Privacy Policy

Effective date: 1 March 2025

1. Introduction

Grambit Cloud Ltd ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store and share personal data when you visit our website, use our platform, or otherwise interact with our services.

This policy applies to all individuals whose personal data we process, including website visitors, customers, prospective customers and business contacts. Please read it carefully.

2. Data Controller

The data controller responsible for your personal data is:

Grambit Cloud Ltd
Company No. 14567890
London, United Kingdom
Email: info@grambit.io

3. Data We Collect

We may collect and process the following categories of personal data:

3.1 Information You Provide

• Account data: name, email address, company name, job title, password (hashed).
• Billing data: billing address, VAT number, payment card details (processed by our payment provider; we do not store full card numbers).
• Communications: any information you include in emails, support tickets or contact forms.

3.2 Information Collected Automatically

• Usage data: pages visited, features used, timestamps, session duration.
• Device and technical data: IP address, browser type and version, operating system, screen resolution, referring URL.
• Cookies and similar technologies: see Section 8 below.

3.3 Information from Third Parties

• Business contact data from publicly available sources or data partners for sales and marketing purposes.
• Information from identity-verification or fraud-prevention services.

4. How We Use Your Data

We process your personal data for the following purposes:

• Providing, operating and maintaining our SaaS platform and related infrastructure services.
• Creating and managing your account.
• Processing payments and issuing invoices.
• Communicating with you about your account, service updates, and support requests.
• Sending marketing communications where you have given consent or we have a legitimate interest to do so.
• Analysing usage patterns to improve our services and user experience.
• Detecting, preventing and addressing security incidents, fraud and technical issues.
• Complying with legal obligations, including tax and accounting requirements.

5. Legal Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we rely on the following lawful bases:

• Performance of a contract: processing necessary to deliver the services you have subscribed to.
• Legitimate interests: improving our services, preventing fraud, and direct marketing to existing customers (where proportionate).
• Consent: where you have opted in to receive marketing communications or where cookies require your consent.
• Legal obligation: where processing is necessary to comply with applicable law (e.g., tax records, anti-money-laundering checks).

6. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Account data: retained for the duration of your account and up to 12 months after closure, unless a longer period is required by law.
• Billing and transaction data: retained for 7 years to comply with UK tax and accounting legislation.
• Usage and analytics data: retained in aggregated or anonymised form; identifiable logs are deleted after 90 days.
• Marketing data: retained until you withdraw consent or unsubscribe.

7. Third-Party Sharing

We do not sell your personal data. We may share it with the following categories of recipients:

• Service providers: hosting providers, payment processors, analytics tools, customer support platforms and email delivery services that process data on our behalf under written data-processing agreements.
• Professional advisers: lawyers, auditors and accountants where necessary.
• Law enforcement or regulators: where required by law or to protect our legal rights.
• Business transfers: in connection with a merger, acquisition or sale of assets, your data may be transferred to the successor entity.

Where data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses approved by the ICO, or transfers to countries with an adequacy decision).

8. Cookies

Our website uses cookies and similar tracking technologies to enhance your experience, analyse traffic and support our marketing efforts.

• Essential cookies: required for the website to function (e.g., session cookies, CSRF tokens). These cannot be disabled.
• Analytics cookies: help us understand how visitors interact with the site (e.g., page views, bounce rate). Set only with your consent.
• Marketing cookies: used to deliver relevant advertisements and measure campaign effectiveness. Set only with your consent.

You can manage your cookie preferences at any time through our cookie banner or your browser settings.

9. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction. These measures include:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
• Regular security assessments and vulnerability scanning.
• Role-based access controls and multi-factor authentication for internal systems.
• Staff training on data protection and information security.
• Incident response procedures in line with UK GDPR breach notification requirements (72-hour notification to the ICO where applicable).

10. Your Rights

Under the UK GDPR, you have the following rights in relation to your personal data:

• Right of access: request a copy of the personal data we hold about you.
• Right to rectification: request correction of inaccurate or incomplete data.
• Right to erasure: request deletion of your personal data, subject to legal retention obligations.
• Right to restrict processing: request that we limit how we use your data in certain circumstances.
• Right to data portability: receive your data in a structured, commonly used, machine-readable format.
• Right to object: object to processing based on legitimate interests or direct marketing.
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
• Right to lodge a complaint: you may file a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, please contact us at info@grambit.io. We will respond within one month of receiving your request.

11. Contact

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:

Grambit Cloud Ltd
Email: info@grambit.io
London, United Kingdom

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. When we make material changes, we will notify you by posting a prominent notice on our website or by sending you an email. The "Effective date" at the top of this page indicates when the policy was last revised.

We encourage you to review this page periodically to stay informed about how we protect your data.