Privacy Policy

This Privacy Policy describes how ImportOps collects, uses, stores, and shares personal data when you use our websites, applications, and related services, and explains your rights under applicable data protection law. It should be read together with our Cookie Policy and, where relevant, our Data Processing Agreement.

1.Introduction and who we are

ImportOps is a trading name of [Your Full Legal Name], a sole trader registered in the United Kingdom. Our registered address is [Business Address]. For data protection enquiries, contact privacy@import-ops.com.

This policy is effective as of the "Last updated" date shown above and applies to processing carried out by ImportOps unless a separate notice is provided for a specific product or trial.

2.Scope and roles

2.1Controller and processor

1. Where we determine the purposes and means of processing personal data relating to your account, billing relationship with ImportOps (where we act independently of Paddle for certain records), marketing to you as a prospect or user, and operation of our own business, ImportOps acts as a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Where your organisation uses the Service to store personal data about your customers, suppliers, employees, or other third parties, your organisation is typically the controller and ImportOps processes that personal data only on documented instructions as a processor, as further described in our Data Processing Agreement.

2.2Paddle as merchant of record

Payment card and certain subscription data are collected and processed by Paddle as merchant of record. Paddle acts as an independent controller for that processing. Please review Paddle's privacy notice and buyer terms: Paddle legal terms for buyers.

3.Personal data we collect

The categories of personal data we may process include:

3.1Identity and contact data

Name, email address, telephone number, job title or role, and similar identifiers provided at registration, in your profile, on support tickets, or in demo request forms.

3.2Organisation data

Organisation name, country, branding assets, configuration settings, and identifiers linking Users to an Organisation.

3.3Operational and Content data

Data you or your Users enter into the Service, which may include personal data relating to your customers, suppliers, drivers, or staff (for example names, contact details, addresses, notes, and documents or images that identify individuals). Uploaded images may contain embedded metadata (such as EXIF data) which can include GPS coordinates, device identifiers, and timestamps; this metadata is processed as part of the Content.

3.4Technical and usage data

IP address, browser type, device identifiers, approximate location derived from IP, log and diagnostic data, API request metadata, and security-related events. We aim to minimise personal data in logs.

3.5Communications

Records of email and in-app support conversations, feedback, and survey responses where you choose to provide them.

4.Purposes and legal bases

We process personal data for the following purposes and on the following legal bases:

• Performance of a contract (Article 6(1)(b) UK GDPR): to provide the Service, authenticate Users, manage Organisations, and deliver features you request.
• Legitimate interests (Article 6(1)(f) UK GDPR): to secure the Service, prevent fraud and abuse, troubleshoot errors, analyse aggregated usage to improve the product, and communicate service-related notices, where such interests are not overridden by your rights.
• Consent (Article 6(1)(a) UK GDPR): where required for non-essential cookies, certain marketing communications, or other processing we expressly offer on a consent basis. You may withdraw consent at any time without affecting lawfulness of processing before withdrawal.
• Legal obligation (Article 6(1)(c) UK GDPR): to comply with law, court orders, or regulatory requests, and to retain records where statute or tax law requires.

5.Artificial intelligence processing

1. Certain features send Content (for example images or transcribed text from documents) to third-party AI or OCR providers, currently including OpenAI and Google Cloud Vision, to perform extraction or structuring you initiate.
2. We do not include your account email address or profile fields in the API payloads for those features; however, Content itself may contain names, contact details, or other identifiers if they appear on a document or image.
3. Under the current terms of the OpenAI API and Google Cloud Platform, customer API data is not used to train foundation models as described in their published policies; those terms may change and you should review the providers' documentation periodically.
4. You remain responsible for verifying outputs before operational or compliance use. See also our Terms of Service.

6.Disclosures and processors

We disclose personal data to:

1. Service providers who host infrastructure, provide databases, deliver email, provide security and bot management, and perform similar processing on our instructions and subject to written terms consistent with Article 28 UK GDPR where applicable.
2. Paddle for payment processing as described above.
3. Professional advisers where required (for example lawyers or accountants) under confidentiality obligations.
4. Authorities when we believe disclosure is required by law or necessary to protect rights, safety, or security.

A current list of key sub-processors is summarised in this policy; a more detailed list is available on request and may be updated from time to time. Where we act as processor, engagement of new sub-processors is handled as set out in the DPA.

7.International transfers

Primary hosting for the Service is in the European Union (Ireland). Some processors are located in the United States or other countries. Where personal data is transferred outside the UK or EEA, we implement appropriate safeguards such as the UK extension to the EU-US Data Privacy Framework, UK International Data Transfer Agreement / Addendum, or standard contractual clauses approved for UK use, as applicable to the transfer.

8.Retention

1. Active accounts: we retain personal data for as long as the Organisation maintains an account and thereafter for a reasonable period to allow export, dispute resolution, and winding-down.
2. Closed accounts: we delete or anonymise personal data within a reasonable period after closure, except where retention is necessary for legal, regulatory, tax, or accounting purposes (for example up to six (6) years for certain UK records where applicable).
3. Logs and security data: retained for shorter periods and pruned automatically where configured.
4. Demo requests: retained for follow-up and security monitoring for a limited period.

9.Security measures

We implement appropriate technical and organisational measures having regard to the nature of processing and the risk to individuals, including encryption in transit, access controls, segregation of environments, and staff confidentiality obligations. No system is completely secure; you should protect credentials and report suspected incidents promptly.

10.Data portability and subject access

1. You may export certain Organisation data in structured machine-readable form using in-product tools where available (for example JSON export from settings).
2. Certain records may be exported as PDF (for example printable vehicle or workshop documents).
3. For a comprehensive copy of personal data we hold about you, or to exercise other rights, contact privacy@import-ops.com. We may need to verify your identity and, where you are a User of an Organisation, coordinate with your organisation's administrator where the data is processed on their behalf.

11.Personal data breaches

If we become aware of a personal data breach that affects you or your Organisation and poses a risk to rights and freedoms, we will notify affected controllers or individuals without undue delay and provide information reasonably required for your own regulatory notifications, where applicable. We will also notify the Information Commissioner's Office (ICO) or other supervisory authority when required by law.

12.Law enforcement and regulatory requests

We may disclose personal data where required by applicable law, regulation, legal process, or governmental request. Unless prohibited by law or court order, we will endeavour to notify the affected customer before disclosure and will seek to narrow production to what is legally required.

13.Your rights under UK GDPR

Subject to conditions and exemptions in UK GDPR, you may have the right to:

1. request access to personal data we hold about you;
2. request rectification of inaccurate data;
3. request erasure ("right to be forgotten") in certain circumstances;
4. request restriction of processing;
5. receive personal data you provided in a structured, commonly used, machine-readable format (data portability) where processing is based on consent or contract and is automated;
6. object to processing based on legitimate interests or for direct marketing;
7. withdraw consent where processing is consent-based;
8. lodge a complaint with the ICO (www.ico.org.uk) or, if you reside in another jurisdiction, with your local supervisory authority.

To exercise these rights, contact privacy@import-ops.com. We will respond within one (1) month in ordinary cases, extendable where permitted by law.

14.EEA, UK, and other jurisdictions

If you access the Service from the European Economic Area, the EU GDPR may also apply to certain processing; you enjoy substantially similar rights. If you are a California resident, the California Consumer Privacy Act as amended (CCPA/CPRA) may grant you additional rights; ImportOps does not "sell" personal information in the sense defined under CCPA/CPRA. Contact us to exercise applicable US state rights.

15.Cookies and similar technologies

We use cookies and similar technologies as described in our Cookie Policy. Non-essential cookies on our marketing site are blocked until you provide consent through our cookie banner.

16.Marketing communications

Where we send promotional emails, we will do so in line with applicable law (for example with consent or soft opt-in where available). You may opt out at any time using the unsubscribe link or by contacting us. Transactional and service messages (security alerts, billing, legal notices) may be sent without marketing opt-in.

17.Automated decision-making

We do not make decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects on individuals without human review in the Service as currently designed. AI features assist human users and require review before reliance.

18.Children

The Service is not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe we have collected such data, please contact us for deletion.

19.Changes to this policy

We may update this Privacy Policy to reflect legal, technical, or business developments. Material changes will be communicated by email to account administrators or by prominent notice in the Service or on our website, at least thirty (30) days in advance where practicable. Continued use after the effective date constitutes acceptance of the updated policy where law permits.

20.Contact and supervisory authorities

Data protection contact: privacy@import-ops.com
UK supervisory authority: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (www.ico.org.uk).