Privacy Policy
Last updated: 27 February 2026
1. Who We Are
Internal Newsletter ("the Service") is operated by Internal Newsletter Ltd ("we", "us", "our"). We are the data controller for the personal data we process through the Service.
Contact: hello@internalnewsletter.com
2. Data We Collect
Account data
When you register, we collect your name, email address, and password (stored as a secure hash). When you create or join a Team, we store your role and team membership.
Team and content data
We store the content you create within the Service, including newsletter text, content blocks, templates, calendar events, and team settings (such as your team name and logo).
AI-generated content
When you use AI drafting features, we send contextual information (block type, team name, and any context you provide) to OpenAI for processing. The generated draft is stored within your Team's content. We do not use your content to train AI models.
Billing data
Payment processing is handled by Stripe. We do not store your full card details. Stripe provides us with limited information such as the last four digits of your card, expiry date, and billing address. Please refer to Stripe's Privacy Policy for how they handle your payment data.
Usage data
We collect anonymised usage data via Ahoy to understand how the Service is used. This includes pages visited, features used, and referral sources. We mask IP addresses and do not build individual user profiles for advertising.
Cookies
We use essential cookies for authentication and session management. Analytics cookies are only enabled with your consent. See section 7 for details.
3. How We Use Your Data
We use your data to:
- Provide and maintain the Service
- Process payments and manage subscriptions
- Send transactional emails (password resets, team invitations)
- Generate AI-assisted content drafts when you request them
- Improve the Service based on anonymised usage patterns
- Respond to support requests
We do not sell your personal data. We do not use your data for advertising or profiling.
4. Legal Basis for Processing
We process your data on the following legal bases (under UK GDPR):
- Contract — to provide the Service you signed up for
- Legitimate interest — to improve and secure the Service
- Consent — for analytics cookies (which you can withdraw at any time)
- Legal obligation — to comply with tax, accounting, and other legal requirements
5. Data Sharing
We share data with the following categories of third parties, solely to provide the Service:
- Stripe — payment processing
- OpenAI — AI content generation (only when you use AI features)
- Mailpace — transactional email delivery
- Hatchbox / hosting provider — infrastructure and data storage
We require all third-party processors to handle your data in accordance with applicable data protection law.
6. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes.
Billing records are retained for 7 years in accordance with UK tax law.
7. Cookies
We use the following types of cookies:
- Essential cookies — required for authentication and security. These cannot be disabled.
- Analytics cookies — used to understand how the Service is used. These are only set with your consent and can be disabled at any time via the cookie banner.
8. Your Rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Restrict or object to processing
- Receive your data in a structured format (data portability) — you can download your data at any time from your Account settings
- Withdraw consent for analytics cookies at any time
To exercise any of these rights, contact us at hello@internalnewsletter.com. We will respond within 30 days.
9. International Transfers
Some of our third-party providers (including OpenAI and Stripe) process data in the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses.
10. Security
We take reasonable technical and organisational measures to protect your data, including encryption in transit (TLS), secure password hashing, and access controls. However, no system is completely secure, and we cannot guarantee absolute security.
11. Children
The Service is not intended for use by anyone under the age of 16. We do not knowingly collect data from children.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or through the Service. The "last updated" date at the top of this page indicates when the policy was last revised.
13. Contact and Complaints
For any questions or concerns about this policy, contact us at hello@internalnewsletter.com.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.