This page provides detailed information about how ToggleKit Ltd (trading as “The Pixel House”) handles data in compliance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018. It supplements our Privacy Policy with specific information relevant to data processing, international transfers, and your rights.
1. Our role as data controller and processor
ToggleKit Ltd acts in two capacities depending on the context:
Data controller: for your account information, billing data, and usage analytics. We determine the purposes and means of processing this data to provide and improve the Service.
Data processor: when we capture screenshots, generate visual diffs, and store baseline images on your behalf. In this capacity, we process data according to your instructions (the URLs you submit and the configurations you set). You remain the data controller for any personal data that may appear in the screenshots you capture.
If you use the Service to capture screenshots of pages containing personal data (for example, user dashboards or personalised content), you are responsible for ensuring you have a lawful basis to process that data and that your use of the Service complies with applicable data protection laws.
2. Data processing agreement
For customers on paid plans who require a formal Data Processing Agreement (DPA) to comply with Article 28 of the GDPR, we provide a DPA upon request. Our DPA covers:
The subject matter and duration of processing
The nature and purpose of processing
The types of personal data and categories of data subjects
Our obligations and your obligations as controller
Sub-processor management and notification procedures
Data breach notification commitments
Data deletion and return obligations upon termination
All customer data is processed and stored within the European Union. Our infrastructure consists of:
Application hosting: Cloudflare Workers, running on Cloudflare’s global edge network. Worker execution for EU customers is pinned to EU data centres.
Database: Neon Postgres, hosted in the EU region. All account data, project metadata, comparison results, and monitor configurations are stored here.
Object storage: Cloudflare R2, with data stored in EU data centres. Screenshots, visual diffs, and baseline images are stored here.
Browser rendering: Cloudflare Browser Rendering, used to capture screenshots. Rendering sessions are ephemeral and no data persists after capture.
Queue processing: Cloudflare Queues for asynchronous screenshot capture, diff processing, and alert delivery. Queue messages are processed in the EU.
4. Sub-processors
We use the following sub-processors to deliver the Service. Each sub-processor is bound by a data processing agreement and processes data only as necessary to provide its specific service:
Cloudflare, Inc. — Application hosting, CDN, object storage (R2), browser rendering, queue processing. Data location: EU.
Neon, Inc. — Managed Postgres database hosting. Data location: EU.
Stripe, Inc. — Payment processing and subscription management. Processes billing data only. Certified under the EU-US Data Privacy Framework.
Resend, Inc. — Transactional email delivery. Processes email addresses and notification content only.
GitHub, Inc. — OAuth authentication provider (optional, only if you choose to sign in with GitHub). Processes authentication tokens and basic profile data.
We will notify you of any changes to our sub-processors with at least 30 days’ notice. If you object to a new sub-processor, you may terminate your subscription before the change takes effect.
5. International data transfers
We store and process customer data within the EU. Where our sub-processors are based outside the EEA or the United Kingdom, we ensure appropriate safeguards are in place:
EU-US Data Privacy Framework: where the sub-processor is certified under the framework (e.g., Stripe).
Standard Contractual Clauses (SCCs): approved by the European Commission, incorporated into our agreements with sub-processors where required.
UK International Data Transfer Agreement (IDTA): used where transfers are from the UK to countries without an adequacy decision.
We conduct transfer impact assessments for each sub-processor to evaluate the level of data protection in the recipient country and the effectiveness of the safeguards in place.
6. Technical and organisational measures
We implement the following measures to protect your data, in compliance with Article 32 of the GDPR:
Encryption in transit: all data transmitted between your browser or API client and our servers is encrypted using TLS 1.2 or higher.
Encryption at rest: database storage and object storage are encrypted at rest using AES-256.
Access controls: internal access to production systems is restricted to authorised personnel using multi-factor authentication.
API key security: API keys are hashed using a one-way cryptographic hash before storage. Plain-text keys are shown only once at creation time.
Rate limiting: API endpoints are protected by rate limiting to prevent abuse and ensure fair usage.
Logging and monitoring: access logs and security events are monitored for anomalous activity. Logs are retained for up to 90 days.
Regular reviews: we conduct periodic security reviews of our infrastructure, dependencies, and access controls.
7. Data breach notification
In the event of a personal data breach, we will:
Notify the relevant supervisory authority (the Information Commissioner’s Office in the UK) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of individuals.
Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
For customers with a DPA in place, notify the controller without undue delay after becoming aware of a breach involving their data.
Document all breaches, including the facts, effects, and remedial action taken, regardless of whether notification to the supervisory authority is required.
8. Data subject rights
We support the exercise of all data subject rights under the UK GDPR and EU GDPR. As a user of the Service, you may:
Access your data: request a copy of all personal data we hold about you. We will provide this in a commonly used, machine-readable format.
Rectify your data: update or correct inaccurate personal data through your account settings or by contacting us.
Erase your data: request deletion of your account and associated data. We will comply within 30 days, subject to any legal obligations requiring us to retain certain records.
Restrict processing: request that we limit how we process your data in certain circumstances (for example, while we verify its accuracy).
Data portability: receive your data in a structured, commonly used, machine-readable format (JSON). This includes your project configurations, comparison history, and monitor settings.
Object to processing: object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
To exercise any of these rights, contact us at privacy@thepixelhouse.co.uk. We will verify your identity before processing any request and respond within 30 days.
9. Data protection impact assessments
We conduct Data Protection Impact Assessments (DPIAs) where processing is likely to result in a high risk to the rights and freedoms of individuals, as required by Article 35 of the GDPR. This includes assessments of new features, third-party integrations, and changes to data processing activities.
10. Record of processing activities
We maintain a record of processing activities as required by Article 30 of the GDPR. This record documents the purposes of processing, categories of data subjects and personal data, recipients of data, international transfers, retention periods, and technical and organisational security measures.
11. Cookie and tracking policy
The Service uses only strictly necessary cookies for authentication session management. We do not use analytics tracking cookies, advertising cookies, or third-party tracking pixels. This means no cookie consent banner is required under the Privacy and Electronic Communications Regulations 2003 (PECR), as strictly necessary cookies are exempt.
12. Contact and supervisory authority
For any questions about our data processing practices or to exercise your rights: