1. Who we are
This Privacy Policy is issued by Packlah Ltd (“Packlah”, “we”, “us”, “our”), a company registered in England and Wales. Packlah Ltd is the data controller for the personal data we process in connection with the Packlah marketing site (packlah.io) and the Packlah application (app.packlah.io).
If you need to reach our privacy team, see section 13.
2. What data we collect
We collect the following categories of personal data:
Account data
- Name and work email address
- Company name, role, and country
- Authentication identifiers (hashed password, or SSO tokens)
- Account preferences and settings
Billing data
- Company billing address and VAT number
- Payment method tokens (we do not see or store your card details - see section 5)
- Invoice history and subscription tier
Usage data
- Pages visited within the marketing site and the app
- Features used, calculations run, and reports generated
- Approximate location derived from IP address
- Device, browser, and operating system metadata
- Timestamps of access events
Customer content
- SKU catalogues, material breakdowns, recycled content data, and any other product information you upload or sync into Packlah
- Calculation outputs and historical snapshots
- Documents and files you upload to the workspace
Customer content is data that belongs to your business. We process it on your behalf to provide the Service - see the separate Data Processing Addendum (DPA) available on request for the contractual terms that apply.
Marketing and support data
- Communications you send us via email, the in-app chat, or contact forms
- Marketing preferences and consent records
- Survey or feedback responses
3. How we use your data
We process personal data for the following purposes:
- To provide the Service - including running calculations, storing your SKU catalogue, generating reports, and surfacing data through the app interface.
- To bill you - processing subscription payments, sending invoices, and chasing late payment where applicable.
- To support you - responding to support tickets, answering questions, and helping you use the product.
- To improve the Service - aggregated and anonymised usage analytics inform product decisions. We do not use customer content for this purpose without explicit consent.
- To communicate with you - service updates, security notices, billing notices, and (with consent) marketing emails.
- To meet legal obligations - including tax record-keeping, anti-fraud measures, and responding to lawful requests from regulators.
- To protect Packlah and our customers - security monitoring, access logging, and abuse prevention.
4. Legal basis for processing
Under the UK GDPR we must have a lawful basis for processing personal data. The bases we rely on are:
- Contract - processing necessary to provide the Service you signed up for and to take pre-contractual steps at your request.
- Legitimate interests - product improvement, security monitoring, fraud prevention, and direct B2B marketing to business contacts of customers and prospects, where this is balanced against your interests and rights.
- Legal obligation - tax, accounting, and other statutory requirements.
- Consent - certain marketing communications, optional analytics cookies, and any processing of customer content for purposes beyond providing the Service.
Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
5. Who we share data with
We share personal data only with third parties who process it on our behalf as data processors, under written contracts that meet UK GDPR Article 28 requirements. Our main processors are:
- Vercel Inc. - hosting of the marketing site and app frontends.
- Supabase Inc. - application database, authentication, and storage. Customer content and account data sit here, in UK-region infrastructure where available.
- Stripe Payments UK Ltd - subscription payment processing. Card details are submitted directly to Stripe and never reach our servers.
- Email infrastructure providers - for transactional and marketing email. Current providers are disclosed in our DPA.
- Customer support platform - for handling support tickets and chat conversations.
- Analytics providers - for aggregated, IP-anonymised usage analytics.
We may also disclose data where required by law, in response to lawful requests from public authorities, or in connection with a sale or restructuring of our business. We will notify customers in advance where lawful to do so.
We do not sell personal data. We do not share customer content across customers.
6. International transfers
Some of our processors are based outside the UK, including in the European Economic Area and the United States. Where personal data is transferred outside the UK, we rely on:
- Adequacy decisions issued by the UK government for the destination country, where available
- The UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, where adequacy is not available
- Supplementary technical and organisational measures where required by the transfer risk assessment
Where possible we use UK-region infrastructure to minimise cross-border transfers.
7. How long we keep data
We retain personal data only for as long as necessary:
- Account data and customer content - for the duration of your subscription, and for 90 days after termination to allow for reactivation. After 90 days customer content is deleted from active systems, with anonymised aggregates retained for audit and analytics purposes.
- Billing records - retained for 6 years to meet UK tax and accounting record-keeping requirements.
- Support correspondence - typically 3 years from the last interaction.
- Marketing preferences and consent records - retained for as long as we hold your account, plus 2 years.
- Backups - rolling encrypted backups are retained for 30 days and then overwritten.
8. Your rights
Under the UK GDPR you have the following rights in relation to your personal data:
- Access - request a copy of the personal data we hold about you.
- Rectification - ask us to correct inaccurate or incomplete data.
- Erasure - request deletion of your data where one of the conditions in Article 17 applies.
- Restriction - ask us to limit how we process your data in certain circumstances.
- Portability - receive your data in a structured, commonly used, machine-readable format and request transfer to another controller.
- Objection - object to processing based on legitimate interests, or to direct marketing.
- Withdraw consent - where processing is based on consent.
- Not be subject to automated decision-making - we do not make decisions affecting you based solely on automated processing.
To exercise any of these rights, contact us at privacy@packlah.io. We will respond within one calendar month. Where requests are complex or numerous we may extend this by a further two months, telling you why.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data properly. We would prefer the chance to address your concern first - see section 13.
9. Security
We protect personal data through a combination of:
- Encryption in transit (TLS) and at rest (AES-256)
- Row-level isolation in our application database so customer content is segregated
- Access controls limiting who can see customer data internally
- Audit logging of administrative access
- Regular dependency and security reviews
- Secure development practices and pre-deployment review
No system is perfectly secure. If we become aware of a breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO without undue delay, in line with our statutory obligations.
10. Cookies
The marketing site (packlah.io) uses cookies as follows:
- Strictly necessary cookies - for things like remembering your cookie preferences. Set by default.
- Analytics cookies - for aggregated traffic measurement, set only with your consent.
- Functional cookies - for preferences such as theme, set only with your consent where applicable.
The Packlah application (app.packlah.io) uses session cookies strictly necessary to keep you signed in.
You can change your cookie preferences at any time via the site footer cookie settings link, or by clearing cookies in your browser.
11. Children
Packlah is a B2B service intended for use by businesses and their employees. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have collected such data, please contact us so we can delete it.
12. Changes to this policy
We may update this policy from time to time to reflect changes in our practices, our processors, or the law. The version and effective date at the top of this page will always reflect the current version. Material changes will be notified to account holders by email at least 30 days in advance.
For privacy-related queries or to exercise any of your rights:
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office. Their contact details are at ico.org.uk/make-a-complaint.
For business customers: If you process personal data through Packlah on behalf of your own users (for example, your customers' contact details inside your SKU catalogue), please request our Data Processing Addendum (DPA) at privacy@packlah.io. The DPA sets out the Article 28 terms that govern Packlah's processing of your customers' personal data on your behalf.
Related: Terms of Service