Privacy Policy
Last updated: 11 March 2026
Arqor is operated by Damon Randall (Sole Trader), trading as Darkstar Design
1. Introduction
This Privacy Policy explains how Damon Randall trading as Darkstar Design (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use the Arqor platform and Arqor SiteRecord application (the “Service”).
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data controller
The data controller responsible for your personal data is:
Damon Randall
Trading as Darkstar Design
Email: damon@darkstardesign.co.uk
ICO Registration: [To be added upon registration]
3. What data we collect
3.1 Account data
When you create an account, we collect your email address. If you provide additional information in your company profile (company name, logo, address), we collect that too.
3.2 Photo and job data
When you or your trades upload photos through the Service, we collect and store the photos themselves along with embedded metadata including GPS coordinates (latitude and longitude), date and time stamps, and device information extracted from EXIF data. We also store notes, phase tags, area descriptions, floor plan pin locations, and trade/worker names associated with each photo.
3.3 Trade user data
Trades who access the Service via QR code provide their name and trade type. This information is stored in the browser (localStorage) and associated with photos they upload. Trade users do not have accounts and we do not collect their email addresses.
3.4 Payment data
Payment processing is handled entirely by Stripe. We do not store your full card number, CVV, or other sensitive payment details. We receive and store your Stripe customer ID and subscription status.
3.5 Usage data
We collect basic usage data including pages visited, features used, and error logs to help us improve the Service. This data is collected via Vercel Analytics and is not used for advertising or sold to third parties.
4. How we use your data
We use your personal data for the following purposes:
To provide the Service — storing and displaying your photos, generating share links and PDF reports, authenticating your account, and processing payments.
To communicate with you — sending magic link login emails, billing notifications, trial reminders, and service updates.
To improve the Service — analysing usage patterns to identify bugs, improve performance, and develop new features.
We do not use your data for advertising, profiling, or automated decision-making. We do not sell your data to third parties.
5. Legal basis for processing
We process your personal data on the following legal bases under UK GDPR:
Contract performance (Article 6(1)(b)) — processing necessary to provide the Service you have subscribed to.
Legitimate interests (Article 6(1)(f)) — improving the Service, preventing fraud, and ensuring security.
Legal obligation (Article 6(1)(c)) — where we are required to retain data for tax, accounting, or legal compliance.
6. Who we share data with
We share data with the following third-party processors who help us provide the Service:
Supabase (database and authentication) — data stored in EU region on AWS infrastructure.
Vercel (application hosting and analytics) — edge network with data processing in the EU and US.
Stripe (payment processing) — PCI-DSS compliant payment processor.
We also share data when you choose to share it — for example, when you generate a share link, the recipient can view job photos and associated metadata.
We will disclose personal data if required to do so by law or in response to a valid legal request from a public authority.
7. Data retention
We retain your account data and content for as long as your account is active. After account closure or subscription cancellation, we retain your data for 30 days to allow for reactivation, after which it is permanently deleted.
Payment records are retained for 7 years as required by HMRC for tax purposes.
Waitlist email addresses are retained until the individual subscribes or requests removal.
8. Data security
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS 1.2+), encryption at rest, access controls via Row Level Security in our database, and regular security reviews.
However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
9. Your rights
Under UK GDPR, you have the following rights:
Right of access — request a copy of your personal data.
Right to rectification — request correction of inaccurate data.
Right to erasure — request deletion of your data (subject to legal retention requirements).
Right to data portability — receive your data in a machine-readable format.
Right to restrict processing — request limitation of how we use your data.
Right to object — object to processing based on legitimate interests.
To exercise any of these rights, contact us at damon@darkstardesign.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data appropriately.
10. International transfers
Your data is primarily stored in the EU (Supabase on AWS eu-west). Some processing may occur in the US through Vercel and Stripe, both of which maintain appropriate safeguards including Standard Contractual Clauses and data processing agreements.
11. Children
The Service is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The date at the top of this policy indicates when it was last updated.
13. Contact
For privacy-related queries, contact:
Damon Randall trading as Darkstar Design
Email: damon@darkstardesign.co.uk