GDPR
GDPR compliance.
Goalite Limited operates under UK GDPR and the UK Data Protection Act 2018. This page explains our legal basis for data processing, your rights as a data subject, and how enterprise customers can access data processing agreements.
Legal basis
Lawful basis for processing.
| Processing activity | Lawful basis |
|---|---|
| Account creation and management | Contract performance |
| Goal and habit data processing | Contract performance |
| AI plan generation | Contract performance |
| Marketing communications | Legitimate interest / Consent |
| Analytics (anonymised) | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
Your rights
Your rights under UK GDPR.
Right to access
Request a copy of the personal data Goalite holds about you.
Right to rectification
Request correction of inaccurate or incomplete personal data.
Right to erasure
Request deletion of your personal data where there is no compelling reason for continued processing.
Right to restrict processing
Request that Goalite limits how it uses your personal data while a concern is being investigated.
Right to data portability
Receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV).
Right to object
Object to processing based on legitimate interest, including direct marketing.
Rights related to automated decision-making
Goalite does not make solely automated decisions with legal or significant effects. AI plan generation is assistive, not deterministic.
Right to lodge a complaint
You may lodge a complaint with the Information Commissioner’s Office (ICO) if you believe your data rights have been infringed.
How to exercise your rights
Contact hi@goalite.com. Responses are provided within 30 days, per GDPR Article 12 requirements.
Data retention
How long we keep your data.
| Category | What it includes | Retention |
|---|---|---|
| Account data | Name, email, organisation | Duration of account + 30 days |
| Goal data | Goals, milestones, habits, progress | Duration of account + 30 days |
| Usage data | Login times, feature usage (anonymised) | 90 days rolling |
| AI interaction data | Goal inputs used for plan generation | Not retained after plan generation |
| Audit logs | Admin actions, access logs | 12 months |
| Marketing consent records | Consent timestamps and preferences | Duration of account + 3 years |
Data transfers
International data transfers.
Data is hosted on Microsoft Azure across UK and EU regions. No international transfers outside UK/EU occur by default. If processing requires data to leave these regions, appropriate safeguards (SCCs or UK IDTA) will be applied and customers notified.
Enterprise DPA
Data Processing Agreement.
Enterprise customers may request a Data Processing Agreement (DPA) which documents Goalite’s obligations as a data processor. DPAs are available on request for organisations on Teams or Enterprise plans.
ICO registration
Information Commissioner’s Office.
Goalite Limited is registered with the Information Commissioner’s Office (ICO). Registration details are available on request.
FAQ