Privacy Policy
Last updated: 14 May 2026
This policy explains what data Postroom collects, why we collect it, how we use it, and the rights you have over it. It applies to everything we run under the postroom-hq.com domain, including postroom-hq.com, audit.postroom-hq.com, and any audit reports or outreach emails we send.
Postroom is a trading name of The Garden Network Limited, a company registered in England and Wales (Companies House 16552976). When this policy says “we”, “us”, or “Postroom”, that’s who it means. The Garden Network Limited is the data controller for all personal data described below.
1. What we collect
1.1 Contact form, audit form, and newsletter signup
When you submit the contact form, request an audit, or sign up to our newsletter on postroom-hq.com, we collect:
- Your name
- Your email address
- Your role, organisation, and list size (audit form only)
- Any message you write us
- Your Mailchimp read-only API key, if you choose to provide it
Form submissions are delivered to our team inbox via Resend. We do not store contact or newsletter submissions in a database. Audit submissions are processed as described in section 1.2.
1.2 Mailchimp audit data
If you connect your Mailchimp account by providing a read-only API key on audit.postroom-hq.com, we use that key to read aggregate programme data only:
- List size and growth rate
- Campaign send history over the last 90 days
- Aggregate open, click, bounce, and unsubscribe rates
- Automation titles and structure (not content)
- Segmentation and tag structure (counts, not member identities)
- Account-level deliverability and authentication settings
We do not read, retrieve, or store any individual subscriber email addresses, names, donor records, or other personally identifiable information from your Mailchimp account. The API key you provide is used in transit only and is not stored once the audit completes. If you provide an audit key, you should rotate or delete it in Mailchimp after your audit is done.
1.3 Newsletter content we audit
For our outbound charity-sector outreach (see section 2.3), we may read newsletters that a UK Muslim charity has sent publicly to us or to an archived list we have access to. Newsletters are public marketing content and contain no personal data of donors or subscribers. We score the newsletter against our audit framework and use the resulting observation in our outreach email.
1.4 Charity contact information
For B2B outreach to UK Muslim charity comms and fundraising leads, we maintain an internal contacts database sourced from:
- The UK Charity Commission public register
- Charity websites (publicly listed staff contact details)
- LinkedIn (publicly listed professional contact details)
- Newsletters the charity has chosen to send publicly
We hold name, professional email, role, and the charity they work for. We do not hold home addresses, personal phone numbers, or any special-category data.
1.5 Analytics
We use Plausible Analytics on postroom-hq.com and audit.postroom-hq.com. Plausible is a privacy-friendly analytics tool that does not use cookies, does not track you across sites, and does not collect any personal data. It records aggregate page views, referrers, and rough device/country information only.
1.6 Error tracking
We use Sentry to capture application errors so we can fix bugs. Sentry receives the URL where an error occurred and a stack trace. We have configured it to redact form input values and other potentially sensitive fields. Sentry does not receive your Mailchimp API key or any Mailchimp data.
2. How we use it, and our lawful basis
Under UK GDPR we must have a lawful basis for processing every piece of personal data. Ours are as follows.
2.1 Generating your audit report
Lawful basis: consent and contract. By submitting the audit form and providing your Mailchimp API key, you are asking us to run the audit. We use your contact details to deliver the report, and your Mailchimp data to generate it.
2.2 Responding to contact form and newsletter submissions
Lawful basis: consent. When you fill in our contact form or newsletter signup, you’re asking us to respond or to add you to our list. You can unsubscribe at any time using the link in any newsletter we send, or by emailing support@postroom-hq.com.
2.3 Outbound B2B outreach to UK Muslim charities
Lawful basis: legitimate interest. We send one-to-one personal emails to comms and fundraising leads at UK Muslim charities, offering to share an observation from one of their newsletters and the option of a free audit. We rely on legitimate interest under UK GDPR Article 6(1)(f) on the following basis:
- The recipients are professionals at registered charities, contacted at their work email about a service relevant to their job
- The contact details are publicly published by the charity or the individual themselves
- We send a personal one-to-one email, not a marketing broadcast
- Every email includes a clear opt-out and the basis on which we contacted you
- We honour opt-outs immediately and permanently across all our systems
If you’d rather not be contacted, reply with “unsubscribe” or email support@postroom-hq.com and we will remove you from our database. You can also object to our use of legitimate interest at any time (see section 5).
2.4 Improving our audit framework
Lawful basis: legitimate interest. We use the aggregate, de-identified output of audits we run (scores against the seven dimensions, identified gaps, recommendations generated) to improve our benchmark thresholds and our reporting framework. This use is aggregate only. We never expose one charity’s data to another, and we never use one charity’s data to generate another charity’s report.
3. Who we share it with (sub-processors)
Postroom does not sell, rent, or trade personal data. We share data with a small number of trusted infrastructure providers, each bound by data processing agreements:
- Vercel (USA, EU data residency where supported) — application hosting
- Supabase (EU region: eu-west-2, London) — database for audit runs and our internal contacts database
- Anthropic (USA) — Claude API, used to generate the narrative portion of the audit report and outreach drafts. Anthropic does not train on data passed via API.
- Resend (USA) — transactional email delivery for contact forms, audit reports, and newsletters
- Microsoft 365 (Outlook) — for sending and receiving outbound charity-sector outreach
- Sentry (USA, EU data residency enabled) — error tracking
- Plausible (Germany) — privacy-friendly, cookieless analytics
- Mailchimp (USA) — we read from your Mailchimp account using your read-only key via the official SDK. We do not send any data to Mailchimp. Connecting your Mailchimp account remains governed by your existing agreement with Mailchimp.
Where personal data is transferred outside the UK or EEA, we rely on adequacy decisions, the UK International Data Transfer Agreement, or the EU Standard Contractual Clauses, depending on the destination country and provider.
4. How long we keep it
- Mailchimp API keys — used in transit only, not persisted at rest after an audit completes
- Audit reports — retained for the charity that requested the audit, accessible via a unique link, deleted on request
- Charity contacts database — entries are retained while a charity remains active on the Charity Commission register, or until we receive an opt-out, whichever is sooner
- Outreach drafts and sent records — retained for 90 days from creation, then automatically purged. Suppression records (opt-outs) are retained indefinitely to honour the opt-out.
- Contact form submissions — retained in our team inbox for as long as the enquiry is active, deleted on request
- Newsletter list — retained until you unsubscribe
5. Your rights
Under UK GDPR you have the right to:
- Ask for a copy of the personal data we hold about you
- Ask us to correct anything that’s wrong
- Ask us to delete your data
- Ask us to restrict how we use it
- Object to our use of legitimate interest as a lawful basis (this is the relevant basis for the charity contacts database and outbound outreach)
- Ask us to port your data to another provider
- Withdraw consent at any time, where we rely on consent (this does not affect processing before withdrawal)
To exercise any of these, email privacy@postroom-hq.com. We aim to respond within 14 days and will always respond within 30 days as required by law.
You also have the right to complain to the UK Information Commissioner’s Office (the ICO) at ico.org.uk if you think we’re mishandling your data. We’d appreciate the chance to address it directly first, but it’s your right either way.
6. Security
We protect your data with industry-standard measures: encrypted connections (TLS) everywhere, hashed credentials, role-based access to internal systems, environment-isolated secrets, principle-of-least-privilege database access, and access logging. No system is perfectly secure, but we take this seriously and will tell you within 72 hours if a breach affects your personal data, as required by UK GDPR Article 33.
7. Cookies
postroom-hq.com and audit.postroom-hq.com do not use marketing, advertising, or third-party tracking cookies. We do not use Google Analytics. We use Plausible, which is cookieless. audit.postroom-hq.com may set strictly necessary cookies to keep you signed in to your audit account. These do not require consent under PECR.
8. Children
Postroom’s services are for UK charities and the professionals who run them. They are not directed at children and we do not knowingly collect personal data from anyone under 18.
9. Changes to this policy
If we change this policy, we’ll update the date at the top and, for material changes, notify newsletter subscribers and anyone with an active audit account by email. The current version of this policy always lives at postroom-hq.com/privacy.
10. Contact us
Privacy questions, data subject requests, and complaints: privacy@postroom-hq.com
General questions and unsubscribe requests: support@postroom-hq.com
Postal address:
The Garden Network Limited
Companies House 16552976
England and Wales