Privacy Policy
Effective date: 29 April 2026. Last updated: 29 April 2026.
1. Who we are
Grid Social is a trading name of A Mackay (Publisher) Ltd, a private limited company registered in Scotland under company number SC858624.
87 Knightscliffe Avenue
Glasgow, Scotland
G13 2RX
United Kingdom
Sole director: Angus Mackay
Privacy contact: hello@gridsocial.co.uk
For the purposes of UK GDPR and the Data Protection Act 2018, A Mackay (Publisher) Ltd is the data controller of any personal data collected through this website and our services.
2. What personal data we collect
We collect the minimum data needed to deliver our services. Specifically:
2.1 When you buy the £97 audit
- Your name and email address (provided directly or via Stripe checkout)
- Your billing address (collected by Stripe for invoice / VAT compliance)
- The Facebook Page URL and Instagram handle you submit for audit
- The Facebook Page ID we resolve from that URL (public data)
- The audit PDF and recorded Loom we generate for you
- Optional notes you add to the submission form
2.2 When you subscribe to a paid plan
- Account email, business name, contact details
- OAuth tokens you grant for connected platforms (Facebook Pages, Instagram, LinkedIn, TikTok, Google Business Profile, Pinterest) — stored encrypted
- The content you create, schedule and publish through Grid Social
- Stripe customer ID and subscription metadata (Stripe holds the card details, we do not)
2.3 When you visit gridsocial.co.uk
- Standard server logs (IP address, user agent, request path) retained for security and debugging — typically 30 days
- Essential cookies only (no third-party advertising cookies, no tracking pixels by default)
3. Lawful basis for processing
We rely on the following lawful bases under UK GDPR Article 6:
- Contract (Article 6(1)(b)) — to deliver the audit or subscription service you bought
- Legal obligation (Article 6(1)(c)) — to keep invoice and tax records as required by HMRC
- Legitimate interests (Article 6(1)(f)) — fraud prevention, service security, and improving our service quality. We balance this against your rights and freedoms.
- Consent (Article 6(1)(a)) — for any optional marketing communications, which you can withdraw at any time
4. How long we keep it
- Audit deliverables and invoices: 7 years (UK statutory record-keeping for limited companies under Companies Act 2006 s388 and HMRC requirements)
- Stripe checkout sessions that did not complete: 30 days, then deleted
- Waitlist signups: until the launch email is sent, then deleted unless you become a customer
- OAuth tokens for platform integrations: until you disconnect, your subscription ends, or 90 days of inactivity (whichever is earliest)
- Server logs: 30 days
- Closed accounts: contact details retained for 7 years for tax purposes; everything else deleted within 30 days of cancellation request
5. Who we share it with
We share personal data only with the following processors, each under a written data processing agreement:
- Stripe Payments UK Ltd — payment processing. Stripe is the data controller for card data; we receive only summary metadata.
- Netlify Inc. — website and serverless function hosting
- Supabase Inc. — database and authentication backend
- Meta Platforms (Facebook, Instagram), Google (Business Profile), LinkedIn, TikTok, Pinterest — only when you connect those accounts and only via their official APIs
- HMRC and our accountant — where legally required for tax filing
We do not sell your personal data and we do not share it for advertising purposes.
6. International transfers
Some of our processors (notably Stripe, Netlify, Supabase and the social-platform APIs) are based outside the UK, principally in the United States. Where this is the case we rely on UK International Data Transfer Agreements, the EU Standard Contractual Clauses (with UK Addendum), or equivalent safeguards approved by the ICO.
7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your data (subject to our legal record-keeping obligations)
- Restrict processing in certain circumstances
- Data portability — receive your data in a machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time where we rely on it
- Lodge a complaint with the Information Commissioner's Office at ico.org.uk/make-a-complaint or by calling 0303 123 1113
To exercise any of these rights, email hello@gridsocial.co.uk. We respond within one calendar month, free of charge.
If you connected a Facebook or Instagram account and want us to delete the data we received from that connection, see our data deletion page.
8. Cookies
Grid Social uses only essential cookies needed to keep you logged in and to remember your preferences during a session. We do not use third-party advertising cookies, marketing pixels, or cross-site tracking by default.
9. Security
We use HTTPS across all pages, encrypted-at-rest databases, OAuth token encryption, and the principle of least privilege for any human or system access. We patch dependencies regularly and review access quarterly. No system is perfectly secure — if you become aware of a vulnerability, please email hello@gridsocial.co.uk.
10. Children
Grid Social is a B2B service. We do not knowingly collect personal data from anyone under 18. If you believe a minor has submitted data, contact us and we will delete it.
11. Changes to this policy
If we make material changes, we will update the effective date at the top and, where the change is significant, notify existing customers by email. Minor wording or clarification changes are made silently. The current version is always the version at this URL.
12. Contact
Email: hello@gridsocial.co.uk
Post: A Mackay (Publisher) Ltd, 87 Knightscliffe Avenue, Glasgow, G13 2RX, United Kingdom