Privacy Policy
Last updated: June 2026
This policy explains what personal data Seamstack collects, why, and what your rights are under UK GDPR and the UK Data Protection Act 2018.
Who we are
Seamstack is operated at seamstack.io. We are in the process of registering with the Information Commissioner's Office (ICO) as required.
Two layers of data processing
Seamstack operates two distinct roles depending on whose data is involved:
- Data we collect from you (the community owner): When you sign up and manage your account on seamstack.io, Seamstack is the data controller. This policy covers that data.
- Data collected by your community site: When your community members interact with the site you build on Seamstack, you (the community owner) are the data controller for their personal data. Seamstack acts as your data processor under Article 28 UK GDPR. You are responsible for having a lawful basis for processing your members' data and for maintaining your own privacy policy for your community site.
If you are a community owner looking for guidance on your members' data obligations, contact us at privacy@seamstack.io.
What data we collect and why
Account and sign-in
If you sign in, we collect your email address and store a session record. We use this solely to authenticate you. We do not send marketing emails. The legal basis is the performance of a contract (providing you access to member features you have requested).
Server logs
As is the case with all web servers, our hosting provider automatically records standard access logs (IP address, browser type, pages visited, timestamps). These are retained for up to 30 days for security and diagnostic purposes. The legal basis is legitimate interests.
Analytics
We do not currently use any third-party analytics or tracking cookies.
Cookies
We use a single session cookie (authjs.session-token) if you sign in. This is a strictly necessary cookie and does not require your consent. We do not use advertising, analytics, or tracking cookies.
Who we share data with
We share your email address with Resend (our email delivery provider) solely to send you sign-in links. We do not sell, rent, or share your data with third parties for marketing purposes. Our database is hosted by Neon (EU region).
How long we keep your data
Account data is kept for as long as you have an account. If you request deletion, we will erase your account and associated data within 30 days. Server logs are deleted after 30 days.
Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (“right to be forgotten”)
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent
To exercise any of these rights, email us at privacy@seamstack.io. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the ICO at ico.org.uk.
Security
We use HTTPS for all data in transit. Our database provider encrypts data at rest. We use passwordless authentication (magic links) so no passwords are ever stored. We review security practices regularly.
Changes to this policy
We will update this page if our practices change. Continued use of the site after a change constitutes acceptance of the updated policy.
This policy is provided for transparency. It is not professional legal advice. If you have questions, contact us at privacy@seamstack.io.