Privacy Policy

        Status: This is a comprehensive draft prepared for legal review. 
        Fields marked [in brackets] require your specific company details.
        This document is intended to comply with the UK GDPR, the EU GDPR, and the Data Protection Act 2018.
    

1. Who We Are

Data Controller: Brizop Ltd

Registered Address: [Registered office address, Kent, United Kingdom]

Company Number: [Company registration number]

ICO Registration Number: [ICO registration number, if registered]

Email: privacy@brizop.com

Phone: +44 7380 936147

Data Protection Officer (DPO): care of privacy@brizop.com

Brizop ("we", "us", "our") is the data controller responsible for your personal data processed through our website, platform, and services (collectively, the "Service").

2. What Data We Collect

We collect and process the following categories of personal data:

2.1 Information You Provide

Account Data: Name, email address, phone number, business name, job title, billing address, payment information (processed by our PCI-compliant payment processor — we do not store full payment card details).
Customer Data: Information about your customers (names, contact details, purchase history, loyalty data) that you upload or process through our Service. We process this on your behalf as a data processor.
Communications: Emails, support tickets, chat messages, and phone call recordings (where permitted by law and with notice).
Form Data: Information you submit via our website contact forms, demo requests, or newsletter signups.

2.2 Information Collected Automatically

Usage Data: Pages visited, time spent, referral source, click patterns, feature usage within our platform.
Device & Browser Data: IP address, browser type and version, operating system, device type, screen resolution, language preference.
AI Interaction Logs: De-identified logs of inputs and outputs from our AI systems for model improvement, training, and auditing purposes. You may opt out of training use by contacting us.
Location Data: Approximate location derived from IP address (city/country level). We do not collect precise GPS location.
Cookies & Similar Technologies: See our Cookie Policy for full details.

2.3 Information from Third Parties

Payment Processors: Payment confirmation details (not full card numbers).
Integrations: Data from third-party services you connect to our platform (e.g., accounting software, delivery partners, loyalty programmes).
Marketing Partners: Contact information from event attendance, partner referrals, or lead generation services, where you have consented or we have a legitimate interest.

3. How We Use Your Data

We process personal data for the following purposes and under the following lawful bases:

Purpose	Data Categories	Lawful Basis
Providing the Service (POS, AI automation, analytics, delivery, dashboard)	Account Data, Customer Data, AI Logs	Contract (GDPR Art. 6(1)(b)) — necessary to perform our agreement with you
Processing payments and subscriptions	Account Data, Payment Data	Contract (Art. 6(1)(b))
Customer support and technical assistance	Account Data, Communications	Contract (Art. 6(1)(b)) / Legitimate Interest (Art. 6(1)(f))
Fraud prevention and security monitoring	Usage Data, Device Data, Account Data	Legitimate Interest (Art. 6(1)(f)) — protecting our platform, users, and customers
Improving and training AI models	Anonymised AI Logs	Legitimate Interest (Art. 6(1)(f)) / Consent (Art. 6(1)(a)) where required
Marketing communications (emails, product updates)	Account Data	Consent (Art. 6(1)(a)) or Legitimate Interest (Art. 6(1)(f)) for existing customers (soft opt-in under PECR)
Analytics and service improvement	Usage Data, Device Data	Consent (Art. 6(1)(a)) via cookie banner / Legitimate Interest (Art. 6(1)(f)) for essential analytics
Legal and regulatory compliance	Account Data, Transaction Data	Legal Obligation (Art. 6(1)(c))

4. Legal Bases Explained

Consent (Art. 6(1)(a)): You have given clear permission for us to process your data for a specific purpose. You can withdraw consent at any time.
Contract (Art. 6(1)(b)): Processing is necessary to fulfil our contract with you or to take steps at your request before entering into a contract.
Legal Obligation (Art. 6(1)(c)): Processing is necessary to comply with the law (e.g., retaining financial records for HMRC).
Legitimate Interest (Art. 6(1)(f)): Processing is necessary for our legitimate interests or those of a third party, provided your rights do not override those interests. We assess this on an ongoing basis.

5. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, plus any legal retention period:

Data Category	Retention Period	Rationale
Account Data (active users)	Duration of account + 6 years after closure	Contract performance + HMRC record-keeping requirement
Transaction/Payment Data	6 years after transaction	Legal obligation (HMRC, anti-money laundering)
Customer Data processed through the Service	Duration of your use + 90 days (deleted per our DPA)	Contract — you control this data; we delete on instruction or account closure
AI Interaction Logs	12 months (anonymised thereafter for training)	Legitimate interest in improving AI accuracy and safety
Usage/Device Data	26 months	Analytics and platform improvement
Marketing Communications Data	Until consent withdrawn or 2 years after last interaction	Consent / Legitimate Interest
Cookie-Related Data	As per our Cookie Policy	Consent

6. Who We Share Your Data With

We share personal data with the following categories of recipients:

6.1 Service Providers (Data Processors)

We use trusted third-party services to operate our platform. All processors are contractually bound to process data only on our instructions and to maintain appropriate security measures:

Cloud Infrastructure: [e.g., AWS / Google Cloud / Azure] — hosting and compute services
Payment Processing: [e.g., Stripe / Square] — payment card processing (PCI DSS Level 1)
Analytics: Google Analytics 4, [other analytics]
Email & Communications: [e.g., SendGrid / Postmark] — transactional emails and marketing
Customer Support: [e.g., Intercom / Zendesk] — support ticket system
Heatmapping & Session Recording: Hotjar (optional — loaded only with your consent)
AI/ML Services: [e.g., OpenAI / Anthropic API] — AI model inference
Tag Management: Google Tag Manager

6.2 Other Disclosures

Professional Advisors: Lawyers, accountants, insurers, and auditors where necessary.
Regulators: HMRC, ICO, law enforcement, or other authorities where required by law.
Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.
With Your Consent: Any other party you expressly authorise.

7. International Data Transfers

Some of our service providers are located outside the UK and European Economic Area (EEA). Where we transfer your data to countries not deemed adequate by the UK or EU, we ensure appropriate safeguards are in place:

UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) executed with the recipient.
Transfer Risk Assessments (TRAs) conducted where required.
Where service providers are certified under the EU-US Data Privacy Framework (DPF) or the UK Extension to the DPF, we rely on that certification.

8. Your Rights

Under UK and EU data protection law, you have the following rights. We will respond to any request within one month (extendable by two months for complex requests):

Right	What It Means
Right of Access (Art. 15)	Request a copy of the personal data we hold about you, along with details of how we process it.
Right to Rectification (Art. 16)	Ask us to correct inaccurate or incomplete data.
Right to Erasure (Art. 17)	Request deletion of your data where there is no compelling reason to retain it ("right to be forgotten").
Right to Restriction (Art. 18)	Ask us to limit processing while a dispute is being resolved.
Right to Data Portability (Art. 20)	Receive your data in a structured, machine-readable format and transmit it to another controller.
Right to Object (Art. 21)	Object to processing based on legitimate interests, including direct marketing and profiling.
Rights Related to Automated Decision-Making (Art. 22)	Not be subject to decisions based solely on automated processing that significantly affect you, without human intervention.
Right to Withdraw Consent	Where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@brizop.com. We may need to verify your identity before processing your request.

9. Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption: TLS 1.3 for data in transit; AES-256 for data at rest.
Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and least-privilege principles.
Monitoring: 24/7 intrusion detection, logging, and anomaly alerting.
Penetration Testing: Regular third-party security assessments.
Staff Training: Annual data protection and security awareness training.
Incident Response: Documented breach detection, notification, and remediation procedures.
PCI DSS Compliance: Payment processing handled by PCI DSS Level 1 certified providers.

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours, and will inform affected individuals without undue delay where required by law.

11. Automated Decision-Making and Profiling

Our AI-powered platform may make automated decisions regarding pricing, inventory recommendations, and delivery routing. These decisions are designed to be explainable, and you have the right to request human review of automated decisions that significantly affect you. We do not engage in automated profiling for marketing purposes without your consent.

12. Children's Data

Our Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email (where we have your contact details) or through a prominent notice on our website. The "Last updated" date at the top of this page reflects the most recent revision.

14. Complaints

If you believe we have not handled your data in accordance with the law, you have the right to lodge a complaint with the supervisory authority:

UK: Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
https://ico.org.uk
Tel: 0303 123 1113

EU: Your local data protection authority (for users in the EEA)
We are primarily regulated by the Information Commissioner's Office (ICO) for UK GDPR compliance. For EU GDPR matters, please contact us to identify your relevant lead supervisory authority.

We encourage you to contact us first at privacy@brizop.com so we can resolve any concerns promptly.

15. Contact Us

For any questions about this Privacy Policy or to exercise your data rights:

Email: privacy@brizop.com
Phone: +44 7380 936147
Data Protection Officer: care of privacy@brizop.com
Post: [Full postal address, Kent, United Kingdom]
Response Time: We aim to respond within 72 hours for initial acknowledgment and within one month for substantive responses.

← Back to Brizop

PRIVACY POLICY