← Back to home

Privacy Policy

Last updated: February 24, 2026

1. Data Controller

PrivacyCache (“we”, “our”, or “us”) is the data controller responsible for your personal data. PrivacyCache is a privacy compliance management platform that helps organisations manage GDPR evidence, DSARs, and audit readiness.

Contact: contact@privacycache.com

2. What Data We Collect

Account Information

When you create an account, we collect:

  • Name and email address
  • Authentication data (via email/password or Google Sign-In)
  • Organisation name

Compliance Data

When you use our compliance features, we process:

  • Evidence files and associated metadata
  • Data inventory entries
  • DSAR case information
  • Audit logs and verification records
  • SHA-256 hashes of evidence for integrity

Free Tool Usage (DSAR Calculator)

When you use our free DSAR Deadline Calculator, we may collect your email address if you opt in to receive your results. Calculator inputs (jurisdiction, request type, dates) are processed client-side and not stored on our servers.

Automatically Collected Data

With your consent (via our cookie banner), we collect analytics data through PostHog:

  • Pages visited and interactions
  • Browser type, device type, and screen size
  • Approximate location (country/region level)

This data is only collected if you accept analytics cookies. If you reject cookies, no analytics data is collected.

3. Legal Bases for Processing (GDPR Art. 6)

We process your personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b)): Processing your account and compliance data to provide the service you signed up for
  • Consent (Art. 6(1)(a)): Analytics cookies (PostHog) and optional email capture for free tools — you can withdraw consent at any time
  • Legitimate interest (Art. 6(1)(f)): Security logging, fraud prevention, and service improvement
  • Legal obligation (Art. 6(1)(c)): Retaining audit logs and evidence records where required by law

4. Sub-Processors

We use the following third-party services to provide PrivacyCache. All are bound by Data Processing Agreements (DPAs):

ServicePurposeLocation
NeonPostgreSQL database hostingEU (Frankfurt)
Cloudflare R2Evidence file storageEU
RailwayApplication hostingEU
AnthropicSmart Evidence Capture (AI metadata extraction)US (no data retention)
Polar.shSubscription paymentsEU
PostHogProduct analytics (consent-based)EU
ResendTransactional email delivery (reports, alerts)US (SCCs in place)
Better AuthAuthenticationSelf-hosted (EU)

5. Cookies

We use the following types of cookies:

Strictly Necessary

Session cookies for authentication and cookie consent preference. These are required for the platform to function and cannot be disabled.

Analytics (Consent Required)

PostHog analytics cookies to understand how you use our platform. These are only set if you accept analytics cookies via our consent banner. You can change your preference at any time by clearing your browser cookies and revisiting the site.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide services:

  • Account data: Until account deletion (soft-deleted, then permanently removed after 30 days)
  • Compliance evidence: As long as needed for your compliance records, or until you request deletion
  • Audit logs: Retained for 7 years per regulatory requirements (append-only, cannot be modified)
  • Analytics data: Automatically deleted after 12 months

7. Your Rights (GDPR Art. 15–22)

Under the GDPR, you have the following rights:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you
  • Right to rectification (Art. 16): Request correction of inaccurate personal data
  • Right to erasure (Art. 17): Request deletion of your personal data
  • Right to restriction (Art. 18): Request restriction of processing your data
  • Right to data portability (Art. 20): Request your data in a machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interests
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at contact@privacycache.com. We will respond within 30 days as required by the GDPR.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit (TLS) and at rest
  • SHA-256 cryptographic hashing for evidence integrity
  • Multi-tenant data isolation (tenant-scoped queries)
  • EU-only data hosting (no data leaves the European Union except for AI processing via Anthropic, which has zero data retention)
  • Append-only audit logs for accountability

9. International Data Transfers

All core data processing occurs within the EU (Frankfurt). When evidence is processed by Anthropic's Smart Evidence Capture feature, image data is sent to Anthropic's API (US) for metadata extraction. Anthropic does not retain this data after processing. This transfer is covered by Standard Contractual Clauses (SCCs) and a Data Processing Agreement.

10. Children's Privacy

PrivacyCache is a B2B service designed for organisations. We do not knowingly collect personal information from children under 16 years of age. If you believe a child has provided us with personal information, please contact us.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we will notify you via email.

12. Supervisory Authority

If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

13. Contact Us

For any questions about this Privacy Policy or to exercise your data subject rights:

Email: contact@privacycache.com