Stillroom HQ
Privacy Policy

Last updated: May 2025

This policy explains how Stillroom HQ collects, uses, and protects your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Stillroom HQ is a craft business ERP (Enterprise Resource Planning) platform operated by Julie Brocklesby, trading as Jules of the Earth, based in the United Kingdom. We are the data controller for the personal data processed through this platform.

Contact: For any data protection enquiries, please email [email protected].

2. What Data We Collect

We collect and process the following categories of data:

Account Information

Your name, email address, and hashed password when you register for or are added to an account.

Business Data

Information you enter into the platform: customers, suppliers, products, ingredients, formulations, batches, orders, and financial records. This data belongs to your business.

⚕ Client Consultation Records (Special Category Data)

If you use the Herbalist module, client consultation records — including health history, treatment notes, and any images uploaded during a consultation — are stored on our UK-based server. This constitutes Special Category data under UK GDPR (health data). See Section 4 for legal basis and Section 6 for your responsibilities as data controller.

Uploaded Files

Business logos, product images, and files attached to consultations. These are stored in a secure uploads folder on our UK-based server.

Usage Data

Technical logs used for security and system maintenance (e.g. failed login attempts, error logs). We do not use analytics tracking services.

3. How We Use Your Data

  • To provide and maintain the Stillroom HQ service.
  • To authenticate you and keep your account secure.
  • To store and display the business data you enter.
  • To send transactional system notifications (e.g. password resets) — we do not send marketing emails.
  • To maintain backups to protect against data loss.

4. Legal Basis for Processing

Contract performance — Processing your account data and business data is necessary to provide the service you have signed up for.

Explicit consent — Where the Herbalist module is used, client health data is Special Category data. The legal basis for storing this data is explicit consent, which you (the herbalist) are responsible for obtaining from your clients before entering their records into the platform.

Legitimate interests — We maintain security logs and backups to protect the platform and your data.

Legal obligation — We may retain certain records where required by law.

5. Where Your Data Is Stored & Backed Up

Your data is stored on a self-hosted server based in the United Kingdom. We do not use overseas cloud hosting for your primary data.

Nightly Backup Coverage

Database (all records, consultations, notes):
  ✓ External HDD (2am)
  ✓ Google Drive (3am)

Uploaded Files (logos, images, consultation attachments):
  ✓ External HDD (2am)
  ⚠ Not in Google Drive

Retention: backups are automatically rotated after 30 days.

Encrypted backup copies of the database are also stored in Google Drive (operated by Google LLC, USA). Google is certified under the UK-US Data Bridge, providing appropriate safeguards for international transfers.

Your connection to Stillroom HQ is routed through Cloudflare (USA), which provides DDoS protection and secure tunnelling. Cloudflare processes connection metadata but does not store your business data.

6. Your Responsibilities as Data Controller

Important — if you use the Herbalist consultation module:

When you store client health records through Stillroom HQ, you are the data controller for your clients' personal and health data. Stillroom HQ acts as your data processor.

This means you are responsible for:

  • Obtaining explicit consent from your clients before recording their health information.
  • Having your own client-facing privacy policy that explains how you handle their data.
  • Responding to your clients' subject access requests and erasure requests.
  • Registering with the Information Commissioner's Office (ICO) if you process health data (most practitioners are required to do this).

7. How Long We Keep Your Data

Active accounts: Your data is kept for as long as your account is active.

After account deletion: Your data is permanently deleted within 30 days of account closure, except where we are legally required to retain records.

Backups: Encrypted backups are automatically rotated and deleted after 30 days.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of Access

Request a copy of the data we hold about you.

Right to Rectification

Ask us to correct inaccurate or incomplete data.

Right to Erasure

Request deletion of your personal data (subject to legal obligations).

Right to Portability

Receive your data in a portable, machine-readable format.

Right to Restriction

Ask us to limit how we process your data in certain circumstances.

Right to Object

Object to processing based on legitimate interests.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's data protection authority.

9. Cookies

Stillroom HQ uses only essential session cookies required to keep you logged in. We do not use advertising, analytics, or tracking cookies. No cookie consent banner is required.

10. Data Security

We implement appropriate technical and organisational measures to protect your data, including: HTTPS encryption in transit, bcrypt password hashing, access controls, and regular encrypted backups. No system is completely secure, and we cannot guarantee absolute security, but we take our responsibilities seriously.

11. Third Parties

We do not sell your data. The only third-party services we use are:

  • Google Drive: encrypted database backups only.
  • Cloudflare: secure connection routing and DDoS protection.

12. Changes to This Policy

We may update this policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For significant changes, we will notify active users by email. Continued use of the platform after changes constitutes acceptance of the updated policy.

© 2026 Stillroom HQ · Jules of the Earth · United Kingdom