Privacy Policy
Effective Date: 18 March 2026
1. Introduction
Close2Source (“we”, “our”, or “us”) is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at close2source.com (the “Platform”).
By accessing or using the Platform, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Platform.
Data Controller
Christopher Scutt trading as Close2Source
87 Little Breach, Chichester, West Sussex, PO19 5TZ, United Kingdom
Email: info@close2source.com
Sole trader (unregistered). VAT registration not applicable at current trading scale.
2. Information We Collect
2.1 Information You Provide
- Account registration details (name, email address, password)
- Profile information (display name, profile picture, bio)
- Organization details (name, description, location)
- Project information (titles, descriptions, updates, images, documents)
- Communications sent through our contact form or support channels
- Payment or credit-related information where applicable
2.2 Information Collected Automatically
- Device information (browser type, operating system, IP address)
- Usage data (pages visited, features used, time spent on Platform)
- Cookies and similar tracking technologies (see Section 6)
- Firebase Analytics data including session identifiers and interaction events
2.3 Information from Third Parties
- Authentication data from Google Sign-In or Apple Sign-In where used
- Public profile information linked to your third-party authentication provider
3. How We Use Your Information
We use the information we collect to:
- Create, manage, and secure your account
- Provide and improve the Platform and its features
- Process credits, transactions, and platform activity
- Enable organization and project management features
- Send transactional emails (account confirmations, notifications)
- Respond to your inquiries and support requests
- Monitor Platform usage for security and fraud prevention
- Comply with legal obligations
- Analyse Platform performance using aggregated, anonymised data
3a. Lawful Basis for Processing (UK GDPR Article 6)
Under UK GDPR, we are required to identify a lawful basis for each category of processing. The table below sets out the basis we rely on for each activity.
| Processing Activity | Lawful Basis (Article 6 ground) |
|---|---|
| Account credentials (name, email, password) | Performance of a contract — Art. 6(1)(b) |
| Providing Platform services (project/org management, profiles) | Performance of a contract — Art. 6(1)(b) |
| Transactional emails (confirmations, notifications) | Performance of a contract — Art. 6(1)(b) |
| Credit processing and transactions | Performance of a contract — Art. 6(1)(b) |
| Firebase Analytics (usage data, session data) | Consent — Art. 6(1)(a) |
| AI-powered features (profile improvement, project analysis) | Consent — Art. 6(1)(a) |
| Mandatory AI content moderation (safeguarding scan on publish) | Legal obligation / Legitimate interests — Art. 6(1)(c)/(f) |
| Partner and pledge data | Performance of a contract / Legitimate interests — Art. 6(1)(b)/(f) |
| Contact form messages | Legitimate interests — Art. 6(1)(f) |
| Fraud prevention and platform security | Legitimate interests — Art. 6(1)(f) |
| Legal compliance obligations | Legal obligation — Art. 6(1)(c) |
Where we rely on consent (Art. 6(1)(a)), you may withdraw consent at any time via your Account Settings without affecting the lawfulness of processing before withdrawal.
4. Sharing Your Information
We do not sell, trade, or rent your personal data to third parties. We may share your information only in the following circumstances:
- Google Firebase (USA / London): We use Firebase Authentication, Firestore, Cloud Storage, and Analytics to operate core Platform services. Primary data storage is in the europe-west2 (London) region. Firebase is operated by Google LLC under the Google Cloud Data Processing Addendum.
- Krystal Hosting Ltd (UK): Outbound transactional emails (contact form and notification emails) are sent via mail servers operated by Krystal Hosting Ltd, 124 City Road, London EC1V 2NX (Company No. 07571790). Krystal is a UK-registered processor; no international transfer is involved. A Data Processing Agreement is in place under krystal.io/legal/data-processing-agreement.
- OpenAI, Inc. (USA): When you use AI-powered features on the Platform (such as profile improvement, project analysis, or AI-assisted registration), content you provide is processed by OpenAI's servers in the United States. This international transfer is made under Standard Contractual Clauses and the UK International Data Transfer Addendum (IDTA). OpenAI acts as a data processor under a signed Data Processing Addendum. You can opt out of AI features at any time in Settings. See our AI Use Policy for full details.
- OpenAI Moderation (mandatory): All profile content submitted for publication is scanned by OpenAI's content moderation API for safeguarding and safety purposes. This processing is mandatory, does not require your consent, and is carried out on the basis of legitimate interests / legal compliance obligations (Art. 6(1)(c)/(f)).
- Legal Requirements: Where required by law, court order, or governmental authority.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to a successor entity.
- With Your Consent: In any other circumstance where you have given explicit consent.
4a. International Data Transfers
The Platform primarily processes data within the UK and EEA (Google Firebase, europe-west2, London). Where data is transferred to a country outside the UK/EEA (specifically to OpenAI in the United States), we ensure adequate safeguards are in place:
- OpenAI (USA): Transfer is governed by Standard Contractual Clauses (SCCs) and the UK IDTA. OpenAI's current data processing terms are available at openai.com/policies/data-processing-addendum.
5. Data Storage and Security
Your data is stored using Google Firebase infrastructure, with our primary Firestore database located in the europe-west2 (London) region. Firebase applies industry-standard encryption in transit (TLS) and at rest.
While we take reasonable technical and organisational measures to protect your data, no system is completely secure. We cannot guarantee the absolute security of your information and encourage you to use a strong, unique password for your account.
Data breach notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
6. Cookies and Local Storage
The Platform uses cookies and browser local storage to:
- Maintain your authenticated session
- Remember your cookie consent preference
- Collect anonymised analytics data via Google Firebase Analytics
By continuing to use the Platform after accepting our cookie notice, you consent to this use. You can clear local storage and cookies through your browser settings at any time, though this will log you out and reset your preferences.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with Platform services. If you request account deletion, we will remove or anonymise your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing agreements).
8. Your Rights
Under UK GDPR you have the following rights in relation to your personal data:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion of your personal data (subject to legal obligations to retain)
- Restriction — request that we restrict processing of your data in certain circumstances
- Portability — receive a copy of your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw it at any time via Settings
To exercise any of these rights, please contact us at info@close2source.com. We will respond within one calendar month as required by UK GDPR Article 12.
Right to complain: If you believe we have not handled your personal data in accordance with the law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint or by calling 0303 123 1113. We would, however, appreciate the chance to address your concerns before you contact the ICO.
9. Children's Privacy
The Platform is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
10. Third-Party Links
The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policies of any external services you visit.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Effective Date” at the top of this page. We encourage you to review this policy periodically. Continued use of the Platform after changes are posted constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us: