Privacy Policy
Last updated: March 9, 2026
Future Mill Limited ("we", "us", or "our") operates SquirrelStack (the "Service"). This Privacy Policy explains how personal data is handled when people visit our website, create or use SquirrelStack accounts, or interact with data processed through the Service.
Privacy at a Glance
- SquirrelStack is a B2B platform providing analytics, advertising, monitoring, CRM, project management, and support tools
- Customers control the end-user and business data they put into SquirrelStack; we process that data on their instructions
- We use the personal data we control to provide, secure, bill for, and support the Service
- We do not sell personal data or use customer data for advertising
- Our built-in analytics feature uses no cookies and masks IP addresses by default
- Questions can be sent to [email protected]
Who This Policy Is For
This Privacy Policy applies to:
- Visitors to our website
- Customer administrators and authorised users
- Individuals whose personal data is processed through the Service on behalf of our customers
SquirrelStack is intended for business use only.
Roles and Responsibilities
When personal data is processed through SquirrelStack:
- The customer is usually the data controller for end-user, contact, visitor, support, CRM, booking, project, and similar business data collected through the customer's use of the Service
- Future Mill Limited is the data processor for that customer data
For our own website, account administration, service operations, billing, and direct support communications, Future Mill Limited acts as the data controller.
A Data Processing Agreement is available for customers who require one.
If your data was collected through a SquirrelStack customer account, you should usually contact that customer first. We may redirect your request to them where they act as controller.
Information We Collect
Data We Control Directly
| Category | Examples | Why we use it | Legal basis | Retention |
|---|---|---|---|---|
| Website and enquiry data | Information you submit in forms, emails you send us, and basic request metadata | To respond to enquiries, prevent abuse, and run our website | Legitimate interests; steps prior to contract | Up to 12 months after the enquiry closes unless longer retention is required |
| Account and administration data | Name, work email address, company name, role, profile data, login method, and workspace membership | To create accounts, authenticate users, manage organisations, and provide the Service | Contract; legitimate interests in securing and administering the Service | For the life of the account and up to 12 months after closure, unless longer retention is required |
| Billing and transaction data | Subscription plan, invoices, payment status, billing contact details, and payment identifiers supplied by our payment provider | To charge for the Service, maintain records, prevent fraud, and comply with accounting obligations | Contract; legal obligation; legitimate interests | For the period required by tax, accounting, and audit rules, typically up to 7 years |
| Service usage and security data | IP address, browser type, device information, sign-in events, account actions, and diagnostic logs | To secure accounts, investigate incidents, maintain the Service, and troubleshoot problems | Legitimate interests; contract | Typically up to 12 months, unless we need longer retention for security, dispute, or legal reasons |
Customer Data We Process for Customers
Depending on which features a customer enables, customer-controlled data may include:
- Analytics: page views, referrers, device and browser information, and country; analytics IP addresses are masked to the subnet level and no cookies are placed by the analytics feature
- Advertising: campaign performance data synced from connected advertising platforms such as Google Ads and LinkedIn Ads
- SEO: search query and page performance data synced from Google Search Console
- Help desk: support conversations, contact names and email addresses, and message content
- Chat widget: visitor name, email address, and message content
- CRM: contacts, companies, deals, pipeline stages, activities, and booking details
- Project management: epics, stories, tasks, comments, and user assignments
- Uptime monitoring: check results, response times, error reports, and status page data
- Error tracking: application error reports including stack traces and request context
- Financial: invoice and revenue data synced from connected accounting platforms
- Video conferencing: meeting links and scheduling data from connected platforms such as Zoom
This data is provided and controlled by the customer. We process it only to provide the Service, following the customer's instructions and our contract with that customer.
Special Categories of Data
SquirrelStack is not intended for the routine processing of special categories of personal data or criminal offence data. Customers should not submit that kind of data unless they have assessed the risk and agreed appropriate safeguards with us in writing.
Cookies and Local Storage
We use limited cookies and local storage for essential product functions. We do not use cookies for advertising, cross-site profiling, or our built-in analytics feature.
| Technology | Purpose | Duration | Required? |
|---|---|---|---|
| Session cookie | Keeps signed-in users authenticated while they browse the Service | Usually until the browser session ends | Yes, for authenticated areas of the Service |
| remember_token cookie | Keeps users signed in across browser restarts, rotated on use and valid server-side for up to 30 days | Browser-persistent; token validity is up to 30 days unless cleared sooner | Yes, for persistent login functionality |
| Browser local storage for UI preferences | Remembers interface preferences such as selected view mode | Until cleared by the user or browser | No, but it improves usability |
| Browser local storage for the chat widget | Remembers a visitor's name and email so they do not need to re-enter them for each chat conversation | Until cleared by the user or browser | Optional for the customer feature, but necessary if the customer wants that continuity |
Our analytics feature does not use cookies or client-side storage. It relies on server-side, privacy-preserving visit tokens that are designed to reduce identifiability.
Where the SquirrelStack chat widget is embedded on a customer's website, that customer is responsible for determining whether any additional notice or consent is required under applicable cookie or privacy laws for their use of the widget.
How We Use Personal Data
We use personal data to:
- Provide, operate, and maintain the Service
- Authenticate users and secure accounts
- Process payments and manage subscriptions
- Communicate service updates and support responses
- Monitor and diagnose errors to improve reliability and performance
- Prevent abuse, fraud, and unauthorised access
- Comply with legal, tax, accounting, and regulatory obligations
We do not use customer data for marketing, advertising, or profiling.
Legal Bases for Processing
Where we act as a data controller, we process personal data on one or more of the following bases:
- Contract: to provide the Service, manage subscriptions, authenticate users, and deliver support
- Legitimate interests: to secure, maintain, improve, and administer the Service, investigate misuse, and communicate with business users about service operations
- Legal obligation: to comply with accounting, tax, regulatory, and law-enforcement obligations
- Consent: where we specifically ask for it, which you can withdraw at any time
Where we act as a data processor, we process personal data only on the customer's documented instructions and under our contract with that customer.
For cookies and similar technologies, we rely on strictly necessary use for authentication, security, and core service functionality unless we specifically ask for consent.
Data Retention
We retain personal data for no longer than necessary for the purposes described in this policy. The main retention periods are:
| Data type | Retention approach |
|---|---|
| Account profile and workspace administration data | Retained for the duration of the customer relationship and ordinarily deleted within 12 months after account closure, unless longer retention is required for disputes, security, or legal compliance |
| Billing and finance records | Retained for the period required by applicable accounting and tax rules, typically up to 7 years |
| Customer-controlled data in the Service | Retained according to the customer's instructions and contractual terms; on account deletion or termination, live production data is ordinarily removed within 30 days |
| Analytics data | Retained while the customer subscription remains active, then deleted with the relevant customer data unless the customer deletes it sooner |
| Backups | Retained for up to 30 days for disaster recovery and then overwritten or deleted in the normal rotation cycle |
| Security and diagnostic logs | Usually retained for up to 12 months, unless a longer period is needed to investigate incidents, enforce terms, or comply with legal obligations |
Data Security
We apply technical and organisational measures designed to protect personal data, including:
- Encryption in transit using TLS
- Encryption at rest for sensitive data such as API keys, OAuth tokens, and SMTP credentials
- Logical access controls with account-level data isolation
- Audit logging of significant account actions
- Encrypted backups and controlled administrative access
No system is completely secure, and absolute security cannot be guaranteed.
Data Sharing and Sub-processors
We do not sell personal data.
We share data with the following service providers as necessary to operate the Service:
| Provider | Role | Location | Transfer safeguard |
|---|---|---|---|
| Cloudflare, Inc. | CDN, DDoS protection, DNS, and file storage (R2) | United States / Global | Adequacy regulations where available, or SCCs with UK Addendum / IDTA as applicable |
| Scaleway SAS | Cloud hosting and transactional email delivery | France | No restricted transfer for EEA-hosted processing |
| Stripe, Inc. | Payment processing and billing | United States | Adequacy regulations where available, or SCCs with UK Addendum / IDTA as applicable |
| Google LLC | OAuth authentication | United States | Adequacy regulations where available, or SCCs with UK Addendum / IDTA as applicable |
| Airbrake Technologies, Inc. | Application error monitoring | United States | Adequacy regulations where available, or SCCs with UK Addendum / IDTA as applicable |
Where customers connect optional third-party integrations such as Google Ads, Google Search Console, LinkedIn Ads, HubSpot, Help Scout, Xero, Slack, or Zoom, data is exchanged with those platforms on the customer's instruction. Those providers are governed by the customer's own relationship with them and are not our sub-processors for the purposes of customer-controlled data.
We may also disclose data:
- To courts, regulators, law enforcement, or other authorities where required by law or necessary to protect legal rights
- To professional advisers such as auditors, lawyers, and insurers under appropriate confidentiality obligations
- In connection with a merger, acquisition, financing, reorganisation, or sale of all or part of our business
International Data Transfers
Personal data may be processed outside the UK or EEA. Where this happens, we use appropriate safeguards, such as:
- Adequacy decisions or adequacy regulations
- The European Commission's standard contractual clauses
- The UK International Data Transfer Addendum or International Data Transfer Agreement, where required
- Another lawful transfer mechanism recognised under applicable data protection law
Our primary infrastructure is hosted in Europe, but some support functions and sub-processors may operate from other jurisdictions, including the United States.
Your Rights
Depending on applicable law and on whether we act as controller for your data, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your personal data
- Receive a portable copy of data you provided to us
- Restrict certain processing
- Object to processing based on legitimate interests
- Withdraw consent where processing is based on consent
To exercise these rights, contact [email protected]. We aim to respond within 30 days, although the applicable legal timeframe may vary depending on the request and jurisdiction.
If your data is processed through SquirrelStack by one of our customers, contact that organisation first, as it is usually the data controller for that data.
You also have the right to lodge a complaint with your local data protection authority. If you are in the UK, that authority is the Information Commissioner's Office.
Children's Data
SquirrelStack is not intended for use by children under the age of 16, and we do not knowingly collect personal data from children in connection with the Service.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the updated version on our website and update the "Last updated" date above.
Contact Us
If you have questions about this Privacy Policy or how personal data is handled, contact:
Future Mill Limited
Email: [email protected]