Privacy Policy
SummitHQ is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights under applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Last updated: February 2026
1. Data controller
For the purposes of the UK GDPR and the Data Protection Act 2018, the data controller responsible for your personal data is:
- SummitHQ Ltd
- Registered in England and Wales
- Company number: 17036574
- Registered office: 118 Hall Lane, Walsall Wood, Walsall, England, WS9 9AP
- Email: support@summithq.co.uk
If you have any questions about how your data is processed, please contact us using the details above.
2. Data we collect
We collect the following categories of data when you use SummitHQ:
- Account data — your email address and a securely hashed password, collected when you create an account.
- Business data — information you enter into the service, including client details, project information, invoices, tasks, expenses, and VAT data. If you choose to add bank details, these are provided by you and used solely for display on your invoices. They are not used for payment processing.
- Usage data — limited operational and security-related information, such as pages visited, features used, timestamps, and error logs. This data is collected solely to operate and improve the service. SummitHQ does not use third-party tracking, behavioural analytics, or advertising profiling of any kind.
- Payment data — subscription payments are processed by Stripe, Inc. on our behalf. We do not store your full card number or sensitive payment credentials. We retain only limited billing metadata necessary to manage your subscription, including your Stripe customer ID, subscription status, and billing history. If you also connect a Stripe account to receive invoice payments from your own clients, we additionally store your Stripe account identifier and connection status.
- Terms acceptance — a timestamp and version reference recording when you accepted our Terms of Service.
3. How we use your data
We use your data for the following purposes:
- To provide, operate, and maintain the SummitHQ service.
- To authenticate your identity and secure your account.
- To process and display your business data as requested.
- To generate invoices, tax estimates, and expense summaries.
- To improve the service, fix issues, and develop features.
- To communicate with you about your account, service updates, or support requests.
- To comply with legal obligations and enforce our terms.
4. Lawful basis for processing (GDPR)
We process your personal data on the following lawful bases:
- Contractual necessity — processing required to provide the service you have signed up for.
- Legitimate interest — limited and proportionate processing for service improvement, security, and fraud prevention, carried out only where our interests do not override your rights and freedoms.
- Consent — where you have opted in to receive marketing or promotional communications. You may withdraw consent at any time.
- Legal obligation — processing required to comply with applicable laws.
5. Data processors
We use the following third-party processors to operate SummitHQ. Each processor is bound by data processing agreements and appropriate safeguards:
- Supabase — database hosting, authentication, and data storage.
- Stripe — payment processing for invoice payments and subscription billing. Stripe only processes your data where you have enabled payments or connected a Stripe account.
- Resend — transactional email delivery for invoices and notifications.
- Vercel — application hosting and deployment.
6. Data storage and security
We implement reasonable technical and organisational safeguards to protect your data, including encryption in transit (TLS), secure authentication, and access controls. Each user can only access their own data — logical access controls are enforced so that your information is not visible to other users of the service. However, no method of electronic storage or transmission is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.
7. Data retention
We retain your data for as long as your account is active and as needed to provide the service. If you close your account, we will delete or anonymise your personal data within a reasonable timeframe, unless we are required to retain it for legal, regulatory, or legitimate business purposes. In particular, we may retain certain financial records, invoice data, and transaction history to comply with UK accounting, tax, and financial record-keeping obligations (including requirements under the Companies Act 2006 and HMRC record-keeping rules), or to resolve disputes. Where a deletion request conflicts with a legal retention obligation, we will retain only the minimum data required and will inform you accordingly.
8. Your rights
Under the UK GDPR, you have the following rights in relation to your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your personal data, subject to legal retention requirements.
- Data portability — request a copy of your data in a structured, commonly used format.
- Objection — object to processing based on legitimate interest.
- Restriction — request that we restrict processing in certain circumstances.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at support@summithq.co.uk. We may need to verify your identity before fulfilling your request. We will respond within one month, as required by law. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9. Automated decision-making
SummitHQ does not use automated decision-making or profiling that produces legal or similarly significant effects on users. Any calculations, estimates, or summaries presented by the service are for informational purposes only and do not constitute automated decisions about you or your rights.
10. Cookies
SummitHQ uses essential cookies required for the service to function, including authentication and session management. We do not use third-party advertising or tracking cookies. Essential cookies do not require consent under UK GDPR as they are strictly necessary for the service to operate.
11. International data transfers
Some of our data processors may store or process data outside the United Kingdom or European Economic Area. Where this occurs, we ensure appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions, to protect your data in accordance with UK GDPR requirements.
12. Data sharing
We do not sell, rent, or trade your personal data. We only share your data with the third-party processors listed above, as necessary to operate the service, or where required by law or legal process.
13. Data breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority without undue delay, in accordance with applicable law.
14. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. The “last updated” date at the top of this page will be revised accordingly. Your continued use of SummitHQ after changes take effect constitutes acceptance of the updated policy.
15. Contact
If you have any questions about this Privacy Policy or how we handle your data, please contact us at support@summithq.co.uk.