Theodore HQ

Privacy Policy

Last updated: 3 July 2026

The Support Centre is a public notice board for our Mac apps: bug reports, feature requests, comments, votes, and testimonials. Posting here is public by design, so this page explains exactly what we collect, where it goes, and the rights you have. It is written to satisfy UK GDPR without losing the plain English.

  • Everything you post is published on this board, under a display name you choose.
  • Email is optional and stays private. If you leave one, we use it only to email you replies about your own report. This site sends no marketing email, ever.
  • No accounts, no cookies. There is nothing to sign up for, and nothing tracks you across other websites.

Who is the data controller?

The data controller for any personal data this site holds about you is:

TJH/CO LIMITED (trading as THEODORE HQ)
A company registered in England and Wales
Company number: 16589593
Registered office:
Fairway House, Links Business
Fortran Rd, St. Mellons
Cardiff, CF3 0LT
United Kingdom
Email: support@theodorehq.com

Email support@theodorehq.com with any data-protection question.

What happens when you post a bug report, feature request, or comment?

Your post is published on this public board. We collect three things:

  • Your display name. You choose it, and it can be anything. It is published alongside your post.
  • The text you write. The title and description (or comment) are published on the board.
  • Your email address, which is optional. Leave it only if you would like updates. It is stored privately in a private repository, is never published, and is used only to email you replies about your own report. Nothing else, ever: no newsletter, no marketing.

Lawful basis: legitimate interests (Article 6(1)(f) UK GDPR) in running a public support board and replying to the people who post on it. The email is entirely optional, and leaving it out changes nothing about how your report is handled.

Because posts are public, please do not include other people's personal data in them (see the Terms of Use). If you post something you later regret, email us and we will remove it.

Testimonials

Testimonials work the same way, with one extra safeguard: nothing is published until a human has read and approved it. We collect your display name and the text you write (published only after approval), an optional star rating, an optional country (shown as a small flag beside your words if you give one), and the same optional private email as above.

Votes never leave your browser

When you upvote a bug or feature request, the only record of which items you voted on is a small flag in your own browser's localStorage. It is never sent to a server as an identifier; the server only ever sees an anonymous plus one, and the vote count itself identifies nobody.

Storage basis: the PECR exception for appearance and functionality storage (Regulation 6, as amended by the Data (Use and Access) Act 2025), which covers first-party storage that simply makes a site work the way you asked. You can clear it at any time by clearing this site's data in your browser; the only effect is that the arrows you tapped forget they were tapped.

AI-assisted first replies

When you submit a bug report or feature request, we send the text of your submission (its title, its description, and your first name) to Anthropic, a US company, whose Claude model drafts the short acknowledgment that is posted publicly on your report and, if you left an email, emailed to you. That is the whole flow: a first “we have seen this” reply, so you are never left wondering whether your report landed.

Anthropic does not use data sent to its API to train its models, under its commercial terms. Your email address is never sent to Anthropic.

Rate limiting and server logs

To keep spam out, our API notes your IP address transiently, in memory only, to enforce a submission rate limit. We do not persist it, write it to a log, or connect it to your post. Lawful basis: legitimate interests (Article 6(1)(f)) in preventing abuse.

Vercel, our hosting provider, keeps standard access logs, as virtually every host does, under its own privacy notice (linked below).

Website analytics

We use Umami, a privacy-friendly analytics tool we self-host on our own server at analytics.theodorehq.com. It is cookieless, first-party, and collects aggregate statistics only: which pages are read, roughly where in the world from, and on what kind of device. No analytics data is shared with any third party.

Storage basis: the PECR statistical-purposes exception (Regulation 6, as amended by the Data (Use and Access) Act 2025), because the access solely compiles aggregate statistics about how the site is used. That exception requires a simple, free way to object: any standard content blocker (uBlock Origin, Ghostery, Brave's built-in shields) blocks our analytics by default, and the site works fully without it.

Vercel Web Analytics, a cookieless measurement tool run by our hosting provider, also runs on the site and is covered by Vercel's privacy notice below.

Who handles your data, and international transfers

Four providers touch Support Centre data. Each is based in the United States, and each transfer is covered by a UK-recognised safeguard: the UK Extension to the EU-US Data Privacy Framework and/or the provider's data-processing agreement incorporating UK-approved clauses.

You can ask us for more detail on any of these safeguards at support@theodorehq.com.

How long do we keep your data?

  • Published posts (reports, comments, testimonials) remain published as part of the public support record until removal is requested. Email us and we will take a post down.
  • Your private email address is kept while its report remains published, and is deleted on request at any time.
  • The vote flag in localStorage stays on your own device, under your control, until you clear your browser's site data.

Your rights under UK GDPR

You have the following rights over any personal data we hold about you:

  • Right of access: ask us for a copy of the data we hold (Article 15).
  • Right to rectification: correct anything inaccurate (Article 16).
  • Right to erasure: ask us to delete your data, including any published post (Article 17).
  • Right to restrict processing: pause our processing while a dispute is resolved (Article 18).
  • Right to data portability: receive your data in a structured, common format (Article 20).
  • Right to object: object to processing based on legitimate interests (Article 21).
  • Right to withdraw consent: at any time, where processing relies on it (Article 7(3)).
  • Right not to be subject to automated decision-making: we make no such decisions about you (Article 22).

To exercise any of these, email support@theodorehq.com. We respond within thirty days, free of charge.

Complaints

Under section 164A of the Data Protection Act 2018 (inserted by the Data (Use and Access) Act 2025) you can complain to us directly about how we have handled your personal data. Email support@theodorehq.com: we will acknowledge your complaint within 30 days, investigate it, and tell you the outcome.

You can also complain to the UK Information Commissioner's Office, the independent supervisory authority, at any time, though we would appreciate the chance to put things right first:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
ico.org.uk/make-a-complaint

Children

The Support Centre is not directed at children under 13 (the UK age of digital consent under section 9 of the Data Protection Act 2018). We do not knowingly collect personal data from anyone under 13; if you believe we hold such data, email us and we will delete it promptly.

Changes to this policy

If this policy changes, we will update the date at the top and announce any material change on this site before it takes effect. We will not quietly widen what we collect.

Contact

Questions, concerns, or anything that smells off: support@theodorehq.com. A real human (Theodore) reads every email.