Effective date: 1 January 2026
Last updated: 30 April 2026
Version: 2.1
1. Overview
This Privacy Policy explains how Ironledge Limited ("Ironledge", "we", "us", or "our") collects, uses, stores, shares and protects personal data when you use our website, APIs, platform, or contact us. It applies to all users including visitors to ironledge.io, API customers, and anyone who contacts us.
We are committed to protecting your privacy and handling your personal data in an open and transparent manner in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all applicable EU data protection law.
2. Who We Are
The data controller is:
- Ironledge Limited
- Registered in England & Wales (Company No. 12345678)
- Registered office: 1 Open Finance Street, London, EC2V 8AE, United Kingdom
- FCA Authorised — FRN 987654
- ICO Registration No. ZA123456
Our Data Protection Officer can be contacted at info@ironledge.co.uk.
3. Data We Collect
3.1 Data you provide directly
- Account registration: name, email address, company name, role, and password
- Contact forms: name, email, company, enquiry type, and message content
- Billing: billing address, VAT number (payment details are processed by our PCI-DSS certified payment processor and are not stored by us)
- Support requests: any information you include in a support ticket or email
- Marketing preferences: newsletter subscriptions and communication preferences
3.2 Data collected automatically
- Usage data: API call logs, endpoint usage, error rates, and request volumes (used for billing and reliability monitoring)
- Log data: IP addresses, browser type, operating system, referring URLs, and access timestamps
- Cookies and similar technologies: session cookies, analytics cookies, and preference cookies (see Section 10)
- Device data: device type, screen resolution, and language settings
3.3 Data from third parties
- Identity verification: we may receive verification data from identity verification providers when you onboard as a customer
- Payment data: transaction confirmation data from our payment processor (Stripe)
- Open banking data: if you use our API to connect bank accounts, we process financial data solely on your behalf as a data processor — your end-users are your responsibility as data controller
4. How We Use Your Data
We use personal data for the following purposes:
- Service delivery: provisioning API keys, managing your account, processing payments, and providing customer support
- Communications: responding to enquiries, sending transactional emails (receipts, alerts, password resets), and service updates
- Marketing: sending newsletters, product updates, and promotional content where you have given consent or where we have a legitimate interest
- Security and fraud prevention: monitoring for suspicious activity, protecting our systems and users, and complying with our FCA obligations
- Analytics and improvement: understanding how our platform is used to improve features and performance
- Legal compliance: meeting our regulatory obligations including FCA, HMRC, and AML requirements
- Business operations: invoicing, financial reporting, and audit trail maintenance
5. Legal Basis for Processing
Under UK GDPR, we rely on the following legal bases:
- Contract (Art. 6(1)(b)): processing necessary to perform our contract with you (account management, API provision, billing)
- Legitimate interests (Art. 6(1)(f)): fraud prevention, security monitoring, product analytics, and B2B marketing to existing customers
- Legal obligation (Art. 6(1)(c)): compliance with FCA regulations, AML requirements, and tax law
- Consent (Art. 6(1)(a)): marketing communications to prospects, analytics cookies, and any processing where we have asked for your explicit consent
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
6. Sharing Your Data
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
6.1 Service providers (processors)
We use carefully selected third-party providers to help deliver our services:
- Infrastructure: AWS (cloud hosting) — EU/UK data residency
- Payments: Stripe (payment processing) — PCI-DSS Level 1
- Analytics: Mixpanel (product analytics) — EU data processing
- Support: Intercom (customer support) — EU data processing
- Email: SendGrid (transactional email)
- Identity verification: Onfido (KYC/AML checks)
6.2 Legal and regulatory
We may disclose data where required by law, court order, regulatory authority (including the FCA), or to protect the rights, property or safety of Ironledge, our customers, or the public.
6.3 Business transfers
In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity. We will notify affected users prior to any such transfer.
7. International Data Transfers
Your data is primarily stored and processed within the UK and European Economic Area (EEA). Where we transfer data outside these regions (e.g. to US-based sub-processors), we ensure appropriate safeguards are in place including:
- UK International Data Transfer Agreements (IDTAs)
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
A full list of our sub-processors and transfer safeguards is available on request at info@ironledge.co.uk.
8. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this policy or as required by law:
- Account data: retained for the duration of the contract plus 7 years (UK Companies Act and tax obligations)
- API logs: 90 days for operational purposes; anonymised aggregates retained indefinitely
- Support tickets: 3 years from resolution
- Marketing data: until consent is withdrawn or 2 years of inactivity
- Billing records: 7 years (HMRC requirements)
- AML/KYC records: 5 years from end of customer relationship (Money Laundering Regulations 2017)
After the applicable retention period, data is securely deleted or anonymised.
9. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: request a copy of the personal data we hold about you (Subject Access Request)
- Right to rectification: request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): request deletion of your data where we no longer have a legal basis to retain it
- Right to restrict processing: ask us to limit how we use your data in certain circumstances
- Right to data portability: receive your data in a structured, machine-readable format
- Right to object: object to processing based on legitimate interests or for direct marketing
- Rights related to automated decision-making: not be subject to solely automated decisions with significant effects
- Right to withdraw consent: where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact our DPO at info@ironledge.co.uk or write to us at our registered address. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113.
10. Cookies
We use cookies and similar tracking technologies on our website. The categories we use are:
- Strictly necessary: session management, authentication, and security (no consent required)
- Analytics: understanding how visitors use our site (requires consent)
- Preferences: remembering your settings and language preferences (requires consent)
- Marketing: personalised content and retargeting (requires consent)
You can manage cookie preferences at any time via our cookie banner or your browser settings. For full details, see our Cookie Policy available at cookie-policy.html.
11. Security
We implement industry-leading technical and organisational security measures to protect your personal data, including:
- AES-256 encryption at rest and TLS 1.3 in transit
- Zero-trust network architecture with role-based access controls
- Annual penetration testing by accredited third-party firms
- 24/7 security monitoring and automated threat detection
- ISO 27001 certified information security management system
- SOC 2 Type II controls in progress
In the event of a personal data breach that poses a risk to individuals, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR Article 33.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by:
- Posting a notice on our website and in the developer dashboard
- Sending an email to the address associated with your account
- Updating the "Last updated" date at the top of this policy
Your continued use of our services after the effective date of any changes constitutes acceptance of the updated policy.