Legal

Privacy Policy

How we collect, use, and protect your personal data.

Last updated: March 3, 2026

Contents

  • 01 Information We Collect
  • 02 How We Use Your Information
  • 03 Marketing Communications
  • 04 Data Retention
  • 05 Third-Party Services
  • 06 Your Rights
  • 07 Security
  • 08 Contact Us

GOOBLR is the data controller responsible for your personal data ("we", "our", or "us"). We respect your privacy and are committed to protecting it in accordance with UK data protection law (UK GDPR and the Data Protection Act 2018). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services. For details on the cookies we use, see our Cookie Policy.

01

Information We Collect

  • Account Data: When you register, we collect your name, email address, and authentication credentials (including OAuth IDs from Google, GitHub, or Discord).
  • Contact Data: When you fill out our contact forms, we collect your name, email, phone number, company name, and the contents of your message.
  • Project & Order Data: When you use our package builder or request a quote, we collect project briefs, reference URLs, budget information, and technical requirements.
  • Technical Data: We automatically collect device and usage information such as IP address, browser characteristics, operating system, language preferences, and referring URLs. We also use cookies and similar technologies; see our Cookie Policy for full details.
  • AI Design Data: When you use the AI Web Designer tool in your dashboard, we collect the natural language prompts you enter, the HTML layouts generated in response, and the multi-turn conversation history for that session. This data is stored to maintain context and to allow you to return to previous designs.
  • Message Attachments: Files uploaded as attachments within project conversations are stored along with their filename, file type, size, and storage URL. These are collected solely to facilitate communication between you and the GOOBLR team on your project.
  • Two-Factor Authentication (2FA) Data: If you enable two-factor authentication on your account, we store a cryptographic TOTP secret key and a set of one-time backup codes. These are stored solely for authentication verification and are not used for any other purpose.
  • Marketing Preferences: Whether you have opted in to receive marketing emails, the date of your consent or withdrawal, and a unique unsubscribe token used to manage your preferences without logging in.

02

How We Use Your Information

  • To facilitate account creation and login.
  • To provide, operate, and maintain our services.
  • To process your transactions and send confirmations and invoices.
  • To respond to your enquiries and provide support.
  • To protect our services via fraud monitoring and bot prevention (Cloudflare Turnstile).
  • To operate the AI Web Designer tool: your prompts and session history are transmitted to a third-party AI service provider to generate layout outputs and stored to maintain conversation context across sessions.
  • To send you marketing communications including blog posts, guides, insights, and company news where you have given your explicit consent.

Lawful Basis for Processing (UK GDPR Art. 6)

Data Category | Lawful Basis
Account Data | Performance of a contract
Contact & Enquiry Data | Legitimate interests (responding to enquiries)
Project & Order Data | Performance of a contract
Invoice & Accounting Records | Legal obligation (tax and accounting law)
Technical / Usage Data | Legitimate interests (security and site performance)
Analytics Data (Microsoft Clarity) | Consent
AI Design Data | Performance of a contract
Message Attachments | Performance of a contract
Two-Factor Authentication Data | Performance of a contract (account security)
Marketing Communications | Consent (Article 6(1)(a) UK GDPR) — you may withdraw consent at any time via the unsubscribe link in any marketing email or through your account settings.

03

Marketing Communications

Where you have given your explicit consent, we may send you marketing emails to let you know about new blog posts, guides, insights, and company updates.

  • Consent is opt-in only. You can subscribe at registration or at any time via your dashboard settings. We never pre-tick consent checkboxes.
  • Every marketing email contains a one-click unsubscribe link. You do not need to log in to unsubscribe.
  • You may withdraw consent at any time via the unsubscribe link in any email or through your account settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Transactional emails are not marketing. Invoices, order updates, payment confirmations, security alerts, and email verification messages are sent under contractual or legitimate interest grounds and are not affected by your marketing preference.
  • Consent records (opt-in/opt-out status and timestamp) are retained for the duration of your account to demonstrate compliance with UK GDPR Article 7.

04

Data Retention

We only keep your personal data for as long as necessary for the purposes set out in this notice, unless a longer period is required by law.

Account Data

Retained for the lifetime of your account. Deleted within 30 days of account closure.

Contact Form Submissions

Retained for up to 2 years for customer service purposes.

Order & Invoice Data

Retained for 7 years to comply with tax and accounting laws.

AI Design Outputs & Conversation History

Retained for the lifetime of your account. Deleted within 30 days of account closure.

Message Attachments

Retained for the duration of the associated project, and for up to 12 months after project closure.

Marketing Consent Records

Your opt-in/opt-out status and timestamps are retained for the duration of your account. If your account is deleted, consent records are purged alongside all other account data.

05

Third-Party Services

We share data with third-party providers only where necessary to deliver our services.

Stripe: Payments

We use Stripe for secure payment processing. We do not store full card details on our servers.

Cloudflare Turnstile: Security

Used to protect our forms from spam and abuse.

OAuth Providers: Authentication

Google, GitHub, and Discord are used as optional login methods.

Microsoft Clarity: Analytics & Heatmapping

We use Microsoft Clarity to understand how visitors interact with our website through session recordings, heatmaps, and click/scroll analytics. Clarity scripts are loaded only after you explicitly accept analytics cookies via our consent banner; if you decline or withdraw consent, Clarity will not activate. Clarity does not store personally identifiable information and does not use the data it collects for advertising. The lawful basis for this processing is your consent. For more information, see Microsoft's Privacy Statement.

AI Service Provider: Web Designer Tool

When you use the AI Web Designer tool, your natural language prompts are transmitted to a third-party AI service provider to generate layout responses. This provider acts as a data processor on our behalf. Prompts and conversation data are not retained by the provider beyond what is necessary to generate a response. This transfer may involve international data processing; we ensure appropriate safeguards are in place via contractual protections.

Image Provider: Web Designer Tool

The AI Web Designer tool may optionally query a third-party image provider to return contextually relevant stock imagery based on your design prompts. No personally identifiable information is transmitted to this provider.

International Transfers

Some of the above third parties (Stripe, Google, GitHub, Discord, AI service providers) are headquartered outside the UK. Where your data is transferred internationally, we rely on the recipient's participation in an approved adequacy framework or their use of UK-approved Standard Contractual Clauses (SCCs) to ensure your data receives equivalent protection. You can obtain further details by contacting us at privacy@gooblr.com.

06

Your Data Protection Rights

Under UK GDPR you have the following rights in relation to your personal data. To exercise any of these rights, contact us at privacy@gooblr.com. We will respond within one calendar month.

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Ask us to correct inaccurate or incomplete data.
  • Erasure ("Right to be Forgotten"): Request deletion of your data where there is no longer a legal basis to retain it.
  • Restriction of Processing: Ask us to pause processing your data while a dispute is resolved.
  • Data Portability: Where processing is based on consent or contract and carried out automatically, receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests, or to direct marketing at any time.
  • Automated Decision-Making: Not be subject to decisions made solely by automated processing that produce significant legal or similarly significant effects on you.

Right to Lodge a Complaint with the ICO

If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint or by calling 0303 123 1113. We would appreciate the chance to address your concerns first.

07

Security of Your Information

We use administrative, technical, and physical security measures to help protect your personal data. While we have taken reasonable steps to secure the information you provide, no security measures are perfect or impenetrable.

08

Contact Us

Questions about this policy? Email us at privacy@gooblr.com.