Privacy Policy
Version 1.0 · Last updated 12 May 2026
This Privacy Policy explains how Resonatr collects, uses, and protects personal data. We've written it in plain English — but it's also legally binding under UK GDPR.
Questions? Email privacy@resonatr.io.
Who we are
Resonatr is operated by Resonatr Ltd, a company registered in England and Wales.
For the purposes of UK GDPR:
- For customer account data: Resonatr is the data controller
- For website visitor data: Resonatr is the data processor; our customers are the data controllers
What data we collect
From customers (people who sign up to Resonatr)
When you create an account:
- Your email address
- Your name (if you provide one)
- Your password (stored hashed)
- Account preferences and settings
When you use the platform:
- The brand model you create (company info, personas, content zones)
- Pages you visit within the dashboard
- Logs of API calls you make
- Communications with our support team
From visitors to customer websites
When pearl.js fires on a customer's website, we collect:
- The site_id of the customer (not the visitor's identity)
- A session ID we generate (not linked to any personal account)
- Page path being viewed
- Browser, device, operating system
- Approximate location (country, region, city) from IP address
- UTM parameters from the URL
- The referrer URL (where they came from)
- Time of visit
We do NOT collect:
- Email addresses
- Names
- IP addresses (we discard these after geographic lookup)
- Cross-site browsing history
- Persistent identifiers across sessions
- Any data that would identify a specific person
How we use this data
Customer data
- To provide the Resonatr service
- To send transactional emails (signup confirmation, security alerts)
- To respond to support requests
- To improve the product based on usage patterns
Visitor data
- To match visitors against personas defined by customers
- To return personalised content variants
- To produce analytics for the customer about their visitors
We never:
- Sell data to anyone
- Share data with advertising networks
- Use customer data to train AI models for other customers
- Combine visitor data across our customer base
Where data is stored
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication | USA |
| Vercel | Application hosting | Global |
| Anthropic | AI content generation | USA |
| Resend | Transactional email | USA |
| Cloudflare | DNS, edge | Global |
Each provider is contractually bound to GDPR-compliant data handling. Standard Contractual Clauses are in place where applicable for international transfers.
How long we keep data
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account |
| Analytics events | 24 months |
| Email confirmations | 12 months |
| Audit logs | 24 months |
| Deleted account residue | 30 days, then permanent deletion |
Your rights under UK GDPR
You have the right to:
- Access — request a copy of personal data we hold about you
- Correction — ask us to correct anything that's wrong
- Deletion — ask us to delete your data (subject to legal retention requirements)
- Portability — receive your data in a machine-readable format
- Restriction — ask us to pause processing while a dispute is resolved
- Object — challenge how we process your data
- Withdraw consent — for any processing based on consent
Email privacy@resonatr.io to exercise any of these rights. We respond within 14 days, usually much faster.
You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
Cookies and tracking on resonatr.io
Our marketing site uses:
- Essential cookies for the signup and login flow (no consent needed)
- Pearl.js for our own analytics, using only the signals described above
We do not use advertising cookies, cross-site tracking pixels, or third-party analytics like Google Analytics.
Security
- TLS encryption for all data in transit
- Encryption at rest in our database
- Multi-factor authentication for our team
- Regular security audits
- Principle of least privilege for access
- Logging of administrative actions
If a data breach occurs, we'll notify affected customers within 72 hours and the ICO as required.
Children's data
Resonatr is not intended for children under 16. We don't knowingly collect data from anyone under 16. If you believe we have, email privacy@resonatr.io and we'll delete it.
Changes to this policy
We may update this policy. Material changes will be communicated by email at least 14 days before they take effect.
Contact
- Email: privacy@resonatr.io
- Post: Resonatr Ltd, [registered office]