (Vercel Inc., USA): hosting for the SendTidings dashboard at app.sendtidings.com.
  • Cloudflare (Cloudflare, Inc., USA / EU): hosting for the marketing site at sendtidings.com, plus DNS, edge caching, and DDoS protection across the platform.
  • Neon (Neon Inc., USA, with EU-region database): our primary Postgres database. Your account data, client list, and encrypted integration credentials live here.
  • Resend (Resend, Inc., USA): transactional and report emails. Resend processes the recipient addresses and report content for the time it takes to deliver each message.
  • Trigger.dev (Trigger.dev Ltd, UK): background jobs that fetch analytics and dispatch monthly reports.
  • OAuth providers: if you sign in with Google or GitHub, or connect a Google Analytics property, the relevant provider receives the standard authentication scopes. We never store your provider password.

A current, more detailed subprocessor list is available on request to privacy@sendtidings.com.

International transfers

Some of our subprocessors are based in the United States (Vercel, Cloudflare, Neon, Resend). Where personal data is transferred outside the UK or EEA, we rely on the UK International Data Transfer Agreement and / or the EU Standard Contractual Clauses with the UK Addendum, supplemented by the technical safeguards described above (encryption in transit and at rest).

Google API disclosure

SendTidings’ use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

You can revoke SendTidings’ access to your Google account at any time by visiting your Google Account permissions page. Once revoked, SendTidings can no longer pull data from the scopes you previously granted; any data already retrieved is handled in line with the retention rules below.

How long we keep it

For as long as you have an account with us. If you cancel, we keep billing records for the period required by UK accounting law (currently six years) and delete everything else within thirty days. You can request immediate deletion of your account data at any time.

Your rights

Under UK GDPR you have the right to:

  • access a copy of the personal data we hold about you;
  • correct anything that’s wrong;
  • delete your data (subject to the retention rules above);
  • object to or restrict our processing in certain circumstances;
  • export your data in a portable format;
  • complain to the Information Commissioner’s Office at ico.org.uk if you think we’ve mishandled it.

Email privacy@sendtidings.com to exercise any of these. We aim to respond within seven days and always within thirty.

Cookies and tracking

The marketing site (sendtidings.com) sets no cookies. We record anonymous aggregate traffic — page views, referrers, country, device type — via a self-hosted Plausible Analytics instance on our own infrastructure. Plausible is cookieless, doesn’t use fingerprinting, doesn’t track visitors across sites, and doesn’t retain raw IP addresses. Because the instance is self-hosted, no analytics data is shared with a third-party processor.

The dashboard (app.sendtidings.com) sets a single first-party cookie to keep you logged in. We do not use third-party advertising or analytics cookies anywhere.

Children

SendTidings is a tool for businesses and is not intended for children under 18. We don’t knowingly collect personal data from children. If you believe we have, please email privacy@sendtidings.com and we’ll remove it.

Changes

If we change this policy in a way that materially affects your privacy, we’ll email account holders before the change takes effect. The “last updated” date above always reflects the current version.