Data Protection (UK GDPR) Statement
Binder Community Limited · No. 17058768
Overview
Binder Community Limited takes the protection of personal data seriously. This statement summarises how we approach data protection. Full details — including your rights, how to exercise them, and the lawful bases for all processing — are in our
Privacy Policy, which this statement supports and does not replace.
1. The law we follow
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), and are registered with the Information Commissioner’s Office (ICO).
2. Our principles
We handle personal data lawfully, fairly and transparently; for specified, explicit and legitimate purposes; limited to what is necessary; accurately; for no longer than necessary; and securely — and we take responsibility for doing so (the accountability principle).
3. Lawful bases and special category data
We process personal data on one or more of the following lawful bases (Article 6 UK GDPR): your consent; performance of a contract with you; compliance with a legal obligation; and our legitimate interests, where they are not overridden by your interests or rights.
Special category data. We treat special category data with particular care. The categories that may arise on the Platform are:
• Sexual orientation and gender identity — through the Spectra/Dimension profile attribute system, where you choose to provide it.
• Religion or belief — through the Spectra/Dimension system, where you choose to provide it.
• Health — where you choose to share health-related information on your profile.
• Biometric data — processed by Stripe Identity as part of our age-assurance process (see section 7).
For Spectra/Dimension attributes (sexual orientation, gender identity, religion or belief, health), we rely on your explicit consent (Article 9(2)(a) UK GDPR). You can withdraw consent for any individual attribute at any time in Settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
For biometric data processed by Stripe Identity in the age-assurance process, we rely on substantial public interest (Article 9(2)(g) UK GDPR, DPA 2018 Schedule 1 paragraph 18: safeguarding of children and individuals at risk). This is authorised by our Appropriate Policy Document, which is available on written request.
Profiling. We use an alignment engine to generate match scores between users — this is profiling within the meaning of Article 4(4) UK GDPR. The engine processes the profile information you provide, including your Spectra/Dimension attributes where you have given consent. It does not make solely automated decisions with legal or similarly significant effects (Article 22 does not apply). The logic, significance and envisaged consequences of this profiling are disclosed in our Privacy Policy (Matching and Profiling section). You have the right to object to profiling at any time (see section 4).
Criminal offence and safety data. We process safety, moderation and criminal offence data (where a user has shared illegal content or engaged in unlawful conduct) under our own authority (DPA 2018 s.10(5)) and on the substantial public interest condition (Schedule 1, para 10: preventing or detecting unlawful acts; para 18: safeguarding). This is also covered by our Appropriate Policy Document.
4. Your rights
You have the following rights under UK GDPR, subject to conditions and exemptions set out in the law:
• Access — to obtain a copy of your personal data.
• Rectification — to have inaccurate data corrected.
• Erasure — to have your data deleted in certain circumstances.
• Restriction — to limit how we process your data while a dispute is resolved.
• Objection — to object to processing based on legitimate interests, and to object to profiling.
• Portability — to receive your data in a structured, machine-readable format.
• Withdrawal of consent — to withdraw consent at any time, including per-attribute withdrawal for Spectra/Dimension data, without affecting lawfulness of prior processing.
• Complaint — to lodge a complaint with the ICO (ico.org.uk) or another supervisory authority.
You can access, export or delete your data in the app (Settings → Account). Full details of how to exercise your rights are in the Privacy Policy. We aim to respond within one month and do not charge for requests.
5. How we protect data
We apply technical and organisational measures appropriate to the sensitivity of the data, including:
• encryption in transit (TLS) and at rest, including database-level encryption of messages;
• fail-closed automated image scanning: every uploaded image is checked by Microsoft PhotoDNA against databases of known illegal imagery before it is shown — images are not displayed until cleared;
• storage on Supabase with access controls including row-level security and least-privilege access;
• hashed password storage;
• server-side coarsening of location data;
• scrubbing of identifiers from diagnostic/error data (Sentry); and
• a personal data breach response plan (tested and maintained by our DPO).
6. Accountability
We maintain a record of processing activities (ROPA); carry out data protection impact assessments (DPIAs) for high-risk processing — our DPIA covers the alignment engine (profiling), Stripe Identity (biometric age assurance), and the image-scanning pipeline; keep an Appropriate Policy Document and Data Retention Schedule; have appointed a Data Protection Officer (our General Counsel, Cameron Farquhar); and put written Article 28 data-processing contracts in place with our service providers.
7. Service providers and international transfers
We use trusted service providers acting as processors under written contracts. Our principal processors are:
• Supabase — database, authentication and storage.
• Stripe (Stripe Payments UK Ltd) — age / identity verification (Stripe Identity) and payment processing, under the UK Extension to the EU–US Data Privacy Framework. Stripe is a UK-established entity, with primary processing by Stripe Payments UK Ltd.
• Railway — application hosting and infrastructure.
• Microsoft (Azure / PhotoDNA) — image hash-matching (CSAM detection), under UK adequacy (Microsoft EU Data Boundary or SCCs as applicable).
• Expo — push notification delivery.
• Sentry — crash and error diagnostics (identifiers scrubbed).
8. Child protection and CSAM reporting
As a service regulated under the Online Safety Act 2023, we carry out proactive detection of child sexual abuse material (CSAM) using Microsoft PhotoDNA. Images are scanned against known-illegal image databases before display (fail-closed). Where a match is detected, the content is quarantined and reported to the National Crime Agency’s Child Exploitation and Online Protection Command (CEOP) as our duty under section 67 of the Online Safety Act 2023 requires, as soon as reasonably practicable and within 24 hours of confirmation. We also retain the minimum lawful record of such incidents. We do not retain detected CSAM on the Platform.
9. Contact and complaints
Our Data Protection Officer is Cameron Farquhar (General Counsel). You can contact us about data protection at:
Binder Community Limited, 15 Montpellier Vale, London SE3 0TA.
You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at any time:
ico.org.uk / 0303 123 1113. We would appreciate the opportunity to address your concern before you contact the ICO.