Privacy Policy

Last updated: 15 April 2025

1. Introduction

This Privacy Policy explains how Barnacle Innovation Ltd ("we", "us", "our"), a company registered in England and Wales (company number 15143064), collects, uses, and protects personal data when you use the Barnacle AI platform ("Service"). The Service is an invitation-only application provided to authorised users of our client organisations.

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

2. Data Controller

Barnacle Innovation Ltd is the data controller for the personal data processed through the Service. If you have questions about data protection, please contact us at info@barnacle.com.

3. Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Account Information

  • Full name
  • Email address
  • Organisation affiliation
  • Role and permissions within the Service

3.2 Authentication Data

  • Sign-in credentials managed by our authentication provider (Clerk)
  • Session tokens and authentication logs

3.3 Usage Data

  • Interactions with the Service (pages visited, features used)
  • Files uploaded and content created within the platform
  • Chat conversations with AI assistants
  • Timestamps and activity logs

3.4 Technical Data

  • IP address
  • Browser type and version
  • Device information

4. Lawful Basis for Processing

We process your personal data on the following legal bases:

  • Legitimate interests — to provide, maintain, and improve the Service for authorised users and their organisations.
  • Contractual necessity — to fulfil our obligations under service agreements with your organisation.
  • Legal obligation — to comply with applicable laws and regulations.

5. How We Use Your Data

We use your personal data to:

  • Provide and operate the Service
  • Authenticate your identity and manage access permissions
  • Process and index files and documents on your behalf
  • Provide AI-powered assistance and responses
  • Monitor and improve the Service's performance and security
  • Communicate important updates about the Service
  • Comply with legal obligations

6. Data Sharing and Third Parties

We may share your personal data with the following categories of third parties, solely for the purposes described in this policy:

  • Authentication provider — Clerk, for secure sign-in and identity management.
  • Cloud infrastructure — Google Cloud Platform, for hosting, storage, and data processing.
  • AI service providers — OpenAI and Anthropic, for AI-powered features. Content sent to these providers is processed in accordance with their data processing agreements.
  • Your organisation — administrators within your organisation may have visibility of your activity within the Service.

We do not sell your personal data. We do not share your data with third parties for their own marketing purposes.

7. International Data Transfers

Some of our service providers are based outside the United Kingdom. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions, in accordance with UK GDPR requirements.

8. Data Retention

We retain your personal data for as long as your account remains active or as needed to provide the Service. When your access is revoked or your organisation's agreement ends, we will delete or anonymise your personal data within 90 days, unless retention is required by law.

9. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the data we hold about you.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure — request deletion of your data where appropriate.
  • Right to restrict processing — request limitation of how we use your data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.

To exercise any of these rights, please contact us at info@barnacle.com. We will respond within one month of receiving your request.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit (TLS) and at rest
  • Role-based access controls
  • Regular security reviews
  • Invitation-only access model

11. Cookies

The Service uses strictly necessary cookies for authentication and session management. We do not use tracking or advertising cookies.

12. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify affected users of material changes via the Service or email. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

14. Contact Us

If you have questions or concerns about this Privacy Policy, please contact:

Barnacle Innovation Ltd
Email: info@barnacle.com

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.