privacy policy

/privacy

What we collect, why we're allowed to, and where it goes — the whole of it, stated plainly enough to be held against us. The panel to the right is the machine-readable version of everything written below.

last_updated · 2026-07-04

privacy.json · read-only
$ cat privacy.json
{
"policy": "geecloud_privacy",
"version": "1.0.0",
"last_updated": "2026-07-04",
"user_data": "encrypted_at_rest",
"analytics_engine": "umami_self_hosted",
"third_party_trackers": 0,
"tracking_cookies": 0,
"advertising_cookies": 0,
"data_sold": false,
"data_shared_for_ads": false,
"data_location": ["UK_Coventry", "UK_Maidenhead"],
"hosting": "dedicated_uk",
"your_rights": "UK_GDPR_full",
"admin_snooping": "disabled"
}

the difference

Corporate cloud vs the vault.

The same question — where does your data actually go? — asked of a typical Big Tech cloud, then of the way GeeCloud is built.

metric Big Tech Cloud The Vault · GeeCloud
Data location Scattered across global data centres UK dedicated · Coventry & Maidenhead
Analytics Google Analytics + ad-tracking cookies Self-hosted Umami · zero cookies
Cookies Tracking & advertising cookies Essential session only · none for tracking
Access to your data AI scanning · algorithmic profiling Isolated Docker containers · zero admin snooping
Ownership Monetised, shared with partners Yours — never sold, never shared for ads
Third-party trackers Many 0

what we collect

The short list. Nothing hidden beneath it.

website analytics
Umami — a self-hosted, open-source analytics tool — runs on our own UK hardware, not a third party's. It is cookieless by design and counts page views anonymously: page URL, referrer, approximate country, browser and device type, and nothing that identifies you. Nothing is sent to Google, Meta or any advertising network. Your IP is used for a moment to derive country and a daily-rotating hash that de-duplicates a visit, then discarded — never stored. We publish no visitor figures; the point is that the data barely exists, not that it's on display.
account data
If you hold a plan, we process only what's needed to run it: your email, username, chosen tier, authentication handled by our own Authentik SSO, and the storage figures required to enforce your quota.
when you email us
We keep your message and address to reply and for our records — nothing more.
what we never collect
No advertising pixels, no fingerprinting, no social embeds, no cross-site tracking, no data brokers. There is no profile of you here to sell, because we never build one.

why we're allowed to

Lawful basis, in plain terms.

controller
GeeCloud is the data controller under UK GDPR. We rely on four lawful bases and nothing else.
legitimate interests
Aggregate, anonymous analytics that never identify you — used only to see which pages earn their place.
contract
The processing required to give you the account you signed up for.
legal obligation
Records we're required to keep, such as billing and tax.
consent
Only where we ask for it explicitly and separately.

where it lives

On our hardware. Inside the UK.

where data lives
On our own machines in two UK data centres — Coventry and Maidenhead. Encrypted backups stay inside that footprint. Data at rest never leaves the UK.
in fairness
Where Cloudflare's proxy fronts a route, the initial request may transit its global edge before reaching our UK servers; the stored data itself stays in the UK. We'd rather say so than overclaim.
sub-processors
Kept to a minimum. Cloudflare handles DNS and edge protection; Brevo delivers transactional email — enrolment, recovery and security notices. Neither receives anything for advertising.
retention
We keep personal data only as long as the purpose needs and the law requires, then delete it. The analytics carry no identifier to expire.
who can read your files
Data is encrypted at rest, and backups are encrypted before they leave the machine. Access to tenant data is limited to what running the service actually requires — no algorithmic snooping, no browsing out of curiosity.

your rights

Your data, your call.

your rights
Under UK GDPR you can ask for access, correction, deletion, restriction, a portable copy, or object to processing. We action valid requests without fuss.
how to exercise them
Email [email protected]. We may need to confirm it's really you before acting on account data.
the regulator
You can complain to the Information Commissioner's Office at ico.org.uk at any time — though we'd like the chance to put things right first.
changes
If this policy changes materially, the version and last_updated date at the top change with it.