Privacy Policy

This privacy policy applies to the Maddisys Ltd corporate website (www.maddisys.co.uk). For privacy policies specific to our products, please refer to the product-specific privacy policies linked below.

1. Information We Collect

When you visit our corporate website or contact us through our contact form, we may collect:

• Contact Information: Name, email address, and any other information you provide when filling out our contact form.
• Usage Data: Information about how you interact with our website, including pages visited, time spent, and referral sources.
• Technical Data: IP address, browser type, device information, and operating system.

2. Legal Basis for Processing

Under the UK GDPR and Data Protection Act 2018, we process your personal data based on the following lawful bases:

• Consent (Article 6(1)(a)): When you submit our contact form, you consent to us processing your data to respond to your enquiry. You may withdraw this consent at any time by contacting us.
• Legitimate Interests (Article 6(1)(f)): We process technical and usage data to improve our website, ensure security, and prevent abuse. We have conducted a legitimate interest assessment and concluded that these interests do not override your rights and freedoms.
• Legal Obligation (Article 6(1)(c)): We may process data where required to comply with legal or regulatory obligations.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To respond to your enquiries and provide customer support
• To improve our website and user experience
• To send important updates about our products and services (only with your explicit consent)
• To comply with legal obligations and protect our rights
• To prevent fraud, abuse, and ensure website security

We will never sell, rent, or share your personal information with third parties for their marketing purposes without your explicit consent.

4. Cookies and Tracking

Our website uses minimal cookies and similar tracking technologies. We use:

• Essential Cookies: Required for the website to function properly (e.g., security cookies).
• Analytics Cookies: Help us understand how visitors interact with our website to improve user experience.

You can control cookie settings through your browser preferences. Most browsers allow you to refuse cookies or delete existing cookies. Please note that disabling essential cookies may limit some functionality of our website.

For more information about cookies and how to manage them, visit www.allaboutcookies.org.

5. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction in accordance with Article 32 of the UK GDPR. These measures include:

• Secure HTTPS encryption (TLS 1.2+) for all data transmission
• Regular security assessments and updates
• Limited access to personal data on a need-to-know basis
• Secure data storage within Google Cloud Platform infrastructure
• Rate limiting on contact form submissions to prevent abuse

6. Third-Party Services and International Data Transfers

Our website uses third-party services to provide functionality. Some of these services may process data outside the UK/EEA:

• Google Cloud Platform: We use Google Cloud Platform (including Cloud Run and Cloud Functions) to host our website and process contact form submissions. Data is primarily processed in the europe-west region. Google maintains appropriate safeguards including Standard Contractual Clauses for any international transfers. Google Cloud Privacy
• SendGrid (Twilio): We use SendGrid to send email confirmations when you submit our contact form. SendGrid is a US-based service and data may be transferred to the United States. Twilio maintains appropriate safeguards including Standard Contractual Clauses and has certified to the EU-US Data Privacy Framework. Twilio Privacy Policy
• Google Firestore: We use Firestore for rate limiting on our contact form. This stores hashed IP addresses temporarily. Data is stored in the europe-west region.

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place as required by Chapter V of the UK GDPR, including Standard Contractual Clauses or adequacy decisions.

7. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes outlined in this privacy policy, unless a longer retention period is required by law.

• Contact form submissions: Retained for up to 2 years to enable us to respond to enquiries and for business records
• Rate limiting data (hashed IP addresses): Automatically deleted after 30 minutes
• Server logs: Retained for up to 30 days for security and debugging purposes

8. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights:

• Right of Access (Article 15): Request a copy of the personal data we hold about you
• Right to Rectification (Article 16): Request correction of inaccurate or incomplete data
• Right to Erasure (Article 17): Request deletion of your personal data where there is no compelling reason for continued processing
• Right to Restriction (Article 18): Request restriction of processing in certain circumstances
• Right to Data Portability (Article 20): Receive your data in a structured, commonly used, machine-readable format
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, please contact us using the information provided below. We will respond to your request within one month as required by law.

These rights are not absolute and may be subject to exemptions. We may need to verify your identity before processing your request.

9. Right to Lodge a Complaint

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK supervisory authority:

We would appreciate the opportunity to address your concerns before you contact the ICO, so please contact us first.

10. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Rate limiting on our contact form is an automated security measure but does not constitute profiling under GDPR.

11. Children's Privacy

Our website is not directed to children under the age of 16, and we do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately and we will take steps to delete such information.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on this page with a new "Last updated" date. We encourage you to review this policy periodically.

13. Contact Us

If you have any questions about this privacy policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us: