Privacy Policy

This Privacy Policy explains how Abstract 27 Ltd (company number 07504698, registered office 167-169 Great Portland Street, 5th Floor, London W1W 5PF), trading as Abstract27 ("we", "us"), collects and uses personal data when you use our Service. For this data, Abstract 27 Ltd is the data controller. We process personal data in accordance with the UK GDPR and the EU GDPR.

1. Data we collect

• Account data: the email address you use to sign in, and your display name and locale preference.
• Site data: metadata about the sites you create, such as subdomain, plan, and usage counts.
• Billing data: customer and subscription identifiers from our payment provider, Creem.io. We do not store your card details — Creem.io processes payments as Merchant of Record.
• Domain data: registration records from Porkbun when you register or connect a custom domain.
• Support data: the contents of emails and messages you send us.

2. How and why we use it

We use personal data to create and operate your account and sites, to process payments and prevent fraud, to provide support, to send service-related and (where you opt in) product-update emails, and to meet our legal obligations. Our lawful bases are the performance of our contract with you, our legitimate interests in running and securing the Service, your consent (for optional marketing emails, which you can withdraw at any time), and compliance with legal obligations. We do not sell your personal data.

3. Where your data is hosted

The Service runs on dedicated servers in the European Union (Hetzner, Germany). Daily encrypted backups are stored with Vultr in Amsterdam, Netherlands. Keeping data in the EU is a deliberate choice that simplifies GDPR compliance for you and your readers.

4. Sub-processors

We use a small set of carefully chosen sub-processors to deliver the Service — including Hetzner (hosting), Vultr (backups), Mailgun (transactional email), Bunny (CDN and storage), Porkbun (domain registration), and Creem.io (billing). The current list and the safeguards that apply are set out in our Data Processing Agreement.

5. Retention

We keep personal data for as long as your account is active. When a trial or subscription ends without renewal, your site is paused, then archived with an export made available, and finally deleted after the retention window described in our Terms of Service. We retain billing and tax records for as long as the law requires.

6. International transfers

Your data is hosted in the EU. Where a sub-processor processes data outside the UK or EEA, we rely on appropriate safeguards such as adequacy decisions or Standard Contractual Clauses.

7. Cookies

On our own marketing and dashboard pages we use only essential cookies required to sign you in and keep your session secure. We do not use third-party advertising or cross-site tracking cookies. The Ghost sites we host for you may set their own cookies, which are governed by your own site's privacy notice.

8. Your rights

You have the right to access, correct, export, or delete your personal data, to object to or restrict certain processing, and to withdraw consent. To exercise any of these rights, contact us through our contact page. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) or your local supervisory authority.

9. Changes and contact

We may update this policy from time to time and will post the new version here with an updated date. For any privacy question, reach us through our contact page.