Privacy Policy

Who we are

Barbal Limited (“we”) is a company registered in England and Wales. Company Number 11682895.

Information Security

We take both the privacy and information security of our users and stakeholders seriously. We collect data to understand our customers and how our users use our websites and applications.

All Barbal processes and systems are assessed by Cybertec Limited who awarded us with Cyber Essentials Plus certification on 4th March 2021.

In line with our information security policy, access to confidential information (including personal data) by Barbal personel is on a needs-only basis. We only collect and store information that is essential for us to perform business functions.

All personel at Barbal with access to personally identifiable information are subject to idenfication checks.

Information collected for sales and marketing purposes is only accessible to our sales and marketing teams.

Customer information provided directly through the service or indirectly via an employee is only accessible to personel who have had background checks and need to access information to perform their role. More information about privacy and security of our applications and services is given below.

Privacy statement

We use a number of third party products and services for marketing and user analytics. These will not collect personal information through our websites and apps without your consent.

Cookie Policy

You can choose to refuse cookies at any time, after which we will not place any more cookies in your browser. You must manually clear cookies to remove cookies we have already placed in your browser.

The sole exception to this is a single cookie (“cookieconsent_status”) which we place in the browser when you refuse cookies to remember that cookies have been refused. This cookie is not used to track how you use our products and services.

The Barbal and StandardsRepo web applications (“the apps”) require a cookie opt in to use the service. We only store essential cookies to make the app work or improve the use of the service.

First party cookies

We use a single first party cookie to remember that you have previously given consent or refusal for the website to use cookies. This is called “cookieconsent_status”.

Google Analytics

Barbal websites and apps use Google Analytics (GA), a web analytics service provided by Google, Inc. (“Google”). The information generated by the cookie about your use of our website will be transmitted to and stored by Google, however, we do not allow Google to use this information. We use this information to better understand our audience and ultimately to provide a better experience with our websites and apps.

Google analytics uses the following cookies:

  • _ga
  • _gat
  • _gid

You can find Google’s privacy policy here.

Disable Google Analytics.


We use Hubspot as our marketing and customer relationship management system.

Hubspot uses the following cookies on the website:

  • __hssc
  • __hssrc
  • __hstc
  • hubspotutk

If you provide us with any personal data by e.g. by contacting us, booking a demo, joining the mailing list or signing up to our events or services, we will store this in Hubspot so that we can contact you. We do not give Hubspot permission to use your information for any other purpose.

We collect the following personal data about you in forms on this site so that we can respond to your queries appropriately and provide you with relevant information or communications:

  • Name
  • Email address
  • Employer
  • Role

You can opt-out from receiving communications from Barbal via hubspot using links in email footers.

You can find Hubspot’s privacy policy here.


We use mailchimp as our mailing list provider for marketing emails. We only store your email address and subscription preferences in Mailchimp.

Mailchimp uses cookies on the site to track your mailing list preferences.

You can find Mailchimp’s privacy policy here.

Embedded content

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Barbal Document Drafting System


We collect information about usage of our Barbal Document Drafting System web application (,, or other domains for private-hosted instances) (“the service”) to help us identify and plan maintenance and enhancements.

We handle both personal data and content provided to the service on a confidential basis with the same protocols.

The service is self-certified as meeting the 14 Cloud Security Principles.

Personal data

Personal data collected by the service relating to user accounts

Barbal is the data controller for personal data required for user accounts.

We process the following personal data from users:

  • Necessary personally identifiable information
    • Email address
  • Necessary linkable information
    • Username
  • Optional personally identifiable information
    • Full Name
    • Avatar
  • Optional linkable information
    • Location
    • Website

The only personal data required to use the service is an email address. We use your email address for authentication, notifications and to contact you with issues to relating to your account or use of the service. We never disclose your email address to other users of the service or third parties. Your username does not need to contain personal data.

You may provide additional personally identifiable information such as name, affiliation and profile picture, which is presented by the service on your profile page to help other users understand who you are. This information is classed as “content” (see below) and will be made available to collaborators in workspaces.

All users of the app have a public profile which lists their username, profile content and activities in public workspaces.

Personal data processed by the service in content

We class “content” as any information, documents or files uploaded or entered directly into workspaces (“workspace content”) or non-mandatory aspects of user profiles (“profile content”). Except where excluded by our acceptable usage policy, we do not restrict the types or nature of content processed by the service. This means that users may enter personal data or other content they wish to keep private or confidential.

You are the data controller for any personal data you enter as content. Barbal is the data processor and we will handle content in accordance with this privacy policy.

Securing your account

Your account is secured with a password, which must be in accordance with our password and security policy.

We recommend that you also enable two-factor authentication which is available in your user settings.


You may opt in to marketing via the service. See the Hubspot section for more information.

Workspace privacy

Workspaces can be private or public.

Workspace privacy settings are available to the workspace administrator.

Public Workspaces

Public workspaces are listed in the Explore pages and are indexed by search engines. Anyone on the web can view the content of a public workspace including the latest saves of each document copy, proposal and the info pages.

We recommend that public workspaces include a copyright statement including the owner of the work and the basis for which it is made available to others.

Barbal is not responsible for data breaches that result from a user making a workspace public or entering content into a public workspace.

We may make copies of data stored in public workspaces for internal development and testing of functionality and features. This will not be re-published without the permission of the owner.

Private Workspaces

A private workspace is only accessible by users added by administrators of that workspace (see also Access by Barbal to your data).

The adminstrator is responsible for ensuring that only authorised users are granted access to private workspaces.

Additional privacy agreements

For customers on our enterprise pricing tier we may agree to additional privacy and information security measures and procedures, including overriding aspects in this policy relating personal data (e.g. by requiring a username to be personally identifiable). Please contact us to discuss your needs.


We only use cookies necessary to operate the service.

You must accept cookies to sign in to the service.

We use first party cookies for the following purposes:

  • Record your agreement for us to use cookies
  • Sign you in
  • Keep you signed in (optional – “Remember Me” feature)
  • Store your preferences (e.g. what language you prefer)
  • Store information about your current session
  • Secure your interaction with our service (e.g. protect against Cross-site request forgery attacks)

We use the following first party cookies:

Name Purpose
user_accepts_cookies Indicates that you chose to accept cookies and allows the below cookies to be installed
_csrf Stores a unique identifier to protect you against Cross Site Request Forgery attacks
barbal_user Stores your username (used by the “Remember Me” feature)
barbal_auth Stores an encrypted version of your password (used by the “Remember Me” feature)
barbal_session Stores a unique identifier so that the server can validate your session
lang Stores your language preference
macaron_flash Triggers alert messages and notifications where we need to track events across page loads

We use Chatlio as our in-app support chat service. Chatlio, uses a cookie (chatlio_*) to track information necessary to provide its service. View the Chatlio Privacy Policy here.

You can set your browser not to accept cookies, and tells you how to remove cookies from your browser. You will only be able to view the public features of our website without accepting cookies.

You can manage your cookie preferences and access the link to this privacy policy at any time via our privacy control. The privacy control is loaded by clicking on the yellow triangle at the bottom of every page in the service.

We also support the “I don’t care about cookies” plugin. If you have this plugin installed, this will take priority and you will not be able to manage your cookies through our privacy control, unless you add as an exception.


We use logging to:

  • understand how users are using the services,
  • proactively anticipate user support needs,
  • understand how the app is performing,
  • identify and analyse issues, and
  • monitor data and security incidents.

Logs store meta-data about activities and events in the service.

Logs are classified as secure information and are only available to authorized personel. We may access logs at any time and without explicit permission. We will anonymise log information when sharing it.

Cloud hosting

The service is hosted by Google Cloud Platform which is accredited to ISO 27001.

Data is stored and processed in Google’s “europe-west2” region.

Only authorised personel have access to the cloud hosting platform. We log all access and activity.

The service is shared with other users. We can provide dedicated instances of the service to customers on our enterprise tier.

The service is protected by best-practice security measures and is encrypted at rest and in transit.

The service penetration tested by a CREST-certified tester annually to ensure that unauthorised access to your data is prevented.

Data retention

Barbal Limited will keep “necessary” and any optional data (as defined in section 1 above) that you have provided for a period of seven years after your last login. Once this time period has expired, we will delete your data (necessary and optional) from our systems.

Access by Barbal to your data

We manage who has access to confidential information carefully inline with our information security policy. Only authorised personel have access to your personal data and content via the application or the cloud hosting environment.

We will not access content in private workspaces without the permission of the workspace owner.

Data breaches

Data breaches or cyber incidents are handled by our Chief Technology Officer, who reports the nature and resolution of all breaches to the board.

Your data protection rights

We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

The right to access – You have the right to request Barbal Limited for copies of your personal data. We may charge you a small fee for this service.

The right to rectification – You have the right to request that Barbal Limited correct any information you believe is inaccurate. You also have the right to request Barbal Limited to complete the information you believe is incomplete.

The right to erasure – You have the right to request that Barbal Limited erase your personal data, under certain conditions.

The right to restrict processing – You have the right to request that Barbal Limited restrict the processing of your personal data, under certain conditions.

The right to object to processing – You have the right to object to Barbal Limited’s processing of your personal data, under certain conditions.

The right to data portability – You have the right to request that Barbal Limited transfer the data that we have collected to another organisation, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at our email:

Or write to us: Barbal Limited, 286 Paintworks, Arnos Vale, Bristol, BS4 3AQ, United Kingdom.

Privacy policies of other websites

The service contains links to other websites. Our privacy policy applies only to our services hosted on the and domains. If you click on a link to another website, you should read their privacy policy.

How to contact the appropriate authority

Should you wish to report a complaint or if you feel that Barbal Limited has not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office.


Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Feedback or queries

We welcome suggestions for improving this privacy policy and are happy to provide additional information on request. Please contact us via or the contact form on our website.