This Privacy Policy explains how LandTable Cloud Ltd (trading as "LandTable"; "we", "us", or "our") collects, uses, discloses, and safeguards personal data when you visit landtable.io, use the LandTable application at cloud.landtable.io, or otherwise interact with our services (collectively, the "Services").
LandTable Cloud Ltd is a company established in the United Kingdom that provides its Services to customers globally. We act as a data controller with respect to information about visitors to our website, account holders, and people who contact us. With respect to the content and records that customers store inside their LandTable workspaces, bases, tables, and forms ("Customer Data"), we act as a data processor on behalf of our customers (who are the data controllers of that content).
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and where applicable the EU GDPR and other data protection laws.
1. Who we are and how to contact us
The data controller is LandTable Cloud Ltd, a company established in the United Kingdom. Our company registration number and registered office address are published on the UK Companies House register and can be obtained from Companies House or by emailing us at the address below.
For any privacy enquiries, to exercise your rights under the UK GDPR, or to raise a complaint, please contact us at:
- Email: legal [at] landtable.io
- Postal: c/o LandTable Cloud Ltd, at our registered office address as shown on the UK Companies House register. If you would like the address provided directly, please email us and we will respond.
We have not appointed a statutory Data Protection Officer because we are not required to do so under UK GDPR Article 37. Privacy enquiries should be directed to the contacts above. As we are established in the United Kingdom, we are not required to appoint a UK or EU representative under UK GDPR Article 27 or EU GDPR Article 27; if that position changes we will update this Policy and publish the representative's contact details here.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with the supervisory authority in your country of residence.
2. Personal data we collect
We collect personal data in the following categories:
2.1 Information you provide
- Account data: name, email address, password (stored as a salted hash), and workspace details when you register.
- Profile data: optional profile information such as display name, avatar, and time zone.
- Customer Data: the content you create or upload to the Services, including bases, tables, fields, records, attachments, comments, forms, and form submissions.
- Communications: the content of emails, support tickets, or other messages you send us.
- Billing data (if/when paid plans are available): billing contact details and limited payment metadata returned by our payment processor. We do not store full payment card numbers on our servers.
2.2 Information collected automatically
- Usage and device data: IP address, browser type and version, operating system, device identifiers, referring pages, pages viewed, actions taken in the application, and timestamps.
- Log and security data: authentication events, session activity, error logs, and information used to detect and prevent abuse.
- Cookies and similar technologies: see the Cookies section below.
2.3 Information from third parties
If you sign in via a third-party identity provider, accept a workspace invitation, or are added by a workspace administrator, we receive limited information from those third parties or from the inviting user (for example, your name and email address).
3. How we use personal data and our legal bases
Under UK and EU GDPR, we must have a lawful basis for each processing activity. We rely on the following bases:
- Contract — to create your account, provide the Services, authenticate you, deliver Customer Data, process billing, and provide support.
- Legitimate interests — to operate, secure, monitor and improve the Services; to prevent fraud and abuse; to communicate service-related information; to perform aggregated analytics; and to enforce our terms.
- Legal obligation — to comply with applicable laws, including tax, accounting, and lawful information requests.
- Consent — for optional cookies, marketing communications (where required), and any other processing for which we ask your specific consent. You may withdraw consent at any time.
4. Customer Data — our role as processor
When customers (typically workspace owners) use LandTable to store information, that information is Customer Data and the customer is the data controller. We process Customer Data only on documented instructions from the customer, namely:
- To provide, maintain and secure the Services.
- To respond to support requests.
- As required by applicable law.
If you are an end user whose personal data is contained in Customer Data and you wish to exercise your rights, please contact the workspace administrator first. We will support our customers in responding to such requests as required by law.
5. How we share personal data
We do not sell personal data. We share personal data only with:
- Sub-processors and infrastructure providers who help us deliver the Services (see section 7).
- Members of your workspace, to the extent necessary to provide collaboration features.
- Professional advisers (lawyers, accountants, auditors) under duties of confidentiality.
- Authorities and law enforcement where we are legally required to do so, or to protect our rights, users, or the public.
- Successors in interest in connection with a merger, acquisition, reorganisation, or sale of assets, subject to appropriate protections.
6. Where your data is hosted
LandTable is delivered using a small number of carefully chosen infrastructure providers:
- Application hosting: Koyeb hosts the LandTable application servers.
- Database: bunny.net hosts our libSQL database, which stores Customer Data and account information.
- DNS, CDN and edge security: Cloudflare provides DNS, content delivery and protective network services for our domains.
- Marketing website hosting: Vercel hosts the public LandTable marketing site at landtable.io.
Each of these providers operates global infrastructure. Personal data may therefore be processed on servers located in the United Kingdom, the European Economic Area (EEA), the United States, or other countries in which our providers operate. We document regional configurations and review changes carefully.
7. Sub-processors
A "sub-processor" is a third party that we engage to process personal data on our behalf. Our current sub-processors are:
| Sub-processor | Purpose | Primary location |
|---|---|---|
| Koyeb | Application hosting and compute | Global (provider-managed regions) |
| bunny.net | Managed libSQL database hosting | Global (provider-managed regions) |
| Cloudflare | DNS, CDN, TLS, DDoS and bot protection | Global edge network |
| Vercel | Marketing website hosting | Global edge network |
We may add or replace sub-processors over time. Material changes will be reflected in this Privacy Policy and, for customers on paid plans, may also be communicated by email or in-product notice.
8. International data transfers
Because LandTable operates globally, personal data may be transferred outside the United Kingdom or the EEA. Where this happens, we rely on appropriate safeguards under the UK GDPR, including:
- UK adequacy regulations, where applicable;
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
- Equivalent EU Standard Contractual Clauses where the EU GDPR applies.
You can request a copy of the relevant safeguards by contacting us.
9. How long we keep personal data
We retain personal data only for as long as necessary for the purposes set out in this Policy:
- Account data and Customer Data: for the duration of your account, plus a limited grace period after closure to allow account recovery, billing reconciliation, and legal compliance. After that period, data is deleted or anonymised.
- Logs and security data: typically retained for up to 12 months, unless required for longer to investigate incidents or comply with law.
- Billing records: for the period required by applicable tax, accounting and corporate laws (typically 6 years in the UK).
10. Security
We implement appropriate technical and organisational measures designed to protect personal data, including:
- TLS encryption in transit for all traffic to the Services.
- Encryption at rest provided by our database and storage providers.
- Salted password hashing for account credentials.
- Role-based access controls and the principle of least privilege for staff access.
- Network protections via Cloudflare (DDoS mitigation, bot management, WAF).
- Logging, monitoring and alerting for security events.
- Regular updates and dependency review.
No service can be guaranteed to be 100% secure. If you believe your account has been compromised, please contact us immediately at legal [at] landtable.io.
11. Your rights
Subject to applicable law, you have the following rights in relation to your personal data:
- Right of access to a copy of your personal data.
- Right to rectification of inaccurate data.
- Right to erasure ("right to be forgotten").
- Right to restrict or object to processing.
- Right to data portability.
- Right to withdraw consent at any time, where processing is based on consent.
- Right to lodge a complaint with a supervisory authority such as the UK ICO.
To exercise these rights, email legal [at] landtable.io. We may need to verify your identity before responding. We will respond within the timeframes required by applicable law (usually one month under UK GDPR).
12. Children
LandTable is not directed to children under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
13. Cookies and similar technologies
In line with the Privacy and Electronic Communications Regulations (PECR) and the ICO's cookie guidance, this section explains exactly what cookies and browser storage we use, why we use them, and how long they persist. We currently use only items that are strictly necessary to provide the service you have requested, so consent is not required under PECR regulation 6(4). We do not set advertising, profiling or third-party analytics cookies. If we ever introduce non-essential cookies or similar technologies, we will request your consent first through a clear opt-in mechanism, and you will be able to withdraw that consent at any time.
13.1 First-party browser storage set by LandTable
The LandTable application and marketing site do not set any
first-party HTTP cookies of their own. Instead, we use a small
amount of localStorage in your browser:
| Name | Type | Purpose | Retention |
|---|---|---|---|
token | localStorage (app, cloud.landtable.io) | Strictly necessary — stores your authentication token so you remain signed in to your workspace between page loads. | Until you sign out, the token is invalidated, or you clear your browser storage. |
landtable.cookie-notice-dismissed | localStorage (app and marketing site) | Strictly necessary (user preference) — remembers that you have dismissed the cookie / storage notice so it does not reappear on every visit. | Persistent until you clear your browser storage. |
13.2 Third-party cookies set by our infrastructure providers
Our network and edge provider (Cloudflare, see section 6) may set a small number of strictly necessary cookies on our domains for security and bot-protection purposes. These are essential to keep the Services available and to protect them from abuse. Typical examples include:
| Name | Set by | Purpose | Retention |
|---|---|---|---|
__cf_bm | Cloudflare | Cloudflare bot-management cookie used to distinguish humans from automated traffic. | Up to 30 minutes from the last request. |
cf_clearance | Cloudflare | Set after a visitor passes a Cloudflare security challenge, so the challenge is not repeated on every request. | Up to 30 days, configurable by Cloudflare. |
Cloudflare may add or rename security cookies over time. You can read more in Cloudflare's cookies documentation.
13.3 Managing cookies and storage
You can clear cookies and browser storage at any time through your browser settings. Doing so will sign you out of LandTable and reset preferences such as the dismissal of this notice. Because the items above are strictly necessary, blocking them may prevent the Services from functioning correctly.
We do not currently use Google Analytics, advertising pixels, or other third-party analytics or marketing technologies. If that changes, this section will be updated and, where required by PECR, we will obtain your prior opt-in consent.
14. Marketing communications
We may send you product or service-related emails (such as security notices and material changes to terms), which are not marketing. With your consent or where otherwise permitted, we may also send occasional product updates and announcements. You can unsubscribe from marketing emails at any time using the unsubscribe link, or by emailing us.
15. Automated decision-making
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing.
16. Changes to this Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date and give you reasonable advance notice — for example, by email to the address associated with your account or by a prominent notice within the Services — before the changes take effect. Where a change requires your consent under the UK GDPR or PECR (for example, introducing non-essential cookies or a new processing purpose that relies on consent), we will ask for that consent through a clear opt-in mechanism before relying on the new basis. You can withdraw consent at any time, and you can stop using the Services if you do not agree to a change.
17. Questions
If you have any questions about this Policy or our privacy practices, please contact us at legal [at] landtable.io.