Data & privacy
Privacy Policy
How we collect, use, share and protect personal data — and your rights over it.
Effective 2 July 2026 · Version 1.0 · Gbeya
This Privacy Policy explains how Gbeya (“Gbeya”, “we”, “us”, “our”) collects, uses, discloses and safeguards personal data when you visit gbeya.com, create a workspace, or use our platform and related services (collectively, the “Services”). We process personal data lawfully, fairly and transparently in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended (CCPA/CPRA), and other applicable data-protection laws.
1. Our two roles: controller and processor
Gbeya is a multi-tenant software-as-a-service platform, so our responsibilities depend on whose data is processed:
- As a data controller — for personal data of workspace owners, team members and visitors to gbeya.com (e.g. when you register, subscribe, contact us or browse our marketing site), we determine the purposes and means of processing.
- As a data processor — when a customer (a “Workspace”) uses the Services to manage data about their own audience and end-customers (bookings, course enrolments, subscribers, leads, link analytics), that Workspace is the controller and we process on their behalf and under their instructions, governed by our Data Processing Addendum (available on request). End-customers should direct requests about that data to the relevant Workspace.
2. Personal data we collect
- Account & workspace data: name, email, password (stored only as a salted hash), business/brand name, workspace subdomain, role and team membership.
- Billing data: plan, subscription status and billing identifiers. Card details are collected and stored by our payment processor (Stripe); we do not store full card numbers.
- Content you provide: media, text, links, connected mailboxes and other content you upload or generate in your Workspace.
- Usage & technical data: IP address, device/browser information, pages viewed, referring URLs and diagnostic logs, collected via cookies and similar technologies (see our Cookie Policy).
- Communications: messages, enquiries and support requests.
- Third-party connections: where you connect an external account (e.g. a Google/YouTube app or a mailbox), the tokens and metadata needed for that integration, stored encrypted at rest.
3. How we use personal data and our legal bases
- Provide the Services — create and operate your Workspace, authenticate you, deliver features (performance of a contract).
- Process payments and manage subscriptions (contract; legal obligation).
- Secure, maintain and improve the platform, prevent fraud/abuse, enforce isolation (legitimate interests).
- Communicate about service, security and transactional matters (contract; legitimate interests).
- Marketing where you have opted in, which you may withdraw at any time (consent).
- Comply with legal obligations and enforce our Terms (legal obligation; legitimate interests).
4. Cookies and similar technologies
We use strictly necessary cookies to keep you signed in and secure, and limited analytics cookies to improve the Services. Workspaces may deploy their own tracking on their public pages, governed by their own notice. See our Cookie Policy for detail and controls.
5. Sharing and sub-processors
We do not sell personal data. We share it only with:
- Sub-processors under written data-protection terms — payment processing (Stripe), infrastructure/hosting, transactional email/SMTP and geolocation. A current list is available on request.
- Integrations you authorise, only to the extent needed to provide the feature.
- Authorities or third parties where required by law, to protect rights, or in a corporate transaction (with safeguards).
6. International transfers
Where personal data is transferred outside the UK/EEA, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum.
7. Security and tenant isolation
We apply technical and organisational measures appropriate to the risk — encryption in transit, encryption of sensitive credentials at rest, hashed passwords, least-privilege access, and database-level row-level-security so each Workspace’s data is isolated and cannot be accessed by another Workspace. No method of storage or transmission is completely secure.
8. Data retention
We retain personal data while your account or Workspace is active and thereafter only as necessary to meet legal obligations, resolve disputes and enforce agreements. When you delete your Workspace, we delete or anonymise associated personal data within a commercially reasonable period, subject to backup rotation and legal retention.
9. Your rights
Subject to applicable law, you may: access, correct, update or delete your data; object to or restrict certain processing and withdraw consent; request portability; opt out of marketing and, where applicable, of the “sale” or “sharing” of personal data (we do not sell personal data); and lodge a complaint with your supervisory authority (e.g. the UK ICO). To exercise these rights email hello@gbeya.com. If your request concerns data held by a Workspace, we will refer you to, or act on the instructions of, that Workspace as controller.
10. Children
The Services are not directed to children under 16 and we do not knowingly collect their data. If you believe a child has provided us data, contact us and we will delete it.
11. Changes to this policy
We may update this Policy. Material changes will be notified via the Services or by email and the effective date revised. Continued use after an update constitutes acceptance.
12. Contact us
For privacy questions or to exercise your rights, contact hello@gbeya.com. We respond within the timeframes required by applicable law.
Related documents
- Cookie Policy — The cookies and similar technologies we use, why, and how to control them.
- Terms & Conditions — The master agreement governing your access to and use of the Gbeya platform and Services.
- Copyright & DMCA Policy — How to report copyright infringement, our takedown and counter-notice process.
