Data Protection (UK GDPR)
Last updated 2 June 2026
Our approach to data protection
Grace's stated principles (draft from the product's real data principles; must be true and reviewed before publish): per-channel/per-topic consent, right-to-erasure handling, audit trail, and data-protection-by-design. [Reviewed legal wording required.]
Data subject rights
How to exercise your rights under UK GDPR. [Reviewed legal wording required.]
Roles — controller vs processor
When Grace acts as a controller vs a processor. [confirm]
Sub-processors
The marketing-site processor list (confirm final list): Plausible, Meta Pixel, PostHog, Resend, Cal.com or Calendly, Vercel, Notion or Airtable. Updates to this list: [where to find updates — reviewed legal wording required.]
Data Processing Agreement (DPA)
Availability and how customers request the binding DPA (counsel-drafted contract artefact — this page links to/offers it, does not reproduce it). [Reviewed legal wording required.]
Complaints and contact
Data Protection Officer / privacy contact: use our contact form and choose Privacy / data protection. You have the right to lodge a complaint with the ICO. Grace is not yet registered with the ICO; [reviewed legal wording required.]