
Mission Gateway Privacy Policy


 

This Privacy Policy explains how Mission Digital LTD (“we”, “us”, or “our”) collects, uses, stores, and protects personal data when you use the Mission Launchpad network management platform. It has been prepared in accordance with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR) where applicable.

1. Who We Are (Data Controller)

The data controller responsible for your personal data is:

Organisation: Mission Digital LTD


Address: Unit 16 Garden Studios, Townsend Industrial Estate, 21 Waxlow Rd, London, NW10 7NU


Email: gateway@missiondigital.co.uk


Website: https://www.missiondigital.co.uk/


If you have any questions about this policy or how we handle your data, please contact us at the address above.

2. What Personal Data We Collect
 

We collect only the data necessary to provide the Mission Launchpad service. The categories of personal data we process are:

We do not collect payment card details, health data, biometric data, or any other special category data as defined under Article 9 UK/EU GDPR.


3. How and Why We Use Your Data (Legal Basis)

4. Cookies and Session Data
 

Mission Launchpad uses the following cookies and session mechanisms:

  • Session cookie (sessionid): A strictly necessary cookie that keeps you logged in during your visit. It expires when you close your browser or log out. No personal data is stored in the cookie itself — the data is held server-side.

  • CSRF token (csrftoken): A strictly necessary security cookie that protects forms from cross-site request forgery attacks.

We do not use tracking, advertising, or analytics cookies. No third-party cookies are placed on your device by this application.

Because we only use strictly necessary cookies, we are not required to obtain your consent before setting them. However, you can disable cookies in your browser settings; doing so will prevent you from logging in to the platform.

5. Data Retention

6. Who We Share Your Data With

​We do not sell your personal data. We share data only where necessary with the following categories of recipients:

All processors are required to process data only on our instructions and to maintain appropriate security standards. Where processors are located outside the UK or EU, we ensure adequate safeguards are in place (see Section 7).

Legal Disclosures


We may disclose personal data if required to do so by law, court order, or regulatory authority, or where necessary to protect the rights, property, or safety of Mission, our users, or others.

 

 

7. International Data Transfers
 

Some of our service processors (including Google) may process data outside the UK or European Economic Area (EEA). Where this occurs, we rely on one of the following safeguards:

  • An adequacy decision by the UK Secretary of State or the European Commission confirming the receiving country provides equivalent data protection; or

  • Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) with the processor.


You may contact us to request further information about the specific safeguards in place for any transfer.

8. Your Rights Under UK/EU GDPR

Depending on your location, you have the following rights regarding your personal data. You may exercise these rights by contacting us at the address in Section 1.​


Right of Access

You can request a copy of the personal data we hold about you (a Subject Access Request).


Right to Rectification

You can ask us to correct inaccurate or incomplete personal data. Some corrections can be made directly via the Account page.


Right to Erasure

You can ask us to delete your personal data where there is no overriding legitimate reason for us to continue processing it.


Right to Restriction

You can ask us to restrict processing of your data in certain circumstances, for example while a correction is being verified.


Right to Data Portability

Where processing is based on consent or contract and carried out automatically, you can request your data in a structured, machine-readable format.


Right to Object

You can object to processing based on legitimate interest. You can unsubscribe from email reports at any time via the Alerts page.


Right to Withdraw Consent

Where processing is based on your consent (e.g. email report subscriptions), you can withdraw consent at any time without affecting prior processing.



We will respond to all verifiable requests within one calendar month. We will not charge a fee unless the request is manifestly unfounded or excessive.

9. Right to Lodge a Complaint

If you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with the relevant supervisory authority:

UK: Information Commissioner’s Office (ICO) — ico.org.uk


EU: The data protection authority in your EU member state of residence.


We would, however, appreciate the opportunity to address your concerns before you contact a regulator, so please contact us first.

10. How We Protect Your Data

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure, including:

  • All passwords are stored as salted, one-way cryptographic hashes — they are never stored in plain text.

  • 2FA TOTP secrets are encrypted at rest.

  • All communications between your browser and the application are protected by TLS (HTTPS).

  • CSRF protection is applied to all state-changing requests.

  • Access to administrative functions is restricted to authorised staff accounts.

  • Database access is restricted to the application server and authorised administrators.

  • Sessions are invalidated on logout.


Despite these measures, no method of transmission over the internet is 100% secure. In the unlikely event of a data breach that poses a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.

 

11. Children’s Data

Mission Launchpad is a business-to-business network management tool. It is not directed at, and should not be used by, individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email or via an in-app notice. We encourage you to review this page periodically.

 

13. Contact Us

For any questions, data subject requests, or concerns about how we handle your personal data, please contact:

Data Protection Contact — Mission Digital LTD


Email: gateway@missiondigital.co.uk


Address:

Unit 16 Garden Studios,

Townsend Industrial Estate,

21 Waxlow Rd,

London,

NW10 7NU

Categories of personal data (Section 2)

| Title | Description | Source |
| --- | --- | --- |
| Session data | Session tokens (stored server-side), selected router preference | Generated automatically when you log in |
| Support tickets | Ticket subject, message body, ticket status, creation timestamp | Provided directly by you via the Support page |
| Alert preferences | Your chosen report frequency (daily / weekly / monthly) per device; timestamps of when each report was last sent to you | Provided by you via the Alerts page |
| Network usage data | Data consumption (bytes) per assigned router with timestamps; SIM configuration details; router last-seen timestamps; GPS coordinates of devices (displayed on network maps) | Retrieved automatically from the Peplink network management API |
| Network device associations | Router serial numbers and device models assigned to your account | Assigned by an administrator |
| Two-factor authentication (2FA) | Encrypted TOTP secret key, hashed backup recovery codes, 2FA creation and update timestamps | Generated by the system when you enable 2FA |
| Account Information | Username, first name, last name, email address, hashed password, date account created, last login timestamp | Provided directly by you or your organisation administrator |

How and why we use your data (Section 3)

| Purpose | Data Used | Legal Basis (UK/EU GDPR Art 6) |
| --- | --- | --- |
| Administration of user accounts (admin panel) | Account information, device assignments | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation where applicable |
| System security, integrity, and fraud prevention | Login timestamps, session data, 2FA data | Art. 6(1)(f) — legitimate interest (security) |
| Processing and responding to support requests | Account information, support ticket content | Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interest (customer service) |
| Generating PDF billing and usage reports | Usage data, account information | Art. 6(1)(b) — performance of a contract |
| Sending scheduled email usage reports | Email address, alert preferences, usage data | Art. 6(1)(b) — contract; Art. 6(1)(a) — consent (you opt in) |
| Displaying network device data and usage dashboards | Network device associations, usage data, GPS coordinates | Art. 6(1)(b) — performance of a contract |
| Authenticating your identity and securing access (including 2FA) | Account credentials, 2FA data, session tokens | Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interest (security) |
| Providing and managing your account | Account information, session data | Art. 6(1)(b) — performance of a contract |

Data retention (Section 5)

| Data Category | Retention Period |
| --- | --- |
| Session data | Expires at the end of your browser session or after a maximum idle period. |
| Support tickets | Retained for 12 months after ticket closure, then deleted. |
| Alert preferences and report timestamps | Retained while your account is active. Deleted with your account. |
| Network usage records | Retained for up to 13 months (rolling) to enable monthly and year-on-year reporting, then deleted. |
| 2FA credentials | Deleted immediately when 2FA is disabled or when the account is closed. |
| Account Information | For the duration of your account. Deleted within 30 days of a verified erasure request or account closure. |

Recipients of your data (Section 6)

| Recipient | Purpose | Data Shared |
| --- | --- | --- |
| Hosting / infrastructure provider | Hosting the Mission Launchpad application and database | All application data, as a data processor acting on our instructions |
| Cloudinary | Hosting the application loading screen image | Your IP address is sent to Cloudinary servers as part of the HTTP request |
| Google Fonts (CDN) | Loading web fonts used by the application interface | Your IP address is sent to Google servers as part of the HTTP request; no personal data is explicitly shared |
| Email delivery provider (SMTP / Gmail) | Sending scheduled usage report emails to you | Your email address; usage report content |
| Peplink (InHand Networks) | Network device management API — we query this to retrieve router status, usage, and location data | API authentication credentials; router serial numbers |