
Privacy Policy
Last updated: November 2025
This Privacy Policy explains how Suite & Sandstone (“we,” “our,” “us”) collects, uses, and protects information when you visit suiteandsandstone.com, interact with our content, or use any of our services, including dashboards, analytics, AI insights, automation, or pilot projects (collectively, the “Service”).
We are committed to protecting your privacy and complying with the UK GDPR, Data Protection Act 2018, and all applicable UK privacy regulations.
1. Who We Are
Suite & Sandstone
Website: suiteandsandstone.com
Email: hello@suiteandsandstone.com
Location: United Kingdom
We act as the Data Controller for information collected through our website and marketing activities, and as a Data Processor (or sub-processor) for information processed on behalf of clients during service delivery.
2. Information We Collect
A. Information You Provide to Us
This includes:
- Name, email, phone number, and company details
- Information submitted through website forms (e.g., units, PMS type, notes)
- Files you upload, such as spreadsheets or PMS exports
- Payment information (processed securely by Stripe or PayPal — we do not store card details)
- Communications through email, chat, or support channels
B. Information We Collect Automatically
When you use our website, we may automatically collect:
- IP address and approximate location
- Browser and device type
- Pages visited and time spent on site
- Referring URLs
- Analytics provided by Google Analytics or similar tools
This helps us improve performance and user experience.
3. Information We Do Not Want
We strongly request that you do not provide the following:
- Guest names
- Guest email addresses or phone numbers
- Government IDs or passport details
- Payment card numbers
- Sensitive personal data (e.g., health information, religious beliefs, ethnicity)
Our analytics and dashboards do not require PII.
If PII is accidentally submitted, we will securely delete it upon discovery.
4. How We Use Your Information
We may use your information to:
- Deliver dashboards, reports, alerts, and automations
- Set up and manage your pilot project or ongoing retainer
- Provide technical support and service updates
- Process payments and invoicing
- Improve our products and tools
- Communicate about service updates, schedules, or improvements
- Comply with legal obligations
We only use your data for purposes that are relevant and necessary.
5. Legal Bases for Processing
Under the UK GDPR, we process personal data using the following legal bases:
- Contract — to deliver the Service you purchase
- Legitimate interest — to maintain and improve our tools and communicate essential updates
- Consent — for optional marketing emails (you may withdraw consent at any time)
6. Data Sharing
We do not sell your data.
We only share data with third-party service providers when necessary to deliver the Service, such as:
- Google Workspace (file storage & communication)
- Make.com / Zapier (automation)
- Microsoft/Teams (notifications)
- Power BI / Looker Studio (dashboards)
- OpenAI APIs (AI insights using non-PII fields)
- Stripe / PayPal (secure payment processing)
- Wix (forms, hosting, analytics)
All third parties are GDPR-compliant or operate under approved safeguards.
7. AI Usage
When AI tools are used for insights:
- Only non-PII, whitelisted fields are sent to models
- We enforce strict input sanitisation
- Query logs are retained only for quality & security
- You may request deletion of all logs at any time
- Your data is not used to train any AI model
We treat data confidentiality as a core principle.
8. Data Retention
We retain data only as long as necessary:
- Client project files: up to 12 months after the end of engagement (unless earlier deletion is requested)
- Communications: up to 24 months
- Website analytics: 12–26 months
- Financial records: 6 years (legal requirement)
You may request deletion at any time.
9. Data Security
We use industry-standard security measures, including:
- Read-only access to client systems whenever possible
- Password-protected accounts and restricted permissions
- Encrypted cloud storage (Google Workspace)
- Daily backups and versioning
- Audit trails for key activities
While no system is completely impenetrable, we take data protection seriously and follow best practices.
10. Your Rights (UK GDPR)
You have the right to:
- Access your personal data
- Correct inaccurate information
- Request deletion (“right to be forgotten”)
- Restrict or object to processing
- Receive a copy of your data (data portability)
- Withdraw consent for marketing
To exercise any rights, contact: hello@suiteandsandstone.com
We respond within 30 days.
11. Cookies
We use cookies for:
- Analytics
- Performance optimisation
- Session management
You can manage or disable cookies via your browser settings.
Where required, we will request explicit consent for non-essential cookies.
12. International Data Transfers
Some tools we use may process data outside the UK or EEA.
When this occurs, we rely on:
- UK GDPR Standard Contractual Clauses (SCCs)
- UK International Data Transfer Addendum
- Adequacy Decisions
We ensure that your data receives an equivalent level of protection regardless of where it is processed.
13. Third-Party Links
Our website may link to external sites.
We are not responsible for their privacy practices or content.
You are encouraged to review their policies separately.
14. Children’s Privacy
Our Service is intended for businesses only.
We do not knowingly collect information from individuals under 18 years old.
15. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in regulation or our Service.
We will post updates on this page with an updated “Last Updated” date.
Continued use of the Service constitutes acceptance of the updated policy.
16. Contact Us
For privacy questions, data access requests, or concerns:
📧 hello@suiteandsandstone.com
🏢 United Kingdom
We take every privacy inquiry seriously and aim to respond promptly.