privacy policy
/privacy
What we collect, why we're allowed to, and where it goes — the whole of it, stated plainly enough to be held against us. The panel to the right is the machine-readable version of everything written below.
last_updated · 2026-07-04
$ cat privacy.json
{
"policy": "geecloud_privacy",
"version": "1.0.0",
"last_updated": "2026-07-04",
"user_data": "encrypted_at_rest",
"analytics_engine": "umami_self_hosted",
"third_party_trackers": 0,
"tracking_cookies": 0,
"advertising_cookies": 0,
"data_sold": false,
"data_shared_for_ads": false,
"data_location": ["UK_Coventry", "UK_Maidenhead"],
"hosting": "dedicated_uk",
"your_rights": "UK_GDPR_full",
"admin_snooping": "disabled"
}
the difference
Corporate cloud vs the vault.
The same question — where does your data actually go? — asked of a typical Big Tech cloud, then of the way GeeCloud is built.
| metric | Big Tech Cloud | The Vault · GeeCloud |
|---|---|---|
| Data location | Scattered across global data centres | UK dedicated · Coventry & Maidenhead |
| Analytics | Google Analytics + ad-tracking cookies | Self-hosted Umami · zero cookies |
| Cookies | Tracking & advertising cookies | Essential session only · none for tracking |
| Access to your data | AI scanning · algorithmic profiling | Isolated Docker containers · zero admin snooping |
| Ownership | Monetised, shared with partners | Yours — never sold, never shared for ads |
| Third-party trackers | Many | 0 |
what we collect
The short list. Nothing hidden beneath it.
- website analytics
- Umami — a self-hosted, open-source analytics tool — runs on our own UK hardware, not a third party's. It is cookieless by design and counts page views anonymously: page URL, referrer, approximate country, browser and device type, and nothing that identifies you. Nothing is sent to Google, Meta or any advertising network. Your IP is used for a moment to derive country and a daily-rotating hash that de-duplicates a visit, then discarded — never stored. We publish no visitor figures; the point is that the data barely exists, not that it's on display.
- account data
- If you hold a plan, we process only what's needed to run it: your email, username, chosen tier, authentication handled by our own Authentik SSO, and the storage figures required to enforce your quota.
- when you email us
- We keep your message and address to reply and for our records — nothing more.
- what we never collect
- No advertising pixels, no fingerprinting, no social embeds, no cross-site tracking, no data brokers. There is no profile of you here to sell, because we never build one.
why we're allowed to
Lawful basis, in plain terms.
- controller
- GeeCloud is the data controller under UK GDPR. We rely on four lawful bases and nothing else.
- legitimate interests
- Aggregate, anonymous analytics that never identify you — used only to see which pages earn their place.
- contract
- The processing required to give you the account you signed up for.
- legal obligation
- Records we're required to keep, such as billing and tax.
- consent
- Only where we ask for it explicitly and separately.
where it lives
On our hardware. Inside the UK.
- where data lives
- On our own machines in two UK data centres — Coventry and Maidenhead. Encrypted backups stay inside that footprint. Data at rest never leaves the UK.
- in fairness
- Where Cloudflare's proxy fronts a route, the initial request may transit its global edge before reaching our UK servers; the stored data itself stays in the UK. We'd rather say so than overclaim.
- sub-processors
- Kept to a minimum. Cloudflare handles DNS and edge protection; Brevo delivers transactional email — enrolment, recovery and security notices. Neither receives anything for advertising.
- retention
- We keep personal data only as long as the purpose needs and the law requires, then delete it. The analytics carry no identifier to expire.
- who can read your files
- Data is encrypted at rest, and backups are encrypted before they leave the machine. Access to tenant data is limited to what running the service actually requires — no algorithmic snooping, no browsing out of curiosity.
your rights
Your data, your call.
- your rights
- Under UK GDPR you can ask for access, correction, deletion, restriction, a portable copy, or object to processing. We action valid requests without fuss.
- how to exercise them
- Email [email protected]. We may need to confirm it's really you before acting on account data.
- the regulator
- You can complain to the Information Commissioner's Office at ico.org.uk at any time — though we'd like the chance to put things right first.
- changes
- If this policy changes materially, the version and last_updated date at the top change with it.