Last updated: 20 June 2026
ModularPlatform is a SaaS platform operated as a data controller under the General Data Protection Regulation (GDPR). References to "we", "us", or "our" mean the platform operator. If you have questions about this policy, contact us via the support channel in your account dashboard.
We collect data you provide directly (name, email, password hash, display name), data generated by your use of the service (audit logs, billing records, notification history, files you upload), and, with your consent, analytics data (page views, feature usage) and marketing data (click-through records for communications we send).
We process your personal data on the following bases: contract performance (to provide the service you signed up for), legal obligation (audit retention, AML), legitimate interest (security monitoring, fraud prevention), and consent (analytics, marketing, third-party sharing — you can change these at any time in Privacy settings).
Your data is used to operate and improve the platform, to send transactional notifications (account activity, billing receipts), to fulfil legal obligations, and — with your consent — to analyse usage patterns and to send marketing communications. We do not sell your personal data to third parties.
We use strictly necessary cookies to maintain your authenticated session (iron-session cookie). With your consent we also set analytics cookies to measure how you use the platform and marketing cookies to record consent preferences. You can manage your cookie choices at any time via the cookie settings link in the footer.
We retain your personal data for as long as your account is active. Audit and billing records are retained for the minimum period required by applicable law (typically 7–10 years) even after account deletion; personal identifiers in those records are anonymised on erasure. All other data is deleted within 30 days of account closure.
Under GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. You can exercise most rights directly in the Privacy settings page. To download all data we hold about you, use the "Download my data" button. To permanently delete your account and erase personal data, use the "Delete my account" option — this crypto-shreds your data by destroying your encryption key, so stored data becomes permanently unrecoverable.
Passwords are hashed using Argon2. Sensitive personal data fields are encrypted at rest (AES-GCM) under per-subject encryption keys. TLS is enforced in transit. Access to personal data is restricted to the data subject and platform administrators via role-based permissions and Postgres row-level security.
We use Stripe for payment processing (subject to Stripe's privacy policy). Where enabled by your tenant, we may share data with other processors listed in the platform settings. We enter into data processing agreements with all sub-processors and require them to apply equivalent protections.
We may update this policy from time to time. Material changes will be communicated via the platform or by email before they take effect. The "Last updated" date at the top reflects the most recent revision.