Privacy Policy
Last updated: 01 May 2025
Ceedbox (“we”, “us”, “our”) designs, builds and supports bespoke software and web-application solutions. Protecting the personal data we handle—whether that data belongs to our clients, end-users of the platforms we build, or visitors to our own website—is central to our business and legal responsibilities.
1. Who we are
Company name: **Ceedbox Ltd**
Company number: **12881199**
Registered office: **Leestone Road, Sharston Industrial Estate, Sharston, Wythenshawe, Manchester, United Kingdom, M22 4RB**
For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, Ceedbox Ltd is the **data controller** for the data described in this policy—unless explicitly stated otherwise in a project-specific Data Processing Addendum.
2. Personal data we collect
- **Business contacts / clients:** Name, job title, business email, phone, billing address, purchase orders, Statements of Work, invoices, bank-transfer references
- **Platform end-users** (when Ceedbox hosts or supports a product on a client’s behalf): Username, encrypted password, email address, access logs, IP address, browser type, session timestamps, feature-usage analytics
- **Website visitors:** IP address, device identifiers, cookie IDs, pages viewed
- **Recruitment:** CV details, cover letters, interview notes, right-to-work checks
**Note:** When our client is the data controller (e.g. you sign up to a web-app we built for that client), Ceedbox acts as data processor. In such cases our client’s privacy notice applies to your personal data; this policy covers only the processing Ceedbox controls directly.
3. How & why we use personal data
- **Provide and maintain contracted services:** User authentication, feature enablement, bug-fixing — (*Contract*)
- **Customer support:** Responding to tickets, troubleshooting, usage guidance — (*Legitimate interests*)
- **Invoicing & finance:** Raising invoices, processing payments, accounting records — (*Legal obligation / Contract*)
- **Improve products & websites:** Aggregated analytics, A/B testing, UX research — (*Legitimate interests*)
- **Security & fraud prevention:** Access logging, anomaly detection, back-up & DR — (*Legitimate interests / Legal obligation*)
- **Legal compliance:** Responding to court orders, HMRC enquiries — (*Legal obligation*)
- **Marketing (B2B):** Newsletters, product updates — (*Consent / Legitimate interests*)
4. Our lawful bases for processing
Under UK GDPR we must identify at least one lawful basis for each processing purpose:
- **Contract:** Necessary to perform a contract with you or take steps at your request before entering into one.
- **Legitimate interests:** Necessary for our business where not overridden by your rights—we always balance both.
- **Legal obligation:** Necessary to comply with UK law (e.g. tax, employment).
- **Consent:** Only used when you’ve clearly given permission (e.g. for marketing). You can withdraw at any time.
5. Sharing your data
**We never sell personal data.** We share it only with:
- Trusted suppliers (cloud hosting, payments, email, analytics) — all GDPR compliant & contract-bound
- Professional advisers (lawyers, accountants, insurers)
- Authorities (e.g. HMRC, police) where required by law or to protect rights, property or safety
- Corporate transactions (e.g. merger, acquisition) with safeguards in place
6. International transfers
Some suppliers operate outside the UK. When we transfer personal data internationally, we use safeguards such as **adequacy decisions**, **Standard Contractual Clauses + UK Addendum**, **Binding Corporate Rules**, or other legal mechanisms.
7. Security
We apply technical and organisational measures such as:
- TLS 1.2+ encryption
- MFA for admin accounts
- Principle of least privilege
- Pen testing, code reviews
- ISO 27001-aligned policies and training
No system is 100% secure, but we assess and mitigate risk continuously.
8. Retention
- Client contracts & invoices: **6 years** after end of tax year (HMRC requirement)
- Platform access logs: **12 months** (unless required for security)
- Support tickets: **3 years** after closure
- Marketing lists: until you unsubscribe or **24 months** after last engagement
- Recruitment records (unsuccessful): **6 months** unless consent to keep longer
When retention expires, we securely delete or anonymise data.
9. Your rights
- **Access:** obtain a copy of your data
- **Rectification:** correct errors
- **Erasure:** request deletion (in certain cases)
- **Restriction:** pause processing while under review
- **Portability:** receive or transfer data in machine-readable form
- **Object:** to legitimate interest processing or direct marketing
- **Withdraw consent:** anytime where consent is the legal basis
10. Marketing choices
We send B2B marketing emails only with your explicit consent or if you’ve bought similar services from us and not opted out. You can **unsubscribe at any time** via email link or by contacting us.
11. Cookies & similar technologies
We use cookies, local storage and similar technologies for essential functionality, analytics and (with consent) marketing. Full details are in our **Cookie Policy**.
12. Changes to this policy
We may update this Privacy Policy for legal, technical or business reasons. Any updates will be posted here and, if significant, we will notify you. The “Last updated” date always reflects the latest version.
13. Contact & complaints
**Postal:** Data Protection Officer, Ceedbox Ltd, Leestone Road, Sharston Industrial Estate, Sharston, Wythenshawe, Manchester, United Kingdom, M22 4RB
If you are dissatisfied with our response, you can complain to the UK Information Commissioner’s Office (ICO): ico.org.uk | 0303 123 1113
For any queries about this Privacy Policy, please contact our Data Protection Officer using the details above.