Data & privacy

Privacy Policy

How we collect, use, share and protect personal data — and your rights over it.

Effective 2 July 2026 · Version 1.0 · Gbeya

This Privacy Policy explains how Gbeya (“Gbeya”, “we”, “us”, “our”) collects, uses, discloses and safeguards personal data when you visit gbeya.com, create a workspace, or use our platform and related services (collectively, the “Services”). We process personal data lawfully, fairly and transparently in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended (CCPA/CPRA), and other applicable data-protection laws.

1. Our two roles: controller and processor

Gbeya is a multi-tenant software-as-a-service platform, so our responsibilities depend on whose data is processed:

  • As a data controller — for personal data of workspace owners, team members and visitors to gbeya.com (e.g. when you register, subscribe, contact us or browse our marketing site), we determine the purposes and means of processing.
  • As a data processor — when a customer (a “Workspace”) uses the Services to manage data about their own audience and end-customers (bookings, course enrolments, subscribers, leads, link analytics), that Workspace is the controller and we process on their behalf and under their instructions, governed by our Data Processing Addendum (available on request). End-customers should direct requests about that data to the relevant Workspace.

2. Personal data we collect

  • Account & workspace data: name, email, password (stored only as a salted hash), business/brand name, workspace subdomain, role and team membership.
  • Billing data: plan, subscription status and billing identifiers. Card details are collected and stored by our payment processor (Stripe); we do not store full card numbers.
  • Content you provide: media, text, links, connected mailboxes and other content you upload or generate in your Workspace.
  • Usage & technical data: IP address, device/browser information, pages viewed, referring URLs and diagnostic logs, collected via cookies and similar technologies (see our Cookie Policy).
  • Communications: messages, enquiries and support requests.
  • Third-party connections: where you connect an external account (e.g. a Google/YouTube app or a mailbox), the tokens and metadata needed for that integration, stored encrypted at rest.

3. How we use personal data and our legal bases

  • Provide the Services — create and operate your Workspace, authenticate you, deliver features (performance of a contract).
  • Process payments and manage subscriptions (contract; legal obligation).
  • Secure, maintain and improve the platform, prevent fraud/abuse, enforce isolation (legitimate interests).
  • Communicate about service, security and transactional matters (contract; legitimate interests).
  • Marketing where you have opted in, which you may withdraw at any time (consent).
  • Comply with legal obligations and enforce our Terms (legal obligation; legitimate interests).

4. Cookies and similar technologies

We use strictly necessary cookies to keep you signed in and secure, and limited analytics cookies to improve the Services. Workspaces may deploy their own tracking on their public pages, governed by their own notice. See our Cookie Policy for detail and controls.

5. Sharing and sub-processors

We do not sell personal data. We share it only with:

  • Sub-processors under written data-protection terms — payment processing (Stripe), infrastructure/hosting, transactional email/SMTP and geolocation. A current list is available on request.
  • Integrations you authorise, only to the extent needed to provide the feature.
  • Authorities or third parties where required by law, to protect rights, or in a corporate transaction (with safeguards).

6. International transfers

Where personal data is transferred outside the UK/EEA, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum.

7. Security and tenant isolation

We apply technical and organisational measures appropriate to the risk — encryption in transit, encryption of sensitive credentials at rest, hashed passwords, least-privilege access, and database-level row-level-security so each Workspace’s data is isolated and cannot be accessed by another Workspace. No method of storage or transmission is completely secure.

8. Data retention

We retain personal data while your account or Workspace is active and thereafter only as necessary to meet legal obligations, resolve disputes and enforce agreements. When you delete your Workspace, we delete or anonymise associated personal data within a commercially reasonable period, subject to backup rotation and legal retention.

9. Your rights

Subject to applicable law, you may: access, correct, update or delete your data; object to or restrict certain processing and withdraw consent; request portability; opt out of marketing and, where applicable, of the “sale” or “sharing” of personal data (we do not sell personal data); and lodge a complaint with your supervisory authority (e.g. the UK ICO). To exercise these rights email hello@gbeya.com. If your request concerns data held by a Workspace, we will refer you to, or act on the instructions of, that Workspace as controller.

10. Children

The Services are not directed to children under 16 and we do not knowingly collect their data. If you believe a child has provided us data, contact us and we will delete it.

11. Changes to this policy

We may update this Policy. Material changes will be notified via the Services or by email and the effective date revised. Continued use after an update constitutes acceptance.

12. Contact us

For privacy questions or to exercise your rights, contact hello@gbeya.com. We respond within the timeframes required by applicable law.

Related documents

  • Cookie PolicyThe cookies and similar technologies we use, why, and how to control them.
  • Terms & ConditionsThe master agreement governing your access to and use of the Gbeya platform and Services.
  • Copyright & DMCA PolicyHow to report copyright infringement, our takedown and counter-notice process.
Questions about this document? Email hello@gbeya.com or visit our contact page.