Privacy Policy

Version 0.1-draft · Effective 4 June 2026 · Operator: Andrei Trimbitas trading as Old Forge Technologies

Draft pending legal review. Felgate is finalising these terms with a solicitor. They are published for transparency; the binding version will carry a confirmed effective date.

This Privacy Policy explains how Andrei Trimbitas trading as Old Forge Technologies ("Felgate", "we", "us") handles personal data for which we are the controller: the data of practitioners who hold an account, their billing data, and visitors to our websites (felgate.co.uk, app.felgate.co.uk).

Scope note. When a practitioner uses Felgate to manage their clients, the practitioner is the data controller for their clients' data and we are the processor. That processing is governed by our Data Processing Agreement and the practitioner's own privacy notice - not by this policy. If you are a client of a practitioner, please refer to that practitioner's privacy information.

1. Who we are and how to contact us

Controller: Andrei Trimbitas trading as Old Forge Technologies, The Old Forge, Newmarket Road, Kennett, CB8 7PP, United Kingdom. Privacy contact: legal@felgate.co.uk.

2. The data we collect (as controller)

  • Account data - name, email, practice name, subdomain, password (hashed), MFA settings, role and preferences.
  • Billing data - plan, subscription status and payment metadata. Card details are handled by Stripe; we do not store full card numbers.
  • Usage and technical data - log data, IP address, device/browser information and actions taken in the control plane, used to run, secure and improve the Service.
  • Communications - emails and support messages you send us.

In our capacity as controller we do not seek to collect your clients' special-category health data for our own purposes; that data belongs to your tenant and is processed under the DPA.

3. Why we use it, and our lawful basis

Purpose | Lawful basis (UK GDPR)
Create and run your account, provide the Service | Contract (Art 6(1)(b))
Take payment, manage subscriptions, prevent fraud | Contract; Legal obligation; Legitimate interests
Secure the platform, prevent abuse, keep logs | Legitimate interests (Art 6(1)(f))
Support and service communications | Contract; Legitimate interests
Product analytics and improvement | Legitimate interests
Marketing emails to practitioners (not clients) | Consent or soft opt-in; unsubscribe anytime
Comply with law, respond to lawful requests | Legal obligation

4. Cookies and similar technologies

We use only strictly-necessary cookies to run the Service: a session cookie to keep you logged in; a "remember me" cookie (up to 30 days) if you choose it; and a CSRF token to protect forms. These are exempt from consent under PECR because they are essential to a service you have requested. We do not use advertising or third-party tracking cookies, and we do not currently use analytics cookies. If we introduce non-essential cookies we will ask for your consent first through a cookie banner and update this policy.

5. Who we share it with

Recipient | Purpose | Location / safeguard
Stripe | Payment processing | Safeguarded under UK transfer mechanisms
IONOS | Domain / DNS for tenant subdomains | UK / EU
Email provider | Transactional & onboarding email | UK / EU preferred
Backup provider (if used) | Encrypted off-site backups | UK / EU preferred
Professional advisers, authorities | Legal, accounting, regulatory | As required by law

Core hosting is self-managed by Andrei Trimbitas trading as Old Forge Technologies, which limits the number of third parties touching the data. We do not sell personal data. A current sub-processor list for client data is in the DPA.

6. International transfers

Where a recipient processes data outside the UK we rely on an approved transfer mechanism (UK adequacy regulations or the International Data Transfer Agreement / UK Addendum to the EU SCCs) and, following the Data (Use and Access) Act 2025, apply the "not materially lower" protection test. We prefer UK/EU regions for email and backups.

7. How long we keep it

We keep account and billing data while you have an account, then only as long as needed for legal, accounting and tax purposes (generally up to 6-7 years for financial records). Logs are kept for a limited period for security. Retention of your clients' data is governed by your tenant settings and the DPA.

8. Your rights

Under UK data protection law you can ask to access, rectify, erase or restrict your personal data, to object to certain processing, to portability, and to withdraw consent. Contact legal@felgate.co.uk; we respond within statutory timescales. You can also complain to the ICO (ico.org.uk), though we would appreciate the chance to help first. If your request concerns data held in your clients' records, you are the controller - use the in-product export and erasure tools.

9. Security

We protect personal data with encryption in transit (TLS) and at rest (special-category fields encrypted with per-tenant keys), access controls, multi-factor authentication, tenant isolation, monitoring and backups. No system is perfectly secure; we keep our measures under review. Our security commitments to practitioners as a processor are set out in the DPA.

10. Children

The Service is for practitioners (adults) and is not directed at children. Where a practitioner's client is a minor, the practitioner is the controller and is responsible for the appropriate consent and safeguards.

11. Changes

We may update this policy. The version and effective date are at the top. Material changes will be notified by email or in-product.


Questions about this document? Contact legal@felgate.co.uk.

© 2026 Felgate · An Old Forge Technologies venture