Privacy & Security
Last updated: 1st March, 2026
We are committed to protecting the privacy, security, and trust of our customers. This policy sets out how we handle data, safeguard your information, and maintain transparency in our practices.
1. Data We Collect
- Account data: organisation name, and names and email addresses of application users.
- Billing data: subscription information processed by our payment providers (we do not collect payment details).
- Service data: content you upload or test using Preflight, along with system logs for performance and error monitoring.
2. How We Use Data
- Provide and improve our services.
- Process payments and manage subscriptions.
- Communicate service updates or important notices.
- Monitor performance, reliability, and security.
We do not sell customer data to third parties.
3. Subprocessors
We work with carefully selected subprocessors (such as hosting, payment, and email delivery providers) to run our services. A full, up-to-date list of subprocessors and their compliance information is provided below.
| Subprocessor | Purpose | Compliance |
|---|---|---|
| Cloudflare | Content Delivery, Networking, DDoS protection | ISO 27001, ISO 27018, ISO 27701, SOC 2 Type II |
| DigitalOcean | Cloud hosting & infrastructure. Our data and servers are all located in their UK datacentre. We use the global content delivery network for generated image assets. | ISO 27001, SOC 2, GDPR |
| Postmark | Transactional email delivery. | GDPR, SOC 2 |
| Sentry | Error and performance tracking. | GDPR, SOC 2 |
| Simple Analytics | Privacy-first page and event tracking. | GDPR, PECR, CCPA, HIPAA, TTDSG |
| Paddle | Merchant of Record. Handles payments, tax and related compliance. | SOC 2, PCI DSS 4.0.1, GDPR, CCPA |
4. Security Measures
- Encryption of data in transit and at rest.
- Access controls and authentication.
- Regular monitoring and security reviews.
- Data minimisation practices.
5. Data Retention & Deletion
- We retain customer data only for as long as necessary to provide our services or as required by law.
- Customers may request deletion of their data at any time, in line with our obligations under data protection laws.
- If an account is cancelled or suspended for non-payment, all associated data will be permanently deleted within 5 working days.
6. International Transfers
Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs).
7. Your Rights
- Request access to your personal data.
- Ask us to correct or delete your data.
- Withdraw consent to processing where applicable.
Requests can be sent to hello@preflight.qa.
8. Changes to This Policy
We may update this policy from time to time. If changes are significant, we will notify you by email or through our service.
9. Contact
If you have any questions about this policy or how we handle your data, please contact us at hello@preflight.qa.
Cookies
Preflight observes GDPR and the ePrivacy Directive, only using strictly necessary cookies to manage signup, authentication, and customer sessions within the application.
Preflight does not currently use any first- or third-party cookies for other purposes.