Privacy Policy
Last updated: 17 June 2026
1Gesture ("we", "our", "us") operates a meeting reminder and impact gesture service. This Privacy Policy explains what data we collect, why we collect it, how we protect it, and the rights you have over it. We are committed to transparency and to handling your data responsibly under the UK GDPR, the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).
1. Data We Collect
Account Data
When you create an account via Google or Microsoft OAuth, we receive and store:
- Your name and email address
- Your profile avatar (provided by your OAuth provider)
- Your browser timezone (e.g., "Europe/London") — used to display meeting times in your local timezone
Calendar Event Data
With your explicit consent, we read your Google Calendar or Microsoft Outlook Calendar to find your upcoming meetings. We retrieve:
- Event titles
- Event times (start and end)
- Attendee information (names and email addresses)
We read your calendar only to find upcoming meetings. We do not currently create, edit, or delete calendar events. To deliver reminders, we send emails on your behalf from your own connected mailbox — see Section 7 for the exact permissions we request and why.
Email Sending
To deliver meeting reminders, 1Gesture sends emails on your behalf from your own connected Google (Gmail) or Microsoft (Outlook) mailbox, using the send permission you grant at sign-in. These emails go to your meeting attendees and contain the reminder and impact-gesture content you have configured. We do not read your existing emails, and we do not send anything other than the reminders you set up.
Payment & Billing Data
If you subscribe to a paid plan, payments are processed by Stripe. We store billing identifiers (your Stripe customer and subscription IDs) and invoice and transaction metadata (amounts, dates, plan). We do not store your full card number — card details are collected and held directly by Stripe as a PCI-DSS compliant payment processor.
Default Gesture & Automatic Donation of Unused Gestures
If you are on a paid plan, you choose a default gesture during onboarding (or later in your dashboard). At the end of each month, any unused gestures in your allowance that do not carry over are donated automatically to the good cause behind your default gesture — they are never retained by us or forfeited. We record each automatic donation in our impact ledger (organisation, gesture, cause, amount and date) so that it is auditable and appears in your impact totals and in our reporting to the receiving Gesture Partner. You can change your default gesture at any time in your dashboard, which changes where future automatic donations go. No personal data about your meeting attendees is involved in this processing; the legal basis is the performance of our contract with you (UK GDPR Art. 6(1)(b)).
Uploaded Content
If you upload an organisation logo to brand your reminders, the image file is stored using Vercel Blob storage and served from there.
Team & Organisation Data
If you use 1Gesture as part of a team or multi-user organisation, we store your organisation membership, your role (for example, administrator or member), and any invitations sent or received. Organisation administrators can see the members of their organisation and organisation-level activity and impact.
Attendee Interaction Data
When attendees receive reminder emails sent on your behalf, we collect:
- Email open events
- Link click events
- Gesture claim activity
Product & Usage Analytics (first-party)
We operate our own first-party product analytics, stored in our primary application database (Supabase, United Kingdom). We also forward a copy of these product-analytics events, server-side, to PostHog (EU Cloud, hosted in the European Union) as a secondary analytics and backup store; PostHog acts as a processor for us and is never our system of record. We do not use third-party advertising networks, cross-site tracking, device fingerprinting, or session replay, and PostHog is configured with geo-IP enrichment disabled so it never receives or derives your IP address. Analytics that are not strictly necessary run only after you give consent via our cookie banner, and you can withdraw consent at any time (see your rights in section 5 and our Cookie Policy).
When enabled with your consent, we collect:
- A random analytics identifier ("anon_id") stored on your device (cookie and local storage) and a per-visit session identifier. These are random values, not your name or email.
- A truncated IP address — we remove the last part of your IP address in memory before it is stored, so we never log or keep your full IP for analytics.
- Coarse device information (browser family, device type, and an approximate screen-size band). We do not fingerprint your device.
- Pages viewed and interactions (for example, which calls-to-action you click), plus the marketing campaign parameters (UTM) and the referrer that first brought you to the site.
- If you create an account, we link your earlier anonymous activity to your account ("identity stitching"). This happens only after consent and only within our analytics retention window (see section 4).
- Approximate country, derived from your truncated IP address using a periodically-updated geolocation database. We derive only a two-letter country code — never a city, region, or precise location, and never anything more precise than the truncated IP described above.
- Page-performance measurements (Core Web Vitals, such as load and responsiveness timings) and on-page engagement timing. These are numeric measurements only.
- Which form fields you complete, recorded by a fixed internal field label only (for example, "work_email") — never the contents you type into them.
We use this strictly to understand and improve the product. We do not use it for advertising or for automated decisions that produce legal or similarly significant effects about you, and we never place payment-card or sign-in-token data into analytics. We may run non-manipulative A/B experiments (for example, comparing two dashboard layouts) to improve the product; we do not run experiments designed to reduce the funds reaching good causes.
Independently of the consent-based analytics above, and on the basis of our legitimate interest in operating and securing the service, we also record a small set of operational signals that do not require consent: generic, pre-defined diagnostic reason codes when an action fails (for example, that a sign-in was declined or a payment was not authorised) — never raw error messages or free text; and email deliverability outcomes for the system emails we send (whether a message was delivered, bounced, or marked as spam), with spam-complaint signals kept only in aggregate and never linked to your account.
On the same legitimate-interest basis, our own operations team reviews internal usage reports derived from your use of the service (for example, how often meetings included an impact gesture, or how many gestures were funded over a period). In these reports, individual members appear under a pseudonymous label rather than a name or email address, access is restricted to authorised platform operators, and every view of a report is itself logged. These reports are used only to operate and improve the service — never for advertising, and never for automated decisions that produce legal or similarly significant effects about you.
2. Legal Basis for Processing
Under the UK GDPR and EU GDPR, we process your personal data based on the following legal grounds:
| Legal Basis | GDPR Article | Purpose |
|---|---|---|
| Consent | Art. 6(1)(a) | Reading your Google or Microsoft calendar; sending reminder emails on your behalf from your own connected mailbox; processing impact gestures on your behalf; and, where you have given consent, non-essential first-party product analytics |
| Contract | Art. 6(1)(b) | Delivering the service you signed up for, billing for paid plans, and storing your timezone for meeting time display |
| Legitimate Interest | Art. 6(1)(f) | Service operation, security, error monitoring, and anonymised analytics to improve the product |
| Legal Obligation | Art. 6(1)(c) | Retaining billing and transaction records to meet tax and accounting obligations |
You may withdraw your consent at any time by revoking 1Gesture's access in your Google or Microsoft account settings, by disconnecting your account in 1Gesture, or by contacting us. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
3. Third-Party Data Processors
We share data with the following third-party processors, each under appropriate data processing agreements:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Google (OAuth, Calendar API, Gmail send) | Authentication, reading your calendar, and sending your reminders from your Gmail address | OAuth tokens, calendar event metadata, reminder email content | USA / global |
| Microsoft (OAuth, Graph API) | Authentication, reading your calendar, and sending your reminders from your Outlook address | OAuth tokens, calendar event metadata, reminder email content | USA / global |
| Resend | System and transactional email delivery (e.g. account, verification, and billing notifications) and fallback sending; also provides Svix-signed deliverability webhooks (delivered, bounced, marked as spam) used only in aggregate | Recipient email, email content; deliverability status (aggregate spam-complaint signals are never linked to your account) | USA |
| Stripe | Payment processing for paid plans | Billing identifiers, invoice/transaction metadata, card data (collected and held by Stripe) | USA |
| Vercel | Application hosting (serverless infrastructure) | Request data in transit, server logs, IP addresses | USA / global |
| Vercel Blob | Storage of uploaded organisation logo images | Logo image files | USA / global |
| Supabase | Primary application database (PostgreSQL) | Stored account, calendar, gesture, team, and billing-metadata records | United Kingdom (London, eu-west-2) |
| Sentry | Application error monitoring and performance tracking | Error stack traces, anonymised user context | USA |
| PostHog (EU Cloud) | Secondary product-analytics & backup store (server-side mirror of first-party events); not the system of record | Pseudonymous analytics identifier, coarse device family, page/interaction events, first-touch UTM (no IP, no payment or sign-in data) | European Union |
| Cloudflare | Content delivery network and security (DDoS protection, WAF) | IP addresses (processed transiently for security) | Global |
| Anthropic (Claude API) | AI-powered support chat assistant — your messages are processed by an automated AI model (Claude) to answer FAQ-based questions, with escalation to a human when it cannot confidently answer | The support-chat messages you type, which may contain any personal data you choose to include (such as your name, email address, or a description of your issue) | USA |
| HubSpot | Support ticketing and contact management (CRM) — creating and managing your support tickets | Your name, email address, support ticket subject and message, and the full support-chat transcript | USA |
We do not sell your personal data to any third party. We do not share personal data with advertisers.
4. Data Retention
- Active account data is retained for as long as your account remains active.
- Gesture claim records are retained for 3 years to support Impact Partner auditing requirements.
- Billing and transaction records are retained for up to 7 years after the relevant transaction, in order to comply with UK and US tax and accounting obligations. This legal-retention requirement overrides the account-deletion timeline below for financial records.
- Deleted accounts: upon account deletion, your personal data is removed within 30 days, except (a) billing and transaction records retained for the tax-compliance period stated above, and (b) aggregated, anonymised analytics summaries that cannot be linked back to you. Raw first-party analytics events are retained for up to 25 months and then permanently deleted.
5. Your Rights
Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15): request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): request correction of inaccurate personal data.
- Right to Erasure (Art. 17): request deletion of your personal data ("right to be forgotten").
- Right to Restriction of Processing (Art. 18): request that we limit how we use your data.
- Right to Data Portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): object to processing based on legitimate interest.
Please note that the right to erasure does not extend to records we are legally required to keep — in particular, billing and transaction records retained to meet tax and accounting obligations (see Section 4).
For CCPA residents (California): you have the right to know what personal information we collect, to request its deletion, and to opt out of the sale of personal information. We do not sell personal information. To exercise any CCPA right, contact us at the address below.
To exercise any of these rights, email privacy@1gesture.org. We will respond within 30 days.
6. Attendee Privacy
Gesture choices are private by default. An attendee's selected gesture is never visible to the meeting organiser or other attendees unless the attendee explicitly enables sharing via the privacy consent toggle.
When attendees interact with 1Gesture reminder emails:
- Their gesture selection is stored privately and is not disclosed to the meeting host.
- Sharing of gesture choices requires the attendee to explicitly enable privacy_share_consent.
- Attendee email addresses are hashed using SHA-256 for analytics purposes (a form of pseudonymisation), meaning we do not store raw attendee emails in our analytics systems.
6a. Organiser running impact shown to recipients
By default, when an attendee claims a gesture from one of your reminder emails, the post-claim thank-you page they see displays your aggregate lifetime impact through 1Gesture — for example, "120 plastic bottles removed, 23 school meals provided, 12 days of clean water". Only summed totals per gesture type are shown; no per-meeting detail, no attendee names, and no information that could identify a specific event is exposed.
Our lawful basis for this processing is legitimate interest under UK GDPR Article 6(1)(f): the disclosure supports recipient-to-sender conversion (a core growth mechanism of 1Gesture) and is proportionate to the limited, aggregate-only data involved. You can object at any time by switching off the toggle in Settings → Branding → Show my running impact; the totals stop appearing on the thank-you page immediately (subject to a short cache propagation window of up to five minutes).
If you would prefer never to have your impact totals appear on recipient thank-you pages, you may keep the toggle off; we will not use that data on the public surface. We may still use it internally for your own dashboard and to compute platform-wide totals.
6b. Cross-recipient referrer parameter (email "?ref=email-seed")
Reminder emails sent on your behalf may include a link to 1gesture.com tagged with a ?ref=email-seed query parameter. We use this parameter solely to measure recipient-to-sender conversion attributable to that link. The parameter does not encode any recipient or meeting identifier and does not enable us to single out any individual attendee.
6c. Public organisation impact page
If your organisation is on a paid (Pro or Team) plan and has set a public profile slug, 1Gesture publishes a public web page at /impact/<your-slug> showing your organisation's name and its aggregate impact totals (for example, "120 plastic bottles removed, 23 weeks of school meals"). Only your organisation name and summed totals are shown — never attendee names, email addresses, meeting details, individual claims, or any financial information.
This page is on by default for eligible organisations. You can switch it off at any time using the public impact control in your organisation settings. When it is off, the page returns a "not found" response and your impact data is not queried for the public page at all.
7. OAuth Scopes & Permissions
To provide the service, 1Gesture asks for your permission to access parts of your Google or Microsoft account. You are shown these permissions on the provider's consent screen at sign-in, and you can revoke them at any time. We request the following:
- Profile and email (
profile,email) — for account creation and authentication. - Calendar read (
calendar.readonly,calendar.events.readonly) — to retrieve your upcoming meeting details. - Send email on your behalf (
gmail.send) — to send your meeting-reminder emails from your own Gmail address. This permission only allows sending; it does not allow us to read your inbox.
1Gesture's access to, and use of, information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. The only Google account data we access is your basic profile and email address (for sign-in), read-only access to your calendar (to find your upcoming meetings), and permission to send email on your behalf via gmail.send (to deliver your reminders from your own Gmail address). We use this data solely to provide and improve these features for you; we do not use it for advertising; we do not transfer it to others except as necessary to provide the service, to comply with applicable law, or in connection with a merger or acquisition; and we do not allow humans to read your Google data except with your affirmative consent for specific messages, where necessary for security or to comply with the law, or where the data has been aggregated and anonymised. We do not request any “restricted” Google API scopes, and we do not read the contents of your Gmail mailbox.
Microsoft
- Sign-in and profile (
User.Read,openid,profile,email) — for account creation and authentication. - Calendar read (
Calendars.Read) — to retrieve your upcoming meeting details. - Send email on your behalf (
Mail.Send) — to send your meeting-reminder emails from your own Outlook address. This permission only allows sending; it does not allow us to read your inbox. - Offline access (
offline_access) — to maintain the connection so reminders can be sent at the scheduled time even when you are not actively signed in.
8. Cookies
1Gesture uses a minimal set of essential and functional cookies, plus first-party analytics storage that is set only with your prior consent. We do not use third-party tracking cookies or third-party analytics cookies.
For full details on the cookies we set, their purpose, and duration, see our Cookie Policy.
9. Children's Privacy
1Gesture is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from individuals under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@1gesture.org and we will delete the data promptly.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS) and at rest
- Access controls and least-privilege principles
- Regular security reviews
- Cloudflare WAF and DDoS protection
- Sentry-based error monitoring for rapid incident detection
11. International Data Transfers
Several of our third-party processors operate outside the United Kingdom and the European Economic Area (EEA) — in particular Google, Microsoft, Stripe, Resend, Vercel, Sentry, Anthropic, and HubSpot, which process data in the United States, and Cloudflare, which operates globally. Our primary database, hosted by Supabase, is located in the United Kingdom (London / eu-west-2 region), so that data is not transferred outside the UK for storage; for users in the EU/EEA, the UK benefits from a European Commission adequacy decision. Our secondary analytics store, PostHog, is hosted in the European Union (EU Cloud), so first-party product-analytics events forwarded to it remain within the UK/EEA.
Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Addendum, or the processor's participation in recognised data protection frameworks (such as the EU-US and UK-US Data Privacy Framework).
For two of our support sub-processors — Anthropic (Claude API) and HubSpot — we are finalising data processing agreement verification and the corresponding transfer safeguards (Standard Contractual Clauses or the UK International Data Transfer Addendum) ahead of public launch. We will update this section once that verification is complete.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice within the service. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
Email: privacy@1gesture.org
Service: 1Gesture
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO).