Privacy Policy

1. What personal data we collect

Account data. When you sign up, we collect your name, email address, company name, and job title (where provided). If you are added as a User by an account holder, they may provide your name and email address to us.

Payment data. We collect payment card details or direct debit information to process your subscription. Card details are handled by our payment processor and are not stored on our servers.

Usage data. We automatically collect information about how you use the Platform, including login times, features used, pages viewed, and session duration.

Technical data. We collect your IP address, browser type and version, device type, operating system, and time zone setting.

Customer Data. You may upload geospatial data, images, project files, and other content to the Platform. Where this contains personal data, you are the controller of that data and we process it on your behalf.

Communications. If you contact our support team, we keep a record of that correspondence.

2. Why we collect it and our lawful basis

We only process personal data when we have a lawful basis under UK GDPR:

• To create and maintain your account, authenticate Users, and provide the Platform — Contract (Article 6(1)(b)).
• To process payments and manage billing — Contract (Article 6(1)(b)).
• To monitor usage for security purposes and detect misuse — Legitimate interests (Article 6(1)(f)).
• To analyse usage patterns, improve the Platform, and develop new features — Legitimate interests (Article 6(1)(f)). We use anonymised and aggregated data wherever possible.
• To send you service-related communications (e.g. renewal reminders, policy changes) — Contract (Article 6(1)(b)).
• To send you marketing communications — Consent (Article 6(1)(a)), or legitimate interests where the soft opt-in under PECR applies.
• To comply with legal and regulatory obligations — Legal obligation (Article 6(1)(c)).

3. Who we share your data with

We do not sell your personal data. We share it only with the following categories of recipients, each bound by appropriate contractual and data protection obligations:

• Hosting and infrastructure providers — in the United Kingdom (London) and the Republic of Ireland (Dublin);
• Payment processors — to handle subscription billing securely;
• Analytics providers — using anonymised or pseudonymised data where possible;
• Email service providers — for service and marketing communications;
• Professional advisers — such as lawyers and accountants, where necessary;
• Law enforcement or regulatory bodies — where required by law.

We have entered into Data Processing Agreements with all third-party processors in accordance with Article 28 of the UK GDPR.

4. Where your data is stored

Your personal data is stored in data centres located in the United Kingdom (London) and the Republic of Ireland (Dublin).

We do not transfer personal data outside the UK or the European Economic Area unless appropriate safeguards are in place, such as the UK International Data Transfer Agreement or an adequacy decision by the Secretary of State. If this changes, we will update this Privacy Policy.

5. How long we keep your data

We keep personal data only for as long as we need it:

• Account data (name, email, company) — retained for the duration of your subscription and deleted 30 days after the account is closed;
• Usage and technical log data — retained for up to 12 months from collection, then anonymised or deleted;
• Payment records — retained for 7 years after the relevant transaction, as required by HMRC;
• Marketing preferences — retained until you withdraw consent or your account is deleted, whichever is earlier;
• Support correspondence — retained for up to 24 months after the last communication, then deleted;
• Backup copies — may persist in routine backup media for a limited period before being overwritten in the ordinary course.

6. Your rights

Under UK GDPR, you have the following rights. You can exercise any of them by contacting us at mail@figurfi.co.uk.

• Right of access. Ask us to confirm whether we process your personal data and provide a copy.
• Right to rectification. Ask us to correct inaccurate or incomplete personal data.
• Right to erasure. Ask us to delete your personal data, subject to certain exceptions.
• Right to restrict processing. Ask us to temporarily stop processing your data in certain circumstances.
• Right to data portability. Where we process on the basis of contract or consent, ask us to provide your data in a machine-readable format.
• Right to object. Object to processing based on legitimate interests; object to direct marketing at any time and we will stop immediately.
• Automated decision-making. We do not currently make decisions based solely on automated processing that produce legal or similarly significant effects.

We will respond within one calendar month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. How we protect your data

We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration, including:

• encryption in transit (HTTPS/TLS) and at rest;
• secure password hashing;
• role-based access controls limiting who within our team can access personal data;
• use of reputable, certified cloud infrastructure providers;
• regular security reviews and monitoring.

No system is completely secure, and we cannot guarantee absolute security, but we are committed to maintaining a level of security appropriate to the risk.

8. Cookies

We use essential cookies to operate the Platform (for example, session management and authentication). We may also use analytics cookies to understand how users interact with the Platform. Where non-essential cookies are used, we will ask for your consent before placing them.

9. Marketing

We may send you information about FigurFi products and services where:

• you have given your consent; or
• you are an existing customer and the communication relates to similar products or services (the "soft opt-in" under PECR).

Every marketing email includes an unsubscribe link. You can also opt out at any time by contacting us and we will action your request promptly.

We do not share your data with third parties for their own marketing purposes.

10. Data breaches

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware. Where the breach is likely to result in a high risk to you, we will notify you directly without undue delay.

11. Children

The Platform is a business-to-business service and is not directed at individuals under 18. We do not knowingly collect personal data from children.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Platform at least 30 days before the changes take effect. The "Last updated" date at the top of this page will always show the most recent revision.

13. Contact us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to raise a concern about how we handle your data, please contact us:

Email: mail@figurfi.co.uk