Privacy Policy

Last updated: 4 March 2026 · Effective: 4 March 2026

This Privacy Policy explains how HANDSOM LTD (company number NI733489), trading as Handsom ("Handsom", "we", "us"), collects, uses, shares, and protects personal data when you use our platform at handsom.ai and app.handsom.ai.

We are the data controller for the personal data described in this policy. Our registered address is 18 The Baths Ormeau Avenue, Belfast, United Kingdom, BT2 8HS. You can contact us about privacy matters at [email protected].

Note: If you are a user of an application built by a Handsom customer (rather than a direct Handsom customer), the operator of that application is the data controller for your data. Please contact them directly about your rights.


1. What Personal Data We Collect

1.1 Account and identity data

When you register for a Handsom account we collect:

  • Name and email address
  • Password (stored as a secure hash; we never store your password in plain text)
  • Profile information you choose to provide
  • Billing name and address for paid subscriptions

1.2 Usage and technical data

When you use the platform we automatically collect:

  • Log data: IP address, browser type and version, pages visited, timestamps, referring URLs
  • Device data: operating system, screen resolution, language settings
  • Session data: how you interact with the workflow builder and platform features
  • Performance data: response times, errors, and crash reports (via Sentry)

1.3 Workflow and application data

When you build workflows and applications on Handsom we process:

  • Workflow configurations and node settings you create
  • Generated Code produced by the platform from your workflow configurations
  • Credentials and API keys you provide for third-party integrations (see section 6)
  • Database schemas and records you create within your customer environment

1.4 Payment data

Payment card details are collected and processed directly by Stripe. We receive only a tokenised reference and limited billing details (last four digits, card type, billing address). We do not store full card numbers.

1.5 Communications data

We collect and retain communications you send to us, including support requests, feedback, and email correspondence.


2. How and Why We Use Your Data

The table below summarises our processing activities, the legal basis for each, and how long we retain the data.

| Category of data | Purpose | Legal basis | Retention | Third parties |
| --- | --- | --- | --- | --- |
| Account data (name, email, password hash) | Creating and managing your account; authentication | Contract performance (Art. 6(1)(b) UK GDPR) | Duration of account + 90 days after closure | Auth provider (Better Auth) |
| Billing data | Processing subscription payments; invoicing | Contract performance (Art. 6(1)(b)) | 7 years (tax/accounting obligations) | Stripe |
| Usage and log data | Platform security; fraud prevention; service improvement | Legitimate interests (Art. 6(1)(f)) | 12 months | Sentry (error monitoring); infrastructure providers |
| Workflow configurations and Generated Code | Providing the platform service; executing workflows | Contract performance (Art. 6(1)(b)) | Duration of account + 90 days | Railway (server); Vercel (client); AWS |
| Credentials/API keys | Enabling third-party integrations you configure | Contract performance (Art. 6(1)(b)) | Until you remove them or close your account | Encrypted at rest; not shared |
| Support communications | Responding to enquiries; improving support quality | Legitimate interests (Art. 6(1)(f)) | 3 years | Internal only |
| Aggregated anonymised usage data | Platform analytics; product development; AI model improvement | Legitimate interests (Art. 6(1)(f)) | Indefinite (not personal data once anonymised) | Internal only |


3. Cookies and Tracking

We use cookies and similar technologies to operate the platform, remember your preferences, and understand how the platform is used. You can manage cookie preferences through your browser settings or our cookie banner.

| Type | Name / provider | Purpose |
| --- | --- | --- |
| Essential | Session cookie | Keeps you logged in; required for the platform to function |
| Essential | CSRF token | Security: prevents cross-site request forgery attacks |
| Analytics | Sentry | Error and performance monitoring to identify and fix bugs |
| Analytics | Internal analytics | Aggregated usage statistics to improve the platform |


4. Sharing Your Data

We do not sell your personal data. We share data only in the following circumstances:

4.1 Infrastructure and service providers

We share data with the following sub-processors who provide infrastructure to operate the platform:

| Provider | Location | Purpose |
| --- | --- | --- |
| Railway | USA (AWS us-east-1) | Server hosting and managed PostgreSQL database |
| Vercel | USA / Global CDN | Client application hosting and CDN |
| Amazon Web Services | USA / EU | EventBridge (scheduling), S3 (file storage), SQS (messaging) |
| Stripe | USA | Payment processing and subscription management |
| Resend | USA | Transactional email delivery |
| Sentry | USA | Error monitoring and performance tracking |
| Better Auth | Self-hosted on Railway | Authentication and session management |

4.2 Legal disclosures

We may disclose personal data to law enforcement, regulatory authorities, or courts where required by applicable law or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Handsom, our users, or others.

4.3 Business transfers

If Handsom is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will provide notice before your data is transferred and becomes subject to a different privacy policy.


5. International Transfers

Several of our sub-processors are based in the United States. Where we transfer personal data outside the UK or EEA, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (the UK IDTA) or the European Commission, or we rely on the adequacy decisions where applicable.

A list of our sub-processors and the transfer mechanisms in place is available on request at [email protected].


6. Credentials and API Keys

When you provide API keys, secrets, or other credentials for integration with third-party services (such as Stripe, Resend, or S3), these are:

  • Encrypted at rest using industry-standard encryption
  • Handled at the platform infrastructure layer and not exposed to AI agents or other users
  • Accessible only by the platform's workflow execution engine to carry out the integrations you have configured
  • Never used for any purpose other than executing your workflows

You are responsible for ensuring that credentials you provide are scoped appropriately (minimum required permissions) and are rotated regularly.


7. Data Retention

We retain your personal data only for as long as necessary to provide the platform services and to comply with our legal obligations. The key retention periods are:

  • Account data: retained for the duration of your account, plus 90 days after closure to allow data export
  • Billing records: retained for 7 years to comply with tax and accounting obligations
  • Usage logs and error data: retained for 12 months
  • Support communications: retained for 3 years
  • Anonymised, aggregated usage data: retained indefinitely (this is not personal data)

After the applicable retention period, your data is securely deleted or irreversibly anonymised.


8. Your Rights

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

| Right | What it means |
| --- | --- |
| Access | You can request a copy of the personal data we hold about you. |
| Rectification | You can ask us to correct inaccurate or incomplete personal data. |
| Erasure | You can ask us to delete your personal data in certain circumstances, including where it is no longer necessary for the purpose for which it was collected. |
| Restriction | You can ask us to restrict processing of your personal data in certain circumstances, such as while we investigate an accuracy dispute. |
| Portability | You can request your personal data in a structured, machine-readable format for transfer to another service. |
| Objection | You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds that override your interests. |
| Withdraw consent | Where processing is based on consent, you can withdraw that consent at any time without affecting the lawfulness of processing before withdrawal. |

To exercise any of these rights, contact us at [email protected]. We will respond within one month. We may need to verify your identity before processing your request. You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data lawfully.


9. Children

The platform is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13 without appropriate consent, we will delete that data promptly. Please contact us at [email protected] if you believe we may have collected data from a child under 13.


10. Security

We implement technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These include:

  • Encryption of data in transit (TLS) and at rest
  • Access controls limiting staff access to personal data on a need-to-know basis
  • Secure credential handling through platform infrastructure (credentials are not exposed to AI agents)
  • Error monitoring and alerting via Sentry
  • Regular security reviews of our infrastructure and third-party integrations

No security measure is absolute. In the event of a personal data breach, we will notify affected users and the ICO as required by the UK GDPR (within 72 hours of becoming aware of the breach where required).


11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice on the platform at least 14 days before the changes take effect. The current version is always available at app.handsom.ai/privacy-policy.


12. Contact Us

For any questions about this Privacy Policy or to exercise your rights, contact us at:

HANDSOM LTD (trading as Handsom)
Company number: NI733489
18 The Baths Ormeau Avenue, Belfast, United Kingdom, BT2 8HS
Privacy enquiries: [email protected]
Website: handsom.ai