Privacy Policy

Last updated: 17 June 2026

1Gesture ("we", "our", "us") operates a meeting reminder and impact gesture service. This Privacy Policy explains what data we collect, why we collect it, how we protect it, and the rights you have over it. We are committed to transparency and to handling your data responsibly under the UK GDPR, the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

1. Data We Collect

Account Data

When you create an account via Google or Microsoft OAuth, we receive and store:

Calendar Event Data

With your explicit consent, we read your Google Calendar or Microsoft Outlook Calendar to find your upcoming meetings. We retrieve:

We read your calendar only to find upcoming meetings. We do not currently create, edit, or delete calendar events. To deliver reminders, we send emails on your behalf from your own connected mailbox — see Section 7 for the exact permissions we request and why.

Email Sending

To deliver meeting reminders, 1Gesture sends emails on your behalf from your own connected Google (Gmail) or Microsoft (Outlook) mailbox, using the send permission you grant at sign-in. These emails go to your meeting attendees and contain the reminder and impact-gesture content you have configured. We do not read your existing emails, and we do not send anything other than the reminders you set up.

Payment & Billing Data

If you subscribe to a paid plan, payments are processed by Stripe. We store billing identifiers (your Stripe customer and subscription IDs) and invoice and transaction metadata (amounts, dates, plan). We do not store your full card number — card details are collected and held directly by Stripe as a PCI-DSS compliant payment processor.

Default Gesture & Automatic Donation of Unused Gestures

If you are on a paid plan, you choose a default gesture during onboarding (or later in your dashboard). At the end of each month, any unused gestures in your allowance that do not carry over are donated automatically to the good cause behind your default gesture — they are never retained by us or forfeited. We record each automatic donation in our impact ledger (organisation, gesture, cause, amount and date) so that it is auditable and appears in your impact totals and in our reporting to the receiving Gesture Partner. You can change your default gesture at any time in your dashboard, which changes where future automatic donations go. No personal data about your meeting attendees is involved in this processing; the legal basis is the performance of our contract with you (UK GDPR Art. 6(1)(b)).

Uploaded Content

If you upload an organisation logo to brand your reminders, the image file is stored using Vercel Blob storage and served from there.

Team & Organisation Data

If you use 1Gesture as part of a team or multi-user organisation, we store your organisation membership, your role (for example, administrator or member), and any invitations sent or received. Organisation administrators can see the members of their organisation and organisation-level activity and impact.

Attendee Interaction Data

When attendees receive reminder emails sent on your behalf, we collect:

Product & Usage Analytics (first-party)

We operate our own first-party product analytics, stored in our primary application database (Supabase, United Kingdom). We also forward a copy of these product-analytics events, server-side, to PostHog (EU Cloud, hosted in the European Union) as a secondary analytics and backup store; PostHog acts as a processor for us and is never our system of record. We do not use third-party advertising networks, cross-site tracking, device fingerprinting, or session replay, and PostHog is configured with geo-IP enrichment disabled so it never receives or derives your IP address. Analytics that are not strictly necessary run only after you give consent via our cookie banner, and you can withdraw consent at any time (see your rights in section 5 and our Cookie Policy).

When enabled with your consent, we collect:

We use this strictly to understand and improve the product. We do not use it for advertising or for automated decisions that produce legal or similarly significant effects about you, and we never place payment-card or sign-in-token data into analytics. We may run non-manipulative A/B experiments (for example, comparing two dashboard layouts) to improve the product; we do not run experiments designed to reduce the funds reaching good causes.

Independently of the consent-based analytics above, and on the basis of our legitimate interest in operating and securing the service, we also record a small set of operational signals that do not require consent: generic, pre-defined diagnostic reason codes when an action fails (for example, that a sign-in was declined or a payment was not authorised) — never raw error messages or free text; and email deliverability outcomes for the system emails we send (whether a message was delivered, bounced, or marked as spam), with spam-complaint signals kept only in aggregate and never linked to your account.

On the same legitimate-interest basis, our own operations team reviews internal usage reports derived from your use of the service (for example, how often meetings included an impact gesture, or how many gestures were funded over a period). In these reports, individual members appear under a pseudonymous label rather than a name or email address, access is restricted to authorised platform operators, and every view of a report is itself logged. These reports are used only to operate and improve the service — never for advertising, and never for automated decisions that produce legal or similarly significant effects about you.

2. Legal Basis for Processing

Under the UK GDPR and EU GDPR, we process your personal data based on the following legal grounds:

Legal Basis GDPR Article Purpose
Consent Art. 6(1)(a) Reading your Google or Microsoft calendar; sending reminder emails on your behalf from your own connected mailbox; processing impact gestures on your behalf; and, where you have given consent, non-essential first-party product analytics
Contract Art. 6(1)(b) Delivering the service you signed up for, billing for paid plans, and storing your timezone for meeting time display
Legitimate Interest Art. 6(1)(f) Service operation, security, error monitoring, and anonymised analytics to improve the product
Legal Obligation Art. 6(1)(c) Retaining billing and transaction records to meet tax and accounting obligations

You may withdraw your consent at any time by revoking 1Gesture's access in your Google or Microsoft account settings, by disconnecting your account in 1Gesture, or by contacting us. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

3. Third-Party Data Processors

We share data with the following third-party processors, each under appropriate data processing agreements:

Processor Purpose Data Shared Location
Google (OAuth, Calendar API, Gmail send) Authentication, reading your calendar, and sending your reminders from your Gmail address OAuth tokens, calendar event metadata, reminder email content USA / global
Microsoft (OAuth, Graph API) Authentication, reading your calendar, and sending your reminders from your Outlook address OAuth tokens, calendar event metadata, reminder email content USA / global
Resend System and transactional email delivery (e.g. account, verification, and billing notifications) and fallback sending; also provides Svix-signed deliverability webhooks (delivered, bounced, marked as spam) used only in aggregate Recipient email, email content; deliverability status (aggregate spam-complaint signals are never linked to your account) USA
Stripe Payment processing for paid plans Billing identifiers, invoice/transaction metadata, card data (collected and held by Stripe) USA
Vercel Application hosting (serverless infrastructure) Request data in transit, server logs, IP addresses USA / global
Vercel Blob Storage of uploaded organisation logo images Logo image files USA / global
Supabase Primary application database (PostgreSQL) Stored account, calendar, gesture, team, and billing-metadata records United Kingdom (London, eu-west-2)
Sentry Application error monitoring and performance tracking Error stack traces, anonymised user context USA
PostHog (EU Cloud) Secondary product-analytics & backup store (server-side mirror of first-party events); not the system of record Pseudonymous analytics identifier, coarse device family, page/interaction events, first-touch UTM (no IP, no payment or sign-in data) European Union
Cloudflare Content delivery network and security (DDoS protection, WAF) IP addresses (processed transiently for security) Global
Anthropic (Claude API) AI-powered support chat assistant — your messages are processed by an automated AI model (Claude) to answer FAQ-based questions, with escalation to a human when it cannot confidently answer The support-chat messages you type, which may contain any personal data you choose to include (such as your name, email address, or a description of your issue) USA
HubSpot Support ticketing and contact management (CRM) — creating and managing your support tickets Your name, email address, support ticket subject and message, and the full support-chat transcript USA

We do not sell your personal data to any third party. We do not share personal data with advertisers.

4. Data Retention

5. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:

Please note that the right to erasure does not extend to records we are legally required to keep — in particular, billing and transaction records retained to meet tax and accounting obligations (see Section 4).

For CCPA residents (California): you have the right to know what personal information we collect, to request its deletion, and to opt out of the sale of personal information. We do not sell personal information. To exercise any CCPA right, contact us at the address below.

To exercise any of these rights, email privacy@1gesture.org. We will respond within 30 days.

6. Attendee Privacy

Gesture choices are private by default. An attendee's selected gesture is never visible to the meeting organiser or other attendees unless the attendee explicitly enables sharing via the privacy consent toggle.

When attendees interact with 1Gesture reminder emails:

6a. Organiser running impact shown to recipients

By default, when an attendee claims a gesture from one of your reminder emails, the post-claim thank-you page they see displays your aggregate lifetime impact through 1Gesture — for example, "120 plastic bottles removed, 23 school meals provided, 12 days of clean water". Only summed totals per gesture type are shown; no per-meeting detail, no attendee names, and no information that could identify a specific event is exposed.

Our lawful basis for this processing is legitimate interest under UK GDPR Article 6(1)(f): the disclosure supports recipient-to-sender conversion (a core growth mechanism of 1Gesture) and is proportionate to the limited, aggregate-only data involved. You can object at any time by switching off the toggle in Settings → Branding → Show my running impact; the totals stop appearing on the thank-you page immediately (subject to a short cache propagation window of up to five minutes).

If you would prefer never to have your impact totals appear on recipient thank-you pages, you may keep the toggle off; we will not use that data on the public surface. We may still use it internally for your own dashboard and to compute platform-wide totals.

6b. Cross-recipient referrer parameter (email "?ref=email-seed")

Reminder emails sent on your behalf may include a link to 1gesture.com tagged with a ?ref=email-seed query parameter. We use this parameter solely to measure recipient-to-sender conversion attributable to that link. The parameter does not encode any recipient or meeting identifier and does not enable us to single out any individual attendee.

6c. Public organisation impact page

If your organisation is on a paid (Pro or Team) plan and has set a public profile slug, 1Gesture publishes a public web page at /impact/<your-slug> showing your organisation's name and its aggregate impact totals (for example, "120 plastic bottles removed, 23 weeks of school meals"). Only your organisation name and summed totals are shown — never attendee names, email addresses, meeting details, individual claims, or any financial information.

This page is on by default for eligible organisations. You can switch it off at any time using the public impact control in your organisation settings. When it is off, the page returns a "not found" response and your impact data is not queried for the public page at all.

7. OAuth Scopes & Permissions

To provide the service, 1Gesture asks for your permission to access parts of your Google or Microsoft account. You are shown these permissions on the provider's consent screen at sign-in, and you can revoke them at any time. We request the following:

Google

1Gesture's access to, and use of, information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. The only Google account data we access is your basic profile and email address (for sign-in), read-only access to your calendar (to find your upcoming meetings), and permission to send email on your behalf via gmail.send (to deliver your reminders from your own Gmail address). We use this data solely to provide and improve these features for you; we do not use it for advertising; we do not transfer it to others except as necessary to provide the service, to comply with applicable law, or in connection with a merger or acquisition; and we do not allow humans to read your Google data except with your affirmative consent for specific messages, where necessary for security or to comply with the law, or where the data has been aggregated and anonymised. We do not request any “restricted” Google API scopes, and we do not read the contents of your Gmail mailbox.

Microsoft

8. Cookies

1Gesture uses a minimal set of essential and functional cookies, plus first-party analytics storage that is set only with your prior consent. We do not use third-party tracking cookies or third-party analytics cookies.

For full details on the cookies we set, their purpose, and duration, see our Cookie Policy.

9. Children's Privacy

1Gesture is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from individuals under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@1gesture.org and we will delete the data promptly.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

11. International Data Transfers

Several of our third-party processors operate outside the United Kingdom and the European Economic Area (EEA) — in particular Google, Microsoft, Stripe, Resend, Vercel, Sentry, Anthropic, and HubSpot, which process data in the United States, and Cloudflare, which operates globally. Our primary database, hosted by Supabase, is located in the United Kingdom (London / eu-west-2 region), so that data is not transferred outside the UK for storage; for users in the EU/EEA, the UK benefits from a European Commission adequacy decision. Our secondary analytics store, PostHog, is hosted in the European Union (EU Cloud), so first-party product-analytics events forwarded to it remain within the UK/EEA.

Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Addendum, or the processor's participation in recognised data protection frameworks (such as the EU-US and UK-US Data Privacy Framework).

For two of our support sub-processors — Anthropic (Claude API) and HubSpot — we are finalising data processing agreement verification and the corresponding transfer safeguards (Standard Contractual Clauses or the UK International Data Transfer Addendum) ahead of public launch. We will update this section once that verification is complete.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice within the service. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Email: privacy@1gesture.org
Service: 1Gesture

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO).