Privacy policy
Last updated: 7 July 2026 | Version 2.2
Version 2.2 (7 July 2026) is a clarity-and-accuracy update. It confirms that we use only aggregated, de-identified data to improve the platform and that we never market to a Business Owner's own customers; makes our international-transfer wording precise and conservative; states Xero's location consistently; changes our data-breach commitment to "without undue delay" (still aiming for 24 hours); clarifies how we treat sole-trader and partnership contacts under PECR; and reconciles our 30-day deletion commitment with the tax records the law requires us to keep. No right you have was reduced.
1. Who we are and our roles
OptiTech Automation is run by one person — Cristian Moise-Putanu, sole trader, Torquay, Devon. We control our own operational data and process booking and worker data on behalf of the trade businesses that subscribe to our platform.
OptiTech Automation is operated by Cristian Moise-Putanu, sole trader, Torquay Devon, UK. Registered with the Information Commissioner's Office (ICO) under registration number C1963975. For privacy questions:
OptiTech Automation operates in two distinct data-protection roles depending on whose data is being processed:
- Data Controller (our own operations): We are the Data Controller for platform operational data — including Business Owner account and subscription records, marketing site analytics, lead enquiries, support communications, and billing history. We decide how and why this data is processed.
- Data Processor (on behalf of Business Owners): When a subscribing trade business ("Business Owner") uses our platform to manage their customers and workers, we process that customer and worker data on the Business Owner's behalf. The Business Owner is the Data Controller for their customers' and workers' data. We act on their documented instructions. We do not use that personal data for our own commercial purposes, and we never market to a Business Owner's own customers. The only exception is that we may create and use aggregated, de-identified data — information that does not identify, and cannot reasonably be used to identify, any individual — to keep the platform secure, understand how it is used, and improve it. Aggregated data of that kind is not personal data. This is described in Clause 8.5 of the Business Owner Terms, and we do not sell personal data to anyone.
This policy covers both roles so that every person whose data touches our platform knows exactly how it is handled.
Contact for data protection queries: privacy@optitechautomation.co.uk or legal@optitechautomation.co.uk.
2. The three-party data model
Three groups of people interact with our platform. Each group has its own section below explaining exactly what data we hold, why, and for how long.
OptiTech Automation serves three distinct groups. Understanding which group you belong to tells you which part of this policy applies to you and who to contact if you want to exercise your rights.
- Business Owners Trade businesses (plumbers, electricians, gas engineers, cleaners, builders) that subscribe to OptiTech Automation to manage their bookings, workers, and customers. OptiTech Automation is the Data Controller for Business Owner account and billing data. Section 3 covers this group.
- Workers Employees or self-employed persons engaged by Business Owners who use our worker mobile app to manage their job assignments and schedule. The Business Owner is the Data Controller for worker data; OptiTech Automation processes it as Data Processor. Section 4 covers this group.
- Customers End consumers who book trade services through a Business Owner's branded booking page powered by OptiTech Automation. The Business Owner is the Data Controller for customer booking data; OptiTech Automation processes it as Data Processor. Section 5 covers this group.
3. Business Owners
We are the Data Controller for your account, billing, and enquiry data. We hold it to run your subscription, respond to your questions, and keep the platform running.
3a. Marketing site visitors
When you browse optitechautomation.co.uk without submitting a form, we collect anonymous page-view analytics only — pages visited, approximate session duration, device type, and browser type. We do not set analytics cookies without your explicit consent via the cookie banner. If you chat to our website assistant ("Sarah", an automated assistant powered by AI), we also store the questions you type, together with a SHA-256 hashed (non-reversible) IP and a random session reference, so we can answer better and improve the service. We do not use this to identify you, we do not link it to any account, and you do not need to give your name or email to use the chat. These questions are held separately from any contact details and automatically deleted after about 6 months. Please avoid typing sensitive personal information into the chat.
Legal basis: Art. 6(1)(f) UK GDPR — legitimate interests in understanding how our marketing site and website assistant are used so we can improve them. You can object at any time using the contact details below.
3b. Lead enquiries (booking demo / contact form)
When you submit an enquiry, we collect: your name, email address, business name, trade type, postcode, and estimated monthly booking volume.
Purpose: to respond to your enquiry and determine whether our platform is a good fit for your business. We do not add you to a marketing list without your separate opt-in.
Legal basis: Art. 6(1)(f) UK GDPR — legitimate interests in responding to inbound business enquiries.
Retention: 24 months from your last contact, then securely deleted.
3c. Subscribers (account and billing data)
When you subscribe, we hold: your name, business name, email address, postal address, telephone number, subscription tier, Stripe customer ID, Xero OAuth connection status, billing history, and support communications.
Purpose: to manage your subscription, process payments, provide platform access, send service communications (renewal reminders, maintenance notices), and respond to support requests.
Legal basis: Art. 6(1)(b) UK GDPR — performance of a contract for subscription management and billing. Art. 6(1)(c) — legal obligation for tax record retention. Art. 6(1)(f) — legitimate interests for service communications and platform security.
Retention: account data is retained for the duration of your subscription and for 7 years after your subscription ends, to comply with HMRC record-keeping obligations. Support communications are retained for 3 years. Server and access logs are retained for 90 days.
The Pledge — data export: The Pledge (clause 2 of your subscription agreement): when you ask, we will export all your data in CSV or PDF format promptly — we aim for the next Business Day (any weekday that is not a bank holiday in England & Wales) and commit to no later than five Business Days. On account closure, we will securely delete the Customer and Worker data we process for you within 30 days of your account being closed or of a written deletion request. Two honest qualifications apply to that 30-day commitment: (a) some account and billing records must be kept for up to 7 years because tax law requires it (see "Retention" below); and (b) we may hold data a little longer where the law requires it or where it is needed for a live legal claim — in which case we tell you what we are keeping and why. Everything else is deleted within the 30 days.
3d. Prospective business customers (business-to-business outreach)
From time to time OptiTech Automation contacts businesses that have not previously enquired, to introduce the platform. This is business-to-business outreach, and OptiTech Automation is the Data Controller for it. The data we process is limited to business-contact information — typically a business name, a business email address, a trade type, an approximate location, and a note of where we found the information. We obtain it from public and business sources, such as business directories, company websites, and public registers. Our lawful basis for holding and using this data is Art. 6(1)(f) UK GDPR (legitimate interests) in introducing a relevant business tool to other businesses, and we have carried out a Legitimate Interests Assessment. Separately, we respect the Privacy and Electronic Communications Regulations 2003 (PECR), which treat a sole trader and a non-LLP partnership as an "individual subscriber": we do not send unsolicited electronic marketing to an individual subscriber without the consent PECR requires. Where we send electronic marketing to a corporate subscriber (such as a limited company or a limited liability partnership) we rely on the PECR business-to-business position together with our legitimate interests. Every message identifies us and includes a one-click unsubscribe, and if you object or unsubscribe we stop contacting you and suppress your details from further outreach. We keep outreach records for no longer than 24 months from our last contact with you, and delete them sooner on request. To opt out or object at any time, email privacy@optitechautomation.co.uk.
4. Workers
OptiTech Automation is NOT the Data Controller for your data — your employer or principal (the Business Owner) is. If you want to access, correct, or delete your data, contact the Business Owner who gave you access to the app. OptiTech Automation processes your data as a processor on the Business Owner's instructions.
The Business Owner who gave you access to the OptiTech Automation worker app is the Data Controller for your personal data. They must have provided you with their own privacy notice explaining how they use your data. Contact them directly to exercise your data rights. OptiTech Automation will assist the Business Owner in fulfilling your request.
4a. Data we process on behalf of your Business Owner
Depending on what the Business Owner has configured, we may process the following data about you:
- Name, email address, telephone number
- Profile photo (if uploaded)
- Trade skills, professional certifications, and Gas Safe registration number (where applicable)
- Employment or engagement status as configured by the Business Owner
- Job assignments: job details, scheduled start and end times, site address, and customer contact information (shared on a need-to-know basis for the specific job only)
- Job completion records: timestamps, photos uploaded at completion, notes, and records of work completed as entered by the worker at the point of completion
- Real-time GPS location data during active job assignments (via Mapbox) — collected only when you are logged in and marked as "on duty"
4b. Location data
When you are logged into the app and your status is set to "on duty", your GPS location is collected and used to provide routing information (via Mapbox) and to support efficient job dispatch by the Business Owner. Location data is not retained by Mapbox beyond the routing session. Location history within the OptiTech Automation platform is retained for the period configured by the Business Owner, subject to an absolute maximum of 90 days from the date of the job to which each location record relates. After that maximum, location history is automatically purged at platform level. The Business Owner may configure a shorter retention period. If the Business Owner's privacy notice to you specifies a period shorter than 90 days, that shorter period applies. The 90-day maximum is a platform-level control set by OptiTech Automation to comply with the storage limitation principle in UK GDPR Article 5(1)(e) and cannot be extended by Business Owner configuration.
4c. Offline caching
The worker app is offline-capable. When you lose mobile signal, the app stores your job schedule and relevant customer contact details locally on your device for up to the period configured by the Business Owner (maximum 48 hours). This cached data is encrypted on-device where your operating system supports it. You must maintain a screen lock on your device. If your device is lost or stolen, report it to the Business Owner immediately.
4d. Retention
- Worker profile data: deleted within 30 days of your account being closed or your engagement with the Business Owner ending.
- Job records: retained per the Business Owner's retention policy (the Business Owner controls this).
- Proof photos (job-completion photographs): deleted 90 days after the booking is completed, unless the Business Owner has configured a longer period for their own legal or warranty purposes.
To exercise your data rights (access, rectification, erasure, restriction, portability, objection): contact the Business Owner who engaged you. You may also email privacy@optitechautomation.co.uk and we will forward your request to the relevant Business Owner within 5 business days.
5. Customers
OptiTech Automation is NOT the Data Controller for your booking data — the trade business you booked with is. For data rights (access, erasure, correction), contact that business directly. OptiTech Automation processes your data as a secure booking platform on their behalf.
When you book a trade service through a booking page powered by OptiTech Automation, your contract is with the Business Owner (the trade business). They are the Data Controller for your personal data. OptiTech Automation processes your data as a Data Processor on the Business Owner's behalf. For any data rights request, contact the Business Owner whose name appears in your booking confirmation. If you cannot reach them, email privacy@optitechautomation.co.uk and we will assist.
5a. Data we process on behalf of the Business Owner
When you make a booking, the following data is processed through our platform:
- Your name, email address, and telephone number
- Your service address (where the trade work will be carried out)
- Booking details: trade service type, preferred date and time, any notes you add at booking
- Payment confirmation reference (your card details are processed exclusively by Stripe and are never stored by OptiTech Automation or the Business Owner)
- Job history and any notes recorded by the attending worker
5b. Payments
Your deposit or full payment is processed by Stripe on behalf of the Business Owner. The Business Owner holds their own Stripe account; OptiTech Automation never holds, receives, or controls your funds. Stripe's privacy policy (stripe.com/gb/privacy) governs the processing of your payment card data. OptiTech Automation retains only the payment confirmation reference (a transaction ID, not your card number) for 7 years for tax record-keeping purposes.
5c. Who sees your data
Your booking details and contact information are shared with the worker assigned to your job, solely to enable them to attend and complete the booked service. Your data is not shared with any other party without your consent or a lawful legal basis.
5d. Retention
Booking data (name, contact, service details, job history) is retained per the Business Owner's data retention policy. Payment reference numbers are retained for 7 years for tax purposes. Proof photos uploaded by the attending worker are deleted 90 days after job completion.
To access, correct, or delete your booking data: contact the Business Owner whose name is in your booking confirmation. To complain about data handling: contact the Business Owner first, then the ICO at ico.org.uk or 0303 123 1113.
6. Who we share data with (sub-processors)
Like every modern online service, we rely on a small set of specialist, industry-standard technology providers to run the platform — for hosting, the database, payments, email, maps, and similar. We believe in naming them all rather than hiding them behind a vague phrase, so you can see exactly who is involved. There are sixteen we use in the normal course of running the service, plus two more (CAPTCHA protection and image moderation) that are engaged only when the related optional feature is switched on. Each one is bound by a data processing contract, receives only the data it needs to do its job, and is required to protect it. We do not sell your data, and we never use it for advertising.
OptiTech Automation uses the following sub-processors to deliver platform services. All sub-processors are bound by data processing agreements and are required to implement equivalent data protection standards.
| Provider | Service | Location | Transfer safeguard |
|---|---|---|---|
| Vercel Inc. | Website and platform hosting, CDN, serverless functions | United States (EU edge nodes available) | UK Extension to the EU-US Data Privacy Framework |
| Supabase Inc. (via AWS eu-central-1) | PostgreSQL database and file storage | European Union (Frankfurt) | UK-EU Adequacy Decision (DPA 2018 s.17A, 28 June 2021) |
| Stripe Inc. / Stripe Payments UK Ltd | Payment processing via Stripe Connect (Business Owner sub-accounts) | United States / United Kingdom | UK Extension to EU-US Data Privacy Framework; UK Addendum to EU Standard Contractual Clauses |
| Xero | Accounting integration — draft invoice creation via OAuth on Business Owner's behalf | United Kingdom (contracting entity); Xero group headquartered in New Zealand | Contracted through Xero's UK entity under its data processing agreement; any transfer to a Xero group company (including in New Zealand or Australia) is covered by appropriate safeguards |
| Resend Inc. | Transactional email delivery (booking confirmations, job notifications) | United States | UK Extension to the EU-US Data Privacy Framework (Resend's DPF certification reference verified annually by OptiTech Automation; UK IDTA as fallback where certification lapses). |
| Twilio Inc. | SMS notifications and telephony (ETA alerts, job reminders) | United States | UK Extension to the EU-US Data Privacy Framework |
| Mapbox Inc. | Mapping, routing, and worker GPS location during active job assignments | United States | UK Extension to the EU-US Data Privacy Framework; no personal data retained by Mapbox beyond the routing session |
| Anthropic PBC | AI inference. Powers the in-platform AI assistant and AI features that draft or summarise text (for example the website assistant "Sarah", inbound-email triage, and content drafting). Note: the "Keith" dispatch engine is rule-based and does not use Anthropic or any other AI model. | United States | UK Extension to the EU-US Data Privacy Framework where certified, with the UK International Data Transfer Agreement (IDTA) as fallback. Supplementary measure: Anthropic does not train its models on data submitted through the API. Personal data may be included where it is necessary to perform the feature (for example lead details, inbound-email content, or website-chat text); only the data needed is sent. |
| Groq, Inc. | Fast AI inference — the "engine" behind our website assistant ("Sarah"), our sorting of inbound email, and the drafting of sales and support replies. It receives only the text needed for the task in hand — for example the message a visitor types into the website chat, or the sender, subject, and body of an email being sorted, or lead contact details — and nothing more. It is not used for advertising, and the provider does not use what we send to train its models. | United States | Engaged under a data processing agreement, sending only the data needed for each request. Where a transfer to the US takes place, we rely on an appropriate safeguard — the UK Extension to the EU-US Data Privacy Framework where the provider is certified, or otherwise the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. |
| Telegram Messenger Inc. | Used only to send our own operator a short, private alert that something needs attention (for example a new lead, booking, or support message). We keep the personal data in an alert to the minimum needed to act on it — typically a name and an email address. | United States | We minimise the personal data included in these operator alerts and, where a transfer to the US takes place, rely on appropriate safeguards such as the UK IDTA or the UK Addendum to the EU Standard Contractual Clauses; where a suitable safeguard cannot be confirmed for a given alert, we reduce or omit the personal data sent. We keep this channel under review and will move to a mainstream operational channel where that better protects the data. |
| Cal.com, Inc. | Scheduling for demo and discovery calls. Receives the name, email address, and any notes or booking details a prospect provides when booking a call. | United States | Where a transfer to the US takes place, we rely on an appropriate safeguard such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, or Data Privacy Framework certification where the provider holds it. |
| postcodes.io | Look-up of geographic coordinates and area data from a UK postcode, used for routing and job matching. Receives customer and worker postcodes. | United Kingdom | United Kingdom — no overseas transfer. A postcode is submitted for look-up; no name or contact detail is sent. |
| Companies House (UK Government) | Look-up of publicly registered company and officer information to verify business details. Receives a company name or registration number. | United Kingdom | United Kingdom — no overseas transfer. Companies House is the UK statutory register of companies. |
| Upstash, Inc. (Redis) | Rate-limiting and abuse protection for the website and platform. Receives the visitor or client IP address and a request counter so we can block abusive traffic. | European Union / United States | Data is held in an EU or US region depending on configuration. EU processing relies on the UK-EU adequacy decision; any US transfer is made under the UK IDTA or the UK Addendum to the EU Standard Contractual Clauses. |
| Functional Software, Inc. (Sentry) | Error and performance monitoring so we can detect and fix faults. Receives technical diagnostic data about errors, which may incidentally include identifiers (such as a user or account reference, or data contained in an error) present at the moment a fault occurs. | United States / European Union | US transfers are made under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; EU processing relies on the UK-EU adequacy decision. |
| Apple, Google, and Mozilla push services | Delivery of the browser or app push notifications a user has chosen to receive. The relevant push service receives the routing token for the recipient device and the notification payload needed to deliver the message. Engaged only after the user opts in to push notifications. | United States and the device vendor's global infrastructure | Overseas transfers are covered by the relevant vendor's UK/EU transfer safeguards (Data Privacy Framework certification where available, otherwise the UK IDTA or the UK Addendum to the EU Standard Contractual Clauses). |
| hCaptcha (Intuition Machines, Inc.) | Bot and abuse protection on forms — engaged only when the CAPTCHA feature is enabled. When active, receives the visitor IP address and interaction signals needed to tell humans from bots. | United States | Engaged only when the CAPTCHA feature is enabled. US transfers are made under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. |
| Sightengine SAS | Automated image moderation for uploaded job or proof photos — engaged only when the photo feature is enabled. When active, receives the uploaded image for classification. | European Union (France) | Engaged only when the photo feature is enabled. European Union — relies on the UK-EU adequacy decision. |
We do not sell personal data to any third party. We do not use personal data for advertising or marketing profiling. Sub-processor changes are announced to Business Owners with at least 30 days' written notice.
7. Our legal bases for processing
UK GDPR requires us to have a lawful reason for every type of processing. Here are ours.
- Performance of a contract (Art. 6(1)(b)): Processing your Business Owner subscription account, billing, and platform access. Processing booking data on behalf of Business Owners for their customers.
- Legal obligation (Art. 6(1)(c)): Retaining tax and financial records for 7 years as required by HMRC. Responding to lawful requests from regulators or law enforcement. Maintaining data breach logs as required by UK GDPR Art. 33.
- Legitimate interests (Art. 6(1)(f)): Responding to inbound lead enquiries. Sending service notifications (renewal reminders, maintenance windows). Platform security monitoring and fraud prevention. Anonymous analytics to improve the marketing site. We have carried out a Legitimate Interests Assessment for each of these purposes and concluded that our interests are not overridden by your rights and interests.
- Consent (Art. 6(1)(a)): Setting non-essential cookies (analytics, functional) where you have given consent via the cookie banner. Email marketing communications to subscribers who have opted in. Consent is always freely given, specific, informed, and unambiguous. You may withdraw consent at any time.
8. International data transfers
Some of our technology providers are based in the United States. We ensure your data is protected by UK-approved transfer mechanisms whenever it crosses UK borders.
The UK GDPR restricts transfers of personal data to countries outside the UK unless an appropriate safeguard is in place. Some of our providers are based in, or route data through, the United States — these include our hosting, payment, email, SMS, mapping, AI-inference, error-monitoring, rate-limiting, and push-notification providers (for example Vercel, Stripe, Twilio, Mapbox, Resend, Anthropic, Groq, Sentry, Upstash, and the device push services). For each such transfer we put in place an appropriate safeguard: the UK Extension to the EU-US Data Privacy Framework (approved by the UK government on 12 October 2023) where the provider holds a current certification, and otherwise the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported where appropriate by a transfer risk assessment. We review the safeguard for each US provider periodically, and where we cannot confirm a suitable safeguard for a particular provider we minimise, or do not send, personal data to it. Separately, we keep our internal operator-alert channel (Telegram) to the minimum personal data needed and keep its use under review (see the table above).
Where a sub-processor is not certified under the Data Privacy Framework, we use Standard Contractual Clauses in the form of the UK International Data Transfer Agreement (IDTA) before any data is transferred.
Supabase stores all database data in the EU (Frankfurt). We rely on the UK-EU Adequacy Decision (adopted 28 June 2021 under DPA 2018 s.17A) for this transfer. We monitor the adequacy decision status and will activate the IDTA as a fallback if it is revoked.
Xero processes data through its UK entity under its own data processing agreement, which incorporates appropriate UK safeguards.
9. Your rights under UK GDPR
You have eight rights. We respond within one calendar month. Email privacy@optitechautomation.co.uk to exercise any of them.
Under UK GDPR Articles 15 to 22 and DPA 2018, you have the following rights in relation to your personal data. We will respond to all valid requests within one calendar month of receipt. Where we need more time (up to a further two months for complex requests), we will write to you within the first month to explain why.
- Access (Art. 15): Receive a copy of all personal data we hold about you, free of charge, within one month.
- Rectification (Art. 16): Ask us to correct inaccurate data or complete incomplete data without undue delay.
- Erasure (Art. 17): Ask us to delete your data where it is no longer necessary for the purpose it was collected, where you have withdrawn consent, or where the processing is unlawful. This right is subject to legal retention obligations (e.g. tax records).
- Restriction (Art. 18): Ask us to pause processing of your data while a dispute about accuracy or lawfulness is resolved.
- Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (CSV or JSON) for data processed by automated means on the basis of consent or contract. For Business Owner subscribers, The Pledge (clause 2) provides a prompt contractual export commitment — we aim for the next Business Day and commit to no later than five Business Days — which exceeds this statutory right.
- Objection (Art. 21): Object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your rights. You have an absolute right to object to processing for direct marketing purposes.
- Withdraw consent: Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Complain to the ICO: You have the right to lodge a complaint with the Information Commissioner's Office at any time.
To exercise any of these rights, email privacy@optitechautomation.co.uk. Please include your name and enough detail for us to identify your data. We respond within 30 days.
To complain to the ICO: ico.org.uk or 0303 123 1113 or Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
10. Security
We use encryption, access controls, and breach notification procedures to protect your data.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These include:
- TLS 1.2 or higher encryption for all data in transit
- AES-256 encryption for data at rest in our database (Supabase)
- Row-level security and tenant isolation in our database so no Business Owner can access another's data
- Encrypted local storage for any personal data cached on worker devices (where the operating system supports it)
- Least-privilege access controls: staff access to personal data is restricted to what is necessary for their specific role
- Regular security testing and assessment of our technical measures
If we become aware of a personal data breach, we will: notify the ICO without undue delay and, where required, within 72 hours of becoming aware (UK GDPR Art. 33); notify affected Business Owners without undue delay where their data is involved, aiming to do so within 24 hours; and notify affected individuals directly without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34). We maintain an internal breach log of all incidents.
11. Cookies
We use strictly necessary cookies by default. Non-essential cookies (analytics, preferences) are only set if you opt in via our cookie banner. No advertising or tracking cookies.
- Strictly necessary (no consent required): Session management cookies (keeping you logged in), CSRF protection tokens, and load-balancing identifiers. These cannot be disabled without breaking the platform.
- Functional (opt-in required): Preference cookies such as dismissed-banner state. Set only after you click "Accept" in the cookie banner.
- Analytics (opt-in required): Anonymous page-view analytics to help us understand which pages are useful. Set only after you give consent. No cross-site tracking. No advertising profiling.
We do not use advertising cookies, retargeting cookies, or any third-party tracking cookies. Transactional emails sent via Resend and service SMS sent via Twilio are not marketing communications and do not require PECR consent.
Cookie use is governed by the Privacy and Electronic Communications Regulations 2003 (PECR) and the ICO's Cookie and Similar Technologies guidance.
12. Changes to this policy
We will notify Business Owner subscribers of material changes. The date at the top of this page always shows when it was last updated.
We may update this policy from time to time to reflect changes in our services, sub-processors, or applicable law. When we make a material change, we will: update the "Last updated" date at the top of this page; send Business Owner subscribers an email notification at least 30 days before the change takes effect; maintain a summary of material changes on request (email privacy@optitechautomation.co.uk to request a previous version). Continued use of the platform after a material change has been notified constitutes acceptance of the updated policy. If you do not accept a material change, Business Owner subscribers may terminate their subscription in accordance with The Pledge (30 days' written notice, no exit fees).
13. Contact us
For any privacy question, data rights request, or data breach report:
To complain to the regulator: Information Commissioner's Office, ico.org.uk, 0303 123 1113, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.