Privacy Policy (UK)

Who we are: [Company Legal Name], trading as [Product/Brand, e.g., “AttributionOS”] (“we”, “us”, “our”). Registered address: [Address]. ICO registration no.: [if available]. Contact: [privacy@yourdomain].

This policy explains how we handle personal data when you: (a) visit our websites and marketing pages, (b) create an account and use our SaaS platform and dashboard, and (c) interact with our support or sales teams. It covers the product described in your PRD.

1) Our role

• Controller: We act as a controller for data about our customers and users of the platform (e.g., account, billing, usage, support).
• Processor: We act as a processor for our customers when we process their end-user/event data solely to provide the analytics services. A Data Processing Addendum (DPA) is available on request.

2) Personal data we collect

• Account & Billing: name, email, company, role, authentication data, subscription plan, invoices and payment status (payments handled by [Stripe/…], we do not store full card details).
• Product & Event Data (processor): campaign and attribution signals (e.g., UTM parameters, ad click IDs such as gclid/fbclid), device and network metadata (IP address, user-agent, referrer), in-app/website events you choose to track (installs, conversions, revenue events), and identifiers you send (e.g., hashed user ID). We instruct customers not to send special category data.
• Logs & Telemetry: service logs, diagnostics, security logs.
• Support & Sales: messages, call notes, and attachments you share with us.
• Cookies/SDK-less tracking on our sites: see Cookies & similar technologies below.

3) Purposes & lawful bases

• Provide and secure the service (create your account, serve dashboards, prevent abuse) — Contract.
• Billing, tax, and records — Contract / Legal obligation.
• Product improvement, troubleshooting, and analytics — Legitimate interests (we balance these against your rights).
• Marketing (emails/ads) on our own sites — Consent where required; you can withdraw at any time.
• Cookies & similar tech — Consent for non-essential cookies; essential cookies run without consent. ICO guidance requires clear information and prior consent for non-essential cookies under PECR. (ICO)

4) Cookies & similar technologies

We use:

• Essential cookies for core site and security (no consent required).
• Analytics/Performance and Advertising cookies only with your consent via our banner/preferences center. You can change or withdraw consent at any time. This flows from PECR and ICO guidance on cookies and consent. (ICO)

5) Sharing your data

• Service providers/sub-processors under contract (e.g., cloud hosting, databases, logging/monitoring, email delivery, payment processing, customer support tools).
• Professional advisors (legal, accounting), law enforcement when required by law, and corporate transaction counterparties (if we sell/merge assets). We maintain a current list of sub-processors at [URL] and require appropriate safeguards and confidentiality.

6) International transfers

If we transfer UK personal data outside the UK (e.g., to the US or other countries), we use legal transfer tools such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, and perform transfer risk assessments where needed. (ICO)

7) Data retention

• Customer/account data: kept while your account is active and for up to [6 years] afterward for tax, accounting, and dispute purposes.
• Event data (processor): default retention [e.g., 24 months] (configurable by the customer).
• Logs: [e.g., 90–180 days] unless extended for security investigations. We delete or anonymise data after these periods unless we must keep it longer by law.

8) Security

We apply technical and organisational measures including encryption in transit and at rest, access controls, least-privilege permissions, environment isolation, continuous monitoring, and employee training. Customers are responsible for securing their own credentials, API keys, and data sent into the platform.

9) Your rights (UK GDPR)

Subject to conditions and exemptions, you have the right to: be informed; access; rectify; erase; restrict; object; data portability; and, where processing is based on consent, withdraw consent at any time. You also have the right to complain to the ICO (see contact below). (ICO, GOV.UK)

How to exercise your rights: email [privacy@yourdomain]. We will respond within one month and may request verification of identity.

10) Children

Our services are not directed to children and are intended for business users. In the UK, children under 13 cannot consent to online services; parental consent would be required. We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact [privacy@yourdomain] to request deletion. (ICO, WSGR Data Advisor)

11) Automated decision-making

We do not make decisions producing legal or similarly significant effects solely by automated means. If this changes, we will explain the logic involved and your rights related to such processing.

12) When we act as a processor

When customers send us end-user/event data, we process it only under their instructions, to provide the analytics service, troubleshoot, and maintain security. Customers are responsible for providing their own privacy notices to end users and establishing a lawful basis (e.g., consent for non-essential cookies/tags, or other lawful bases for server-side events). We offer a DPA that includes data-security terms, confidentiality, sub-processor controls, international transfer mechanisms, and deletion on termination.

13) Third-party links

Our sites and dashboards may contain links to third-party sites. Their privacy practices are their own; review their policies before providing data.

14) Changes to this policy

We may update this policy to reflect changes in law, guidance, or our services. We’ll post updates here and change the “Last updated” date. Where appropriate, we’ll notify you by email or in-app.

15) Contact & UK complaints

• Email: [privacy@yourdomain]
• Mail: [Company Legal Name, Address]
• ICO: You can raise a complaint with the UK Information Commissioner’s Office (ICO). See “UK GDPR guidance and resources / Right to be informed and individual rights” on the ICO site for how to do this. (ICO)

---

Cookie Notice (UK summary for your banner/preferences center)

• Essential cookies: required for security, load-balancing, and user login.
• Analytics cookies (consent): help us measure visits, feature usage, and performance.
• Advertising cookies (consent): used to measure ad performance and build audiences. Set or change your preferences anytime via [“Cookie Settings” link]. Non-essential cookies are off unless you opt in, as required by PECR and ICO guidance. (ICO)

---