Privacy Policy
Status: Draft v1 — closed beta only. This policy covers the closed-beta deployment of DewBee. It is pending review by a qualified IP / digital-services solicitor before any public launch. The processing described below is limited to a small invited cohort (≤ 8 households) of consenting parents.
Last updated: 21 May 2026
Effective date: From the date you submit your email to the waitlist or accept an invite.
Data controller: Tim Houghton (founder), trading as DewBee.
Contact: hello@dewbee.co.uk.
ICO registration: ZC140847
What this policy covers
This policy explains what personal data we collect when you:
- Join our waitlist via the public landing page
- Receive a closed-beta invite and create an account
- Use the closed-beta product behind authentication
It does not yet cover the full v1 product (extraction, scheduler, dashboard, sync) — those features ship in subsequent slices, and this policy will be updated as data flows expand. We will email closed-beta participants about any material change.
What we collect, why, and the lawful basis
| Data | When we collect it | Why | Lawful basis |
|---|---|---|---|
| Email address | Waitlist signup; invite acceptance; sign-in | Issuing closed-beta invites; sending you product updates if you opted in; authenticating you on sign-in | Contract (Art. 6(1)(b)) for waitlist invite + sign-in; Consent (Art. 6(1)(a)) for marketing emails |
| Marketing-consent boolean + timestamp | Waitlist signup | Demonstrating valid consent for marketing emails (optional, not required) | Consent |
| Source attribution | Waitlist signup | Understanding where signups originate | Legitimate interest (Art. 6(1)(f)) — minimal, non-tracking |
| Year-group (optional) | Waitlist signup | Cohort segmentation for prioritised invite send-out | Legitimate interest — service prioritisation |
| Free-text "why" (optional) | Waitlist signup | Understanding what brought you to DewBee, prioritising founding families who reference our wedge | Legitimate interest — service prioritisation |
| IP address | Waitlist signup; admin actions; sign-in | Rate limiting (anti-abuse); security audit log | Legitimate interest — security |
| Authentication cookies | After sign-in | Maintaining your signed-in session | Strictly necessary |
We do not collect:
- Children's personal data. Closed-beta accounts are issued to parents only.
- Payment data. There are no paid plans during closed beta.
- Special-category data (health, religion, biometric, etc.).
Marketing emails
We send two categories of email:
- Transactional (sent to everyone on the waitlist): your invite when it's ready; service-related notices; one-off research outreach related to fulfilling the waitlist promise. Lawful basis: contract.
- Marketing broadcasts (only sent if you ticked the optional consent checkbox): early-access news, occasional revision tips, product updates, research-input requests. Lawful basis: consent. You can withdraw consent at any time by clicking unsubscribe in any marketing email or emailing us.
Sub-processors
| Processor | What they do | Where data is processed |
|---|---|---|
| Supabase Inc. | Database + authentication + email-sending | EU / Frankfurt; SOC 2 Type 2; ISO 27001 |
| Vercel Inc. | Application hosting | EU / Frankfurt; SOC 2 Type 2; ISO 27001 |
| Kit | Marketing email broadcasts (only with your consent) | United States; UK→US under DPF + UK extension |
| Upstash Inc. | Redis-backed rate limiting | EU / Frankfurt where available; SOC 2 Type 2 |
How long we keep it
| Data | Retention |
|---|---|
| Waitlist email + consent timestamp + year-group + why | Until you ask us to delete it, or 24 months after your last interaction |
| Account record | For the active life of the closed beta + 30 days after closure |
| Authentication session cookies | 7 days from last sign-in |
| Audit log (admin actions) | 12 months |
| Rate-limit data | < 60 seconds per request |
| Marketing list (Kit) | Until you unsubscribe, or 24 months after last engagement |
Your rights under UK GDPR
You have the right to: Access, Rectification, Erasure, Restriction, Portability, Object to processing, and Withdraw consent. For closed beta, all rights requests are handled manually by Tim. Email hello@dewbee.co.uk and we will respond within 30 days.
You can also complain to the UK Information Commissioner's Office (ICO): ico.org.uk / 0303 123 1113.
How we secure your data
- All connections use HTTPS / TLS 1.2+
- Authentication is by magic link only — no passwords stored
- Session cookies are httpOnly + Secure + SameSite=Lax
- Database access is governed by Postgres Row-Level Security
- Service-role keys are scoped to server-side code only
- Rate limits are enforced on every public POST endpoint
- Hosted in EU / Frankfurt only
- Audit log records every administrative action with the actor's IP
Cookies
See our Cookie Policy for the full inventory and consent posture.
Children's data
Closed-beta service is provided to parents. We do not knowingly accept signups from anyone under 18. Future slices that involve student access will publish a separate Children's Privacy Notice and complete a full DPIA covering the ICO Children's Code.
Changes to this policy
We will email closed-beta participants about any material change. Material changes that affect lawful basis or sub-processors will be notified at least 14 days before they take effect.
Contact
- Privacy questions: hello@dewbee.co.uk
- DSAR / Erasure: hello@dewbee.co.uk (subject "DSAR" or "Erasure")
- ICO complaints: ico.org.uk
Disclaimer
This Privacy Policy is a draft prepared by the founder for the closed-beta deployment of DewBee. It has not yet been reviewed by qualified legal counsel. Before any public launch, this policy must be reviewed and updated by a qualified IP / digital-services solicitor familiar with UK GDPR, the ICO Children's Code, PECR, and UGC platform safe-harbour. It is not legal advice; it is a working draft.