Data Protection (UK GDPR)

Last updated 2 June 2026

Our approach to data protection

Grace's stated principles (draft from the product's real data principles; must be true and reviewed before publish): per-channel/per-topic consent, right-to-erasure handling, audit trail, and data-protection-by-design. [Reviewed legal wording required.]

Data subject rights

How to exercise your rights under UK GDPR. [Reviewed legal wording required.]

Roles — controller vs processor

When Grace acts as a controller vs a processor. [confirm]

Sub-processors

The marketing-site processor list (confirm final list): Plausible, Meta Pixel, PostHog, Resend, Cal.com or Calendly, Vercel, Notion or Airtable. Updates to this list: [where to find updates — reviewed legal wording required.]

Data Processing Agreement (DPA)

Availability and how customers request the binding DPA (counsel-drafted contract artefact — this page links to/offers it, does not reproduce it). [Reviewed legal wording required.]

Complaints and contact

Data Protection Officer / privacy contact: use our contact form and choose Privacy / data protection. You have the right to lodge a complaint with the ICO. Grace is not yet registered with the ICO; [reviewed legal wording required.]