Privacy Policy

Last updated 20 May 2026

1. Introduction

This Privacy Policy explains how Michael Speedie trading as WeeConnect ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the WeeConnect platform ("Service"). We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

The data controller for personal data processed through the Service is:

Michael Speedie, trading as WeeConnect
Email: support@weeconnect.co.uk

Each Residents Association (RA) using WeeConnect may also be a data controller in respect of the personal data of their members. RA Admins are responsible for ensuring their use of member data complies with applicable data protection law.

3. What Data We Collect

Account data

When you register or are invited to join an RA, we collect: your name, email address, phone number (optional), and a hashed password. We never store passwords in plain text.

Association data

RA Admins provide: association name, contact email, property addresses, and configuration preferences. This data is used to operate the RA within the Service.

Usage data

We collect activity logs including login times, IP addresses, user agent strings, and actions taken within the Service. This is used for security monitoring, debugging, and audit purposes.

Payment data

Payment information (card details, billing address) is collected and processed exclusively by our third-party payment processor, which acts as our Merchant of Record. We do not store your card details. We retain the customer IDs and subscription IDs issued by our payment processor to manage your subscription.

Uploaded content

Documents, images, and files uploaded to the Service are stored securely. We process this content only to operate the Service.

4. How We Use Your Data

We process your personal data for the following purposes:

  • Service delivery — to operate your account, manage RA membership, and provide platform features.
  • Authentication and security — to verify your identity, prevent unauthorised access, and detect fraud.
  • Communication — to send transactional emails (invitations, password resets, payment notifications). We do not send marketing emails without consent.
  • Billing — to manage subscriptions, process payments (via our payment processor), and handle payment failures.
  • Legal compliance — to comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.

5. Legal Basis for Processing

We rely on the following legal bases under UK GDPR:

  • Contract (Article 6(1)(b)) — processing necessary to provide the Service under our Terms.
  • Legitimate interests (Article 6(1)(f)) — security monitoring, fraud prevention, and service improvement.
  • Legal obligation (Article 6(1)(c)) — compliance with tax, accounting, and other legal requirements.
  • Consent (Article 6(1)(a)) — where applicable, such as optional marketing communications.

6. Data Sharing

We share personal data only with:

  • Our third-party payment processor — payment processing (Merchant of Record). Our payment processor's privacy policy governs its handling of payment data.
  • Supabase Inc. — database hosting (PostgreSQL). Data is stored in EU data centres.
  • Cloudflare Inc. — file storage (R2) and content delivery. Subject to Cloudflare's data processing agreement.
  • Vercel Inc. — application hosting. Server-side functions process requests in the EU region.

We do not sell your personal data to third parties. We do not share data with advertisers.

7. Data Retention

  • Active accounts — data is retained for as long as your account is active.
  • Closed accounts — personal data is deleted or anonymised within 90 days of account closure, except where retention is required by law.
  • Activity logs — retained for 12 months for security and audit purposes.
  • Email logs — retained for 6 months.
  • Payment records — retained for 7 years as required by HMRC.

8. Your Rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data via your account settings or by contacting us.
  • Erasure — request deletion of your personal data, subject to legal retention requirements.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Restriction — request that we restrict processing in certain circumstances.

To exercise any of these rights, contact us at support@weeconnect.co.uk. We will respond within one month.

9. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Passwords hashed with bcrypt (never stored in plain text).
  • JWT-based authentication with RS256 signing and short-lived access tokens (15 minutes).
  • Rotating refresh tokens stored in HttpOnly cookies.
  • All data transmitted over HTTPS/TLS.
  • Tenant-isolated database queries — every query filters by RA to prevent cross-tenant data access.

10. International Transfers

Your data may be processed by sub-processors located outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

11. Children

The Service is not intended for users under 18. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or in-app notice. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact and Complaints

For questions or concerns about this policy, contact us at support@weeconnect.co.uk.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint.