Privacy Policy

Ellisdata is a trading name of Data Agile Ltd, a company registered in England and Wales (Company No. 14374464), with registered office at:

Email: support@ellisdata.co.uk

For the purposes of data protection law, Data Agile Ltd acts as Data Controller or Data Processor as described below.

This policy complies with the UK General Data Protection Regulation and the Data Protection Act 2018.

1. Scope of This Policy

This Privacy Policy explains how we collect, use and protect personal data when you:

• Visit our website
• Submit a contact or demo request
• Create or use a portal account
• Use our AP Automation and data services

Our services are intended for business users only.

2. Data Controller vs Data Processor

We act as Data Controller when:

• You submit website enquiries
• You create or manage a portal account
• We administer contracts and billing

We act as Data Processor when:

Clients upload business data (including invoices, supplier and customer information) to our platform.

In these cases:

• The Client is the Data Controller.
• The Client determines the purpose and lawful basis for processing.
• We process personal data only in accordance with documented instructions and contract.

Where we act as Data Processor, individuals should direct data protection requests to the relevant Client organisation.

3. Categories of Personal Data We Collect

A. Website Enquiries

• Name
• Email address
• Company name
• Phone number (if provided)
• Information included in your message

B. Portal Account Data

• Name
• Business email address
• Authentication data
• Account activity logs

We use passwordless authentication with email OTP and multi-factor authentication (MFA).

C. Client Service Data (Uploaded by Clients)

Clients may upload:

• B2B invoices
• Supplier information
• Customer information
• Financial records
• ERP-linked data (e.g. QuickBooks or Xero integrations)

We do not independently verify the accuracy or legality of Client Data.

D. Technical and Usage Data

When you access our website or portal, we may collect:

• IP address
• Browser type
• Device information
• Log files
• Usage and diagnostic data

This is collected for security, monitoring and system improvement purposes.

4. How We Use Personal Data

We process personal data to:

• Respond to enquiries
• Provide contracted services
• Operate and secure our platform
• Authenticate users
• Integrate with third-party systems when authorised
• Maintain accounting and compliance records
• Monitor performance and detect misuse

We do not sell personal data.

We do not use Client invoice data for marketing purposes.

We are not responsible for the accuracy, legality, or content of data uploaded by Clients.

5. Lawful Basis for Processing

We rely on the following lawful bases:

• Legitimate Interest – responding to enquiries and maintaining system security
• Contract – providing services to Clients and managing accounts
• Consent – where marketing communications are sent

We do not automatically subscribe individuals to marketing lists.

6. Marketing Communications

We may send marketing communications only where:

• Explicit consent has been provided; or
• We are otherwise permitted to do so under applicable law.

You may withdraw consent at any time by using the unsubscribe link or contacting support@ellisdata.co.uk.

We do not share marketing lists with third parties.

7. Hosting and Sub-Processors

Data is hosted in Microsoft Azure (UK South region only).

We may use the following service providers:

• Microsoft – cloud infrastructure
• IONOS – email hosting
• Intuit – QuickBooks integration (client initiated)
• Xero – Xero integration (client initiated)

ERP integrations occur only when Clients choose to connect their accounts.

8. International Transfers

We do not intentionally transfer personal data outside the United Kingdom.

Where third-party providers are engaged, appropriate safeguards are implemented in accordance with applicable data protection law.

9. Security Measures

We implement appropriate technical and organisational measures including:

• Encryption at rest and in transit
• Managed identity authentication
• Role-based access controls
• Network isolation and IP restrictions
• Virtual private networking
• Secure database configuration
• Multi-factor authentication

Access to personal data is restricted to authorised personnel with a legitimate business need.

No system can be guaranteed to be completely secure.

10. Data Retention

We retain:

• Client financial and invoice data for up to six (6) years for accounting and legal compliance purposes
• Backup data in line with the same period
• Website enquiry data for up to 30 days unless ongoing communication requires longer retention

Retention periods may be extended where necessary for the establishment, exercise, or defence of legal claims.

11. Automated Decision Making

Our platform provides automation and AI-assisted recommendations.

We do not carry out fully automated decision-making that produces legal or similarly significant effects on individuals under Article 22 UK GDPR.

Final decisions remain under Client control.

12. Special Category Data

We do not intentionally process:

• Health data
• Criminal conviction data
• Biometric data
• Political or religious information

The platform is designed for general B2B invoice processing.

13. Your Rights

Under UK data protection law, individuals have the right to:

• Access personal data
• Request correction
• Request deletion
• Restrict processing
• Object to processing
• Request data portability (where applicable)

To exercise these rights, contact: support@ellisdata.co.uk

Where we act as Data Processor, requests should be directed to the relevant Client organisation.

You also have the right to lodge a complaint with the:

Information Commissioner's Office

14. Cookies and Analytics

We use essential cookies required for platform functionality.

We use Azure Application Insights for system monitoring and diagnostics.

We do not use advertising or marketing tracking cookies.

Non-essential cookies are not deployed without appropriate consent.

A separate Cookie Policy provides further details.

15. Changes to This Policy

We may update this Privacy Policy from time to time.

The most current version will always be available on our website.