Privacy Policy

Version 1.0 — Effective 4 June 2026

This Privacy Policy explains how Magnitude Global (operated by Turbulence Studio Ltd, "we", "us") collects, uses and protects your personal data when you use the Magnitude platform at magnitude.global. We are the data controller for the personal data described below and we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data we collect

We collect the following categories of personal data:

Account details — username, display name, email address, password hash, organisation name, region, phone number (Location Management accounts only), and self-declared portfolio descriptions.
Usage data — pages you view, scans you open, measurements and camera shots you save, and high-level interaction logs used to operate the platform and prevent abuse.
Application data — for permit and licence applications, the information you submit (intended use, proposed dates, company name, contact details).
Payment data — handled entirely by Stripe. We never see or store full card numbers, CVCs, or bank details. We retain payment identifiers (Stripe session and payment-intent IDs) so we can match a payment to an issued licence or permit.
Communications — emails you send us (e.g. enquiries, support) and emails we send you (receipts, agreement copies, approval notifications).

2. How we use your data

We use your personal data to:

Operate the platform — authenticate logins, render dashboards, issue licences and permits, and deliver scans to authorised buyers.
Manage licences — generate and send licence-agreement PDFs, record payouts to Creators and Location Owners, and respond to negotiation requests.
Send transactional emails — receipts, agreement copies, permit approvals, password resets, and other communications you would expect from a platform you have signed up to.
Comply with legal obligations — bookkeeping, tax, response to lawful requests.
Protect the platform — investigate suspected fraud, abuse, breach of terms, or security incidents.

Our lawful bases for processing are: (a) contract — to provide the services you signed up for; (b) legitimate interest — to operate, secure and improve the platform; (c) legal obligation — bookkeeping and statutory reporting; (d) consent — for any optional communications you opt in to.

3. Payment data

All card payments are handled by Stripe. Stripe is a PCI-DSS Level 1 certified payment processor. We never receive your card number, expiry, or CVC. Stripe's privacy notice is available at stripe.com/privacy.

4. Scan content

Scans uploaded to the platform may contain incidental personal data — for example, faces, vehicle number plates, signage, or addresses visible in the captured environment. The uploader of a scan is responsible for ensuring they have any necessary permissions, consents, or clearances under data-protection and intellectual-property law before publishing that scan. Magnitude will remove or restrict scans on request where a credible privacy or rights concern is raised.

5. Sharing your data

We share personal data with:

Service providers — Stripe (payments), Resend (transactional email), Cloudflare (hosting, storage, content delivery), DocuSign (electronic signature, when in use).
Counterparties on a licence — when you buy a licence, your name, organisation and email appear in the licence-agreement PDF that is delivered to the Licensor. When you sell a licence, the same applies in reverse.
Legal recipients — courts, regulators, or law enforcement where we are legally required to do so.

We do not sell your personal data.

6. International transfers

Our infrastructure is hosted on Cloudflare, which operates a global network. Where personal data is transferred outside the UK or EEA, we rely on Cloudflare's standard contractual clauses and equivalent safeguards required by UK GDPR.

7. Retention

We retain account data while your account is open and for a reasonable period afterwards to support potential disputes, tax, and audit. Licence and permit records — including the issued agreement PDFs — are retained for at least 7 years for tax and contractual evidence purposes. Stripe retains its own payment records under its own policy.

8. Your rights

Under UK GDPR you have the right to:

Request access to the personal data we hold about you.
Request correction of inaccurate data.
Request deletion of your account and associated personal data, subject to records we are legally required to keep (e.g. issued licences for tax purposes).
Object to processing or request restriction.
Request portability of data you provided to us, in a structured format.
Withdraw consent for any processing that is consent-based.
Complain to the UK Information Commissioner's Office (ico.org.uk) if you believe we have mishandled your data.

To exercise any of these rights, email paul.burke@turbulence.studio from the address associated with your account.

9. Cookies and local storage

We use a small number of strictly necessary browser cookies and a localStorage entry to keep you signed in. We do not use third-party advertising or tracking cookies.

10. Security

Passwords are stored only as salted hashes. Payment data is handled exclusively by Stripe. The platform is delivered over HTTPS. No system is perfectly secure; if we become aware of a breach affecting your personal data, we will notify you and the ICO as required by law.

11. Changes

We may update this Privacy Policy from time to time. The version number and effective date above are authoritative. Material changes will be notified by email or via an in-app notice.

12. Contact

Magnitude Global is operated by Turbulence Studio Ltd, registered in England & Wales. For any privacy enquiry, data-subject request, or to exercise the rights above, contact:

paul.burke@turbulence.studio

13. Governing law

This Privacy Policy is governed by the laws of England and Wales.