Privacy Policy

Last updated: February 2026

1. Introduction

This Privacy Policy explains how Actionpad, trading as Actionpad (“Actionpad”, “we”, “us”, or “our”), collects, uses, stores, and protects your personal data when you use our web application at actionpad.app and all associated subdomains.

Actionpad is the data controller for the personal data described in this policy.

“You” and “your” refer to you as an individual user and, where applicable, the organisation you represent.

2. Information We Collect

Account information. When you sign in with Google Workspace, we receive your name, email address, and profile photo from Google. We also use your Google Workspace domain to identify your organisation's tenant.

Calendar data. We access Google Calendar event metadata (event title, time, attendees, and video call link) read-only via the Google Calendar API. Actionpad does not modify your calendar.

Content you create. Meeting agendas, notes (shared and private), action items, and task list entries you create within Actionpad.

Guest information. Names and email addresses of external meeting guests, sourced from Google Calendar event attendee lists.

Billing information. Payment processing is handled entirely by Stripe. Actionpad does not directly store credit card numbers or bank details. We store your Stripe customer ID and subscription status.

Usage data. Pages visited, features used, and general interaction patterns collected to improve the product. We do not use third-party analytics or tracking pixels.

Technical data. IP address, browser type, and device information transmitted automatically with web requests, used for security and debugging purposes.

3. How We Use Your Information

We use the information we collect to:

  • Provide the Actionpad service: authenticating your account, syncing calendar events, delivering meeting agendas, and managing action items.
  • Send transactional emails to meeting guests (agenda previews and action summaries) on behalf of meeting organisers.
  • Deliver Slack notifications if your organisation has connected Slack.
  • Process billing and manage subscriptions via Stripe.
  • Send transactional emails to you, such as billing confirmations and security alerts.
  • Monitor, maintain, and improve the service, including performance monitoring, bug fixing, and feature development.
  • Enforce our Terms of Service and protect against abuse.
  • Comply with legal obligations.

We do not sell your personal data. We do not use your data for advertising or profiling.

4. Lawful Basis for Processing

If you are in the UK or European Economic Area, we process your personal data under the following lawful bases:

Contract performance (Art. 6(1)(b)). Processing necessary to provide the Actionpad service your organisation has subscribed to: account creation, calendar sync, content storage, email delivery, and billing.

Legitimate interests (Art. 6(1)(f)). Service security (rate limiting, abuse prevention), product improvement based on aggregated usage patterns, and communication about service-affecting changes. These interests do not override your rights because the data used is minimal and directly related to your use of the service.

Legal obligation (Art. 6(1)(c)). Retaining billing records as required by applicable tax and accounting law.

Consent (Art. 6(1)(a)). We do not currently rely on consent as a lawful basis. If we introduce any processing that requires it in future, we will seek your explicit consent first.

5. Cookies

Actionpad uses a single session cookie to authenticate your login. This is a strictly necessary cookie. It is essential for the service to function and does not require consent under the ePrivacy Directive.

We do not use third-party tracking cookies, advertising pixels, or analytics cookies.

Third-party services used in the billing flow (such as Stripe Checkout) may set their own cookies, governed by their respective privacy policies.

6. Who We Share Your Data With

We share personal data only with the third parties necessary to operate the service:

Google (authentication and calendar). Your Google account is used for sign-in; calendar event metadata is read to populate meetings.

Stripe (payment processing). Your billing email and subscription details are shared with Stripe, which processes and stores payment information directly.

Resend (email delivery). Recipient email addresses and email content for transactional emails sent on your behalf, such as meeting agendas and action summaries.

Slack (integration, if enabled). Your Slack user ID and email address are used to map Slack users to Actionpad accounts. Notification messages are delivered via Slack's API.

Infrastructure providers. Our hosting providers process your data as sub-processors to deliver the service. Data is encrypted at rest and in transit.

Law enforcement or regulatory bodies. We may disclose data if required by law, subpoena, or court order, or if necessary to protect our rights, safety, or the rights of others.

Each third-party service has its own privacy policy governing their handling of your data. We do not sell, rent, or trade your personal data to any third party.

7. International Data Transfers

Your data is primarily processed on infrastructure located in the United States. If you are based in the UK or European Economic Area, this means your data is transferred outside your jurisdiction.

We ensure appropriate safeguards are in place for these transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement where applicable. You may contact us for more information about the specific safeguards applied to your data.

8. Data Security

We implement industry-standard measures to protect your data, including:

  • Encryption at rest for all stored data.
  • Encryption in transit (HTTPS/TLS) for all connections.
  • Row-level security ensuring strict tenant isolation. Your organisation's data is never accessible to other organisations.
  • Private notes are additionally isolated so only the author can access them.
  • Secure, httpOnly session cookies with SameSite attributes.
  • Rate limiting on authentication and sensitive endpoints.
  • Security headers including HSTS, Content Security Policy, and X-Frame-Options.

No method of electronic transmission or storage is 100% secure. While we implement reasonable safeguards, we cannot guarantee absolute security.

9. Data Retention

Active accounts. Your data is retained for as long as your account and your organisation's subscription are active.

After cancellation. When your organisation cancels its subscription, your data enters read-only mode. You can request full deletion at any time by contacting us.

After suspension. Data is retained for 90 days after account suspension to allow for reactivation, after which it is scheduled for deletion.

Guest data. External guest names and email addresses are retained for the duration of the meeting record. Guests can request deletion by contacting us.

Billing records. Transaction records are retained for the period required by applicable tax and accounting laws (typically 6–7 years).

Backups. Deleted data may persist in encrypted backups for a limited period before being permanently purged.

10. Your Rights

All users can:

  • Access their personal data through account settings or by contacting us.
  • Update or correct their personal data.
  • Request deletion of their account and personal data.
  • Export their data in a portable format.

To exercise any of these rights, contact us at hello@actionpad.app.

11. Additional Rights for UK and EU Users

If you are located in the United Kingdom or European Economic Area, you have additional rights under the UK GDPR and EU GDPR:

  • Right of access (Art. 15). Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16). Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17). Request deletion of your data, subject to legal retention requirements.
  • Right to restrict processing (Art. 18). Request that we limit how we process your data in certain circumstances.
  • Right to data portability (Art. 20). Receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21). Object to processing based on legitimate interests.
  • Right to lodge a complaint. You may lodge a complaint with your local data protection authority (for example, the Information Commissioner's Office in the UK).

We will respond to rights requests within 30 days as required by law. Contact us at hello@actionpad.app to exercise any of these rights.

12. Children's Privacy

Actionpad is a business tool designed for use by organisations. It is not directed at children under 16 years of age, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. When we do, we will post the updated policy on this page with a revised “Last updated” date.

For material changes that affect how we process your data, we will provide notice through the Actionpad application. We encourage you to review this policy periodically.

14. Contact Us

If you have questions about this privacy policy, want to exercise your data rights, or have a concern about how we handle your data, contact us at hello@actionpad.app.

Actionpad