1. Who we are
Viaduct Industries Limited is the data controller for personal data collected through Stuffly. We are registered in England and Wales, with our registered office at 3rd Floor, 86–90 Paul Street, London, EC2A 4NE.
For any privacy-related enquiry, contact us at hello@stuffly.io.
We are registered with the Information Commissioner's Office (ICO) as a data controller. Our ICO registration number is ZC122777.
2. What data we collect
2.1 Account data
When you create a Stuffly account, we collect:
| Data | Why we collect it |
|---|---|
| Name | To identify your account and personalise your experience. |
| Email address | To verify your identity, send account communications, and allow you to log in. If you sign in via Google or Apple, we receive only the email address associated with that account. |
| Billing information | To process Plus plan payments via Stripe. We do not store card numbers — these are handled entirely by Stripe. |
We do not collect your address, phone number, date of birth, or any other personal information beyond the above.
2.2 Asset content
The items, images, documents, warranty records, and other data you add to your Stuffly databases ("Your Content") are not personal data about you — they are content you choose to store in the Service. We process this data solely to provide the Service. See Section 5 for more detail.
2.3 Technical data
We may collect limited technical data such as device type, browser type, app version, and usage logs. This is used only to maintain and improve the Service and is not linked to your personal profile for any other purpose.
3. How we use your data
| Purpose | Data used |
|---|---|
| Creating and managing your account | Name, email address |
| Verifying your identity at login | Email address (or Google/Apple identity) |
| Providing and operating the Service | All account data and Your Content |
| Enabling database sharing with collaborators | Email address (to send invitations) |
| Processing Plus plan payments | Billing information (via Stripe) |
| Sending account and service communications | Email address |
| Maintaining security and preventing misuse | Technical and account data |
| Complying with legal obligations | As required by applicable law |
We do not use your data for advertising, profiling, or any purpose beyond those listed above.
4. Legal basis for processing
| Legal basis | When we rely on it |
|---|---|
| Contract performance | Processing necessary to provide the Service you have signed up for — account creation, storing and displaying your databases, managing subscriptions. |
| Legitimate interests | Maintaining the security and integrity of the Service, preventing misuse, and improving the platform through anonymised technical data. |
| Legal obligation | Where we are required to retain or disclose data under applicable law (e.g. financial records required by HMRC). |
5. Your content
Your Content — the assets, images, documents, and records you add to Stuffly — belongs to you. We process it solely to operate the Service. We do not analyse, share, or use Your Content for any purpose other than displaying it back to you and any collaborators you have authorised.
If you delete a database or close your account, Your Content is permanently deleted and cannot be recovered (subject to the retention periods in Section 9).
6. Sharing data with third parties
We do not sell personal data. We do not share Your Content with any third party. We share limited account data only with the following processors, who act on our instructions under written data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing for Plus plan subscriptions | USA (Standard Contractual Clauses apply) |
| Cloudflare, Inc. | Security, DDoS protection, content delivery | USA (Standard Contractual Clauses apply) |
| Krystal Hosting Ltd | Web hosting and infrastructure | United Kingdom |
Your asset data is not shared with Stripe, Cloudflare, or any other third party. Stripe receives only the billing information necessary to process your payment. Cloudflare and Krystal Hosting handle the infrastructure through which all data passes, under strict data processing terms.
We may disclose data where required to do so by law or to protect the rights, property, or safety of Viaduct Industries Limited, our users, or others.
7. Data storage & location
All Stuffly data — including your account information and Your Content — is stored on servers located in the United Kingdom. We do not transfer your asset data outside the UK.
Payment data is processed by Stripe, which operates in the USA. This transfer is governed by Standard Contractual Clauses in accordance with UK GDPR requirements. Cloudflare's network may route traffic through international points of presence, but this is limited to transit and does not involve storage of your data outside the UK.
8. Cookies and similar technologies
The Stuffly web app uses a small number of cookies that are strictly necessary to operate the Service. We do not use advertising or tracking cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Maintains your login session while using the app | Deleted when browser closes |
| Authentication token | Keeps you logged in between visits if selected | Up to 30 days |
| [Analytics — if applicable] | [Anonymised usage analytics] | [Duration] |
The desktop and iOS apps do not use browser cookies but may use equivalent local storage mechanisms solely to maintain your session. You can control these through your device or app settings.
9. How long we keep data
| Data type | Retention period |
|---|---|
| Account data (name, email) | For the duration of your account, plus 3 years after closure. |
| Your Content (databases, items, images, documents) | Deleted within 30 days of database deletion or account closure. |
| Payment records | 7 years, as required by HMRC regulations. |
| Technical/server logs | Up to 90 days, then automatically deleted or anonymised. |
You may request early deletion of your personal data at any time by contacting hello@stuffly.io. We will action requests within 30 days, subject to any legal obligations to retain certain records.
10. Security
We take reasonable technical and organisational measures to protect your data, including:
- all data in transit is encrypted using TLS;
- data at rest is encrypted on our hosting infrastructure;
- access to personal data within our systems is restricted to those who need it to operate the Service;
- authentication via email verification code or established OAuth providers (Google, Apple) reduces credential risk; and
- our infrastructure is protected by Cloudflare's security and DDoS mitigation services.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected users without undue delay, as required by UK GDPR.
11. Your rights
Under UK GDPR, you have the following rights regarding personal data we hold about you:
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Ask us to correct inaccurate or incomplete data. |
| Erasure | Ask us to delete your personal data where there is no longer a valid reason to keep it. |
| Restriction | Ask us to limit how we use your data while a concern is being resolved. |
| Portability | Receive your data in a structured, machine-readable format on request. |
| Objection | Object to processing based on our legitimate interests. |
To exercise any of these rights, email hello@stuffly.io. We will respond within one calendar month. There is no charge for making a request.
If you are unhappy with how we have handled your data, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
12. Changes to this policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email at least 14 days before they take effect. The current version is always available at stuffly.io/legal/privacy.
13. Contact
For any questions about this Privacy Policy or how we handle your data:
- Email: hello@stuffly.io
- Post: Viaduct Industries Limited, 3rd Floor, 86–90 Paul Street, London, EC2A 4NE
We aim to respond to all privacy enquiries within 5 business days.