Gumly LogoAll Legal Docs
Back to Home

Privacy Policy (UK)

Legal Document

Last updated: 1 June 2026

1. Who we are

Gumly Limited, company no. 16949574, 71-75 Shelton Street, London, England, WC2H 9JQ ("Gumly", "we", "us", "our") provides an AI-assisted marketing platform at www.gumly.ai and related applications (the "Service").

For UK data protection law, Gumly Limited is the data controller for personal data described in this policy. If you have questions or wish to exercise your rights, contact us at privacy@gumly.ai.

2. What data we collect

2.1 Account data

  • Email address, password (stored securely by our authentication provider), name, company name, phone
  • Account type (e.g. business or agency), sign-in history, and profile preferences
  • Marketing attribution fields (e.g. UTM parameters) linked to your account where provided

2.2 Signup and pre-account data

  • Information you submit before or during registration: website URL, industry, business description, target market, services, unique selling points, plan selection, and website analysis outputs
  • Waiting-list and early-access applications (email, name, business details, estimated ad spend)
  • Job applications and optional feedback forms (e.g. marketing challenges)

2.3 Google Ads and connected platform data

When you connect Google Ads, we may collect and process:

  • OAuth tokens (encrypted), connected account ID and name, and the Google account email used for the connection
  • Advertising data retrieved via the Google Ads API, such as campaign and ad group structure, performance metrics, spend, keywords, search terms, conversion-related signals, and account status (including billing issue indicators reported by Google)
  • Diagnosis and recommendation outputs we generate from that data (stored so you can view results in the product without re-fetching every time)

2.4 Internal product analytics (first-party)

  • Product usage events (e.g. signup steps, feature use, errors) with session identifiers, surface/page context, and sanitized properties
  • Session engagement summaries (e.g. time active, views per session)
  • Anonymous landing-page metrics (scroll depth, time on page, conversion to waitlist/signup)
  • Technical metadata: browser user-agent string and country derived from infrastructure headers (we do not store full IP addresses in our analytics tables)

See our Cookie & Tracking Notice for how browsers store related identifiers locally.

2.5 Billing and payment data

  • Subscription status, plan, billing period, and Stripe subscription identifiers stored in our database
  • Payment card and bank details are collected and processed by Stripe — we do not store full card numbers on our servers

2.6 Support and communications

  • Emails and messages you send to us (e.g. support@gumly.ai)
  • In-product questions submitted to our AI consultation feature (question and generated answer)
  • Optional email on feedback or challenge forms

2.7 Security and error logs

  • Security audit records (e.g. sign-in events, OAuth events, API request path/method, IP address, user-agent)
  • Application logs on our hosting provider for reliability and incident response

3. Why we collect data (purposes and lawful bases)

Under UK GDPR we rely on the following bases, depending on the activity:

  • Contract — to provide the Service, manage your account, connect platforms, run diagnostics, and process subscriptions you purchase
  • Legitimate interests — to secure the Service, prevent abuse, improve product quality, understand aggregated usage, and support business operations (balanced against your rights)
  • Consent — where required (e.g. accepting Terms & Privacy at signup, connecting Google Ads, optional marketing communications, or non-essential cookies if we introduce them in future). When you give consent, we may log the acceptance with a timestamp, IP address or IP country, and browser user-agent for audit purposes.
  • Legal obligation — where we must retain or disclose data to comply with law

4. Google Ads access

If you choose to connect Google Ads, you authorise Gumly to access your Google account using OAuth scopes including the Google Ads API (adwords) and your Google account email (userinfo.email).

  • Why: To display account and campaign data, run ads performance checks, generate recommendations, and (where you approve) apply changes you request in the product
  • Storage: OAuth tokens are encrypted at rest; advertising metrics and diagnosis snapshots are stored in our database linked to your user and business records. When you disconnect Google Ads, OAuth tokens and credentials are deleted promptly; cached campaign snapshots may be retained so you can view past results if you reconnect or for product analytics until account deletion.
  • Control: You can disconnect Google Ads in account settings; you can revoke access in your Google Account permissions
  • Sharing: Data is shared with Google when we call the Google Ads API on your behalf. We may send relevant excerpts to AI providers (see Section 5) to generate explanations and recommendations — not to sell your data

Gumly is not affiliated with Google. Your use of Google Ads remains subject to Google's terms and policies.

5. Internal tracking

We use first-party analytics to understand how the product is used and to improve onboarding and reliability. In Phase 1 we do not use third-party analytics cookies (such as Google Analytics) on the marketing site or app.

Events are sent to our own systems and stored in our database. We use allowlisted event names and limit the properties attached to each event. Pre-authentication activity can be linked to your account after signup using an anonymous identifier.

Gumly may use aggregated and anonymised campaign performance patterns to improve its recommendations, analytics, and product quality. Gumly does not use OAuth tokens, payment data, customer lists, or directly identifying personal data for AI training.

6. Billing and payment data

Paid plans are processed by Stripe. Stripe acts as an independent controller/processor for payment data under its own privacy policy. We receive confirmation of payment status, subscription identifiers, and metadata needed to activate and manage your plan. Refund and cancellation handling is described in our Terms & Conditions.

7. Who we share data with

We do not sell your personal data. We share data only as needed to run the Service:

Access to production customer data within Gumly is restricted to our engineering team on a least-privilege basis for operating, securing, and improving the Service.

  • Infrastructure: Supabase (database, authentication, file storage), Google Cloud (application hosting), Cloudflare (CDN, DDoS protection, and edge routing)
  • Payments: Stripe
  • Advertising platforms: Google (and others if you connect them) when you request integrations
  • AI providers: OpenAI and/or Anthropic when generating recommendations, website analysis, or consultation responses
  • Email: Resend for transactional messages
  • Legal: Authorities or advisers if required by law or to protect rights and safety

8. International transfers

Some providers may process data outside the UK (including in the United States). Where required, we use appropriate safeguards such as the UK International Data Transfer Agreement or EU Standard Contractual Clauses offered by our suppliers.

9. Data retention

We keep data only as long as needed for the purposes above, including:

Data typeTypical retention
Account & business profileWhile your account is active; deleted or anonymised after account deletion, subject to legal holds
Pre-signup draftsUp to 24 hours unless consumed at registration
Google Ads OAuth tokensWhile connected; deleted promptly when you disconnect Google Ads or delete your account
Google Ads cached snapshots & diagnosis dataMay be retained after disconnect for product functionality and analytics; deleted on account deletion
Product analytics eventsWhile account active, then up to 24 months; may be aggregated or deleted earlier
Billing recordsAs required for tax, accounting, and dispute resolution (often 6+ years)
Security audit logsUp to 12 months for security investigations, then deleted or aggregated
Browser attribution (local)Up to 30 days on your device

10. Security

  • Encryption in transit (TLS) and encryption at rest for sensitive tokens (AES-256 / Fernet)
  • Access controls and least-privilege for production systems
  • OAuth state validation for platform connections
  • Monitoring and audit logging for security-relevant events

More detail is available on our Security page.

11. Your rights (UK)

If you are in the UK, you may have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data in certain circumstances
  • Restrict or object to processing in certain circumstances
  • Data portability for data you provided, where applicable
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk

To exercise your rights, email privacy@gumly.ai. We will respond within one month in most cases (extendable where permitted by law).

12. Children

The Service is not intended for anyone under 18. We do not knowingly collect children's personal data.

13. Changes to this policy

We may update this policy from time to time. We will post the revised version on this page and update the "Last updated" date. Material changes may be notified by email or in-product notice where appropriate.

14. Contact

Privacy:privacy@gumly.ai

Support:support@gumly.ai