Privacy Policy

Effective Date: 27th February 2023

Introduction

Welcome to the privacy policy of SOFTWARE FOR SMALL BUSINESSES LTD (company number 14682834) (“we”, “us” or “our”). We are committed to protecting your personal data and respecting your privacy. This policy explains how we collect, use, share, and protect personal information when you use our website (https://www.softwarefordogtrainers.co.uk) and our software-as-a-service platform (“Platform”). It also outlines your rights under the UK General Data Protection Regulation (“UK GDPR”) and other applicable laws. This privacy notice is provided in compliance with our obligation to be transparent under Article 13 of the UK GDPR.

By using our website or Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please do not use our services. We may update this policy from time to time, and will notify you of any material changes by posting the updated policy on our site with a new effective date.

Who We Are (Data Controller)

Data Controller: The organisation responsible for deciding how and why your personal data are processed is SOFTWARE FOR SMALL BUSINESSES LTD, a company registered in England and Wales (No. 14682834). Our registered address is 4 Chillerton Way, Wingate Durham TS28 5DY, and you can contact us at [email protected] or 07715 389674. For the purposes of UK data protection law (UK GDPR and Data Protection Act 2018), we are the “data controller” for the personal data described in this policy.

Representatives and DPO: We are based in the United Kingdom and primarily serve UK customers. We do not currently have an EU representative (as our focus is UK users), nor are we required to appoint a Data Protection Officer under Article 37 UK GDPR (as we do not carry out large-scale processing of special category data or systematic monitoring of public areas). However, we take privacy seriously. If you have any questions or requests regarding your personal data, please contact [Privacy Team Contact] at the details above. We will be happy to assist you.

Scope of this Policy

This Privacy Policy applies to personal data we collect from: (a) visitors to our website; (b) registered users of our Platform (such as dog training businesses and their authorized staff); and (c) any other individuals who interact directly with us. Our Platform is primarily offered to users in the UK but is accessible globally. This policy covers all personal data that we process in the context of offering our software services and running our website. It does not cover the practices of third-party websites or services that you may link to through our Platform – such services have their own privacy notices.

Business Customers and Client Data: When our business customers (e.g. dog trainers) input personal information about their own clients or other individuals into our Platform (for example, adding a client’s name and contact details, session notes about a training session, or scheduling an automated message to a client), we generally act as a data processor on behalf of that business customer with respect to that particular personal data. This means our customer is responsible for ensuring they have a lawful basis and any necessary consent to collect and share that personal data. We will process such data only to provide our services according to our agreements with our customers. This Privacy Policy primarily explains how we handle personal data as a data controller – for example, information you provide to us when you create an account or use our Platform. If you are an end customer of one of our business users, please contact that business for information about how your data is handled in their use of our Platform.

Personal Data We Collect

We may collect and process various categories of personal data about you. The types of information we collect include:

Contact and Identity Information: When you register or contact us, we collect information such as your name, business or trading name, email address, phone number, postal address, and other contact details. This includes account credentials (username, password) for the Platform and any profile information you choose to provide.

User Account Data: Information relating to your user account on our Platform. For example, registration dates, subscription plan, login activity, and any preferences or settings saved in your profile. We also collect any content you upload or submit via the Platform, which may include text, images, or other media containing personal data.

Training Session Notes and Records: Our Platform allows dog trainers to record session notes, training logs, or other documentation about training sessions. These session notes may include personal information (for example, names of dog owners or clients, details about their dogs, scheduling information, and notes on progress). We also support voice recording features, so you may upload or capture voice recordings (e.g. audio notes dictating a recap of a session or verbal client feedback). Voice recordings might contain your voice or others’ voices, which are personal data. If you use the optional transcription feature, the audio may be converted to text by an AI-driven tool for your convenience.

Payment and Financial Information: If you make payments for our services (such as subscription fees), we will process payment-related information. We use Stripe as our payment processor, so we generally do not store your full credit/debit card details on our systems. Card information is entered into Stripe’s secure payment form. We may retain records of your transactions, such as the last four digits of your card, card type, expiry, and transaction amounts and dates. We also keep billing contact details and billing addresses as needed.

Communications Data: Information you provide when communicating with us or through the Platform. For example, if you email customer support or use a chat feature, we will collect the content of your communications and any contact information you provide. If our Platform facilitates communications (such as sending SMS or email reminders to your clients via integrated services like Twilio or LeadConnector), we will process the recipient’s contact information (e.g. phone number or email) and the content of the message. We also log the date and time of such messages.

Usage Data and Device Information: We automatically collect certain data about how you access and use our website and Platform. This includes technical information such as your IP address, browser type and version, device identifiers, operating system, and device type. We also collect usage logs including timestamps of logins, pages or features accessed, clicks and actions on the Platform, and errors or performance data. For example, we use Google Analytics to gather information about user interactions on our website, such as page views and navigation patterns, in order to understand and improve usage. This may involve collecting device/browser identifiers and approximate location (based on IP address). We may also use cookies and similar tracking technologies (explained below) to collect this information.

We do not knowingly collect any personal data from children under 16, nor is our service directed at children. Our Platform is intended for use by adult professionals (business owners) and their clients. If we learn that we have inadvertently collected personal information from a child without proper consent, we will delete it.

We do not routinely collect “special category” data (such as health information, racial or ethnic origin, political opinions, etc.) or information about criminal convictions. We ask that you refrain from uploading or recording such sensitive data in our Platform unless necessary. In the rare case that you do provide any special-category personal data (for instance, noting a health condition of a client’s dog owner relevant to training), we will treat it with extra care and security, and ensure a lawful basis (such as explicit consent if required).

Purposes of Processing and Lawful Bases

We will only use your personal data when the law allows us to (i.e. when we have a valid “lawful basis” under Article 6(1) UK GDPR for the processing). Under the UK GDPR, processing is lawful only if it meets one of the defined bases in Article 6(1).

The lawful bases we rely on for different processing activities are: (a) Performance of a Contract, (b) Legitimate Interests, (c) Consent, and (d) Legal Obligation. Below we explain the purposes for which we process data and the corresponding legal bases:

Providing and Supporting the Service (Contractual Necessity): We process your personal data primarily to provide you with the services you have requested – namely, access to and use of our software Platform for managing a dog training business. This includes using your contact details to set up and maintain your user account, authenticate you at login, and enable core Platform features (such as saving session notes, uploading voice recordings, and scheduling communications). It also covers processing necessary to provide customer support, to send you important service or transactional communications (e.g. welcome emails, password reset, service updates, invoices), and to handle billing through Stripe. These uses are necessary for the performance of our contract with you as a user of the Platform (Article 6(1)(b) UK GDPR) – without this processing, we could not provide the service you expect. If you refuse to provide certain data needed for the service (like account information or payment details), we may be unable to fulfil the contract or provide the Platform features.

Service Optimisation and Legitimate Interests: We also process certain data to pursue our legitimate business interests in operating and improving our services (Article 6(1)(f) UK GDPR). For example, we analyse usage logs and analytics data to understand how our Platform is used, which features are popular, and to detect technical issues. This helps us troubleshoot problems, enhance user experience, and develop new features that benefit our users. We may also use your data to ensure security, prevent fraud, and protect the integrity of our Platform (for instance, monitoring login locations and IP addresses to detect suspicious access, or using automated tools to prevent spam or abuse in communications). We rely on legitimate interests for these processing activities only after considering any potential impact on your rights and freedoms. We do not use legitimate interests as a basis if we determine that your interests or rights override ours (except in cases of direct marketing, which we handle separately). You have the right to object to processing based on our legitimate interests in certain cases (see Your Rights below).

Communications and Marketing (Consent or Legitimate Interests): We may send you marketing communications (such as newsletters, offers, or updates not strictly related to your contract) if you have subscribed to them or explicitly consented (Article 6(1)(a)). For example, when signing up, you might opt in to receive email updates about new features. You can withdraw consent at any time, and we will provide easy opt-out mechanisms (e.g. “unsubscribe” links in emails). In some cases, if you are a corporate subscriber or existing customer, we may send you limited marketing about similar products under the “soft opt-in” rule of PECR, relying on our legitimate interest in promoting our business. However, you will always have the opportunity to opt out of marketing. We will not spam you or share your contact details with third parties for their own marketing without your consent.

Payment Processing and Accounting (Contract and Legal Obligation): When you make payments, we process relevant personal data to charge your account and manage subscriptions (contractual necessity, Article 6(1)(b)). Additionally, we must retain certain transaction records for legal and financial reporting reasons. For instance, UK tax law and accounting regulations may require us to keep invoice information and payment history for a number of years. Processing of personal data for compliance with such legal obligations is lawful under Article 6(1)(c) UK GDPR. This might include retaining your billing details on invoices and sharing transaction records with tax authorities or our accountants if legally required.

Customer Support and Enquiries (Contractual Necessity or Legitimate Interests): If you contact us for support or with questions, we will use your contact information and communication content to respond and resolve issues. This is typically necessary to perform our service contract with you (ensuring the service works as intended and assisting you) or in some cases based on our legitimate interest in maintaining good customer relations and resolving queries. We may also record support requests to improve our services or for training our staff (legitimate interests, balanced to ensure minimal privacy impact).

Platform Features (Including AI and Automated Workflows): Our Platform offers certain automated or AI-driven features to enhance your productivity. For example, you may choose to use an AI voice transcription feature that converts your voice notes into text (using machine learning algorithms), or set up automated workflows that trigger communications like SMS or email reminders to your clients (e.g. appointment reminders or review requests) without manual intervention each time. When you use these features, we will process the relevant personal data (such as the audio from your voice notes, or your client’s contact details and scheduled message content) to carry out the automated function as requested by you. The purpose of this processing is to deliver the functionality you initiated – e.g. transcribing your provided audio to text for your later reference, or sending the messages you scheduled to the designated recipient. The lawful basis will typically be contractual necessity (Article 6(1)(b)), as these features are part of the services you choose to use on our Platform. In cases where the automated feature involves personal data of third parties (like your clients’ phone numbers for reminders), we operate as your data processor, and you are responsible for ensuring you have a lawful basis to process and communicate that data (for example, that your client has consented to receive such reminders or that it’s necessary for your contract with them).

We do not use personal data for any purposes that are incompatible with the above, and we will not further process your data for new purposes without informing you and obtaining any necessary consent. We will always ensure we have a valid lawful basis for any processing of your personal data, as required by Article 6 of the UK GDPR. If we ever need to process your data for a purpose that requires your consent, we will ask for it explicitly and you have the right to refuse or withdraw your consent at any time.

Cookies and Tracking Technologies

Our website and Platform use cookies and similar tracking technologies to distinguish you from other users and to improve your experience. Cookies are small text files that websites place on your device to store data about your preferences or past actions. We use the following types of cookies on our site:

Strictly Necessary Cookies: These cookies are essential for the operation of our website and Platform. They include, for example, cookies that enable you to log into secure areas and use core features. Without these cookies, the services you have asked for (like remembering your login session) cannot be provided. These cookies do not require your consent.

Analytics and Performance Cookies: We use these to collect information about how visitors use our website, such as which pages are visited most often and if users get error messages. For instance, we use Google Analytics which sets cookies to gather information on site usage (e.g. _ga cookie to identify unique visitors). These analytics cookies help us improve how our website works, but are not strictly necessary. Therefore, we will only set them if you consent.

Functional Cookies: These cookies allow our site to remember choices you make (such as your language or region) and provide enhanced features. They may be set by us or by third-party providers whose services we have added to our pages. We may ask for consent for certain functional cookies if they are not essential.

Advertising/Tracking Cookies: At present, we do not serve third-party ads on our site, but we do integrate with Meta (Facebook/Instagram) for certain features. If we ever implement advertising pixels or social media cookies (for instance, a Facebook Pixel for conversion tracking or the ability to login via Facebook), such cookies would track your activity across sites and require prior consent. We will inform you and obtain consent before deploying any such cookies.

Cookie Consent: In compliance with the Privacy and Electronic Communications Regulations (PECR) and UK GDPR requirements, we implement a cookie consent mechanism on our site. When you first visit our website, you will see a cookie banner explaining our use of cookies. Non-essential cookies (like analytics or social media plugins) will not be set unless and until you opt-in via this banner or our cookie settings preference center. You have the right to choose which categories of cookies to accept (except strictly necessary cookies, which are always on). You can withdraw or modify your cookie consent at any time by using the cookie settings tool on our website or by adjusting your browser settings to block or delete cookies. Please note that if you disable certain cookies, some features of our site or service may not function properly (for example, disabling functional cookies might prevent the use of certain interactive features).

For more detailed information on the specific cookies we use and their purposes, please see our Cookie Policy (or the cookie consent tool details). By continuing to use our site with cookies enabled, you are agreeing to our use of cookies as described here. You can also find general information about cookies and how to manage them at AllAboutCookies.org or consult your browser’s help documentation.

Disclosure of Personal Data to Third Parties

We will never sell your personal data. We do share certain personal information with third parties, but only in the following circumstances and with adequate safeguards:

1. Service Providers (Processors): We use trusted third-party companies to help us deliver our services – these third parties process data on our behalf and under our instructions, and are bound by data protection contracts (Data Processing Agreements) as required by Article 28 of the UK GDPR. Key processors and third-party services we use include:

Stripe: We use Stripe for payment processing. When you enter payment details, that information is transmitted directly to Stripe. Stripe may process your name, email, payment card information, billing address, and transaction amount on our behalf to process payments and prevent fraud. Stripe is a PCI-DSS compliant payment provider with its own stringent privacy and security measures. Stripe’s processing of your data is governed by our contract with them and by Stripe’s privacy policy. (Stripe, Inc. is based in the USA; see International Transfers below regarding data transfers to the US.)

Amazon Web Services (AWS): Our Platform is hosted on AWS cloud infrastructure. We store most Platform data (including your account information, notes, voice recordings, and uploaded files) on AWS servers. AWS acts as our data hosting provider. We primarily utilise AWS data centres located in [the UK/European Economic Area] to store personal data, but AWS as a global company may involve support or backup services outside the UK. AWS implements strong security controls to protect data at rest and in transit, and our contract with AWS includes data protection commitments.

Google Analytics: As noted, we use Google Analytics to collect website usage statistics. Google acts as our analytics provider. Google Analytics may set cookies and collect identifiers and usage data from your browser for analytics purposes. IP addresses are anonymised where possible (we utilise Google’s IP anonymisation feature). Google LLC is based in the United States, so analytics data may be transferred to the US. However, Google has certified to relevant data transfer frameworks (see International Transfers below) and we have measures in place to safeguard such transfers. Google only provides us aggregated insights – we do not receive personally identifying information about website visitors from Analytics, only statistics. You can opt out of Google Analytics as described in the Cookies section.

Twilio: We use Twilio (including its subsidiary SendGrid and related communication APIs) to power certain communication features of our Platform, such as sending SMS text messages or automated voice calls (if applicable) to your clients or to you. If you or your account triggers an SMS reminder or any text notification, the recipient’s phone number and message content are sent to Twilio’s system to be delivered. Twilio acts as a processor for delivering these communications. Twilio may also process some log data about the message (time sent, delivery status, etc.). Twilio is a US-based company; data may transit through US data centres when sending messages internationally. Twilio is committed to GDPR compliance and we have a Data Processing Addendum in place with them.

Meta (Facebook/Instagram/WhatsApp) Integrations: Our Platform may offer integration with Meta platforms. For example, you might connect your business’s Facebook or Instagram account to our Platform to automatically post updates or to use a Facebook Pixel for advertising purposes. If you choose to use these integrations, we will share the minimum necessary data with Meta. This could include things like: content you choose to publish to your Facebook/Instagram via the Platform, or analytics/tracking information via cookies or pixel if you have consented. Meta Platforms, Inc. (Facebook) will receive such data as an independent controller for their own purposes (e.g., delivering content on their platform or providing analytics to us). We will only initiate Meta integrations with your consent or at your direction. Meta is based in the US and Ireland; any data transfer to Meta in the US will be protected by adequacy mechanisms (Meta is certified under the EU-US Data Privacy Framework, which the UK recognises via the “Data Bridge” as providing adequate protection for transfers). Please review Facebook’s and Instagram’s privacy policies for more details on how they handle data.

LeadConnector: We utilise LeadConnector as part of our software ecosystem (LeadConnector is a service that facilitates integrations and automation between our Platform and other applications, often associated with CRM and marketing workflows). LeadConnector may process certain personal data such as contact information (e.g., syncing a lead’s name, email, or phone from our Platform to another system or vice versa) and communications (like email or SMS content) in order to automate tasks or integrate with other tools. Essentially, if you use features that connect your account with other CRMs or marketing platforms, LeadConnector acts in the background as a processor to transfer or sync that data as instructed by you. LeadConnector’s infrastructure may be cloud-based and could involve servers in the United States or other countries. We ensure that any transfers via LeadConnector are subject to appropriate safeguards, and we have agreements in place that require LeadConnector to maintain confidentiality and security of your data.

We only share personal data with these service providers to the extent necessary for them to perform their services for us. They are not allowed to use your data for their own purposes. We require all our processors to implement appropriate technical and organisational measures to protect personal data and to process it only as instructed by us.

2. Other Disclosures and Recipients: In addition to our core processors above, we may also disclose personal data in a few other scenarios:

Business Partners: If our Platform integrates with or links to third-party services at your request (for example, if you choose to connect a scheduling app or use a plugin provided by a partner), we will disclose data to that third party based on your instructions. Such partners will process your data under their own terms as separate controllers, so please review their privacy policies. We will only share what is necessary for the integration and only with your authorisation.

Legal Requirements: We may disclose your personal data where required to comply with a legal obligation under UK or other applicable law (Article 6(1)(c)), or in response to valid requests by public authorities (e.g., law enforcement, courts, or regulatory agencies). For instance, if we receive a court order or an Information Commissioner’s Office (ICO) demand to provide certain data, we may need to comply. We will verify the legitimacy of any request and only disclose the minimum data necessary.

Enforcing Our Rights: We may share personal data with our professional advisors (such as lawyers or auditors) or with courts/tribunals if necessary to establish, exercise or defend legal claims. This could include sharing data relevant to a contractual dispute with a customer or handling a violation of our Terms of Service. The lawful basis for this would typically be our legitimate interests in protecting our legal rights or those of others.

Corporate Transactions: If we ever undergo a business transaction such as a merger, acquisition by another company, reorganisation, or sale of all or part of our assets, personal data may be transferred to the successor or acquiring entity as part of the transaction. We would ensure the new owner continues to respect your personal data in line with this policy. A notice would be provided to inform you of the change in control and any new uses of your personal data.

Other than the situations above, we will treat your personal data as private and confidential and will not disclose it to any other third parties without your knowledge and (if legally required) your consent.

International Data Transfers

We are based in the UK, and we generally prefer to store and process personal data within the UK or the European Economic Area (EEA) whenever feasible. However, some of our third-party processors and service providers are located outside of the UK/EEA, or may themselves sub-process data outside of these regions. In particular, many of our key service providers (such as Stripe, Google, Twilio, Meta, and LeadConnector) are U.S.-based companies or have servers in the United States or other countries. This means your personal data may be transferred to and stored/processed in countries outside the UK (and outside the European Union) that may have different data protection standards.

Whenever we transfer personal data out of the UK to a country that is not deemed “adequate” by the UK government (i.e., not offering an equivalent level of data protection), we will ensure appropriate safeguards are in place as required by UK GDPR Chapter V. Specifically, we take the following measures in accordance with Articles 45-49 of the UK GDPR:

Adequacy Decisions: Where an adequacy regulation or “data bridge” is in place, we rely on that. For example, the UK has determined that EEA countries (EU member states) are adequate, so transfers to the EEA are permitted. Recently, the UK government implemented the “UK-US Data Bridge” as an extension of the EU-US Data Privacy Framework. This means that transfers of personal data from the UK to certain U.S. organisations certified under the Data Privacy Framework are recognised as safeguarded by an adequacy decision. We will preferentially rely on this mechanism when transferring data to U.S. entities that are certified. (For instance, Meta, Google, and others are participants in the EU-US/UK-US framework, which allows us to transfer analytics or integration data to them under an approved adequacy arrangement.)

Standard Contractual Clauses (SCCs)/International Data Transfer Agreement: In cases where no country-level adequacy decision exists, we will use standard data protection contract clauses approved under UK law. We have entered into the UK International Data Transfer Agreement or the UK Addendum to EU Standard Contractual Clauses, as appropriate, with our service providers for transfers to the U.S. and other countries. These SCCs contractually oblige the recipient to protect your data to UK GDPR standards, providing legally enforceable rights and remedies for data subjects. For example, our contracts with Stripe, Twilio, and AWS include standard clauses to cover any overseas transfers.

Additional Safeguards: We also assess on a case-by-case basis whether additional technical or organisational measures are needed to protect data in transit or at rest in third countries. This can include encryption (we encrypt data in transit using HTTPS/TLS and, where possible, at rest), access controls, and policies to handle government requests for data. We only transfer the minimum data necessary for the purposes described, and our providers are vetted for robust security practices.

Derogations: In very limited circumstances, if no adequacy or SCC safeguard is available, we might rely on a specific Article 49 derogation – for example, if a transfer is necessary for the performance of a contract with you (e.g. if you are traveling outside the UK and need your data accessed there) or if you explicitly consent to a particular transfer after being informed of the risks. We will ensure any such transfers are truly necessary and infrequent.

If you would like more information about our international data transfer safeguards, please contact us. We can provide copies of relevant contractual clauses or details about how and where your data is stored. Our goal is to ensure that your personal information enjoys a high standard of protection wherever it is processed, and that your rights are preserved even when your data is transferred abroad.

Data Retention

We will keep your personal data only for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In general, this means we retain your information for the duration of your account being active and for a period after that as required or permitted by law. Currently, our company does not have a very granular data retention schedule; instead, we apply the following principles:

Account Data: We retain the personal information associated with your user account (contact details, profile info, account settings, etc.) for as long as your account remains active. If you cancel your subscription or request deletion of your account, we will proceed to delete or anonymise your personal data within a reasonable period after the closure of your account (generally within [30] days, unless a longer retention is required for legal reasons as described below).

User-Generated Content: Data such as session notes, voice recordings, and other content you have uploaded to the Platform will typically be kept as long as you have an active account so that you have ongoing access to it. If you delete specific content (for example, you remove a session note or recording manually), it will be removed from active databases, though residual copies might remain in backups for a short period. If your account is deleted, we will delete the associated user-generated content from our systems (again, subject to short-term backups). We do not impose a fixed retention period on the data you store in our Platform – it is retained until you choose to delete it or until your account is terminated.

Communication Logs: Logs of communications (emails, support chats, SMS sent) are retained for as long as necessary for support and audit purposes. For instance, if an SMS was sent through the Platform, we may keep a log of that event for troubleshooting or record-keeping. These logs are usually deleted or anonymised after [X] months unless needed longer.

Analytics Data: Aggregated analytics data (which is anonymised or pseudonymised) may be retained indefinitely for statistical purposes, as it no longer identifies any individual. Raw analytics logs at an individual level are typically deleted or anonymised within [14] months or as per Google’s default retention settings (we currently follow Google Analytics’ retention period setting, which is [14] months, subject to our configuration).

Financial Records: As noted, we keep invoicing and payment records for at least the minimum period required by law (for example, HMRC in the UK may require us to keep records for 6 years). This means that even if you delete your account, we may retain transactional records (with personal identifiers such as your name or business name) in our accounting files until the legal retention period lapses. These records will be securely stored and restricted to finance personnel only.

If we do not have a specific legal requirement or overriding business need to keep data, we will either securely delete it or anonymise it once it is no longer necessary for the purpose it was collected. In cases where we cannot feasibly delete or anonymise data (for example, stored in long-term backups), we will store it securely and isolate it from further active use until deletion is possible.

No fixed retention period: Where we have not specified an exact time limit for retention, the criteria we use to determine how long to keep data include: the nature and sensitivity of the data, the potential risk of harm from unauthorised use, the purpose of processing and whether it can be achieved through other means, and our contractual or legal obligations. UK GDPR requires that personal data shall not be kept in identifiable form longer than necessary (the “storage limitation” principle), so we regularly review our data holdings to ensure we are not retaining personal data indefinitely without justification.

In summary, your data will be stored by us until it is no longer needed for the provision of our services or any of the above-mentioned purposes, or until you ask us to delete it, whichever comes first, subject to any mandatory retention requirements. We are in the process of formalising a detailed data retention schedule to better define retention periods for all categories of data – once established, we will update this policy accordingly.

Your Rights as a Data Subject

Under the UK GDPR, you have various rights in relation to your personal data. We respect your rights and will facilitate your exercise of them. These rights include:

Right to Be Informed: You have the right to be given clear and transparent information about how your personal data is processed and why. This Privacy Policy is part of fulfilling that right (Articles 13 and 14 UK GDPR).

Right of Access: You have the right to obtain confirmation as to whether we are processing personal data about you, and if so, to request a copy of the personal data we hold about you (commonly known as a “data subject access request”). This allows you to check that we are using your information in accordance with the law. The copy of your data will be provided in a reasonable format, and we will also give you supplementary information (similar to what’s provided in this policy) about how and why we process it.

Right to Rectification: If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected or updated without undue delay (Article 16 UK GDPR). You can also directly correct and update some of your information by logging into your account settings on our Platform.

Right to Erasure: In certain circumstances, you have the right to request the deletion or removal of your personal data (the “right to be forgotten”). You can ask us to erase your data, for example, if the data is no longer necessary for the purpose it was collected, you withdraw consent (and no other legal basis exists), or you object to processing and we have no overriding legitimate grounds to continue, or if we processed your data unlawfully. Please note this right is not absolute – sometimes we may have legal or legitimate grounds to retain certain data (we will inform you if so). If you are a Platform user, the simplest way to exercise this right is often to delete specific content or your entire account through the service, which will trigger deletion of associated data.

Right to Restrict Processing: You have the right to request that we suspend or limit the processing of your personal data in certain scenarios. For instance, you can request restriction if you contest the accuracy of the data, if you have objected to processing (pending verification of our grounds), or if processing is unlawful but you oppose erasure and prefer restriction. When processing is restricted, we are permitted to store the data but not use it further except for limited purposes (e.g. legal claims or to protect others’ rights) until the restriction is lifted.

Right to Data Portability: For data that you have provided to us and which we process by automated means on the basis of your consent or to perform a contract, you have the right to request a commonly used, machine-readable copy of such data, and/or to have it transmitted to another controller where technically feasible (Article 20 UK GDPR). In practice, this could apply to certain account data or content you uploaded. We will provide the data in CSV or a similar format, or directly transfer it to another service at your request if possible.

Right to Object: You have the right to object to our processing of your personal data in certain circumstances. You can object at any time to processing of your personal data for direct marketing purposes – if you do, we will stop using your data for marketing immediately (there is no exception to this). You can also object if we are processing your data based on legitimate interests (or for a task in public interest/exercise of official authority) and you feel it impacts your rights and freedoms. In such cases, we will review your objection and will stop that processing unless we have compelling legitimate grounds that override your interests or the processing is needed for legal claims. Where your objection is to direct marketing, as noted, we will always honour it.

Right to Withdraw Consent: In situations where we rely on your consent to process your personal data (for example, for optional marketing emails or for certain cookies), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted based on consent before its withdrawal. If you withdraw consent for a specific feature or service, we may not be able to provide certain elements of the service, but we will advise you if that is the case. (For example, if you withdraw consent to analytics cookies, the site will still work but we will stop collecting analytics data from your visits.)

Rights Related to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you, except under certain permitted circumstances (Article 22 UK GDPR). Important: We do not currently carry out any solely automated decision-making with legal or significant effects on individuals – see the section Automated Decision-Making and AI below. In the event we ever implement such automated decision-making, you would have the right to receive information about the logic involved, to express your point of view, and to obtain human intervention or challenge the decision.

Right to Lodge a Complaint: If you believe we have not complied with your data protection rights or applicable privacy laws, you have the right to file a complaint with a supervisory authority. As we are a UK-based business, our lead supervisory authority is the UK Information Commissioner’s Office (ICO). You can find their contact details on the ICO website; notably, you can reach the ICO via ico.org.uk, by phone at 0303 123 1113, or by post to Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. We encourage you to contact us first to attempt to resolve any concerns, but you are entitled to complain to the ICO at any time. We inform individuals of their right to complain to the ICO and provide contact details as good practice. If you reside outside the UK, you may also have the right to lodge a complaint with your local data protection authority.

We will not usually charge a fee for you to exercise these rights. However, the law permits a reasonable fee or refusal of requests that are manifestly unfounded or excessive, so we reserve that right in rare cases. We will respond to legitimate requests as soon as possible and within one month at most, as required by law (this timeframe may be extended by an additional two months for complex requests, but we will inform you if an extension is needed). We may need to request specific information from you to confirm your identity before fulfilling a request, as a security measure to ensure personal data is not disclosed to anyone who does not have the right to receive it.

For any questions or to exercise your rights, please contact us at [email protected]. We will guide you through the process and address your request in accordance with applicable law.

Automated Decision-Making and AI

As mentioned, our Platform incorporates some automation and AI-powered tools to assist users, but we do not make any decisions about individuals that have legal or similarly significant effects without human involvement. In other words, we do not engage in “solely automated decision-making” within the meaning of Article 22 UK GDPR that would impact your rights in a substantial way (such as credit decisions, hiring decisions, etc.).

The AI-driven features we offer (for example, voice-to-text transcription of your recorded notes, or automatically sending messages that you have pre-written to your clients on a schedule) are provided to enhance functionality and efficiency, but they do not replace human judgment regarding individuals. Some details:

Automated Messaging & Workflows: If you configure our Platform to send automatic reminders, follow-up emails, or review requests to your clients, the “decision” to send those messages at particular times is driven by the rules you set (e.g., send a reminder 1 day after a session). The content is typically written or approved by you. There is no algorithm independently deciding to contact a person beyond what you have scheduled. The effect on the recipient is usually a routine communication rather than a significant decision about them. Nonetheless, the system is automated in execution. We ensure that users maintain control – you can modify or cancel automated communications at any time. Recipients (your clients) who receive communications can opt out of further messages by contacting you or using any provided unsubscribe mechanism.

AI Transcription and Analysis: If you use our voice recording feature, you have the option to transcribe audio to text. This uses automated speech recognition (an AI algorithm) to convert spoken words to written text. This process is automated, but it affects only the format of your content (audio to text) and is intended as a convenience tool. The transcript is provided to you and not used by us to make decisions. We do not analyse the content of your notes or recordings to perform any profiling on you or your clients. Any AI analyses (like transcription) are at your behest and under your control. We will always be transparent if we introduce any further AI features – for example, if we in future offered an AI that suggests training plan improvements, we would describe what data it uses and how it works.

No Automated Profiling of Users or Clients: We do not profile users or their clients in any way that leads to a decision with legal or significant impact. “Profiling” under UK GDPR means evaluating personal aspects like behaviour, interests, or location to predict things about an individual. Our analytics might categorise usage for improving our service (e.g., identifying heavy usage vs. light usage customers to tailor support), but these do not negatively affect any user’s rights or access. We do not deny services or offer different pricing based on any automated analysis of personal data. Any significant decisions (like suspending an account for policy violations, or handling a billing issue) involve human review and are not done by a machine alone.

In the event that we ever contemplate using personal data in a way that involves automated decision-making with legal or similarly significant effects, we will only do so in compliance with Article 22 UK GDPR. That means we would ensure one of the following conditions applies: (i) the decision is necessary for entering into or performing a contract with you; (ii) it is authorised by law; or (iii) it is based on your explicit consent. In all such cases, we would also implement safeguards, including the right for you to obtain human intervention, express your point of view, and contest the decision. We would also conduct a Data Protection Impact Assessment if appropriate to evaluate the risks of any new automated-decision system.

For now, the use of AI and automation in our Platform is limited to assisting functions under your control. If you have any questions or concerns about these features, or if you believe an automated process may be affecting you unfairly, please contact us and we will be happy to provide more information or review the process.

Data Security

We take the security of your personal data very seriously. We have implemented appropriate technical and organisational measures to prevent your personal information from being accidentally or unlawfully destroyed, lost, altered, disclosed, or accessed without authorisation. In particular, we follow the UK GDPR’s “security principle,” which requires that personal data be processed in a manner that ensures its integrity and confidentiality by means of appropriate security measures. Some of the key security practices we employ include:

Encryption: We use encryption to protect data in transit and at rest. Our website and Platform employ HTTPS/TLS encryption for all data transmissions, meaning that information you send to us is encrypted while travelling over the internet. For stored data, sensitive fields (such as passwords and API keys) are hashed or encrypted. We also utilise encryption for data backups.

Access Controls: We restrict access to personal data strictly to those employees, contractors, and service providers who need access to perform their job duties. Access is granted on a least-privilege basis. All staff with such access are subject to confidentiality obligations and receive training on data protection. Administrative access to our systems is protected with strong authentication (including multi-factor authentication where feasible) and logging of access.

Secure Infrastructure: Our servers are hosted with reputable providers (such as AWS) that have robust physical and network security. We leverage firewalls, network isolation, and intrusion detection systems to guard against unauthorised external access. Our Platform is regularly updated to apply security patches and we monitor for vulnerabilities.

Testing and Maintenance: We conduct regular reviews and tests of our security measures. This may include periodic penetration testing by independent experts, vulnerability scanning, and internal audits of compliance. Article 32 of the UK GDPR specifically suggests having a process for regularly testing and assessing security measures, and we strive to meet this standard. We also maintain an incident response plan to handle any suspected data security breach promptly and effectively, including notifying affected individuals and authorities when required by law.

Pseudonymisation: Where possible, especially for analytics, we use techniques like pseudonymisation or anonymisation. For example, analytics data may be linked to a unique ID rather than directly your name, and we may strip or randomise parts of IP addresses in Google Analytics. If we ever use production data for testing or development, we anonymise it first.

Organisational Policies: We have internal policies governing how personal data is handled and protected. This includes data protection policies, access control policies, and regular training for staff on cybersecurity and data privacy. Our team is educated about their obligations to protect personal data and to report any potential issues immediately.

Processor Due Diligence: As noted, we ensure that our third-party processors (hosting, payment, etc.) are also employing appropriate security. We review their certifications and compliance reports (for instance, AWS is ISO 27001 and SOC2 certified; Stripe is PCI-DSS Level 1 certified). We include contractual commitments from them to maintain high security standards and we monitor their compliance.

Despite all our efforts, no system can be 100% secure. However, we continuously update and improve our security measures to align with industry best practices and to address new threats. In the unfortunate event of a personal data breach (security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data), we will promptly assess the risk to your rights and freedoms. If the breach is likely to result in a high risk to you (for example, sensitive data exposure), we will inform you and the ICO as appropriate without undue delay, as required by law.

By using our Platform, you acknowledge that you understand the inherent risks of data transmission over the internet, but rest assured we are using all reasonable means to mitigate those risks.

Changes to this Privacy Policy

We may amend or update this Privacy Policy from time to time in response to changing legal, technical, or business developments. When we update our privacy policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make. For significant changes, we may notify you by email (if we have your email) or by placing a prominent notice on our website or within the Platform. Minor updates (e.g. clarifications) will be indicated by updating the “Effective Date” at the top of the policy. We encourage you to review this policy periodically to stay informed about how we are protecting your information.

If we plan to process your personal data for a new purpose not covered by this policy, we will provide you with information about that purpose and any other relevant details prior to starting the processing, in accordance with the transparency requirements under UK GDPR.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please do not hesitate to contact us:

SOFTWARE FOR SMALL BUSINESSES LTD


Address: 4 Chillerton Way, Wingate Durham TS28 5DY

Email: www.softwarefordogtrainers.co.uk
Phone: 07715 389674

We will gladly assist you with any queries or concerns. Reaching out to us does not affect your right to also lodge a complaint with the ICO or another supervisory authority as noted above; however, we welcome the opportunity to address your concerns directly and ensure your privacy is protected.

Thank you for trusting SOFTWARE FOR SMALL BUSINESSES LTD with your data. We are dedicated to safeguarding your privacy and delivering a secure, reliable service for you and your business.
