Legal
Privacy Policy
Last updated: 7 July 2026
1. Overview
This policy explains how Roastnet Ltd ("Roastnet", "we") collects and processes personal data when you visit roastnet.com, create a Roastnet workspace, use the Roastnet platform or the Factory desktop app, or interact with a roastery's storefront or cafe portal hosted on Roastnet.
Two roles matter. For data about our direct customers and site visitors (account details, billing, usage), Roastnet is the data controller. For personal data our customers store in their workspaces (their contacts, wholesale customers, storefront buyers), the roastery is the controller and Roastnet processes that data on their behalf.
2. What we collect
- Account data: name, email, company details, country, language.
- Billing data: plan, invoices and payment status. Card details are collected and stored by Stripe, not by us.
- Usage data: product interactions, device and browser information, and server logs used for security and reliability.
- Customer Data: content your workspace stores in the Service, processed under your instructions.
- Support communications you send us.
3. Why we process it (lawful bases)
- To provide the Service under our contract with you (Art. 6(1)(b) GDPR).
- To bill, secure and improve the Service — our legitimate interests (Art. 6(1)(f)).
- To meet legal obligations such as accounting and tax rules (Art. 6(1)(c)).
- With your consent where required, for example optional marketing emails (Art. 6(1)(a)); you can withdraw consent at any time.
4. GDPR rights
If you are in the UK or EEA you have the right to access, rectify and erase your personal data, to restrict or object to its processing, to data portability, and to withdraw consent. To exercise any of these rights, email [email protected] from the address associated with your account; we respond within one month. Where Roastnet acts as processor for a roastery's data, we will refer your request to the roastery and assist them in fulfilling it.
You also have the right to lodge a complaint with your supervisory authority — in the UK, the Information Commissioner's Office (ico.org.uk).
5. Sharing and subprocessors
We do not sell personal data. We share it only with service providers who process it for us under contract: cloud hosting and storage (Amazon Web Services, EU region), content delivery and DNS (Cloudflare), payments (Stripe), email delivery, and — only for workspaces that enable AI features — the AI model provider configured for that workspace. Each subprocessor is bound by data-processing terms.
6. International transfers
Production data is hosted in the United Kingdom/EU (AWS eu-west-2, London). Where a transfer outside the UK/EEA occurs (for example to a subprocessor operating globally), we rely on adequacy decisions or standard contractual clauses.
7. Retention
Account and billing records are kept for as long as your account exists and thereafter as required by law (typically 6 years for accounting records). Customer Data is retained while your workspace is active and is available for export for 30 days after termination, after which it is deleted from production systems; backups roll off on a fixed schedule.
8. Cookies and analytics
The marketing site uses privacy-respecting, cookieless analytics. The application uses strictly necessary cookies for authentication and session security. We do not use third-party advertising cookies.
9. Children
The Service is for businesses and is not directed at children under 16. We do not knowingly collect their data.
10. Changes and contact
We will post updates to this policy here and, for material changes, notify you through the Service. Contact our privacy team at [email protected].
Questions about these documents? Contact the team.