Privacy Policy
Policy Owner: Data Protection Officer
Effective Date: 2025-11-17
1. Introduction
This Privacy Policy explains how bracket.co.uk (“we”, “us”, “our”, or “the Company”) collects, uses, processes, and protects your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable UK data protection laws.
As a B2B SaaS provider operating in the UK and EU, we are committed to protecting the security, confidentiality, and privacy of your personal data. This policy applies to all personal data we process in connection with our services, whether you are a customer, prospective customer, website visitor, or other individual whose personal data we process.
2. Data Controller Information
Data Controller: bracket.co.uk
Registered Address: 86-90 Paul Street, London, EC2A 4NE
Contact Email: info@bracket.co.uk
Phone: 0203 966 8312
3. Data Protection Officer (DPO)
Data Protection Officer: Martin Lee
Title: Data Protection Officer
Email: dpo@bracket.co.uk
Phone: 02039668312
Our DPO is responsible for monitoring compliance with data protection laws, providing guidance on data protection matters, and serving as your point of contact for data protection inquiries.
4. EU and UK Representatives
EU Representative: Pierre Anderson
Address: 86-90 Paul Street, London, EC2A 4NE
Email: panderson@bracket.co.uk
Phone: 02039668312
UK Representative: Pierre Anderson
Address: 86-90 Paul Street, London, EC2A 4NE
Email: panderson@bracket.co.uk
Phone: 02039668312
5. Categories of Personal Data We Collect
We collect and process the following categories of personal data:
5.1 Account and Contact Information
Name and job title
Business email address
Business phone number
Company name and address
Billing information and payment details
5.2 Technical Information
IP addresses and device identifiers
Browser type and version
Operating system information
Login credentials and authentication data
Usage analytics and performance metrics
5.3 Service Usage Data
Application logs and error reports
Feature usage patterns
Support ticket history and communications
Configuration settings and preferences
5.4 Communication Data
Email correspondence
Chat messages and support conversations
Survey responses and feedback
Marketing communication preferences
6. Purposes of Processing and Legal Bases
We process your personal data for the following purposes and legal bases under Article 6 of the GDPR:
6.1 Service Provision (Legal Basis: Contract Performance - Article 6(1)(b))
Providing and maintaining our SaaS services
User account management and authentication
Processing payments and billing
Providing customer support and technical assistance
6.2 Legitimate Interests (Legal Basis: Legitimate Interests - Article 6(1)(f))
Improving service performance and user experience
Conducting analytics to enhance our services
Network and information security monitoring
Fraud prevention and detection
Business development and marketing communications
6.3 Legal Obligations (Legal Basis: Legal Obligation - Article 6(1)(c))
Complying with accounting and tax requirements
Responding to legal requests and regulatory requirements
Maintaining records as required by law
6.4 Consent (Legal Basis: Consent - Article 6(1)(a))
Marketing communications (where not based on legitimate interests)
Optional data collection for service enhancement
Cookies and similar tracking technologies (where required)
7. Data Retention
We retain personal data for the following periods:
Account Data: Retained while your account is active and for 7 years after account closure for legal and accounting purposes
Service Usage Data: Retained for 2 years after collection for service improvement
Support Communications: Retained for 3 years after resolution for quality assurance
Marketing Data: Retained until you withdraw consent or 3 years after last engagement
Financial Records: Retained for 7 years as required by tax and accounting regulations
We regularly review our retention periods and delete personal data when it is no longer necessary for the purposes for which it was collected.
8. Data Subject Rights
Under the GDPR, you have the following rights regarding your personal data:
8.1 Right of Access (Article 15)
You can request a copy of the personal data we hold about you and information about how we process it.
8.2 Right of Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data.
8.3 Right of Erasure (Article 17)
You can request deletion of your personal data in certain circumstances.
8.4 Right to Restrict Processing (Article 18)
You can request restriction of processing in certain circumstances.
8.5 Right to Data Portability (Article 20)
You can request your data in a structured, commonly used format for transfer to another service provider.
8.6 Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
8.7 Rights Related to Automated Decision-Making (Article 22)
You have rights regarding automated decision-making and profiling, where applicable.
9. Exercising Your Rights
To exercise any of your data protection rights, please contact us using the following methods:
Email: info@bracket.co.uk
Online Form: Available at bracket.co.uk/privacy-request
Mail: Data Protection Officer, bracket.co.uk, 86-90 Paul Street, London, EC2A 4NE
We will respond to your request within one month of receipt. In complex cases, we may extend this period by two additional months and will inform you of any delay.
9.1 Identity Verification
To protect your personal data, we may need to verify your identity before processing your request. We may ask for proof of identity and additional information to confirm you are authorized to make the request.
9.2 Requests by Authorized Agents
If you use an authorized agent to submit a request, we may require:
Proof that you gave the agent signed permission
Verification of your identity directly with us
Confirmation that you provided the agent permission to submit the request
10. International Data Transfers
As a UK-based company serving EU and international clients, we may transfer your personal data outside the European Economic Area (EEA) and the UK. When we do so, we ensure appropriate safeguards are in place:
10.1 Transfer Mechanisms
Adequacy Decisions: We transfer data to countries deemed adequate by the European Commission or UK authorities
Standard Contractual Clauses: We use EU and UK Standard Contractual Clauses for transfers to countries without adequacy decisions
Binding Corporate Rules: Where applicable, we rely on approved Binding Corporate Rules
10.2 Data Processing Locations
We currently process personal data in the following locations:
United Kingdom (primary data center)
European Union (backup and disaster recovery)
Azure UK South
We maintain a current list of all data processing locations and will notify you of any significant changes.
11. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
11.1 Technical Measures
Encryption of data at rest and in transit using industry-standard protocols
Multi-factor authentication for system access
Regular security monitoring and intrusion detection
Secure software development practices
Regular security assessments and penetration testing
11.2 Organizational Measures
Staff training on data protection and security
Access controls based on need-to-know principles
Regular access reviews and termination procedures
Incident response and breach notification procedures
Third-party security assessments and due diligence
12. Third-Party Data Processors
We work with carefully selected third-party service providers who may process your personal data on our behalf, including:
Cloud hosting providers
Customer support tools
Analytics and monitoring services
Payment processors
Email communication services
All third-party processors are bound by Data Processing Agreements that require them to:
Process data only on our documented instructions
Implement appropriate technical and organizational security measures
Maintain confidentiality of personal data
Assist with data subject rights requests
Notify us of any security breaches
A current list of our sub-processors is available at bracket.co.uk/sub-processors.
13. Data Breach Notification
In the event of a personal data breach, we will:
Assess the breach and take immediate containment measures
Notify the relevant supervisory authority within 72 hours (where required)
Notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms
Document all breaches and our response measures
Review and update our security measures to prevent similar incidents
If you believe there has been a security incident involving your personal data, please contact us immediately at security@bracket.co.uk.
14. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to:
Enable essential service functionality
Remember your preferences and settings
Analyze service usage and performance
Provide personalized experiences
For detailed information about our use of cookies, please see our Cookie Policy at bracket.co.uk/cookies.
15. Marketing Communications
We may send you marketing communications about our services based on:
Your consent (where required)
Our legitimate business interests (for existing customers)
You can opt out of marketing communications at any time by:
Clicking the unsubscribe link in our emails
Updating your preferences in your account settings
Contacting us at privacy@bracket.co.uk
16. Data Protection by Design and Default
We implement data protection principles by design and default, including:
Minimizing data collection to what is necessary
Implementing privacy-friendly default settings
Conducting Data Protection Impact Assessments for high-risk processing
Regular privacy reviews of our services and processes
17. Children’s Privacy
Our services are designed for business use and are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such data, we will take steps to delete it promptly.
18. Complaints and Supervisory Authority
If you have concerns about our processing of your personal data, please contact us first at privacy@bracket.co.uk. We are committed to resolving any issues promptly and transparently.
You also have the right to lodge a complaint with the relevant supervisory authority:
UK: Information Commissioner’s Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113
EU: Contact your local Data Protection Authority
Directory: ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. We will:
Post the updated policy on our website
Notify you of material changes via email or service notifications
Update the “Effective Date” at the top of this policy
We encourage you to review this policy periodically to stay informed about how we protect your personal data.
20. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
General Inquiries:
Email: info@bracket.co.uk
Address: bracket.co.uk, 86-90 Paul Street, London, EC2A 4NE
Data Protection Officer:
Email: info@bracket.co.uk
Phone: 02039668312
Data Subject Rights Requests:
Online Form: bracket.co.uk/privacy-request
Email: info@bracket.co.uk
Version History
Version: 1.0
Date: 2025-11-17
Description: Initial GDPR Privacy Policy
Author: Pierre Anderson
Approved By: Martin Lee