Privacy policy
Frameboard Limited ("Frameboard", "we", "us") is committed to protecting your privacy. This policy explains what personal data we collect, how we use it, the legal bases we rely on, and the rights you have over your data. It is written to comply with the UK General Data Protection Regulation (UK GDPR), the EU GDPR where it applies, and the Data Protection Act 2018.
This policy covers personal data processed through myframeboard.app, myframeboard.io, frameboard.co.uk and related subdomains, apps, and services (the "Service"). For our customers' clients and other third parties whose data passes through the Service, see section 6 "Data you upload about others".
1. Who we are (Data Controller)
Frameboard Limited is a company registered in England and Wales, company number 17154107. We are the data controller for personal data about our customers, prospects, and website visitors. For personal data our customers upload into the Service about their clients, Frameboard acts as a data processor under our Data Processing Agreement.
You can contact us about any privacy matter at privacy@myframeboard.app. We have not appointed a Data Protection Officer because we are not required to under Article 37 UK GDPR.
2. What we collect
Account data
- Name and email address (required to create an account)
- Company name, job title, industry, team size (optional, for personalisation and plan matching)
- Authentication credentials - passwords are salted and hashed with bcrypt; we never store them in clear text
- Single sign-on (SSO) identifiers if you sign in via Google or an enterprise provider
Product data
- Proposals, briefs, catalogue items, templates, project content, messages and other content you create or upload
- Client contact details you add to proposals (see section 6)
- Files you upload (images, videos via Mux, documents)
- Usage telemetry - page views, feature interactions, error logs, device and browser metadata - for product improvement and security
- Audit logs of administrative actions taken within your account
Billing data
- Billing name, address, country and VAT status (for invoices)
- Stripe customer and subscription identifiers
- Payment card data is processed directly by Stripe and never stored on our servers; we only receive a tokenised reference
Support and communications
- Support tickets, emails and chat transcripts you send us
- Product feedback and survey responses
- In-app AI-assistant transcripts (stored short-term to debug and improve the assistant)
Cookies and similar technologies
See our Cookie policy for the full list. In short: a session cookie for authentication, Plausible (a privacy-first, cookieless analytics tool), and local storage for UI preferences. No advertising cookies, no cross-site tracking.
3. Legal bases (why we process)
Under UK GDPR Article 6, we rely on the following legal bases:
- Contract (Art 6(1)(b)) - to provide and operate the Service, process payments, and manage your subscription.
- Legitimate interests (Art 6(1)(f)) - to secure the Service, prevent fraud and abuse, improve features, and send operational or relationship emails to existing customers. You have the right to object.
- Consent (Art 6(1)(a)) - for optional marketing emails and non-essential cookies. You can withdraw consent at any time without affecting prior processing.
- Legal obligation (Art 6(1)(c)) - to retain invoices and comply with tax, accounting, and regulatory requirements.
4. How we use your data
- Provide, operate, and maintain the Service
- Process payments, issue invoices, manage subscriptions and top-ups
- Send transactional email (approvals, receipts, password resets, usage-limit warnings)
- Send product updates and roadmap announcements (you can unsubscribe in one click)
- Detect, prevent and respond to fraud, abuse, security incidents and service outages
- Improve the Service through aggregated usage analytics and A/B tests
- Provide customer support and respond to your enquiries
- Comply with legal obligations and defend legal claims
5. AI processing
Frameboard uses third-party large language models (currently Anthropic Claude, operated by Anthropic, PBC) to generate proposal copy, answer in-app help questions, and assist with catalogue setup. When you submit a brief or message, the relevant text is sent to Anthropic's API under a zero-retention commercial agreement. Anthropic does not train models on your prompts or outputs, and retains them only transiently for abuse monitoring in line with its commercial terms.
We do not use your content to train third-party models or any Frameboard-owned models.
6. Data you upload about others (client data)
When you use Frameboard to generate proposals and run projects, you may upload personal data about your clients and prospects (name, email, company, job title, etc.). For that data, you are the data controller and Frameboard is a data processor. Our processing of that data is governed by our Data Processing Agreement, which is automatically incorporated into our Terms of Service.
You confirm that you have a lawful basis (typically legitimate interest or contract) to transfer that data to us.
7. Sub-processors
We only share Customer Data with sub-processors who are necessary to deliver the Service. Each is contractually bound to protect your data:
- Stripe Payments Europe Ltd (Ireland) - payment processing and subscription management
- Netlify Inc. (USA) - hosting, edge functions, blob storage for daily backups
- Airtable, Inc. (USA) - primary operational data store
- Resend (USA) - transactional email delivery
- Anthropic, PBC (USA) - AI inference for proposal and in-app assistant
- Mux, Inc. (USA) - video hosting for proposal examples and catalogue media
- Plausible Insights OÜ (Estonia) - privacy-first, cookieless website analytics
- Cloudflare, Inc. (USA) - DNS, CDN, and DDoS protection via Netlify
- Google Workspace (Ireland/USA) - internal email and document collaboration
We never sell your data. We publish a sub-processor change log in our changelog and will give customers at least 14 days' notice of new or changed sub-processors affecting Customer Data.
8. International transfers
Some sub-processors are based outside the UK, including in the United States. Where data is transferred internationally we rely on (a) the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, (b) transfers to countries with a UK adequacy decision, or (c) other safeguards permitted by UK GDPR. Copies of the relevant transfer mechanism are available on request.
9. Data retention
- Account data - retained for the lifetime of your account plus 90 days.
- Customer Data - retained until you delete it or close your account, then permanently deleted within 90 days except where retention is required by law.
- Invoices and tax records - retained for 6 years to comply with HMRC requirements.
- Security and audit logs - retained for 12 months.
- Anonymised usage analytics - retained indefinitely (cannot be linked back to an identifiable person).
- Support correspondence - retained for 3 years from the last interaction.
10. Security
We implement technical and organisational security measures appropriate to the risk, including:
- TLS 1.2+ for all data in transit
- Salted and hashed passwords (bcrypt); we never store plaintext passwords
- Role-based access controls and least-privilege for employee access
- Audit logging of administrative actions
- Daily automated backups to separate infrastructure (Netlify Blobs)
- IP allowlisting and SSO for Enterprise customers
- Annual review of security controls and sub-processors
11. Data breach notification
If we become aware of a confirmed personal data breach likely to result in risk to your rights and freedoms, we will notify you without undue delay and in any event within 72 hours of becoming aware, consistent with UK GDPR Article 33. Notification will describe the nature of the breach, likely consequences, measures taken, and the point of contact.
12. Your rights
Under UK GDPR you have the right to:
- Access - request a copy of the personal data we hold about you
- Rectification - correct inaccurate or incomplete data
- Erasure - request deletion where our legal basis no longer applies
- Restriction - ask us to stop processing while a dispute is resolved
- Portability - receive your data in a machine-readable format
- Object - object to processing based on legitimate interests, including direct marketing
- Withdraw consent - at any time, for any processing based on consent
- Not be subject to solely automated decision-making that produces legal or similarly significant effects
To exercise any of these rights, email privacy@myframeboard.app. We will respond within one month. There is no charge except for manifestly unfounded or excessive requests.
You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk or your local data protection authority.
13. Automated decision-making
We do not use your personal data for solely automated decisions that produce legal or similarly significant effects. AI-generated proposal copy is a drafting aid reviewed and approved by you before being sent to any recipient.
14. Children
The Service is not intended for or directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
15. Marketing
We may send you occasional product updates, tips, and announcements. Every marketing email includes a one-click unsubscribe link. Transactional emails (receipts, password resets, usage warnings) are not marketing and cannot be opted out of while you hold an active account.
16. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to the account owner at least 14 days before they take effect, or in-app where email is not appropriate. The "Last updated" date at the top of this page reflects the latest version. Past versions are available on request.
17. Contact
Privacy enquiries and rights requests: privacy@myframeboard.app
Security concerns: security@myframeboard.app
Postal address: available on request to the above email