Privacy Policy

Introduction

Avaro Technologies Ltd ("we", "us", "our", or "Company") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website and the Avaro One platform (the "Service").

Avaro Technologies Ltd is registered in England and Wales (Company Number 17073861). We are the data controller for personal data collected through our Service.

1. Data Controller Information

Company Name: Avaro Technologies Ltd
Registered Office: C/O WAINWRIGHTS ACCOUNTANTS FAVERSHAM HOUSE, OLD HALL ROAD, BROMBOROUGH, WIRRAL, UNITED KINGDOM CH62 3NX
Country: England and Wales
Email: privacy@avarotechnologies.com

You may contact our Data Protection Officer (DPO) or our privacy team with any questions or concerns regarding this Privacy Policy or our data handling practices.

2. Types of Personal Data We Collect

We collect the following categories of personal data:

Account Data

• Full name and email address
• Company name and industry
• Job title and role
• Phone number
• Billing address and payment information (processed by third-party payment providers)

Usage Data

• Log data (IP address, browser type, pages accessed, time spent)
• Feature usage patterns and interaction data
• Device information (operating system, device type)
• Analytics cookies and tracking identifiers
• Search queries and filter usage within the platform

Billing and Payment Data

• Invoice records and payment history
• Subscription tier and billing cycle information
• Payment method details (processed securely by payment providers)
• VAT/Tax identification numbers

Communications Data

• Email correspondence with our support team
• Feedback, survey responses, and feature requests
• Support ticket history
• Marketing communication preferences

Other Data

• Profile information you voluntarily add to your account
• Documents or files you upload to the Service (if applicable)
• Information from third-party integrations or single sign-on (SSO) providers

3. Legal Bases for Processing

Under UK GDPR and DPA 2018, we process your personal data based on the following legal bases:

Contract (Article 6(1)(b), GDPR)

• Account data, billing data, and service delivery information necessary to provide the Service to you
• Processing required to establish, maintain, and manage your subscription

Legitimate Interests (Article 6(1)(f), GDPR)

• Security and fraud prevention
• Service improvement and analytics (understanding how users interact with our platform)
• Marketing and promotional communications (where you have not opted out)
• Legal compliance and dispute resolution
• Identifying and remedying technical issues

Consent (Article 6(1)(a), GDPR)

• Marketing emails (you can opt out at any time)
• Analytics beyond what is necessary for service provision
• Non-essential cookies (see our Cookie Policy for details)

Legal Obligation (Article 6(1)(c), GDPR)

• Compliance with tax, accounting, and financial regulations
• Compliance with data protection law requests from authorities

4. Data Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

Data Category	Retention Period	Rationale
Account Data (active accounts)	Duration of subscription + 30 days	Service delivery and account management
Billing/Invoice Data	7 years	UK tax and accounting requirements
Usage/Analytics Data	12 months	Service improvement and analytics
Support/Communication Records	3 years	Dispute resolution and legal compliance
Marketing Preferences	Until opt-out	Compliance with marketing preferences
Deleted Accounts	90 days (backup retention)	Data recovery and business continuity

5. Third-Party Data Sharing

We may share your personal data with the following categories of third parties:

Sub-Processors

We use a limited number of trusted sub-processors to deliver and support the Service. The current list includes:

• Cloud Infrastructure: For hosting, data storage, and compute services
• Payment Processing: For subscription billing and payment collection (PCI-DSS compliant)
• Email Delivery: For transactional emails (e.g. password resets, invoice notifications)
• Font Delivery: Google Fonts – for website typography (standard HTTP request data only, no profiling)

We maintain an up-to-date list of sub-processors and will notify customers of material changes. We do not currently use third-party analytics, advertising, or behavioural tracking services on our website.

Third-Party Integrations

If you integrate third-party services with Avaro One (e.g., accounting software, communication tools), we may share necessary data to enable that integration. You control which integrations are active on your account.

Legal and Regulatory Requests

We may disclose personal data when required by law, court order, or government authority, including requests from:

• Data protection authorities (e.g., UK ICO)
• Law enforcement agencies
• Tax authorities
• Courts and legal proceedings

Business Transfers

If Avaro Technologies is acquired, merges with another entity, or sells substantially all of its assets, your personal data may be transferred as part of that transaction. We will provide notice of any such change and any choices you may have regarding your personal data.

Consent-Based Sharing

We will not share personal data for purposes beyond those listed above without your explicit consent.

6. International Data Transfers

Avaro Technologies is based in the UK. Some of our sub-processors operate outside the UK and EEA, including in the United States. Where we transfer personal data outside the UK/EEA, we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs): EU-approved contractual terms for data transfers to processors outside the EEA
• UK Adequacy Decisions: Where applicable, we rely on UK legal adequacy determinations
• Binding Corporate Rules: Where applicable, for transfers within corporate groups
• Supplementary Measures: Additional technical and organizational safeguards (encryption, pseudonymization)

By using our Service, you consent to the transfer of your personal data to countries outside the UK/EEA, subject to the protections described above.

7. Your Privacy Rights

Under UK GDPR and DPA 2018, you have the following rights regarding your personal data:

Right of Access (Article 15, GDPR)

You have the right to obtain a copy of the personal data we hold about you and information about how we process it. You can download your account information directly from your account dashboard or contact us for a formal Subject Access Request (SAR).

Right to Rectification (Article 16, GDPR)

You have the right to correct inaccurate or incomplete personal data. You can update much of your account information directly in your profile settings.

Right to Erasure (Article 17, GDPR)

You have the right to request the deletion of your personal data, subject to certain exceptions (e.g., where we have legal obligations to retain it). This is sometimes called the "right to be forgotten." Deletion requests will be processed within 30 days, though we may retain data where legally required (e.g., for tax purposes).

Right to Restrict Processing (Article 18, GDPR)

You may request that we limit how we use your personal data while we verify accuracy or resolve disputes regarding its use.

Right to Data Portability (Article 20, GDPR)

You have the right to receive a copy of your personal data in a structured, commonly-used, and machine-readable format (e.g., CSV or JSON). You may also request we transfer this data to another service provider.

Right to Object (Article 21, GDPR)

You have the right to object to processing based on legitimate interests, including for marketing purposes. You can manage marketing preferences in your account settings or by emailing privacy@avarotechnologies.com.

Rights Related to Automated Decision-Making and Profiling (Article 22, GDPR)

You have the right not to be subject to automated decision-making (including profiling) that produces legal or similarly significant effects. We do not use fully automated decision-making for such purposes.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@avarotechnologies.com
Mail: Data Protection Officer, Avaro Technologies Ltd, [YOUR REGISTERED ADDRESS]

We will respond to your request within 30 days (or 90 days for complex requests). We may ask you to verify your identity before processing your request.

8. Cookie and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience. For full details about how we use cookies, including how to manage your preferences, please see our Cookie Policy.

9. Children's Privacy

Avaro One is a B2B professional services platform. We do not knowingly collect personal data from children under the age of 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete such data and terminate the child's account as quickly as possible.

Our Service is designed for business users aged 18 and over. If a parent or guardian believes their child has provided personal data to us, please contact privacy@avarotechnologies.com immediately.

10. Data Security

We implement comprehensive technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

• Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256 or equivalent.
• Access Controls: Personal data access is restricted to authorized employees and contractors on a need-to-know basis, subject to confidentiality obligations.
• Authentication: We use multi-factor authentication (MFA) for administrative access and encourage users to enable MFA on their accounts.
• Network Security: Firewalls, intrusion detection systems, and regular security audits protect our infrastructure.
• Secure Development: Security is built into our software development lifecycle, including code review and vulnerability testing.
• Backups and Disaster Recovery: We maintain regular, encrypted backups and have disaster recovery procedures in place.
• Staff Training: All employees handling personal data undergo data protection and information security training.

While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security of your personal data. If you become aware of a security breach, please contact us immediately at privacy@avarotechnologies.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (if you have provided an email address) or by posting a notice on our website with a new "Last Updated" date.

Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

12. Data Protection Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have violated your privacy rights:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
United Kingdom
Phone: 0303 123 1113
Website: www.ico.org.uk

13. Contact Us