Privacy Notice (UK)

Effective Date: 26/01/2026
Last Updated: 26/01/2026

Controller

EMSTREE CYF
14 MUSEUM PLACE
CARDIFF
CF10 3BH

Contact: legal@theitexchange.app | support@theitexchange.app | +447377573768
Website/App: https://www.theitexchange.app

This Privacy Notice explains how we collect, use, share, and protect personal data when you use https://www.theitexchange.app (the “Service”). It is intended to meet our transparency obligations under the UK GDPR and the Data Protection Act 2018.

1. Summary

We process personal data to:

  • Provide and improve the Service;
  • Manage accounts, billing, and support;
  • Enable business workflows (e.g., inventory/deals/offers communications);
  • Maintain security and prevent fraud; and
  • Comply with legal obligations.

Where we use third-party providers (e.g., hosting, email integrations), we do so under appropriate contractual protections.

2. The Personal Data We Collect

We may collect the following categories of personal data:

A) Account and profile data

  • Name, email address, phone number, company/organisation details
  • Role/permissions within your organisation
  • Authentication data (e.g., tokens/cookies) where applicable

B) Service usage and device data

  • Log data: IP address, browser type, operating system, timestamps, pages/actions
  • Diagnostic and performance data (error logs, crash reports)

C) Business contact data you upload or manage

If you upload or store third-party contact details (e.g., buyers/customers/suppliers), we may process:

  • Names, email addresses, phone numbers, job titles, company names
  • Communications metadata (e.g., message timestamps, subject lines) where integrated

D) Communications data (email integrations)

If you connect an email provider (e.g., Microsoft Outlook), we may process:

  • Email addresses, names, and message content/attachments as needed for the feature you enable (e.g., parsing offers from replies)
  • Message IDs, thread identifiers, dates received/sent

E) Payment and billing data (if applicable)

  • Billing contact details, invoices, transaction references
  • We typically do not store full card details; payments are handled by our payment provider

F) Cookies and similar technologies

We use cookies or similar technologies for authentication, security, and analytics. See Section 11.

3. How We Use Personal Data (Purposes)

We use personal data for:

  • Providing the Service: user accounts, access control, feature delivery
  • Customer support: responding to requests and troubleshooting
  • Security: fraud prevention, monitoring, audits, access logging
  • Product improvement: analytics, performance monitoring, feature development
  • Communications: service notices and (where permitted) marketing
  • Legal compliance: meeting tax, accounting, and regulatory obligations

4. Lawful Bases (UK GDPR Article 6)

We rely on one or more of the following lawful bases:

  • Contract (Art. 6(1)(b)): to provide the Service and perform an agreement with you/your organisation
  • Legitimate interests (Art. 6(1)(f)): to secure and improve the Service, prevent fraud, and support business operations (balanced against your rights)
  • Legal obligation (Art. 6(1)(c)): to comply with applicable laws (e.g., tax/accounting requirements)
  • Consent (Art. 6(1)(a)): where required (e.g., certain marketing, optional cookies) — you can withdraw consent at any time
  • Vital interests (Art. 6(1)(d)): rarely, if necessary to protect someone's life

Where we process “special category data” (rare for this type of Service), we will identify an additional condition under Art. 9 and explain it.

5. If You Provide Third‑Party Personal Data

If you upload or input personal data about others (e.g., buyers/customers/suppliers), you are responsible for ensuring you have a valid lawful basis to share that data with us and to use the Service to contact them (including compliance with UK PECR rules for electronic marketing where applicable).

6. Sharing Personal Data

We may share personal data with:

A) Service providers (processors)

Such as hosting, database, analytics, customer support tools, email delivery, and error monitoring providers. They may only process data on our instructions and under contractual safeguards.

B) Email/identity providers (if you connect them)

If you connect Microsoft/Google services, those providers process data under their own terms and privacy policies. Our integration uses the scopes/permissions you authorise.

C) Professional advisers

Lawyers, accountants, insurers, and auditors, where necessary.

D) Legal and regulatory disclosures

Where required by law, court order, or to enforce our rights and protect users.

We do not sell personal data.

7. International Transfers

Some of our providers may process data outside the UK. If personal data is transferred internationally, we ensure appropriate safeguards are in place, such as:

  • UK International Data Transfer Agreement (IDTA) or Addendum; and/or
  • Adequacy regulations; and/or
  • Other lawful mechanisms recognised under UK GDPR.

8. Data Retention

We keep personal data only as long as necessary for the purposes described, including legal, accounting, and security obligations.

Typical retention periods (example):

  • Account data: for the life of the account, plus 12 months after closure
  • Logs/security records: 24 months
  • Email integration data (e.g., parsed offers): as required to provide the feature and for audit, typically 12 months or until deleted by the customer

You can request deletion where applicable (see Section 10).

9. Security

We use appropriate technical and organisational measures to protect personal data, such as:

  • Access controls and least-privilege permissions
  • Encryption in transit (TLS) and, where applicable, at rest
  • Monitoring and audit logging
  • Secure development and incident response procedures

No system is 100% secure. Please use strong passwords and keep your credentials confidential.

10. Your UK GDPR Rights

You may have the right to:

  • Access your personal data
  • Rectification (correct inaccurate/incomplete data)
  • Erasure (delete data) in certain circumstances
  • Restriction of processing in certain circumstances
  • Data portability in certain circumstances
  • Object to processing based on legitimate interests or direct marketing
  • Withdraw consent at any time where we rely on consent
  • Complain to the UK Information Commissioner's Office (ICO)

To exercise your rights, contact us at legal@theitexchange.app. We may ask you to verify your identity.

ICO contact: https://ico.org.uk/

11. Cookies and Analytics (UK/PECR)

We use:

  • Strictly necessary cookies: required for login, security, and core site functionality
  • Analytics cookies (optional): to understand usage and improve the Service
  • Preference cookies (optional): to remember settings

Where required, we will obtain consent for non-essential cookies and provide controls to change your choices.

12. Marketing Communications

If we send marketing messages, we will do so in accordance with UK PECR and UK GDPR. You can opt out at any time using the unsubscribe link or by contacting us.

Service-related messages (e.g., security alerts, billing notices) are not marketing and may still be sent.

13. Children

The Service is not intended for children and we do not knowingly collect personal data from children.

14. Changes to This Notice

We may update this Privacy Notice from time to time. If changes are material, we will provide appropriate notice (e.g., in-app or by email).

15. Contact Us

For privacy questions or requests:

EMSTREE CYF
14 MUSEUM PLACE
CARDIFF
CF10 3BH

Contact: legal@theitexchange.app | support@theitexchange.app | +447377573768
Website/App: https://www.theitexchange.app