Privacy Policy

Last updated: April 2026

This policy explains how MoveMyWork ("we") collects, uses, and protects personal data about you. It is written with the UK GDPR and the Data Protection Act 2018 in mind.

1. Data controller

MoveMyWork. Contact: support@movemywork.com.

2. What data we collect

When you create an account we collect:

• Email address — used to identify your account and send transactional messages (verification, sign-in codes, password resets).
• Password — stored only as a one-way bcrypt hash. We never see or store your plain-text password.
• IP address and browser type — recorded for security (detecting abuse, rate-limiting, new-device alerts).
• Clipboard content and uploaded files — stored so you can access them across devices. We do not scan, read, or sell this content.

3. Legal bases for processing

• Contract — processing necessary to provide the Service you signed up for.
• Legitimate interests — security monitoring, abuse prevention, service improvement (balanced against your rights; opt-out options listed below where applicable).
• Consent — for any optional features such as product emails (if introduced later).
• Legal obligation — retention of records required by law.

4. How long we keep it

Account data is retained while your account exists. Text clips, links, and todos remain available throughout. On the Free plan, file uploads are kept for 30 days, then moved to an archive for a further 30 days where they remain recoverable by upgrading to Pro, after which they are permanently deleted; you will be emailed before any file is archived. On the Pro plan, files are kept indefinitely while the account is active. When you delete your account, we remove your clips, files, and profile within 7 days. Email delivery logs are kept for 30 days for debugging and abuse prevention. Backups may persist for up to 30 days before being overwritten.

5. Who we share it with

We share data only with processors strictly necessary to run the Service:

• Mailjet — transactional email delivery (EU-hosted). Subject to Mailjet's own GDPR terms.
• Our hosting provider, which houses the servers running the Service.
• Cloudflare — optional CAPTCHA and DDoS protection (if enabled).

We do not sell your data. We only disclose data to authorities where legally compelled.

6. International transfers

Our processors may store data in the EU or EEA. Where data leaves the UK/EEA, we rely on Standard Contractual Clauses or equivalent safeguards.

7. Your rights

Under UK GDPR you have the right to:

• access a copy of your data;
• request correction of inaccurate data;
• request erasure ("right to be forgotten") — available self-service from the Settings page;
• object to or restrict certain processing;
• data portability;
• withdraw consent at any time where consent is the legal basis;
• lodge a complaint with the Information Commissioner's Office (ico.org.uk) if you're dissatisfied with how we handle your data.

8. Cookies

We use a small number of strictly-necessary cookies: a session cookie (to keep you signed in) and a "trusted device" cookie (to let you skip the sign-in code on browsers you've marked as trusted). We don't use advertising or tracking cookies.

9. Security

Passwords are hashed with bcrypt. Uploaded files live outside the public web root and are served only through authenticated endpoints. We use HTTPS throughout and rate-limit sensitive endpoints to prevent abuse. No system is perfectly secure; please notify us of suspected vulnerabilities at support@movemywork.com.

10. Changes to this policy

We'll post changes here and notify you by email of any material changes at least 14 days before they take effect.