handlebot

Audit

Policies

Vault

Footprint

Infringements

Trust Index

Features

About

Resources

Legal

Login

handlebot

Audit

Policies

Vault

Footprint

Infringements

Trust Index

Features

About

Resources

Legal

Login

handles.org Privacy Policy

handles.org Privacy Policy

handles.org Privacy Policy

Effective Date: 29/05/2025

This Privacy Policy explains how @ Ltd ("Handles, "we," "our") collects, uses, shares and protects personal data when you ("Customer" or "you") visit handles.org, create an account, or otherwise use our social‑media operating‑system services (the "Service"). It also describes your privacy rights and how UK data‑protection law applies.

Handles Group Ltd is registered in England & Wales with its registered office at Suite 5 Manor House, 1 Macauley Road, Broadstone, BH18 8AS, United Kingdom. For the purposes of UK GDPR and the Data Protection Act 2018, Handles is the data controller of the personal data described below.

1. Personal Data We Collect

Category

Examples

Source

Purpose

Account Data

Name, business email address, job title, organisation, OAuth identity‑provider ID, profile picture (if supplied by IdP)

Provided by you or your employer via OAuth

Create and administer Workspace accounts, authenticate users, provide support

Social‑Media Data

Access tokens, account IDs, channel metadata, post analytics

Pulled via authorised API connections to third‑party social‑media platforms

Enable workspace features, schedule posts, generate analytics

Billing Data

Payment method, card‑holder name, last four digits, billing address, VAT number

You directly to our payment processor (Stripe)

Process subscription fees, detect fraud, comply with tax laws

Usage & Device Data

Log files, IP address, browser type, device identifiers, pages viewed, actions taken

Collected automatically via cookies and server logs

Service security, performance, and product analytics

Support Data

Contact details, summary of issue, diagnostic logs

You via email or chat

Respond to enquiries and resolve incidents

We do not intentionally collect or require sensitive data (special categories) or personal data of children. The Service is restricted to enterprise users aged 18 years or older.

2. How We Use Personal Data (Legal Bases)

Purpose

Legal Basis (UK GDPR Article 6)

Provide, secure and maintain the Service

Contract (Art. 6 (1)(b))

Process subscription payments

Contract; Legal obligation for accounting (Art. 6 (1)(c))

Detect, prevent or investigate fraud and abuse

Legitimate interests (Art. 6 (1)(f))

Improve and develop our products

Legitimate interests

Send service‑related communications

Contract

Send optional marketing communications (e.g., product updates, webinars)

Consent (Art. 6 (1)(a)); you may opt out at any time

Comply with applicable laws, court orders, or regulatory requirements

Legal obligation

3. Sharing & Disclosure

We share personal data only as described:

  1. Service Providers (Processors). Hosting (e.g., AWS UK/EU), payment processing (Stripe), email delivery, analytics, and customer‑support platforms.

  2. Social‑Media Platforms. When you connect a social‑media account, we disclose OAuth tokens and content to that platform as necessary to deliver the Service.

  3. Corporate Affiliates. Within the Handles corporate group on a need‑to‑know basis.

  4. Business Transfers. In connection with a merger, acquisition, or sale of assets (you will be notified before data is transferred).

  5. Legal & Compliance. Where required to comply with law, enforce agreements, or protect rights, property or safety.

We do not sell personal data.

4. International Transfers

Your personal data may be transferred outside the UK/EEA (e.g., to AWS regions or Stripe in the United States). Where we do so, we rely on UK Addendum‑approved Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms, and we implement appropriate safeguards.

5. Data Security

We employ administrative, technical, and organisational measures designed to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest for core databases

  • OAuth 2.0 / OpenID Connect authentication

  • Role‑based access controls and least‑privilege principles

  • Routine penetration testing and vulnerability management

  • ISO 27001‑aligned security policies (audit pending)

However, no internet transmission is completely secure; you acknowledge that risk when using the Service.

6. Data Retention

Data Category

Default Retention Period

Account & Workspace data

For the duration of the subscription + 90 days

Social‑media access tokens & analytics

Rotated or deleted upon workspace deletion or token revocation

Billing records

7 years to comply with HMRC accounting requirements

Support tickets & logs

2 years after ticket closure

Backup archives

Encrypted; purged on a rolling 30‑day schedule

We may retain data longer if required to establish, exercise or defend legal claims.

7. Your Rights

Subject to certain limitations, you have the following rights under UK GDPR:

  1. Access – obtain a copy of your personal data.

  2. Rectification – have inaccurate or incomplete data corrected.

  3. Erasure – request deletion where we have no lawful basis to continue processing.

  4. Restriction – limit processing under certain circumstances.

  5. Portability – receive your data in a structured, machine‑readable format.

  6. Objection – object to processing based on legitimate interests or direct marketing.

  7. Withdraw consent – where processing is based on consent.

To exercise any right, email privacy@handles.org. We may need to verify your identity. If you are not satisfied with how we handle your request, you may lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.

8. Cookies & Tracking Technologies

We use cookies and similar technologies to:

  • Maintain session authentication (strictly necessary)

  • Collect anonymised usage analytics via Matomo or Google Analytics (analytics)

You can manage cookie preferences through your browser settings or via the in‑app cookie banner at first login.

9. Third‑Party Links

The Service may contain links to third‑party sites. We are not responsible for their privacy practices. We encourage you to read their privacy notices.

10. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified via email or in‑app message at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.

11. Contact Us

If you have questions about this Policy or our privacy practices, please contact us at:

Data Protection Officer (DPO)
Handles Group Ltd
Suite 5 Manor House, 1 Macauley Road
Broadstone, BH18 8AS, United Kingdom
Email: privacy@handles.org

© Handles Group Ltd, 2025. All rights reserved.

Ready to take control of your social handles?  Let Handles.org help you protect and optimize your brand across social platforms.