iRostrum Ltd (“iRostrum”, “we”, “us”, “our”) is committed to protecting and respecting your privacy.

This Privacy Policy explains how we collect, use, disclose, and protect personal data when:

• you visit our website;
• you interact with us in a business or marketing context; and
• you use, or are an authorised user of, the iRostrum software-as-a-service platform and related services (the “Services”).

This Privacy Policy should be read together with:

• our  SaaS Terms and Conditions; and
• where applicable, our  Data Processing Agreement (“DPA”).

2. Who We Are

Company name: iRostrum Ltd

Website: https://www.irostrum.com

Contact email: marijke@irostrum.com

For the purposes of applicable data protection law, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, iRostrum acts as either a data controller or a data processor, depending on the context described below.

3. Our Role: Controller and Processor

3.1 When iRostrum Acts as a Data Controller

iRostrum acts as a data controller where we determine the purposes and means of processing personal data, including in relation to:

• website visitors;
• marketing and business contacts;
• customer account administrators and authorised users;
• billing and contract management;
• customer support communications; and
• product usage analytics used to operate, secure, and improve the Services (typically in aggregated or pseudonymised form).

This Privacy Policy applies to those activities.

3.2 When iRostrum Acts as a Data Processor

When customers use the Services to upload, store, or otherwise process personal data relating to their own end users or business contacts (“Customer Data”), iRostrum acts as a data processor on the customer’s behalf.

In those circumstances:

• the customer is the data controller;
• iRostrum processes Customer Data only in accordance with the customer’s documented instructions; and
• the processing is governed by our  Data Processing Agreement, which forms part of the SaaS contract.

Further details of iRostrum’s processor obligations, including security measures, sub-processors and international transfers, are set out in the Data Processing Agreement.

Customers are responsible for ensuring that their use of the Services and any Customer Data complies with applicable data protection law and for providing appropriate privacy information to their own end users.

4. Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

4.1 Website and Marketing Data

• Name, company
• Email address and phone number
• Information submitted via contact or demo request forms
• Marketing preferences
• Referral and campaign data

4.2 SaaS Account and Service Data

• Account registration and user profile information
• Authentication and access credentials
• Support requests and correspondence
• Service configuration and administrative data

4.3 Technical and Usage Data

• IP address
• Browser type and device information
• Log files and system metadata
• Usage data relating to interactions with the Services and website

5. How We Use Personal Data

We use personal data for the following purposes:

• to respond to enquiries and demo requests;
• to provide, operate, and administer the Services;
• to manage customer relationships, contracts, and billing;
• to provide customer support and service communications;
• to monitor, secure, and improve our website and Services;
• to analyse usage trends and service performance;
• to carry out marketing and business development activities (where permitted); and
• to comply with legal and regulatory obligations.

6. Legal Bases for Processing

We process personal data on the following legal bases, as applicable:

• Contractual necessity – where processing is required to perform a contract or take steps at your request prior to entering into a contract;
• Legitimate interests – to operate, secure, and improve our business and Services, provided those interests are not overridden by your rights;
• Consent – where required by law, including for non-essential cookies and certain marketing activities;
• Legal obligation – where processing is required to comply with applicable law.

7. Cookies and Tracking Technologies

7.1 Use of Cookies

We use cookies and similar technologies to operate our website, analyse usage, and measure the effectiveness of our marketing activities.

7.2 Consent Management

We use a consent management platform (Cookiebot) to obtain explicit consent before setting any non-essential cookies.

• Essential cookies are always enabled.
• Analytics and marketing cookies are only set if you choose to accept them.
• You may update or withdraw your consent at any time via the cookie settings interface.

7.3 Analytics and Marketing Technologies

Subject to your consent, we may use the following technologies:

• Google Analytics
• Google Tag Manager
• Google Ads conversion tracking
• LinkedIn Insight Tag
• Gartner marketing platforms

If you do not consent to non-essential cookies, these technologies will not be activated.

7.4 Cookie Declaration

A current and detailed list of cookies used on our website is available via our Cookie Declaration.

8. Data Sharing and Sub-Processors

We may share personal data with trusted third-party service providers who support our operations, including hosting providers, analytics services, customer support tools, and professional advisers.

Such providers:

• act under our instructions;
• are subject to appropriate confidentiality and security obligations; and
• process personal data only for specified purposes.

We do not sell personal data to third parties.

9. International Data Transfers

Some of our service providers may process personal data outside the United Kingdom or European Economic Area.

Where international transfers occur, we ensure appropriate safeguards are in place, such as:

• UK International Data Transfer Agreements;
• the UK Addendum to EU Standard Contractual Clauses; or
• adequacy regulations, where applicable.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, and reporting requirements.

In general:

• marketing and enquiry data is retained for a limited period following last contact;
• account and service data is retained for the duration of the customer relationship; and
• Customer Data processed under the DPA is deleted or returned in accordance with the SaaS Terms and DPA following termination of the Services, subject to lawful retention requirements.

11. Security of Personal Data

We implement appropriate technical and organisational measures to protect personal data, taking into account the nature of the processing and the risks involved.

These measures include, where appropriate:

• access controls and authentication measures;
• encryption of data in transit and, where appropriate, at rest;
• staff confidentiality obligations; and
• security incident response procedures.

12. Your Rights

Under applicable data protection law, you have the right to:

• access your personal data;
• request correction of inaccurate or incomplete data;
• request erasure of your data;
• restrict or object to processing;
• withdraw consent at any time (where processing is based on consent); and
• request data portability.

To exercise your rights, please contact us using the details set out above.

13. Automated Decision-Making

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on individuals.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be published on this page and the “Last updated” date will be revised accordingly. Where changes are material, we will take reasonable steps to notify affected users.