Privacy Policy

1. Who we are

needs-to-stay is operated by Mark McCracken, trading as Cracksoft (cracksoft.dev). For the personal data we process about you as a user of the Service, we are the data controller. You can contact us about privacy matters at mark@cracksoft.dev.

This policy explains how we collect, use, share and protect personal data, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. The data we collect and why

• Your email address — collected when you sign in. We use it to send your passwordless magic-link sign-in emails, to operate your account, and to send service-related (transactional) messages such as payment receipts and notices that a page is about to expire.
• The content you enter — the text, names, job titles, quotes, testimonials, performance metrics, images and other material you add to a page. This often includes personal data about third parties (see section 4).
• The company domain you enter for branding — used to derive colours and a logo so your page can be auto-branded.
• Payment information — when you pay, our payment processor (Stripe) collects and processes your payment details. We do not receive or store your full card number; we receive confirmation of payment and limited transaction metadata.
• Technical and usage data — limited information needed to operate and secure the Service, such as your session and basic request/edge logs handled by our hosting provider.

3. Lawful bases

We rely on the following lawful bases under Article 6 of the UK GDPR:

• Performance of a contract — to provide the Service to you: creating and hosting your page, processing your payment, and sending transactional emails.
• Legitimate interests — to operate, secure, debug and improve the Service, to prevent abuse, and to enforce our terms. Where we rely on legitimate interests we have considered your rights and freedoms.
• Consent — where consent is the appropriate basis (for example, if we ever ask you to opt in to non-essential communications). You can withdraw consent at any time.
• Legal obligation — to comply with law, including keeping records relating to payments.

4. Personal data about other people

A page typically contains personal data about people other than you — the subject of the page, and often colleagues, managers, referees or others whose names, roles, quotes or metrics you include.

For that third-party personal data, you are the data controller and we act as your data processor: we process it on your behalf and on your instructions in order to host and display your page. You are responsible for having a lawful basis to use that information and for obtaining any consent that is required, for ensuring it is accurate and fair, and for responding to any rights requests from the people concerned. Our Terms of Service and Acceptable Use Policy set out these responsibilities in more detail. We will assist you, so far as reasonably possible, in meeting your obligations as a controller, and we will only process this data to provide the Service unless the law requires otherwise.

5. Sub-processors and third parties

We use a small number of trusted service providers (sub-processors) to run the Service. They process personal data on our behalf under appropriate contractual terms:

• Cloudflare — hosting, serverless compute (Workers), database (D1), edge caching, and email routing.
• Stripe — payment processing.
• Resend — delivery of transactional email (including magic-link sign-in emails).

Some of these providers may process data outside the UK. Where personal data is transferred internationally, we rely on appropriate safeguards recognised under UK data protection law — such as UK adequacy regulations or the International Data Transfer Agreement / the UK Addendum to the EU Standard Contractual Clauses — to ensure your data remains protected.

We may also disclose personal data where we are legally required to do so, or to establish, exercise or defend legal claims.

6. Retention

• Page content — your Content is removed or made inaccessible after the paid publication window ends, following a short grace period of up to 30 days during which you can renew the page or recover your work. After that grace period we delete or render the Content inaccessible, subject to backups being overwritten in the ordinary course.
• Your email address and account — kept for as long as your account remains active. If you close your account or are inactive for an extended period, we delete or anonymise your account data, subject to any data we must retain by law.
• Payment records — retained for as long as required to meet our legal and accounting obligations.

7. Cookies

We use a single, strictly necessary session cookie to keep you signed in and to operate the Service securely. We do not use advertising, analytics or cross-site tracking cookies. Because this cookie is essential to provide a service you have requested, no cookie-consent banner is required. We mention it here for transparency.

8. Your rights

Under the UK GDPR you have the right to:

• Access the personal data we hold about you;
• Rectification of inaccurate or incomplete data;
• Erasure of your data in certain circumstances;
• Restriction of processing in certain circumstances;
• Object to processing based on our legitimate interests;
• Data portability — to receive certain data in a portable format; and
• Withdraw consent at any time where we rely on consent.

To exercise any of these rights, email mark@cracksoft.dev. We will respond within the timeframes required by law (normally one month). Note that where we act as a processor for third-party personal data on a page, requests from those individuals should ordinarily be directed to the user who created the page (the controller); we will help that user respond and will pass on requests we receive.

9. Complaints

If you have a concern about how we handle your personal data, please contact us first so we can try to resolve it. You also have the right to complain to the UK's data protection regulator, the Information Commissioner's Office (ICO), at ico.org.uk or by calling its helpline.

10. Security

We take appropriate technical and organisational measures to protect personal data, including encryption in transit, restricted access, and reliance on reputable infrastructure providers. No online service can be guaranteed completely secure, but we work to protect your data and to handle any incident promptly and responsibly.

11. Changes to this policy

We may update this Privacy Policy from time to time. The current version, with its "last updated" date, is always published here. Material changes will take effect when published.

12. Contact

For any privacy question or to exercise your rights, contact mark@cracksoft.dev.