Privacy Policy

Vidual Spaces is operated by Where Beagles Dare Ltd(“Vidual”, “we”, “us”), a company registered in England and Wales (company no. 11038022). Our registered office is at the foot of this page.

We act in two different roles in relation to personal data:

• Controller for the personal data we collect about you in order to operate the service — your email address, account and billing details, technical logs and your use of the product. This is the data described in section 2 below.
• Processor for the personal data contained inside the files, metadata and other content you upload to your workspace. In respect of that content, you (or the workspace owner) are the controller; we process it only on your instructions and only to provide the service. Our obligations as processor are set out in section 11 below.

References in this policy to “personal data”, “controller”, “processor”, “processing” and other defined terms carry the meaning given to them by the UK GDPR and the EU GDPR (Regulation 2016/679).

We collect and process the following categories of personal data about you as a Vidual Spaces customer or user:

• Account data — the email address you sign up with, the name and subdomain of your workspace, and the role you hold within it.
• Billing data — the billing email, billing address, country of residence and tax identifiers you provide, together with a payment-method token returned to us by our payment processor (Stripe). We do not see or store your card number, CVV, or full bank account details.
• Technical data — IP address, browser type and version, device type, operating system, referrer, time of request and similar information automatically logged when you use the service.
• Product-usage data — pages visited within the application, actions taken (uploads, downloads, searches, shares, permission changes), and timestamps associated with them.
• Support data — the contents of any email, form or message you send us when contacting us for support or other purposes.

We process the data described in section 2 for the following purposes, relying on the lawful bases shown:

• Authenticating you and operating your account — performance of the contract you enter into when you create a workspace (UK/EU GDPR Article 6(1)(b)).
• Billing, tax and accounting records — performance of contract (Article 6(1)(b)) and compliance with our own legal obligations (Article 6(1)(c)).
• Providing the file-storage service, including storing, serving, transmitting, backing up, generating previews and indexing the content you upload — performance of contract (Article 6(1)(b)).
• Security, abuse prevention, fraud detection and trust-and-safety — our legitimate interests in operating a secure service, and compliance with our legal obligations (Article 6(1)(c) and (f)).
• Improving the product — our legitimate interests in understanding how the service is used and where it can be made better (Article 6(1)(f)).
• Sending transactional communications (sign-in links, billing notices, security alerts) — performance of contract and legitimate interests.
• Sending marketing communications — your consent, which you can withdraw at any time by clicking the unsubscribe link in any marketing email (Article 6(1)(a)).
• Responding to legal process and complying with applicable law — compliance with legal obligation (Article 6(1)(c)) and, where relevant, our legitimate interests in protecting our service, our customers and third parties (Article 6(1)(f)).

We do not sell your personal data. We do not use your content to train shared or third-party artificial-intelligence models. We do not use automated decision-making, including profiling, in a way that produces legal or similarly significant effects on you.

File content is stored on Cloudflare R2. When you create a workspace, you choose a data-residency jurisdiction. The default is the European Union; the United Kingdom and the United States are also available.

Where you choose UK or EU residency, your file content is held in data centres in that jurisdiction and does not leave it as part of ordinary service operation. Where you choose US residency, your file content is held in data centres in the United States; that transfer is made on the basis of the EU–US Data Privacy Framework (and the UK extension to it) where applicable, and otherwise on the basis of the Standard Contractual Clauses adopted by the European Commission and the International Data Transfer Addendum issued by the UK Information Commissioner. Copies of those transfer mechanisms are available on request to legal@vidualspaces.com.

Account, billing, technical and support data may be processed in the United Kingdom, the European Union or the United States in the ordinary course of running our infrastructure. Transfers outside the UK and EEA in respect of that data rely on the same mechanisms.

To power search inside your workspace, the contents of your files may be processed to generate text embeddings and to detect named entities (people, organisations, places, dates, products, financial figures). The output is stored alongside the files within your workspace and is used only to serve your own search experience within that workspace. It is not shared with other customers and it is not used to train any model.

Where the underlying AI processing is performed by a sub-processor (see section 6), that sub-processor is bound by contract to use the content only to deliver the requested processing to us, and not for its own purposes, training, or improvement of its own services.

We use a small number of sub-processors to operate Vidual Spaces. Each is bound to written processor terms and to the same data-protection obligations that bind us.

• Cloudflare R2 — file storage. Data centres in the jurisdiction you choose at signup (EU, UK or US).
• Stripe — payments processing. United States and Ireland.
• Resend — transactional email delivery (sign-in links, billing notices). United States.
• Railway — application hosting and database. Region matches workspace residency where the provider offers it.
• Our AI provider — for embedding generation and entity detection (current provider and location available on request, contractually bound to a no-training, no-retention posture for our content).

We may change sub-processors from time to time. For B2B customers we will give 30 days’ notice of any new sub-processor on request and provide a mechanism to object.

We do not share your personal data with third parties except as described in this policy. We may share data:

• with sub-processors, as described in section 6, to the limited extent necessary for them to deliver the service to us on your behalf;
• with our professional advisors (accountants, lawyers, insurers, auditors) where reasonably necessary and under appropriate duties of confidentiality;
• with law enforcement, regulators and other competent authorities in response to valid legal process, as described in section 6 of the Terms of Service and in section 12 of this policy;
• with a successor entity in connection with a merger, acquisition, reorganisation or sale of substantially all of our assets, where that successor agrees to be bound by this policy or by terms at least as protective of you.

We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Files in storage are encrypted at rest by our storage provider; connections to and from the service are encrypted in transit using TLS. Access to production systems is limited to a small number of named staff and is logged.

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner’s Office (or other relevant supervisory authority) within the 72-hour window required by law, and we will notify affected customers without undue delay.

We retain your personal data only for as long as we need it for the purposes set out in section 3, or for as long as the law requires.

• Active workspaces — account, billing, technical and product-usage data is retained for the life of the workspace.
• Cancelled workspaces — workspace content is retained for 90 days after cancellation so that you can recover or export it, then permanently deleted. Backups containing the data are deleted in the ordinary course of our backup cycle within a further 30 days.
• Files deleted from an active workspace — recoverable for 30 days from a per-workspace trash, then permanently deleted.
• Audit and security logs — 24 months, after which logs are deleted or anonymised.
• Billing records — kept for seven years after the end of the tax year in which the relevant transaction occurred, in accordance with UK statutory record-keeping requirements.
• Support correspondence — kept for three years from the last interaction.

If you are in the United Kingdom or the European Union, you have the following rights in respect of your personal data:

• Right of access — to a copy of the personal data we hold about you;
• Right to rectification — to ask us to correct inaccurate or incomplete data;
• Right to erasure — to ask us to delete your data in certain circumstances;
• Right to restriction — to ask us to stop using your data in certain circumstances;
• Right to portability — to receive a machine- readable copy of data you provided to us;
• Right to object — to processing we carry out on the basis of legitimate interests, and to marketing communications at any time;
• Right to withdraw consent — where we rely on consent, at any time, without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, write to hello@vidualspaces.com. We will respond within one month; for complex requests we may extend that period by a further two months and will tell you if we do.

If you are not satisfied with how we have handled your data, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or, if you are based in the European Union, with the data- protection supervisory authority of the country where you live or work. We would appreciate the opportunity to address your concerns first by writing to hello@vidualspaces.com, before you approach the regulator.

For the personal data contained in the files and metadata you upload, we act as your processor and we will:

• process the content only on your documented instructions, which are the instructions contained in your use of the product and in these terms;
• ensure that personnel authorised to access the content are under appropriate confidentiality obligations;
• implement appropriate technical and organisational measures to protect the content (see section 8);
• engage sub-processors only as described in section 6 and on back-to-back contractual terms;
• assist you, to the extent reasonably possible, in responding to data-subject requests addressed to you;
• assist you with data-protection impact assessments and prior consultation with the regulator where required;
• notify you without undue delay of any personal data breach affecting your content;
• on termination of your workspace, delete or return the content in accordance with section 9.

These obligations are set out in our Data Processing Agreement, which is incorporated into the Terms of Service and applies to every customer without separate signature. Customers who require a signed copy may request one from legal@vidualspaces.com.

We will respond to lawful requests for information from law enforcement, regulators and other competent authorities as described in section 6 of the Terms of Service. Where we are legally permitted to do so, we will give the affected customer reasonable advance notice of any disclosure; where we are prohibited from giving notice, we will not.

Authorities should direct legal process to legal@vidualspaces.com.

Vidual Spaces uses a small number of strictly-necessary cookies to keep you signed in, to maintain your session, and to remember minor user-interface preferences. We do not use third-party advertising cookies and we do not use analytics that profile you across other websites.

Because the cookies we use are strictly necessary for the service you have asked for, we rely on the strictly-necessary exemption under the UK Privacy and Electronic Communications Regulations 2003 (PECR) and the EU ePrivacy Directive; we do not display a cookie banner. If we ever introduce non-essential cookies we will obtain consent before doing so.

Vidual Spaces is intended for use by adults working in or with creative studios. We do not knowingly collect personal data from anyone under the age of 16. If you believe that a child has provided us with personal data, please contact us at hello@vidualspaces.com and we will take steps to delete it.

We may update this policy from time to time. For material changes affecting how we process your personal data, we will give at least 30 days’ advance notice by email and in-product before the change takes effect.

Privacy questions or rights requests can be sent to hello@vidualspaces.com. Legal process and formal requests from authorities should go to legal@vidualspaces.com.

Where Beagles Dare Ltd
Unit 6 Heritage Business Centre, Belper, Derbyshire, DE56 1SW, United Kingdom
Registered in England and Wales · Company No. 11038022
VAT No. 307323727