Privacy Policy

1. Who We Are

LilliMad ("we", "us", "our") is a production management platform operated by Michael Etherington. This policy explains how we collect, use, store, and protect your personal information when you use the LilliMad platform at any of our hosted domains or self-hosted installations.

For privacy-related enquiries, contact: [email protected]

2. Information We Collect

Account & Identity Data

When you or your organisation administrator creates an account, we collect your name, email address, and a hashed password. We never store passwords in plain text.

Production & Operational Data

We store the content you create within the platform: projects, schedules, contacts, documents, crew and talent records, vendor information, and any files you upload. This data is owned by your organisation and processed on your behalf.

Usage & Technical Data

We collect server-side request logs (IP address, timestamp, endpoint, HTTP status) for security monitoring and debugging. We do not use third-party analytics or advertising trackers.

Cookies

We use two HttpOnly session cookies: access_token (org session) and platform_token (platform admin session). These are strictly necessary for authentication and are not used for tracking. No third-party cookies are set.

3. How We Use Your Information

• To authenticate you and maintain your session
• To store and retrieve your organisation's production data
• To provide support when you raise a ticket, including any screenshots you choose to attach
• To send transactional communications (invite links, password resets) where applicable
• To monitor for security incidents and investigate abuse

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Data Storage & Transfers

All data is stored on servers located within the United Kingdom or European Economic Area unless your organisation has arranged a custom hosting agreement. File attachments and logos are stored in an S3-compatible object store (MinIO). Database data is stored in PostgreSQL.

Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place in accordance with UK GDPR and the EU GDPR.

5. Data Retention

We retain your data for as long as your organisation's account is active. When an organisation account is deleted, all associated data — users, projects, documents, and files — is permanently deleted within 30 days. Support ticket attachments are retained for 12 months after ticket closure for audit purposes, then permanently deleted.

You may request deletion of your personal account at any time by contacting your organisation administrator or emailing us directly.

6. Your Rights

Under UK GDPR and EU GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate or incomplete data
• Erasure — request deletion of your data ("right to be forgotten")
• Portability — receive your data in a structured, machine-readable format
• Objection — object to certain processing activities
• Restriction — request we limit how we use your data

To exercise any of these rights, contact [email protected]. We will respond within 30 days.

7. Support Access

Platform support staff may request temporary access to your organisation's data to assist with troubleshooting. Such requests are visible to your organisation's owner(s) in the Settings page and require explicit approval before access is granted. All access is time-limited and logged.

8. Children's Privacy

LilliMad is a business platform not intended for use by individuals under the age of 16. We do not knowingly collect personal data from minors.

9. Changes to This Policy

We may update this policy periodically. Where changes are material, we will notify organisation owners by email or via an in-app notice at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

10. Contact

Michael Etherington
LilliMad
[email protected]