This policy explains how BrynForum — operated by Zealand IT Ltd, a company registered in England and Wales (company number 06895694), trading as BrynForum ("we", "us") — collects and handles personal data. It covers data we process as a data controller (i.e. for our own customers signing up to and operating BrynForum) and as a data processor (i.e. on behalf of our Customers, for the users of their hosted forums).
We comply with the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU GDPR.
1. Where we sit in the data chain
When you (the BrynForum Customer) sign up and operate a forum on BrynForum, there are two layers of personal data:
- Your data as our Customer — name, email, billing address, payment-instrument metadata. We are the controller of this data.
- Your forum's user data — your forum members' usernames, emails, posts, IPs, etc. You are the controller; we are the processor hosting it on your instruction.
2. Data we collect as controller (your relationship with BrynForum)
2.1 Signup and account
When you create a subscription we collect: your name, email address, the slug you choose for your forum, and the password we generate for your forum's admin account. This data is stored in our own systems (Hetzner Cloud, Germany, EU).
2.2 Billing
Payment is processed by Lemon Squeezy, Inc., our merchant of record. They collect and store your billing details (card information, billing address, VAT identifiers where applicable) under their own privacy policy. We receive: order ID, your email, the tier purchased, and a payment-confirmation signal. We do not see or store your card number.
2.3 Service operation
We log requests to our infrastructure (HTTP access logs at the reverse proxy and Flarum application logs). These logs may contain IP addresses for up to 14 days for abuse-prevention and debugging purposes. We do not associate those IPs with marketing profiles.
2.4 Analytics on the marketing site
The marketing site at brynforum.com uses Google Analytics 4 (gtag.js) to measure aggregate page visits. Analytics is configured with IP anonymisation enabled and no advertising signals.
3. Data we process as processor (your forum's user data)
Your forum users' data is hosted in your private Flarum instance on BrynForum infrastructure. We process this data only:
- To deliver the hosting service (storage, retrieval, indexing, search, email delivery);
- To perform routine backups (encrypted at rest);
- To investigate abuse or security incidents that you or a third party report.
We do not analyse, profile, mine, sell, or otherwise commercially exploit your forum users' data.
You — as the data controller of your forum's user data — are responsible for providing your own privacy notice to your forum's users, handling their access/erasure requests, and configuring your forum (cookie banner, content moderation, retention) in line with applicable law.
4. Sub-processors
To run the Service, we share data with the following infrastructure providers ("sub-processors"):
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting | Germany (EU) |
| Cloudflare, Inc. | DNS, CDN, edge cache | Global edge; primary processing under UK/EU SCCs |
| Cloudflare R2 | User upload storage | EU region selected |
| Resend (Production Mail, Inc.) | Transactional email delivery | USA (under SCCs) |
| Lemon Squeezy, Inc. | Payment processing, merchant of record | USA (under SCCs) |
Material changes to this list will be communicated at least 14 days before they take effect.
5. Legal basis
We process personal data under one of the following legal bases:
- Contract — to provide the Service you have subscribed to;
- Legal obligation — for tax/billing records and lawful disclosure requests;
- Legitimate interests — for security, fraud prevention, and service improvement, balanced against your privacy interests.
6. Retention
- Account data: for the duration of your subscription, plus 30 days after cancellation for export purposes.
- Backups: 14 days local (Hetzner snapshots) plus 30 daily / 12 monthly off-box rotations (encrypted).
- Server logs: 14 days, then deleted.
- Billing records: 7 years, as required by UK tax law.
7. Your rights
Under UK and EU GDPR you have the right to: access the data we hold about you, correct it, request deletion (subject to retention obligations above), restrict processing, object to processing, and data portability. To exercise any of these rights, contact us via the contact form. We will respond within one calendar month.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
8. Cookies
The marketing site uses:
- A small number of Google Analytics cookies (`_ga`, `_ga_*`) — see Google's documentation for details. You can opt out via the Google Analytics Opt-out Browser Add-on.
- No advertising cookies, no cross-site tracking.
Cookies used inside your Flarum forum are governed by your forum's own privacy notice — typically session cookies (functional) and any cookies set by extensions you enable.
9. Security
Our infrastructure runs with: TLS 1.2+ for all public traffic; SSH key-only access with root login disabled; encrypted database backups; firewalls (host + cloud); intrusion-prevention monitoring. We do not run an SOC2 / ISO27001 programme at our current scale — if formal compliance attestations are a hard requirement, please contact us before subscribing.
10. International transfers
Where we transfer personal data outside the UK or EEA (e.g. to Lemon Squeezy or Resend in the USA), the transfer is governed by the EU Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Addendum.
11. Changes to this policy
Material changes will be notified to your account email at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For data-protection queries, including subject-access requests, use the contact form. We do not currently have a designated Data Protection Officer (we operate below the UK GDPR threshold requiring one), but privacy enquiries are handled directly by the operator within one calendar month.