Last reviewed: May 2026. We review this policy at least annually and whenever our processing changes materially

Introduction

Econori Ltd ("we", "our" and "us") is committed to protecting and respecting your privacy. We comply with all applicable data protection legislation, including the UK General Data Protection Regulation, the EU General Data Protection Regulation (EU 2016/679) (GDPR) and the Data Protection Act 2018, and where applicable the California Consumer Privacy Act (CCPA) as amended by the CPRA.

This Privacy Policy ("Policy") sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us and what your rights are in relation to the personal data we hold about you. Please read this Policy carefully to understand our views and practices regarding your personal data and how we treat it.

Any capitalised terms used throughout this Policy have the same meaning as defined in our Terms of Service.

Our Website and Platform may, from time to time, contain links to and from the websites of third parties. If you follow a link to any of these websites, please note that the operators of these websites have their own privacy policies applying to the processing of your personal data and that we do not accept any responsibility or liability for their policies.

Data controller and contacts

If you visit and use our Website or Platform certain personal information from you may be collected and processed by us. As the legal entity owning and operating the Website and the Platform we are responsible for, and control the processing of, your personal data. Therefore, we are your data controller.

Where we process personal data on behalf of a business customer (for example, when their authorised users access our Platform), the customer is the data controller and Econori acts as a data processor under their instructions and the data processing agreement signed with them.

Data controller: Econori Ltd, 124 City Road, London, EC1V 2NX, United Kingdom.

General enquiries: hello@econori.com

Privacy enquiries and data-subject requests: privacy@econori.com or via the request form at econori.com/privacy-policy.

EU representative (Article 27 EU GDPR): eurep@econori.com.

Information we collect from you

"We do not collect or require you to provide us with any more information than necessary to enable us to provide you with our Services." We avoid excessive data collection and maintain a no-sale policy.

We may collect information when you access our Website, sign up for an account, use our Platform or contact us. This includes potentially identifying data, collected either directly (like employee details you input) or indirectly (such as IP addresses via cookies).

Personal information we collect includes:

•        business name;

•        business registered office address;

•        primary contact name, e-mail address and phone number;

•        employee name, e-mail address and job title;

•        username and log-in details;

•        technical and access log data (IP address, browser type, timestamp, requested URL), used solely for security monitoring and service operation;

•        any other personal information provided to us via e-mail.

We do not collect or process: government identification numbers (SSN, driver licence, passport), financial account or payment-card numbers, health or biometric data, precise geolocation, or any other special-category data under Article 9 GDPR.

This information is used to:

•        create and manage your account with us;

•        verify your identity;

•        provide you with our Services;

•        notify you of changes made to our Website, Platform, Terms or this Policy that may materially affect you;

•        answer and solve your queries;

•        improve the Services we offer.

Our Website is not intended for use by children under the age of 16 and we do not knowingly collect or use personal information relating to children.

The legal bases we rely on when processing your personal information

We can only process personal information when we have a legal basis to do so. The relevant legal bases are:

•        consent: you give us your clear consent to process your personal information for a certain specific purpose;

•        performance of a contract: where we need your personal information to perform our obligations under a contract we have with you;

•        legal obligations: if we need your personal information in order for us to comply with our legal obligations under applicable law;

•        legitimate interests: where we need your personal information for our legitimate interests (for example, securing our Platform, preventing fraud and abuse, and maintaining audit logs).

We rely on contractual performance when collecting and processing names, addresses, e-mail addresses, telephone numbers, job titles and log-in information. Without this information we cannot provide expected Services when you sign up for an account and use our Platform. If your account is cancelled, we will delete this information from our Platform within 30 days so that it is no longer available to our Users, unless we are obliged by applicable law to retain such information longer. We will, however, retain your generic business name and the generic business e-mail address on our internal database, so that we are aware that we should not contact you in the future for marketing and sales purposes.

We rely on your explicit consent when we send you any of our marketing materials, such as a newsletter or suggestions for suppliers that may be of interest to you. Without such consent, we will not use your personal information for any marketing purposes. Once you have given your consent, you can at any time withdraw your consent by contacting us, by clicking on the unsubscribe link in e-mails sent out to you or by adjusting the settings in your dashboard.

Cookies

"We use cookies on our Website, but these cookies do not collect any personal information."

A cookie is a small text file which is placed onto your device (e.g. computer, smartphone or other electronic device) when you use our Website. Our Platform uses only strictly necessary session cookies required to authenticate you and keep you logged in. We do not load advertising cookies, third-party tracking pixels, beacons, or session-replay technology in the Platform.

Our public marketing website (econori.com) may, separately, use a limited number of analytics cookies to understand aggregated visitor behaviour. Where used, these are configured to collect information in an anonymised form (number of visitors, country, referring page, pages viewed) and are subject to your cookie preferences set on first visit.

Most web browsers allow you to adjust your cookie settings manually. For further information on cookies generally visit www.aboutcookies.org or www.allaboutcookies.org.

Who we share your personal information with

"Please note that we do not sell your personal information to any third party."

We do, however, technically share your information with third-party service providers (sub-processors) in order to operate the Platform and to manage our customer communications.

Our current sub-processors are:

•        Amazon Web Services EMEA SARL - cloud infrastructure hosting (eu-west-3, Paris, France);

•        Amazon Web Services EMEA SARL (Cognito) - managed user authentication;

•        Functional Software, Inc. (Sentry) - application error monitoring (PII redacted; no session replay);

•        GitHub, Inc. - source-code hosting and CI/CD (no customer production data);

•        HubSpot, Inc. and The Rocket Science Group LLC (Mailchimp) - customer-relationship management and marketing email (used only for individuals who have given consent).

Each sub-processor is bound by a written agreement requiring equivalent security and confidentiality protections. An up-to-date list is available on request and is published in our Data Processing Agreement.

We will share personal information with law enforcement or other authorities if required by applicable law.

We will not share your personal information with any other third party.

How we store your personal information

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or otherwise accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

All Platform data is stored within the European Union (Amazon Web Services, eu-west-3 / Paris). Data is encrypted at rest (AES-256) and in transit (TLS 1.2 or higher). Backups are retained for 7 days and stored within the same EU region. Production access is restricted to a small number of named engineering staff using multi-factor authentication.

We do not transfer personal data outside the United Kingdom or the European Economic Area without an appropriate safeguard in place (such as the UK International Data Transfer Agreement, the UK Addendum, or the EU Standard Contractual Clauses).

Once we have received your information, we and our third-party service providers will use strict procedures and security features to prevent unauthorised access.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so, and in the case of personal-data breaches affecting business customers, without undue delay and in any event within 72 hours of becoming aware.

We only retain your personal information for as long as we need it to fulfil the purposes for which we have initially collected it. If your personal information is not required anymore for contractual or statutory obligations, we normally delete it within 30 days of the end of the contract or your account being closed. We do retain your generic business name and generic business e-mail address in order to remember not to contact you for marketing and sales purposes in the future. However, we may retain certain data for longer to comply with the retention obligations of applicable laws, for example laws and regulations on taxes and the prevention of fraud and anti-money laundering.

Your rights

Under data protection laws, you have a number of rights which you can exercise free of charge. The rights relevant to you are:

•        Access to your personal information and to certain other supplementary information that this Policy is already designed to address.

•        Require us to correct any mistakes in your personal information which we hold.

•        Require the erasure of personal information concerning you in certain situations.

•        Receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations.

•        Object at any time to processing of personal information concerning you for direct marketing.

•        Object in certain other situations to our continued processing of your personal information.

•        Otherwise restrict our processing of your personal information in certain circumstances.

If you want to exercise any of your rights, please contact us using any of the following methods: (i) e-mail privacy@econori.com; (ii) complete the request form at econori.com/privacy-policy; or (iii) write to the postal address given under "Data controller and contacts" above. Please let us know what your request relates to and provide us with enough information to identify you. We may require you to provide us with proof of identity (such as a passport or driving license) and address in order to prevent misuse. We will acknowledge your request within 10 calendar days and respond substantively within 30 calendar days (extendable to 60 days for complex requests, in line with Article 12 GDPR).

Additional rights for California residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the CPRA), including the right to know what personal information we collect about you, the right to delete that personal information, the right to correct inaccurate personal information, the right to opt out of any sale or sharing of personal information, and the right to non-discrimination for exercising any of these rights.

Econori does not sell or share personal information for cross-context behavioural advertising. We provide at least two methods to submit a request: the e-mail address privacy@econori.com and the request form at econori.com/privacy-policy. We will respond to verifiable consumer requests within 45 calendar days, extendable by a further 45 days where reasonably necessary, free of charge.

Make a complaint

If you encounter any problems in relation to the use of your personal information, please contact us so we can try to resolve your query or concern.

You also have the right to lodge a complaint with the Information Commissioner Office (ICO) in the United Kingdom (our lead supervisory authority) at https://ico.org.uk/concerns/ or telephone 0303 123 1113, or with the supervisory authority in the EU member state where you work, normally live or where any alleged data infringement of data protection has occurred.

Changes to this Policy

From time to time, we may make changes to this Policy. The most recent version of our Policy can always be found here.

If you have an account with us and the changes materially affect you, we will inform you by e-mail 30 days prior to the changes coming into effect.

How to contact us

Questions, comments and requests regarding this Policy are welcomed and should be addressed via e-mail to privacy@econori.com (privacy-related matters) or hello@econori.com (general enquiries) or in writing to the address set out under the section Data controller and contacts.