Privacy Notice (GDPR-Aligned)
1. Introduction and Scope
This Privacy Notice explains how BritData collects, uses, stores, shares, transfers, and protects personal data in connection with websites, customer onboarding, account administration, product analytics, support operations, and delivery of data platform services. This notice applies to visitors, customer administrators, authorized users, support contacts, vendor contacts, and prospective business customers where personal data is processed by BritData.
This notice is intended to provide transparent and practical information about data processing, lawful bases, retention logic, cross-border transfers, and available privacy rights under applicable laws, including but not limited to the EU General Data Protection Regulation (GDPR), UK GDPR, and relevant local data protection regimes.
2. Roles: Controller vs Processor
BritData acts as a controller for personal data processed for business operations such as contract management, account provisioning, billing, fraud prevention, service quality monitoring, website analytics, and regulatory compliance. In these contexts, BritData determines purposes and means of processing.
BritData acts as a processor when processing customer-submitted personal data under documented customer instructions through the Services. In these contexts, the customer is typically the controller (or another processor with delegated instructions), and processing terms are governed by contract and the applicable Data Processing Addendum (DPA).
If role allocation is unclear for a specific workflow, parties should reference the applicable order and DPA annexes to classify responsibilities and rights execution pathways.
3. Categories of Personal Data We Process
- Identity data: name, username, title, employer, organizational unit.
- Contact data: business email, phone number, billing and mailing addresses.
- Account data: tenant IDs, role assignments, authentication artifacts, preference settings.
- Commercial data: order history, subscription plan details, invoice records, payment references.
- Support data: helpdesk tickets, chat transcripts, attachments, call summaries, diagnostics.
- Technical data: IP address, device/browser attributes, API logs, timestamps, telemetry identifiers.
- Security data: audit trails, anomaly detection signals, access attempts, abuse indicators.
- Marketing data: communication preferences, event registrations, campaign engagement data.
We generally do not seek sensitive personal data unless required for a specific lawful purpose and supported by additional safeguards. Customers should avoid uploading special-category data unless contractually required and appropriately configured.
4. Sources of Personal Data
- Directly from individuals when forms are submitted or accounts are created.
- From customer organizations that provision users and provide administrative metadata.
- Automatically through logs, cookies, SDK telemetry, and security monitoring systems.
- From business partners, resellers, payment providers, and publicly available professional sources.
- From authorized integrations and connectors configured by customer administrators.
5. Purposes of Processing
BritData processes personal data only for defined and legitimate purposes, including: service delivery, authentication and authorization, customer support, incident response, fraud prevention, contractual administration, financial operations, legal compliance, service improvement, and business communications.
- Provisioning accounts, enforcing role-based access, and enabling enterprise controls.
- Operating and securing APIs, dashboards, integrations, and background processing pipelines.
- Diagnosing performance, reliability, and quality defects with proportionate telemetry.
- Maintaining records for accounting, audits, tax, and legal response obligations.
- Sending service notices, renewal reminders, and material policy updates.
6. Lawful Bases for Processing (GDPR Article 6)
- Contract necessity: to provide subscribed services, support, invoicing, and account administration.
- Legitimate interests: for platform security, abuse prevention, product improvement, and business continuity.
- Legal obligation: to comply with tax, accounting, sanctions, and lawful request requirements.
- Consent: where required by law for specific marketing communications or optional cookies.
Where we rely on legitimate interests, we assess proportionality and impact on individuals and apply mitigation controls. Where consent is used, it may be withdrawn at any time with future effect.
7. Cookies and Similar Technologies
We use cookies and similar technologies to provide core website functionality, secure sessions, measure performance, and understand usage patterns. Categories may include strictly necessary, performance/analytics, functionality, and (where implemented) marketing cookies.
Cookie choices may be managed through available preference tools and browser controls. Blocking certain categories may impact website or account functionality, including login persistence and user preference storage.
8. Automated Processing and Profiling
We may use automated techniques for spam detection, anomaly identification, traffic shaping, and abuse prevention. These mechanisms are designed to protect service integrity and users. We do not intentionally use solely automated decision-making that produces legal or similarly significant effects on individuals without applicable safeguards and rights pathways.
9. Sharing of Personal Data
We disclose personal data only where necessary and lawful, including with service providers, infrastructure vendors, support tools, payment processors, legal advisors, auditors, and competent authorities where legally required.
- Processors are engaged under contracts requiring confidentiality and data protection commitments.
- Access is limited to role-based necessity and monitored through logging and control reviews.
- We do not sell personal data in exchange for money in ordinary business operations.
10. Sub-processors
Where BritData acts as processor, we may engage vetted sub-processors to provide hosting, data storage, communication tooling, observability, and support operations. Sub-processors are selected through due diligence, contractual safeguards, and security assessments proportionate to risk.
Customer-facing sub-processor lists and update mechanisms are provided through contractual channels where applicable.
11. International Data Transfers
Personal data may be transferred across jurisdictions where BritData, affiliates, or service providers operate. Where required, we implement legally recognized transfer safeguards such as adequacy decisions, Standard Contractual Clauses (SCCs), UK transfer addenda, and supplementary measures tailored to transfer context and risk.
Transfer impact factors are periodically reviewed, including legal environment, technical architecture, encryption controls, and access minimization measures.
12. Data Security Measures
BritData maintains administrative, technical, and organizational security controls intended to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Controls may include encryption in transit, hardened access controls, segmentation, logging, vulnerability management, incident response procedures, and periodic control testing.
Security is risk-based and continuously improved; however, no system can guarantee absolute protection. Individuals and customers also play a critical role through strong credential hygiene, device security, and timely reporting of suspicious activity.
13. Data Retention and Deletion
We retain personal data only for as long as necessary to fulfill legitimate business and legal purposes, including contractual performance, security monitoring, dispute resolution, accounting, and regulatory compliance. Retention periods differ by data category, role, and legal context.
- Account and subscription records are retained for contract administration and auditability.
- Security logs are retained for defined security and incident response windows.
- Support artifacts are retained to maintain service continuity and quality history.
- When data is no longer needed, we delete or anonymize it according to policy and technical capability.
14. Data Subject Rights
Depending on jurisdiction and role allocation, individuals may have rights including access, rectification, erasure, restriction, objection, portability, and withdrawal of consent where applicable. Rights are not absolute and may be subject to legal exemptions.
When BritData acts as processor, we generally direct requests to the relevant controller customer, and assist that customer as required by contract and law.
15. How to Exercise Rights
Requests may be submitted to privacy@britdata.example with sufficient detail for verification. To protect privacy and prevent unauthorized disclosure, we may request identity confirmation before actioning requests. We aim to respond within legally required timelines and may extend where permitted for complex or numerous requests.
If a request is denied in whole or part, we provide the basis where legally required and inform the requester of available escalation pathways.
16. Children's Data
Services are designed for business use and are not directed to children. We do not knowingly collect personal data from children in contexts where parental consent is required. If we become aware of such data collection, we will take appropriate steps to delete the data and restrict further processing.
17. Marketing Communications
We may send service-related communications necessary for account and contractual operations. Where legally permitted, we may also send product updates, webinars, and promotional content relevant to business users. Recipients may opt out of non-essential marketing communications using provided unsubscribe mechanisms.
18. Business Transfers
If BritData is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal data may be transferred as part of that transaction subject to confidentiality protections and applicable legal requirements.
19. Legal Requests and Compliance Disclosures
We may disclose personal data to courts, regulators, law enforcement, or other competent authorities where required by law, subpoena, or legal process, or where necessary to protect rights, safety, systems, and legal claims. We evaluate requests for validity and scope before disclosure where feasible.
20. Data Breach and Incident Response
BritData maintains incident response procedures to identify, contain, investigate, and remediate security events. Where a personal data breach is confirmed and notification is legally required, we notify relevant parties in accordance with contractual and legal obligations, including required details known at the time.
21. Regional Privacy Addendum (Summary)
Depending on where individuals are located, additional rights and disclosures may apply under local laws (for example, rights related to access categories, correction, deletion, limitation of sharing, appeal, or complaint submission). Region-specific supplements may be provided in contract packs or localized notices where required.
22. Do Not Track and Browser Signals
Some browsers transmit "Do Not Track" signals. Because no uniform industry standard currently governs interpretation in many contexts, our website may not respond to all such signals consistently. Users should rely on available cookie controls and browser privacy settings for preference management.
23. Data Accuracy and User Responsibilities
Customers and users should provide accurate data and update account details as needed. Where customers act as controllers, they are responsible for lawful collection and instruction, including notices and consent management for data subjects whose data is submitted to the Services.
24. Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect legal, technical, or business developments. Material changes will be communicated through reasonable channels such as account notices, website updates, or direct customer communications. The "Last updated" date indicates the effective revision date.
25. Contact and Complaints
For privacy questions or rights requests, contact: privacy@britdata.example. For security concerns, contact: security@britdata.example. Individuals may also lodge complaints with their local supervisory authority where applicable. We encourage contacting us first so we can investigate and resolve concerns promptly.