Privacy Notice
Last updated: 24 April 2026
This privacy notice explains how Overshow ("we", "us") collects, uses and protects your personal data when you use our website and services.
By using our website or contacting us, you acknowledge this notice.
Who we are
Overshow is a local-first AI application developed and operated by San Digital Limited, a company registered in England and Wales.
- Company name: San Digital Ltd
- Company number: 12957488
- VAT number: GB361512914
- Registered office: San Digital Limited, Kendal House, Oxenholme Road, Kendal, England, LA9 7RL
- Email: hi@over.show
San Digital Limited is the data controller for personal data collected through the Overshow website and licensing services.
Personal data we collect
We collect and process the following categories of personal data:
- Contact form data
  - Name
  - Email address
  - Company name
  - Any other information you choose to include in your message
- Licensing and single sign-on (SSO) data
  - Name
  - Work email address
  - Company/organisation
  - SSO identifiers and metadata (for example, unique ID from your identity provider, role or group membership where required for access control)
- Optional connected provider data
  - Identity provider name and account identifiers for Google or Microsoft sign-in and calendar connections
  - Granted permissions or scopes, token expiry, and connection status metadata
  - Encrypted access tokens and refresh tokens used to maintain authorised Google Calendar or Microsoft 365 calendar connections
- Technical and usage data
  - IP address
  - Browser type and version
  - Device information
  - Pages visited and actions taken on our site
  - Date and time of access
Overshow is designed as a local-first AI application. Model inputs and outputs processed locally by your organisation are not transmitted to us by default, except where you choose to share information with us for support or improvement purposes.
If you enable optional Google Calendar or Microsoft 365 calendar sync, app.over.show stores encrypted provider tokens and related connection metadata so the desktop app can refresh access securely. In normal operation, the desktop app calls the provider APIs directly to fetch authorised calendar data. Overshow servers do not proxy normal calendar event payloads, and we do not routinely ingest or store the full calendar event payload in the web portal as part of normal sync.
Cookies and similar technologies
What are cookies?
Cookies are small text files stored on your device when you visit a website. They help websites remember preferences and provide certain functionality.
Cookies we use
- Marketing site (over.show): no cookies. We do not set cookies on the marketing site, and we do not display a cookie banner because no non-essential cookies are in use.
- Web app (app.over.show): strictly necessary cookies only, limited to:
  - Session cookie: keeps you signed in while you use your account and billing area.
  - Security cookies: anti-CSRF and sign-in flow tokens used to protect authentication.
These cookies are essential to provide the service you have asked for (signing in and managing your account) and do not require your consent under UK GDPR and the Privacy and Electronic Communications Regulations (PECR). They do not track you across other websites, are not shared with advertisers, and contain no personal information beyond what is needed for the service.
You can manage or block cookies through your browser settings. Blocking strictly necessary cookies will prevent you from signing in to the web app.
We do not use advertising or cross-site tracking cookies.
Cookieless analytics
We use Vercel Web Analytics and Vercel Speed Insights on the marketing site and web app to understand aggregated usage (which pages are visited, rough performance metrics such as Web Vitals). These products do not set cookies and do not use cross-site identifiers. Data is aggregated at Vercel's edge and contains no personal identifiers we can link back to an individual.
- Lawful basis: legitimate interests (understanding site usage and performance to improve the service). There is no consent requirement because no information is stored on, or retrieved from, your device for analytics purposes.
- Sub-processor: Vercel Inc. See "Sharing your personal data" below.
- What is collected: page URL visited, approximate country, anonymised device and browser class, and Web Vitals (LCP, CLS, INP, TTFB). No IP addresses are retained.
Custom events
In addition to page views, we fire a small number of named events to understand how the marketing site converts. These events are sent to the same Vercel Analytics pipeline as page views, without cookies or cross-site identifiers, and carry only non-personal attributes about the interaction:
- hero_cta_click, pricing_cta_click: which call-to-action was clicked, its variant, target URL, and the homepage section it sat in.
- pricing_toggle_change: whether the pricing toggle is set to monthly or yearly.
- faq_interaction: the FAQ question text and whether it was opened or closed.
- form_start, form_submit, form_submit_error: which enquiry form was started or submitted, and, on error, an HTTP status or network error category. We do not send any form field values with these events.
No personally identifying fields from forms (such as name, email, or free-text responses) are included in custom events. Events are stored in the same aggregated Vercel Analytics counters as page views and are subject to the same retention.
You can block Vercel Analytics requests at the network level via browser extensions if you prefer. The site works the same either way.
How we use your personal data
We use your personal data for the following purposes:
- To respond to enquiries
  - Handling queries submitted through the contact form.
  - Providing information about our products, services and pricing where requested.
- To manage licensing and access
  - Verifying your identity via SSO and authorising access to Overshow.
  - Allocating and managing licences within your organisation.
  - Monitoring licence usage at an aggregate level for capacity planning and contract management.
- To operate optional Google and Microsoft calendar features
  - Storing and refreshing encrypted provider tokens for authorised calendar connections.
  - Allowing the desktop app to list authorised calendars and read event metadata on your behalf.
  - Powering meeting detection, calendar correlation, attendee matching, and pre-meeting briefs in the desktop app.
  - We do not use this access to create, edit, delete, or share calendar events on your behalf.
- To operate and improve our website and services
  - Ensuring the security and integrity of our systems.
  - Analysing anonymised or aggregated usage trends to improve usability and performance.
We do not sell your personal data.
Google and Microsoft calendar integrations
When you choose to connect a calendar in the desktop app, Overshow requests delegated, read-only calendar access.
- Google Calendar: the current desktop flow requests https://www.googleapis.com/auth/calendar.events.readonly and https://www.googleapis.com/auth/calendar.calendarlist.readonly.
- Microsoft 365 / Microsoft Entra ID: the current desktop flow requests Calendars.Read. Microsoft sign-in may also include standard identity permissions and offline_access so the authorised connection can refresh without prompting you on every sync.
We use these permissions only to let the desktop app identify the calendars available to the signed-in account, read event metadata across those calendars, and support calendar-linked features in the desktop app.
Calendar data handled through this integration can include calendar names, event titles, attendees, locations, notes or descriptions, start and end times, recurrence markers, response status, and meeting links or conference URLs present in the event. Sensitive calendar fields stored by the desktop app are encrypted locally. We do not use Google or Microsoft calendar data for advertising, sale to data brokers, or AI model training.
You can stop future provider access by revoking Overshow in your Google or Microsoft account, or through your organisation's administrator controls where applicable. If access is revoked or expires, future cloud calendar sync will fail until you reconnect. Existing local calendar data already stored on your device remains under your control.
Our lawful bases for processing
We rely on the following lawful bases under UK data protection law:
- Legitimate interests
  - Responding to contact form enquiries.
  - Operating, securing and improving our website and licensing services.
  - Managing existing or prospective business relationships.
Where we enter into a contract with your organisation, some processing may also be necessary for performance of a contract, for example, to provide and support the Overshow licensing service.
If we ever rely on consent (for example, for certain types of direct marketing), we will ask for it clearly and separately, and you can withdraw it at any time.
How long we keep your data
We keep personal data only for as long as necessary for the purposes described above:
- Contact form data: normally retained for up to 2 years from the last meaningful interaction, to manage ongoing conversations and potential opportunities.
- Licensing and SSO data: retained for the duration of your organisation's licence plus up to 2 years, to support audit, security and contract management.
- Connected provider tokens and sync metadata: retained while the connection remains linked to your account and thereafter only as long as needed for security, troubleshooting, audit, contractual, or legal reasons.
- Technical logs: retained for short periods (typically up to 12 months) for security, troubleshooting and service improvement, unless a longer period is required for investigation or legal reasons.
We may retain data for longer where required to comply with legal or regulatory obligations or to establish, exercise or defend legal claims.
Sharing your personal data
We may share your personal data with:
- Service providers and suppliers who support our website, licensing infrastructure, hosting and security. These providers only process personal data on our instructions and under written contracts.
- Single sign-on providers, calendar providers, and your organisation's identity systems, where necessary to authenticate users, refresh delegated tokens, or access authorised calendar data on your behalf.
- Professional advisers, such as legal or accounting advisers, where necessary for our legitimate interests.
- Regulators, law enforcement or courts, where we are legally required to do so or where necessary to protect our rights, users or the public.
We do not allow third parties to use your personal data for their own marketing.
International transfers
Our core services are hosted within the UK or European Economic Area (EEA) wherever practicable.
If we need to transfer personal data outside the UK or EEA, we will ensure appropriate safeguards are in place, such as:
- An adequacy decision by the UK Government or European Commission; or
- Standard contractual clauses or equivalent contractual protections.
You can contact us for more details of these safeguards.
Security of your personal data
We take appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (for example, HTTPS for our website).
- Access controls and authentication for administrative systems.
- Regular security updates and vulnerability management.
- Restricted access to personal data on a need-to-know basis.
- Staff awareness and confidentiality obligations.
No system can be guaranteed to be completely secure, but we work to reduce risks to a level appropriate to the nature of the data and our services.
Your rights
Under UK data protection law, you have the following rights in relation to your personal data:
- Right of access. To obtain a copy of your personal data and information about how it is used.
- Right to rectification. To correct inaccurate or incomplete data.
- Right to erasure. To request deletion of your data in certain circumstances.
- Right to restrict processing. To limit how we use your data in certain situations.
- Right to data portability. To receive your data in a structured, commonly used format and transmit it to another controller, where applicable.
- Right to object. To object to processing based on legitimate interests, and to direct marketing.
- Rights in relation to automated decision-making and profiling. Where these are used in a way that has legal or similarly significant effects on you.
To exercise any of these rights, please contact us using the details above. We may need to verify your identity before responding.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator:
- Website: https://ico.org.uk
- Telephone: 0303 123 1113
We would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us first if possible via office@sandigital.uk.
Direct marketing
If you have given consent or we otherwise have a lawful basis (for example, where you are a business contact and we rely on legitimate interests), we may use your contact details to send you information about Overshow and related services.
You can opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any email, or
- Contacting us using the details above.
Opting out of marketing will not affect essential service or transactional communications.
Third-party websites
Our website may contain links to third-party websites. This privacy notice does not cover those sites, and we are not responsible for their content or privacy practices. You should review their privacy notices before providing any personal data.
Changes to this notice
We may update this privacy notice from time to time to reflect changes in our services or legal obligations. When we do, we will update the "Last updated" date at the top of this page.
Where appropriate, we may also notify you of significant changes by email or through our website.