Behavioural Safety

Personal Data Breach Notification Policy

UK GDPR Articles 33 & 34 · Last updated: 10 May 2026

In one line

We notify the UK ICO within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. We notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

1. What counts as a personal data breach

A "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (UK GDPR Art 4(12)).

Examples include: unauthorised database access, lost or stolen device with platform credentials, accidental public exposure of customer data, ransomware encryption of production data, or compromise of a sub-processor.

2. Our response timeline

  1. Hour 0 — Detection. Breach detected via monitoring, internal report, sub-processor notification, or external disclosure.
  2. Hour 0–4 — Containment. Restrict access, rotate credentials, isolate affected systems. Begin forensic capture.
  3. Hour 4–24 — Assessment. Determine: what data, how many subjects, what risk to those subjects, and whether the data was encrypted at rest with keys that remain uncompromised.
  4. Hour 24–72 — ICO notification. Unless the breach is unlikely to result in a risk to data subjects' rights and freedoms, notify the UK Information Commissioner's Office at ico.org.uk/for-organisations/report-a-breach. If we cannot gather the full information within 72 hours, we submit an initial notification and provide the remainder in phases (Art 33(4)); a notification made after 72 hours must be accompanied by the reasons for the delay.
  5. Without undue delay — Subject notification. If the breach is likely to result in high risk to data subjects, notify each affected user directly via the email on their account, with: nature of the breach, contact for queries, likely consequences, and steps we are taking to mitigate.
  6. After resolution — Internal review. Document the incident, root cause, action taken, and lessons learned, whether or not the breach was reportable (Art 33(5) requires a record of every breach). Update controls to prevent recurrence.

3. What we will tell you

If you are a data subject affected by a breach, our notification will include:

  • The nature of the breach
  • Categories and approximate number of data subjects and records affected
  • Likely consequences for you
  • Measures we have taken or propose to take to address the breach and mitigate its effects
  • Contact point for further queries

4. When we may not need to notify you

Under UK GDPR Article 34(3), we are not required to notify individual data subjects if any of the following applies:

  • Affected data was rendered unintelligible to unauthorised persons (e.g. strong encryption with keys not compromised)
  • We have taken subsequent measures that ensure the high risk is no longer likely to materialise
  • Individual notification would involve disproportionate effort — in which case we use a public communication or equivalent measure instead

5. Sub-processor breaches

If one of our sub-processors (AWS, Stripe, Resend, OpenAI) reports a breach affecting our customers' data, we treat it as our own breach for the purposes of this policy and follow the same timeline; the 72-hour clock starts when their notification makes us aware of the breach.

Each sub-processor has its own breach notification commitments to us under our data processing agreement with them, and as a processor is in any case required by Art 33(2) to notify us without undue delay after becoming aware of a breach. See the sub-processor list.

6. Your role — reporting suspected breaches

If you believe you have identified a security issue or suspect a personal data breach, please report it via our contact form (Security / breach disclosure) with as much detail as you can safely share. We acknowledge security reports within 24 hours.

Responsible disclosure is welcomed; we will not pursue legal action against good-faith security researchers who follow industry-standard responsible disclosure practices.

Data Controller
Hi Vis Safety Ltd · Company registered in England and Wales (16385867) · Trading as Behavioural Safety · behaviouralsafety.org

Related: Privacy Policy · Sub-processors · Data Processing Agreement · Respondent privacy notice