Privacy Policy
Last updated: October 7, 2025
1. Introduction
CopyPastia ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, process, and protect your personal information when you use our cloud clipboard service at copypastia.com (the "Service").
This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
Data Controller: CopyPastia
Contact: [email protected]
DPO Contact: [email protected]
3. Legal Bases for Processing
We process your personal data under the following legal bases:
- Contract Performance: To provide our cloud clipboard services
- Legitimate Interests: For security, fraud prevention, and service improvement
- Consent: For marketing communications and non-essential cookies
- Legal Obligation: To comply with applicable laws and regulations
4. Personal Data We Collect
4.1 Account Information
- Email address (required for account creation)
- Username/display name
- Password (encrypted)
- Account preferences and settings
4.2 Service Usage Data
- Content you paste or upload (text, files)
- Paste metadata (creation date, expiry settings, view counts)
- Service interaction logs
4.3 Technical Data
- IP addresses (for security and abuse prevention)
- Browser type and version
- Device information
- Usage analytics (via Google Analytics, with consent)
4.4 Payment Information
- Billing address and contact details
- Payment transaction records (processed by PayPal)
- Subscription and billing history
4.5 Communication Data
- Support ticket correspondence
- Contact form submissions
- Marketing communication preferences
5. How We Use Your Personal Data
5.1 Service Provision
- Creating and managing your account
- Storing and sharing your pastes/content
- Processing payments and subscriptions
- Providing customer support
5.2 Security and Compliance
- Preventing fraud and abuse
- Ensuring service security
- Complying with legal obligations
- Enforcing terms of service
5.3 Service Improvement
- Analyzing usage patterns (anonymized)
- Improving service functionality
- Developing new features
5.4 Marketing (with consent)
- Sending service updates and announcements
- Promotional communications (opt-in only)
- Newsletter and product updates
6. Data Sharing and Third Parties
We do not sell your personal data. We may share your data with:
6.1 Service Providers
- PayPal: Payment processing (PCI DSS compliant)
- Google Analytics: Usage analytics (with consent)
- Cloud Infrastructure: Secure hosting services
- Email Services: Transactional and marketing emails
6.2 Legal Requirements
- Law enforcement (when legally required)
- Regulatory authorities
- Court orders and legal proceedings
6.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the business transaction.
7. Data Retention
Data Type | Retention Period | Purpose |
---|---|---|
Account Data | Duration of account + 30 days | Service provision |
Paste Content | As per user-defined expiry or account deletion | Service functionality |
Payment Records | 7 years | Legal/tax obligations |
Support Communications | 3 years | Customer service improvement |
Analytics Data | 26 months (Google Analytics) | Service improvement |
Security Logs | 12 months | Security and fraud prevention |
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
8.1 Right of Access
Request a copy of the personal data we hold about you, including information about how it's processed.
8.2 Right to Rectification
Correct inaccurate or incomplete personal data without undue delay.
8.3 Right to Erasure (Right to be Forgotten)
Request deletion of your personal data when:
- The data is no longer necessary for the original purpose
- You withdraw consent and there's no other legal basis
- The data has been unlawfully processed
- Deletion is required for compliance with legal obligations
8.4 Right to Restrict Processing
Limit how we process your personal data when:
- You contest the accuracy of the data
- Processing is unlawful but you don't want deletion
- We no longer need the data but you need it for legal claims
- You've objected to processing pending verification
8.5 Right to Data Portability
Receive your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
8.6 Right to Object
Object to processing based on:
- Legitimate interests (including profiling)
- Direct marketing purposes
- Scientific/historical research or statistical purposes
8.7 Rights Related to Automated Decision Making
We do not use automated decision-making or profiling that significantly affects you. If this changes, you have the right to human intervention and to challenge such decisions.
8.8 Right to Withdraw Consent
Withdraw consent for processing based on consent at any time. This doesn't affect the lawfulness of processing before withdrawal.
8.9 How to Exercise Your Rights
Submit a Request
You can exercise your data protection rights by:
- Email: [email protected]
- Online Form: Use our contact form
- Account Settings: Some rights can be exercised directly through your account dashboard
Required Information for Requests
To process your request efficiently, please provide:
- Your full name and email address associated with your account
- Specific type of request (access, rectification, erasure, etc.)
- Detailed description of your request
- Verification documents if requested (to protect your privacy)
- Preferred format for data delivery (if applicable)
Response Timeframes
- Standard Response: Within 1 month of receiving your request
- Complex Requests: Up to 2 additional months (we'll inform you if an extension is needed)
- Urgent Requests: Security-related requests prioritized within 72 hours
Fees
Generally, exercising your rights is free. However, we may charge a reasonable fee for:
- Manifestly unfounded or excessive requests
- Additional copies of data beyond the first free copy
- Administrative costs for complex requests
9. International Data Transfers
Your data may be processed outside the UK/EEA by our service providers. We ensure adequate protection through:
- Adequacy decisions
- Standard Contractual Clauses (SCCs)
- Certification schemes (e.g., Privacy Shield successors)
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in transit and at rest
- Access controls and authentication
- Regular security assessments
- Staff training on data protection
- Incident response procedures
11. Data Breach Notification
In the event of a data breach that poses a high risk to your rights and freedoms, we will notify you within 72 hours of becoming aware of the breach.
12. Cookies and Tracking
We use cookies and similar technologies. For detailed information, please see our Cookie Policy. You can manage your cookie preferences through our cookie banner or browser settings.
13. Age Restrictions
Our service is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe we have collected such data, please contact us immediately.
14. Privacy by Design
We implement privacy by design principles:
- Data minimization
- Purpose limitation
- Storage limitation
- Transparency
- Security and confidentiality
15. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. We will:
- Post the updated policy on our website
- Update the "Last updated" date
- Notify users of material changes via email or website notice
- Obtain fresh consent where required
16. Contact Information
General Privacy Inquiries: [email protected]
Data Protection Officer: [email protected]
Address: [Your business address]
17. Complaints
If you have concerns about how we handle your personal data, you can:
- Contact us directly at [email protected]
- File a complaint with the Information Commissioner's Office (ICO): ico.org.uk
18. Data Processing Agreement (DPA) for Business Customers
18.1 Scope and Application
This DPA applies when:
- You use CopyPastia for business purposes
- You process personal data of individuals (employees, customers, etc.) through our service
- You are subject to UK GDPR or equivalent data protection laws
- You act as a data controller in relation to personal data processed via our service
18.2 Roles and Responsibilities
Role | Party | Responsibilities |
---|---|---|
Data Controller | Business Customer | Determines purposes and means of processing; ensures lawful basis; handles data subject requests |
Data Processor | CopyPastia | Processes data only on documented instructions; ensures security; assists with compliance |
18.3 Processing Instructions
As the processor, CopyPastia will process personal data only:
- On documented instructions from the controller (you)
- For the purpose of providing our cloud clipboard service
- In accordance with applicable data protection laws
- Within the geographic locations specified in this policy
18.4 Data Categories and Processing Activities
Data Category | Processing Activities | Purpose |
---|---|---|
Content Data | Storage, retrieval, sharing | Service provision |
User Identifiers | Account management, authentication | Access control |
Usage Metadata | Logging, analytics | Service optimization, security |
Technical Data | System operation, monitoring | Performance, security |
18.5 Sub-processors
CopyPastia may engage sub-processors for:
- Cloud Infrastructure: Secure hosting and storage services
- Payment Processing: PayPal for billing and subscription management
- Analytics: Google Analytics (with appropriate safeguards)
- Email Services: Transactional and notification emails
Sub-processor Safeguards:
- All sub-processors are bound by equivalent data protection obligations
- Regular audits and compliance assessments
- Contractual liability for sub-processor actions
- 30-day notice for changes to sub-processors
18.6 Security Measures
CopyPastia implements appropriate technical and organizational measures:
Technical Measures
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Access controls and multi-factor authentication
- Regular security updates and vulnerability management
- Network security and firewall protection
- Secure backup and disaster recovery procedures
Organizational Measures
- Staff training on data protection and security
- Background checks for personnel with data access
- Incident response and breach notification procedures
- Regular security audits and penetration testing
- Data protection impact assessments (DPIAs) when required
18.7 Data Subject Rights Support
CopyPastia will assist the controller by:
- Providing technical and organizational measures to facilitate data subject rights
- Responding to the controller's requests for assistance within 30 days
- Implementing appropriate measures for automated responses where possible
- Providing data in commonly used, machine-readable formats
18.8 Data Breach Notification
In case of a personal data breach, CopyPastia will:
- Notify the controller within 24 hours of becoming aware
- Provide all relevant information for breach assessment
- Assist with breach notification to supervisory authorities and data subjects
- Document all breaches and remedial actions taken
18.9 Data Protection Impact Assessments (DPIA)
CopyPastia will assist controllers with DPIAs by providing:
- Information about processing activities and security measures
- Risk assessments and mitigation strategies
- Technical documentation about data processing
- Consultation on high-risk processing activities
18.10 International Data Transfers
When transferring personal data outside the UK/EEA, CopyPastia ensures:
- Adequacy Decisions: Transfers only to countries with adequate protection
- Standard Contractual Clauses: EU/UK SCCs for other jurisdictions
- Supplementary Measures: Additional safeguards when required
- Regular Reviews: Ongoing assessment of transfer mechanisms
18.11 Audits and Compliance
Controllers have the right to:
- Request information about processing activities and security measures
- Conduct audits or inspections (with reasonable notice and scope)
- Receive compliance certifications and audit reports
- Review sub-processor arrangements and safeguards
18.12 Term and Termination
This DPA:
- Remains in effect for the duration of the service agreement
- Survives termination for data retention periods
- Requires secure deletion or return of data upon termination
- Includes post-termination confidentiality obligations
18.13 Liability and Indemnification
Under this DPA:
- Each party is liable for its own compliance failures
- CopyPastia is liable for sub-processor actions
- Liability is subject to the limitations in the main service agreement
- Both parties will cooperate to minimize regulatory penalties
18.14 Contact for DPA Matters
Data Protection Officer: [email protected]
Business Customer Support: [email protected]
Legal Department: [email protected]
19. Complaints and Supervisory Authority
If you have concerns about how we handle your personal data, you can:
- Contact us directly: [email protected]
- File a complaint with the Information Commissioner's Office (ICO): ico.org.uk
- Use our internal complaints process: Submit a complaint via our contact form