Data Protection & GDPR Compliance
How we secure your data and uphold your privacy rights under the UK GDPR.
Last updated: June 2026
Overview
Cherished Book is deeply committed to the privacy and security of the sensitive data entrusted to us. This page outlines our technical and organizational security measures, our data protection principles, and the processes by which you can exercise your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For a summary of what data we collect and why, please refer to our Privacy Policy.
Technical and Organizational Security Measures
We use the following technical and organisational measures to keep your data private and protected:
- Encryption: All data is encrypted in transit (using TLS 1.3) and at rest (using AES-256 encryption on our databases and storage volumes).
- In-House AI: As detailed in our AI Statement, our AI models run locally on our own servers. Memorial data is never sent to third-party commercial AI providers.
- Infrastructure: We use secure, UK-based origin servers, with off-site backups hosted in Google Cloud's London region (europe-west2), ensuring data residency compliance.
- Access Controls: Strict role-based access control (RBAC) is enforced both at the application level (Owner, Moderator, Contributor roles) and the administrative level (only authorized personnel can access infrastructure).
Privacy by Design
Data protection is embedded into the core of Cherished Book:
- Data Minimization: We only collect data that is absolutely necessary to provide the service.
- Cookie-Free Visitor Statistics: We count how many people visit each memorial entirely on our own servers — we do not use Google Analytics or any third-party tracking, set no advertising or tracking cookies, and store no visitor IP addresses for this purpose. Visits are counted once per browser session per day using the essential session cookie, and memorial owners only ever see anonymous totals that cannot identify an individual.
- Privacy Controls: Memorials are shared via unique URLs managed by the memorial owner. For users requiring stricter access management, we offer enhanced privacy controls, such as restricting access to only those with secure, generated invitation links, as a premium option.
- Data Protection Impact Assessments (DPIA): We assess data protection impacts prior to major platform updates or significant changes to our data processing activities, alongside our regular annual compliance reviews.
Your GDPR Rights & How to Exercise Them
Under the UK GDPR, you have specific rights regarding your personal data. We have established processes to help you exercise these rights promptly:
1. The Right of Access (Subject Access Request)
You have the right to request a copy of the personal data we hold about you. Memorial Owners on our Premium tier can use the built-in "Export" feature to download a complete zip archive or PDF of the memorial. For all other access requests, please contact us.
2. The Right to Rectification
You can correct inaccurate or incomplete data directly through your Account Settings and the Memorial Dashboard. If you need help, please contact us.
3. The Right to Erasure ("Right to be Forgotten")
You can delete your account yourself from your profile settings. We email you a 6-digit code to confirm it is really you, and then your account enters a 28-day cooling-off period before anything is removed. You can cancel during those 28 days using the link in the emails we send.
When the period ends, we permanently delete your account and any memorials you alone own. Memorials you share with others are kept, with your access removed. For contributions you have made to memorials you do not solely own, you choose at the point of deletion whether to remove your name or delete them entirely. A small amount of data may be kept where the law requires it, such as financial records for tax, and copies can remain in routine backups until those backups are rotated. To erase data held outside your account, please contact us with the subject "Data Erasure Request".
4. The Right to Data Portability
You have the right to receive your data in a structured, commonly used, and machine-readable format. Memorial exports fulfill this requirement for memorial content.
5. Rights to Restrict or Object to Processing
You may object to our processing of your data for direct marketing or request we restrict processing under certain conditions.
Making a Request
To exercise any of these rights, please contact us via our secure form. We are legally required to respond to your request within one calendar month. We may need to verify your identity before processing your request to ensure data security.
Data Breach Protocols
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we have a strict incident response protocol. We will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. If the breach poses a high risk to your personal data, we will communicate the breach to you directly, without undue delay, outlining the nature of the breach and the steps we are taking to mitigate it.
Complaints
If you are unhappy with how we have handled your personal data, we ask that you contact us first so we can try to resolve the issue. However, you also have the right to lodge a complaint directly with the UK supervisory authority, the Information Commissioner's Office (ICO), at ico.org.uk.