Privacy Policy

What personal data we collect, why, where it's processed, and how to exercise your rights under the GDPR + equivalent laws.

v1.0 · last updated 2026-05-19

01

Who we are

Cuelist (referred to below as "we" / "us") provides a SaaS platform for theatre script annotation, cue management, and live booth collaboration. We act as the data controller for personal data relating to user accounts and platform operation, and as a data processor for content uploaded by customers (see the DPA for the processor relationship).

Contact: privacy@cuelist.dev.

02

Data we collect

The categories of personal data we collect are:

  • Account identity — name, email address, hashed password (or OAuth provider id where SSO applies), preferred language, theme preference.
  • Organisation membership — which organisations a user belongs to, role within each, and timestamps of joining / last activity.
  • Billing data — organisation billing email, company name and address (for tax purposes), and payment-method metadata (card brand, last four digits — full PAN held by Stripe, never by us).
  • Customer Content — scripts (PDFs), annotations, cues, comments, and any other content uploaded to a project. Acting as processor — see DPA.
  • Live presence — during a collaboration session, we relay user identity, viewport pointer, and avatar colour to other peers in the same project room.
  • Operational logs — request metadata (IP, user agent, timestamps), application errors, queue + cron health. Used for security and debugging.

03

Why we process it (lawful basis)

Under Articles 6 and 9 of the GDPR we rely on:

  • Performance of a contract — to deliver the Cuelist service that the customer (or their organisation) has signed up for.
  • Legitimate interests — for security, abuse prevention, debugging, basic product analytics (aggregated counts of feature usage, not individual tracking), and operational logging. We balance these interests against the user's privacy expectations and only retain what we need.
  • Legal obligation — to retain billing records for tax + accounting purposes for as long as required by applicable law.
  • Consent — for any optional analytics that could identify an individual. We don't load such tools without explicit opt-in via the cookie banner.

04

Sub-processors

We use the following sub-processors to deliver the service. Customers receive notice via this page when the list changes materially.

Sub-processor | Purpose | Region
Cloudflare, Inc. | Application hosting (Workers), database (D1), object storage (R2), queues, KV, Durable Objects, transactional email delivery (the Workers send_email binding — invites, magic links, exports, billing notifications), consent-gated privacy-friendly web analytics (no cookies, no cross-site identifiers), and global edge delivery. | Global (with EU regional bias)
Stripe Payments Europe Ltd. | Subscription billing, payment processing, tax calculation, customer portal, and invoicing. | IE, US
Functional Software, Inc. (Sentry) | Application error monitoring and performance tracing for the web app and live-collaboration service. Receives error traces and request metadata; not used for Customer Content. | US

05

Where data lives

Customer Content is stored in Cloudflare's global storage primitives (D1 + R2) with EU regional bias. Operational logs and metadata are processed at the edge nearest the request. Billing data is processed by Stripe under their global compliance regime (EU + US processing).

06

Retention

We keep personal data only as long as necessary:

  • Account data — for the life of the account, plus 14 days after account deletion (the soft-delete window during which the account can be restored).
  • Customer Content — until deleted by the customer, plus 14 days after account deletion or 30 days after organisation deletion. Backups age out within 90 days.
  • Audit log — 13 months for Starter and Pro; 7 years for Enterprise customers (configured per contract).
  • Billing records — retained for the period required by tax law in the jurisdictions we operate in (typically 5–7 years).

07

Your rights

Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to lodge a complaint with a supervisory authority. To exercise these rights, email privacy@cuelist.dev and we will respond within 30 days. We will require enough information to verify your identity before acting on a request.

Most rights can be exercised directly via Settings → Account (export, delete). Account deletion triggers a 14-day soft-delete window before permanent erasure.

08

Cookies + similar tech

We use cookies sparingly. The categories:

  • Strictly necessary — session cookie (Better Auth), active-org cookie, theme preference, locale. Set without consent because the service can't function without them.
  • Analytics — Cloudflare Web Analytics, loaded only after you opt in via the cookie banner. It sets no cookies and uses no cross-site identifiers; absent consent, the beacon is never sent.

09

Children

Cuelist is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@cuelist.dev and we will delete it.

10

Changes to this policy

We will post material changes here with an updated version number and notify customers via the in-app inbox + the billing contact's email address.