Privacy Policy
1. Who we are
PromoWave Ltd is the data controller for personal data processed in connection with PromoTrace.
54 Quicksilver Street,
Worthing, BN13 1FN,
United Kingdom
Company No. 11303443 · VAT GB293075488
Email: [email protected]
This policy explains how we handle personal data under the UK GDPR and the UK Data Protection Act 2018, with reference to the EU GDPR for EU data subjects.
2. What data we collect
2.1 Account data
- Email address, first name, last name, role within your company.
- Company name, optional company website and logo.
- Hashed password (we never see or store your plaintext password).
- Locale, time zone, theme preference (functional, stored locally in your browser where possible).
2.2 Calculation data
- Product names, categories, materials, weights, decoration methods, transport routes you enter into the calculator.
- Computed CO₂e results, breakdowns, and reports you generate.
- Optional client names you associate with calculations.
We treat calculation data as your Customer Data, not as our own asset. We do not use your calculations to train external AI models or to sell aggregated insights to third parties.
2.3 Technical data
- IP address (logged for security and rate-limiting; truncated for analytics where possible).
- Browser type and version, device type, operating system, screen size.
- Pages and features used, error messages, performance telemetry.
- Audit-log entries for admin actions on your account.
2.4 Payment data
- If you pay by Stripe (when enabled), Stripe Payments Europe Ltd collects card details directly — we never see them. We receive only the result (paid / failed) and a reference to the Stripe transaction.
- If you pay by bank transfer, we receive your bank-issued reference data via our payment account.
- VAT number (if you provide one), invoice address, and the invoice amount and date.
2.5 Communications
- Emails you send to [email protected] and our replies.
- Chat transcripts if you use the Vistochat assistant on our public pages.
- Contact-form submissions from promotrace.io.
3. Why we process it (lawful basis)
| Purpose | Lawful basis |
|---|---|
| Provide the Service to you | Performance of contract (Art. 6(1)(b)) |
| Authenticate users, prevent fraud and abuse | Legitimate interest (Art. 6(1)(f)) |
| Send transactional emails (invoices, password resets) | Performance of contract |
| Improve product reliability and performance | Legitimate interest |
| Comply with tax, accounting, and legal obligations | Legal obligation (Art. 6(1)(c)) |
| Respond to your support requests | Performance of contract / legitimate interest |
| Send marketing emails (where applicable) | Consent (Art. 6(1)(a)), opt-in only |
4. Who we share it with (sub-processors)
We use a small number of trusted vendors to operate the Service. Each is bound by a data-processing agreement that requires them to handle your data only as instructed by us and to maintain appropriate security.
| Provider | Role | Location |
|---|---|---|
| Vistoweb E.E. | Develops and operates the Platform on PromoWave's behalf (engineering, hosting management, monitoring, support). | Athens, Greece (EU) |
| Hetzner Online GmbH | Provides the underlying server infrastructure and storage. | Falkenstein, Germany (EU) |
| Cloudflare, Inc. | Provides DDoS protection, CDN, and edge security in front of the application. | Global edge network with EU data residency where available |
| Stripe Payments Europe Ltd | Processes card payments (when Stripe is enabled). PCI-DSS Level 1. | Dublin, Ireland (EU) |
| Vistochat (Vistoweb E.E.) | Powers the live-chat assistant on our public pages. Stores chat transcripts on Vistoweb's infrastructure. | Athens, Greece (EU) |
The current list above is up-to-date as of the "Last updated" date at the top of this page. We will update this list when we add or change a sub-processor; material changes are announced with at least 30 days' notice.
5. International transfers
All current sub-processors are based in the UK or EU/EEA. Where data is transferred outside the UK or EEA (for example, when Cloudflare routes through a global edge node), we rely on:
- UK adequacy decisions (where applicable) — currently the EEA, Andorra, Argentina, Canada (commercial), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay.
- UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs) with appropriate technical and organisational measures.
You can request a copy of the transfer mechanism by emailing [email protected].
6. How long we keep it
| Data type | Retention |
|---|---|
| Active account data | For the lifetime of the subscription |
| Calculation data | For the lifetime of the subscription, plus 90 days post-cancellation for export |
| Invoices and payment records | 6 years (UK HMRC requirement for VAT-registered companies) |
| Server access logs | 30 days rolling |
| Application audit logs (admin actions) | 12 months rolling |
| Support emails | 24 months from last interaction |
| Marketing emails (if opted in) | Until you unsubscribe, plus 30 days |
| Vistochat transcripts | 90 days, or until you ask us to delete sooner |
7. Your rights
Under UK GDPR you have the right to:
- Access — ask for a copy of personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — ask us to delete your personal data, subject to our legal-retention obligations.
- Restriction — ask us to limit how we use your data while a query is being resolved.
- Portability — receive your account data in a machine-readable format (JSON / CSV).
- Object — object to processing based on legitimate interest, including profiling.
- Withdraw consent — for processing based on consent (e.g. marketing emails), at any time.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority in the EU.
To exercise any of these rights, email [email protected]. We respond within 30 days, with the option to extend by 60 days for complex requests, in line with UK GDPR. We don't charge a fee for reasonable requests.
8. Security
We use industry-standard technical and organisational measures appropriate to the risk:
- Encryption in transit (TLS 1.3) and at rest (server disk + database backups).
- Hashed passwords (bcrypt, never stored in plaintext).
- CSRF protection, strict Content-Security-Policy, rate limiting on authentication endpoints.
- Audit logs of administrative actions.
- Principle of least privilege for staff and sub-processor access.
- Off-site daily database backups, retained for 30 days.
- Regular security review and patching of the platform's dependencies.
If we discover a personal-data breach that risks your rights and freedoms, we will notify the UK Information Commissioner's Office within 72 hours and you without undue delay, with the information required by UK GDPR Articles 33–34.
9. Cookies and similar technologies
See our Cookie Policy for details of the cookies and local-storage items we use.
10. Children
PromoTrace is a B2B service. It is not intended for use by individuals under 18, and we do not knowingly collect personal data from children.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent version. For material changes, we will email account holders and require explicit re-acceptance via a login banner.
12. Contact and complaints
For privacy questions, requests, or to exercise your rights:
PromoWave Ltd
(Data Controller)
54 Quicksilver Street,
Worthing, BN13 1FN,
United Kingdom
Email: [email protected]
If you're not satisfied with our response, you have the right to lodge a complaint with:
- UK: Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint
- EU: your local data-protection supervisory authority — list at edpb.europa.eu