Privacy Policy

1. Scope

This Privacy Policy explains how Mandatry UK Limited ("Mandatry") collects, uses, shares, and protects personal data when you use our Services.

Where Mandatry processes personal data on behalf of a business customer within customer-submitted content, Mandatry generally acts as a processor and the business customer acts as controller. That processing is governed by the relevant customer agreement and, where applicable, a data processing addendum.

2. Personal Data We Collect

We may collect:

• Account data: name, business email, role, organisation (if you create an account).
• Communications: messages you send to support or sales.
• Usage data: product usage events, logs, timestamps, device/browser info, IP address (for security and service operation).
• Customer-submitted data: content uploaded or submitted to the Services may include personal data, depending on customer use.

3. How We Use Personal Data

We use personal data to:

• provide, operate, maintain, and secure the Services;
• authenticate users and administer accounts;
• respond to enquiries and provide customer support;
• monitor performance, prevent abuse, and enforce our Terms;
• improve and develop the Services;
• comply with legal obligations.

4. Legal Bases (UK GDPR)

Where UK GDPR applies, we rely on:

• Contract: to provide the Services.
• Legitimate interests: security, fraud prevention, service improvement, customer support.
• Consent: where required (e.g., certain cookies/marketing).
• Legal obligation: compliance with applicable law.

5. Sharing and Disclosure

We may share personal data with:

• Subprocessors/service providers that support hosting, delivery, and operation of the Services.
• Professional advisers (legal, accounting) where necessary.
• Authorities where required by law or to protect rights and safety.
• Successors in a merger, acquisition, or asset sale.

We do not sell personal data in the ordinary sense of "sell".

6. Subprocessors

We use the following primary subprocessors:

• Vercel (hosting and delivery of web application components)
• Supabase (database, authentication, and related infrastructure services)

Subprocessors may change over time as we evolve the Service. Material changes may be communicated via our website or on request.

7. International Transfers

If personal data is transferred outside the UK, we will use appropriate safeguards (such as the UK International Data Transfer Agreement or other approved mechanisms) where required.

8. Retention

We retain personal data as long as necessary to provide the Services, meet legal obligations, resolve disputes, and enforce agreements. Retention periods vary depending on data type and context.

9. Security

We implement reasonable technical and organisational measures designed to protect personal data. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Your Rights (UK)

Depending on your circumstances, you may have rights to access, rectify, erase, restrict, object, and port your personal data, and to withdraw consent where processing is based on consent.

If you use the Services through an organisation, requests relating to customer-submitted data should generally be directed to that organisation (the controller). We will assist our customers where required.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).

11. Cookies

We may use cookies or similar technologies for authentication, security, and basic analytics. Where required, we will provide cookie controls.

12. Contact

For privacy questions or requests: info@privacypartners.global