
Privacy Policy

Last updated: 1 January 2025

Your privacy matters to us. This policy explains what personal data Seedling collects, why we collect it, how we use it, and your rights regarding that data. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who is responsible for your data

Seedling is the data controller for the personal data you provide when using this platform. If you have questions about how we handle your data, please contact us or email privacy@seedlingcrowdfund.com.

2. What data we collect

2.1 Account data

When you create an account, we collect your name, email address, and (if you sign in with Google) your Google profile information.

2.2 Campaign data

If you create a campaign, we store the content you submit: title, description, funding goal, category, and any images you upload.

2.3 Payment data

When you make a pledge, your payment is processed by Stripe. Seedling does not store your card details. We receive from Stripe: the amount pledged, the currency, a session ID, and confirmation of payment status. We also record the GBP equivalent of your pledge for campaign totals.

2.4 Contact form data

When you submit a message via our contact form, we store your name, email address, subject, and message content.

2.5 Usage data

We use Google Analytics (Firebase) to collect anonymised data about how users navigate the site, including pages visited and time on site. This data does not personally identify you.

3. How we use your data

We use the data we collect to:

  • Provide and operate the Seedling platform
  • Process pledges and update campaign totals
  • Send you emails related to your account (e.g. password resets)
  • Respond to support and contact form submissions
  • Detect and prevent fraud or misuse of the platform
  • Improve the platform using anonymised analytics data

We do not sell your personal data to third parties. We do not use your data for automated decision-making or profiling.

4. Legal basis for processing

We process your personal data on the following legal bases:

  • Contract: processing necessary to provide the service you signed up for
  • Legitimate interests: analytics and fraud prevention
  • Legal obligation: retaining certain financial records as required by law

5. Third parties we share data with

We share data with the following third-party services where necessary to operate the platform:

  • Google Firebase — authentication, database (Firestore), file storage, and analytics. Data may be stored on servers within the EEA or USA under standard contractual clauses.
  • Stripe — payment processing. Stripe is PCI-DSS compliant. See Stripe's Privacy Policy.
  • Open Exchange Rates API — real-time currency conversion. No personal data is shared with this service.

6. Cookies and tracking

Seedling uses the following cookies and similar technologies:

  • Firebase Auth session cookie — keeps you logged in. Essential for the platform to function.
  • Google Analytics cookies — anonymised usage analytics. You may opt out via your browser settings or a browser extension such as the Google Analytics Opt-out Add-on.
  • SessionStorage — used to cache exchange rate data locally for performance. This data is cleared when you close your browser tab.

7. How long we keep your data

We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are legally required to retain certain records (such as financial transaction records, which we keep for 7 years in line with UK tax law).

Contact form submissions are retained for up to 2 years.

8. Your rights

Under UK GDPR, you have the following rights:

  • Access: you can request a copy of the personal data we hold about you
  • Rectification: you can ask us to correct inaccurate data
  • Erasure: you can ask us to delete your data ("right to be forgotten")
  • Restriction: you can ask us to limit how we use your data
  • Portability: you can request your data in a machine-readable format
  • Objection: you can object to processing based on legitimate interests

To exercise any of these rights, contact us. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

9. Security

We take reasonable technical and organisational measures to protect your data. This includes HTTPS encryption on all pages, Firebase Security Rules restricting data access, and Stripe handling all payment card data — meaning card numbers never touch our servers.

No system is completely secure. If you discover a security issue, please report it to security@seedlingcrowdfund.com.

10. Children

Seedling is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date and notify registered users by email. Continued use of the platform after changes take effect means you accept the updated policy.

12. Contact

For any privacy-related questions or requests, please contact us or email privacy@seedlingcrowdfund.com.

© 2026 Seedling. Built with 💚