Privacy Policy

Last updated: 29 March 2026

1. Who We Are

OneRequest is operated by CODESTACK CONSULTING LIMITED, a company registered in England and Wales (Company Number: 14717256).

When we refer to “OneRequest”, “we”, “us” or “our” in this policy, we mean CODESTACK CONSULTING LIMITED and the OneRequest service available at onerequest.app.

We are the data controller for personal data collected through OneRequest.

2. What Information We Collect

Information you provide directly:

  • Account information — when you create an account, we collect your name, email address, and authentication details via Clerk.
  • Request content — titles, instructions, and field configurations you create when building requests.
  • Recipient information — names, email addresses, and phone numbers you provide when adding recipients to tracked requests.
  • Submitted responses — files, documents, text, signatures, photos, and other content submitted by recipients through your requests.
  • Payment information — billing details processed securely through Stripe. We do not store card numbers directly.
  • Communications — messages, comments, and replies exchanged through the OneRequest platform.

Information collected automatically:

  • Usage data — pages visited, features used, actions taken within the platform.
  • Device and browser information — IP address, browser type, operating system, and device identifiers.
  • Cookies and similar technologies — see Section 8 below.

Information from third parties:

  • Calendar data — if you connect Google Calendar or Microsoft Outlook, we access calendar availability data solely to provide booking and scheduling features. We do not store calendar event details beyond what is necessary to create confirmed bookings.
  • Authentication providers — if you sign in via Google, we receive your name and email address from Google.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the OneRequest service
  • Process and deliver requests between owners and recipients
  • Send email notifications related to your requests and submissions
  • Generate meeting links and calendar events for confirmed bookings
  • Process payments and manage subscriptions
  • Provide customer support
  • Improve and develop the OneRequest platform
  • Comply with our legal obligations
  • Detect and prevent fraud, abuse, and security incidents
  • Send product updates and announcements (you may opt out at any time)

We use Anthropic Claude to power AI features including request generation suggestions and document analysis. Content sent to these features is processed in accordance with Anthropic's privacy policy and is not used to train AI models.

4. Legal Basis for Processing (UK GDPR)

We process your personal data under the following legal bases:

  • Contract performance — processing necessary to provide the OneRequest service you have signed up for.
  • Legitimate interests — improving our service, preventing fraud, and ensuring platform security, where these interests are not overridden by your rights.
  • Legal obligation — where processing is required to comply with applicable law.
  • Consent — for optional features such as marketing communications, where we will ask for your consent explicitly.

5. Data Sharing and Third Parties

We share data with the following categories of third parties:

Service      Purpose
Clerk        Authentication and user management
Supabase     Database and file storage
Vercel       Hosting and infrastructure
Resend       Transactional email delivery
Stripe       Payment processing
Anthropic    AI-powered features
Google       Calendar integration, authentication
Microsoft    Outlook and Teams integration
PostHog      Product analytics

We do not sell your personal data to third parties. We do not share your data with advertisers.

Recipients of requests do not need to create an account. Their submitted data is accessible only to the request owner and is stored securely in accordance with this policy.

6. Data Retention

  • Account data — retained for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law.
  • Request and submission data — retained for the lifetime of your account. Archived submissions are retained and accessible to the request owner.
  • Payment records — retained for 7 years in accordance with UK financial record-keeping requirements.
  • Analytics data — retained for 12 months in anonymised form.

7. Your Rights

Under UK GDPR, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure — request deletion of your personal data, subject to legal obligations.
  • Right to restriction — request that we restrict processing of your data in certain circumstances.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests or for direct marketing purposes.
  • Rights related to automated decision-making — we do not make solely automated decisions that significantly affect you.

To exercise any of these rights, contact us at privacy@onerequest.app.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data lawfully.

8. Cookies

OneRequest uses the following types of cookies:

Essential cookies — required for the platform to function. These include authentication session cookies and security tokens. You cannot opt out of essential cookies.

Analytics cookies — we use PostHog to understand how users interact with OneRequest. These cookies help us improve the product. You may opt out via your browser settings or a cookie preference centre (coming soon).

Third-party cookies — some features (such as Google Calendar integration) may set cookies from third-party services. These are governed by the respective third party's cookie policy.

9. Security

We take the security of your data seriously:

  • All data is transmitted over HTTPS/TLS
  • Files are stored in private, access-controlled Supabase Storage buckets with signed URLs
  • OAuth tokens (Google, Microsoft) are encrypted at rest using AES-256-GCM encryption
  • Authentication is handled by Clerk with industry-standard security practices
  • Row-level security is enforced on all database tables
  • We conduct regular security reviews as part of our development process

If you discover a security vulnerability, please report it responsibly to security@onerequest.app.

10. International Data Transfers

OneRequest uses cloud infrastructure providers that may process data outside the United Kingdom. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions recognised under UK law.

11. Children's Privacy

OneRequest is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us at privacy@onerequest.app and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email and will update the “Last updated” date at the top of this page. Your continued use of OneRequest after changes are posted constitutes acceptance of the updated policy.

13. Google API Services — User Data Disclosure

Limited Use disclosure: OneRequest's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What Google data we access:

OneRequest requests the following Google permissions and uses them only for the purposes described:

  • Gmail (gmail.send) — Used solely to send request notification emails from the user's own Gmail address on their behalf. We do not read, scan, index, or store email content. We never access the user's inbox, drafts, or any existing emails.
  • Google Calendar (calendar.readonly, calendar.events, calendar.freebusy) — Used solely to check the user's calendar availability when generating booking time slots, and to create calendar events when a booking is confirmed. We do not read, store, or analyse the content of existing calendar events.

How we store Google data:

  • OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM encryption before storage.
  • Tokens are stored in our database (Supabase, hosted in the EU) and are never exposed to client-side code.
  • We do not store any email content, calendar event content, or other Google user data beyond the OAuth tokens required to provide the service.

How we use Google data:

  • Google data is used exclusively to provide or improve user-facing features within OneRequest.
  • We do not use Google data for advertising, retargeting, or any form of personalised ads.
  • We do not sell, rent, or trade Google user data to any third party.
  • We do not use Google data to train AI or machine learning models.
  • We do not allow humans to read Google user data unless the user has given explicit consent (e.g. for technical support).

Data sharing:

  • Google user data is not shared with any third party except as strictly necessary to provide the service (e.g. sending an email via Gmail's API on the user's behalf).
  • No data brokers, advertisers, or information resellers receive any Google user data.

Data retention and deletion:

  • OAuth tokens are retained only while the user's Google integration is active.
  • Users can disconnect their Google account at any time from Settings > Integrations, which immediately deletes all stored tokens.
  • Upon account deletion, all Google OAuth tokens are permanently deleted.
  • Users can also revoke access directly from their Google Account at https://myaccount.google.com/permissions.

Security:

  • All data in transit is encrypted via TLS 1.2+.
  • OAuth tokens are encrypted at rest using AES-256-GCM.
  • Access to stored tokens is restricted to server-side API routes only — never exposed to client-side code or browser storage.

14. Contact Us

For any privacy-related questions, requests, or concerns:

CODESTACK CONSULTING LIMITED
Company Number: 14717256
Registered in England and Wales

Email: privacy@onerequest.app

For data subject requests, please email privacy@onerequest.app with the subject line “Data Subject Request” and we will respond within 30 days.