Get early access

Privacy Policy

Last updated: 1 May 2026

What we collect, why we collect it, and how we handle it during the beta.

Comfrey is a trading name of Acre Supply Co. Limited, a company registered in England and Wales (company number 08660871) with its registered office at 61 St. John's Road, Bedminster, Bristol, England, BS3 4JJ. Acre Supply Co. Limited is the data controller for the personal data described on this page. Where we refer to "we", "us", or "Comfrey", we mean Acre Supply Co. Limited trading as Comfrey.

This page covers Comfrey Beta. We try to keep it short, plain, and accurate. If something here is out of date, please tell us.

What we collect

When you use Comfrey Beta, we collect and process the following:

  • Account data — your email address and a Supabase authentication identifier so you can sign in.
  • Provider credentials — the API keys, OAuth tokens, and base URLs you give us for Make.com or Adobe Workfront Fusion. These are encrypted at rest with AES-256-GCM and only decrypted in memory for the duration of a request.
  • Automation data — scenarios, modules, blueprints, and run metadata that we read from your provider on your behalf so we can generate changelogs and run the beta tools.
  • Feedback — anything you write into the feedback forms, plus the tool and tool version it relates to.
  • Product analytics — pages you visit, tools you run, and quota events. Sent to PostHog and tied to your account.
  • Error and performance data — uncaught errors, stack traces, and basic performance metrics, sent to Sentry and Grafana Cloud. We strip authorisation headers before they leave your browser.
  • Email contact data — if you join the waitlist or receive transactional email, your address is stored in Loops.

Why we process it (lawful basis)

Under the UK GDPR we rely on the following lawful bases:

  • Performance of a contract — to give you access to Comfrey Beta, run the tools you ask us to run, and operate your provider connections.
  • Legitimate interests — to keep the service secure, diagnose bugs, measure how the beta is used, and decide what to ship next. We balance this against your privacy and only use the minimum data needed.
  • Consent — for marketing emails and the optional analytics that go beyond what is needed to run the product. You can withdraw consent at any time.

Who we share it with (subprocessors)

We do not sell your data and we do not share it with other customers. We do rely on the following processors to run the service:

VendorWhat they doRegion
SupabaseAuthentication, database, file storageEU
Fly.ioApplication hosting and secret storageEU
CloudflareCDN and edge serving for the dashboardGlobal
PostHogProduct analyticsEU
SentryError trackingUS
Grafana CloudPerformance metricsEU
LoopsTransactional and waitlist emailUS

Where data leaves the UK or EEA, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or an equivalent adequacy mechanism, to keep the protections in place. No subprocessor receives your provider API keys in plaintext.

Make and Fusion data

When you connect Make.com or Adobe Workfront Fusion, Comfrey reads scenarios, modules, blueprints, and run metadata from your account using the credentials you provide. We store snapshots of that data so we can show you changes over time.

We do not push, edit, or delete anything in your Make or Fusion workspace. We do not share your provider data with anyone else, and we do not use it to train AI models — ours or anyone else's.

How long we keep it

  • Account data — for as long as your account is active, plus a short period for backup recovery.
  • Provider credentials — until you delete the connection. Deletion immediately wipes the credential.
  • Snapshots — between 7 days and 12 months depending on the artefact, governed by our internal retention classes. Honest beta caveat: the automatic deletion worker is built but not yet switched on, so expired snapshots may be retained a bit longer than the policy says. Email us for a manual wipe.
  • Analytics, errors, and performance data — retained according to each subprocessor's default retention (typically 30 days to 12 months).

Your rights

You have rights under the UK GDPR including:

  • access to a copy of your personal data;
  • rectification of inaccurate data;
  • erasure (the "right to be forgotten") — full account erasure is a manual process in beta and we will action it within 30 days of request;
  • restriction of processing;
  • data portability;
  • objection to processing carried out on the legitimate interests basis;
  • withdrawing consent where consent is the lawful basis.

Cookies and similar technologies

Comfrey Beta uses local storage for sign-in session state. PostHog uses local storage to identify return visits for product analytics. We do not use third-party advertising cookies.

Contact

For privacy questions or to exercise your data rights, email contact@comfrey.io.