Privacy Policy
Last updated: April 2026
Kinsman & Co (“we”, “our”, “us”) operates the Insights Dashboard at kinsman-insights.com. This policy explains how we collect, use, store, and protect your personal data when you use our platform. We are committed to transparency and to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data We Collect
We collect the following categories of information:
Account Information
- Name, email address, and password (hashed) when you register
- Organisation name, role, and billing details
Marketing Platform Data
When you connect your advertising and analytics accounts via OAuth, we retrieve performance data from the following platforms:
- Google Ads — campaign metrics, spend, conversions
- Meta Ads — campaign metrics, spend, conversions
- LinkedIn Ads — campaign metrics, spend, conversions
- Google Analytics 4 (GA4) — sessions, traffic sources, conversions
- Google Search Console — search queries, clicks, impressions
- Shopify — orders, revenue, product performance
We only access the data necessary to provide dashboard insights. We do not access your customers’ personal data through these integrations.
Usage Data
- Pages visited, features used, and interaction patterns within the dashboard
- Browser type, device information, and IP address
- We log IP addresses in our audit trail for security monitoring and abuse prevention. These logs are retained for 90 days.
2. How We Use Your Data
- Analytics dashboard: Aggregating and displaying your marketing performance data in a unified view
- AI-powered insights: Generating actionable recommendations based on your performance data using artificial intelligence
- Creative generation: Producing ad copy, images, and video assets aligned to your brand guidelines
- Scheduled reports: Compiling and delivering PDF performance reports via email
- Alerts and notifications: Detecting anomalies in your data and notifying you of significant changes
- Account management: Authentication, billing, support, and service communications
3. Legal Basis for Processing
Under the UK GDPR, we process your data on the following legal bases:
- Contract: Processing necessary to provide you with the services you have subscribed to
- Legitimate interest: Improving our platform, detecting errors, and ensuring security
- Consent: Where you have explicitly opted in, such as marketing communications or push notifications
4. Data Storage and Security
Your data is stored using the following infrastructure:
- Database: PostgreSQL hosted on Neon, with encryption at rest and in transit
- Application hosting: Vercel, with edge network distribution and HTTPS enforcement
- File storage: Vercel Blob for uploaded assets (logos, images, fonts)
We implement appropriate technical and organisational measures to protect your data, including encrypted connections (TLS), hashed passwords (bcrypt), and role-based access controls.
5. Third-Party Services
We share data with the following third-party services, each acting as a data processor on our behalf:
- Stripe — Payment processing and subscription management. Stripe processes your payment details directly; we do not store card numbers.
- Google, Meta, and LinkedIn OAuth — Authentication and authorised access to your advertising accounts. We store access tokens securely and only request the minimum required scopes.
- OpenAI — AI-powered insights, copy generation, and image generation. Aggregated performance data may be sent to OpenAI’s API for processing. OpenAI does not use this data to train its models under our agreement.
- Anthropic — AI-powered asset analysis using Claude. Uploaded brand assets may be analysed for categorisation.
- Sentry — Error tracking and performance monitoring. Sentry may receive technical error data including stack traces and request metadata.
- Gleap — Customer feedback and support platform. Collects feedback submissions, browser information, and interaction data to help us improve our service. Data is processed by Gleap GmbH under their privacy policy.
- Vercel Analytics — Privacy-friendly web analytics service. Collects anonymised page view and interaction data (no cookies, no cross-site tracking). Data is processed by Vercel Inc.
- Vercel Speed Insights — Performance monitoring service. Collects Web Vitals metrics (page load times, interactivity, visual stability) to help us optimise platform performance. No personally identifiable information is collected. Data is processed by Vercel Inc.
6. Cookies
We use the following cookies:
- Session cookie (__Secure-authjs.session-token) — Essential for authentication. This is a secure, HTTP-only cookie that maintains your logged-in session. It expires when your session ends or after 30 days of inactivity.
- CSRF token — Essential for protecting against cross-site request forgery attacks.
- MFA verification cookie — A session cookie used to confirm successful multi-factor authentication. This cookie expires when you close your browser.
We do not use advertising or cross-site tracking cookies. Vercel Analytics uses a privacy-friendly, cookieless approach that does not track users across websites.
7. Data Retention
We retain your data for as long as your account is active and as needed to provide our services:
- Account data: Retained for the duration of your subscription, plus 90 days after cancellation to allow for reactivation
- Marketing performance data: Retained for up to 24 months to support historical comparisons and trend analysis
- Creative assets: Retained until you delete them or close your account
- Billing records: Retained for 7 years as required by UK tax law
8. Your Rights
Under the UK GDPR, you have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of any inaccurate or incomplete data
- Deletion: Request deletion of your personal data, subject to legal retention requirements
- Portability: Request your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interest
- Restriction: Request restriction of processing in certain circumstances
To exercise any of these rights, contact us at info@kinsmanco.com. We will respond within 30 days.
9. Data Deletion
You can delete your account and associated data at any time by contacting us. Upon receiving a deletion request, we will:
- Delete your account and authentication credentials
- Remove all stored marketing platform data and OAuth tokens
- Delete uploaded creative assets from our storage
- Retain only billing records as required by law
Deletion is typically completed within 30 days of your request.
10. International Data Transfers
Some of our third-party processors (including Vercel, OpenAI, and Stripe) operate in the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.
11. Children’s Privacy
Our service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
12. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you via email or through a notice on the dashboard. Continued use of the platform after changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this privacy policy or how we handle your data, please contact us:
Kinsman & Co
Email: info@kinsmanco.com
Website: kinsmanco.com
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.