Privacy Policy
1. Who We Are and Scope
ITLOX ("we", "our", "us") is the data controller for personal data collected through the itlox.com website and related pre-sales and marketing activities. ITLOX is a company incorporated in England and Wales with registered offices at 167-169 Great Portland Street, London W1W 5PF.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you:
- Visit or interact with the itlox.com website
- Submit an enquiry, interest registration, or contact form
- Subscribe to ITLOX communications
- Enter into a commercial relationship with ITLOX
- Use any ITLOX product or service where ITLOX acts as a data controller
Where ITLOX processes personal data on behalf of enterprise customers (acting as a data processor), the terms of the applicable Data Processing Agreement govern that processing.
2. Personal Data We Collect
2.1 Data You Provide Directly
- Identity data: name, job title, company name
- Contact data: email address, phone number, postal address
- Account data: login credentials, account preferences, subscription details
- Communication data: enquiry content, support request details, feedback
- Payment data: billing address, payment method details (processed by our payment processor; we do not store full card numbers)
- Technical requirements and use case information provided during sales enquiries
2.2 Data Collected Automatically
- Technical data: IP address, browser type and version, operating system, device identifiers
- Usage data: pages visited, time spent on pages, referring URLs, exit pages, click paths
- Cookie data: as described in our Cookie Policy
2.3 Data from Third Parties
- Publicly available professional information (e.g. LinkedIn profiles, company websites) for business development purposes
- Information from analytics providers and advertising platforms (where you have consented to their data collection)
- Referral information from partners or affiliates
2.4 Sensitive Data
We do not intentionally collect special category personal data (health, biometric, genetic, racial or ethnic origin, political opinions, religious beliefs, sexual orientation) through the itlox.com website. If such data is provided voluntarily in a communication, we will handle it with heightened care and only process it where a lawful basis under GDPR Article 9 applies.
3. Lawful Basis and Purposes for Processing
We process personal data only where we have a valid lawful basis under UK GDPR Article 6. The lists below summarise our main processing activities, grouped by lawful basis:
Contract Performance (Article 6(1)(b))
- Processing enquiries and interest registrations
- Providing requested product information and demonstrations
- Managing subscription accounts, billing, and account-related communications
- Fulfilling pre-contractual and contractual obligations
Legitimate Interest (Article 6(1)(f))
- Improving our website and services through usage analytics
- Security monitoring, fraud prevention, and abuse detection
- Sending relevant business updates to existing contacts and customers
- Business development and relationship management
- Defending or exercising legal claims
We have conducted Legitimate Interest Assessments (LIAs) for these activities and concluded our interests are not overridden by your fundamental rights. You may object to processing on this basis at any time.
Legal Obligation (Article 6(1)(c))
- Complying with accounting, tax, and financial reporting obligations
- Responding to lawful requests from law enforcement or regulatory authorities
- Meeting anti-money laundering and know-your-customer requirements where applicable
Consent (Article 6(1)(a))
- Email marketing communications to individuals (where required by PECR)
- Optional analytics and functional cookies
- Any other processing activity where we have asked for and received your consent
Where we rely on consent, you have the right to withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
4. Processors, Sub-Processors, and Disclosure
We do not sell, trade, or rent your personal data. We may share your data with the following categories of recipients:
4.1 Service Providers and Processors
We engage trusted third-party processors who act on our instructions and are bound by data processing agreements:
- Cloud infrastructure providers (e.g. AWS, Google Cloud, Microsoft Azure) — hosting and data storage
- Analytics providers (e.g. Google Analytics) — website analytics (consent-gated)
- Payment processors (e.g. Stripe) — subscription billing and payment processing
- CRM and sales tools — customer relationship management
- Email service providers — transactional and marketing email delivery
- Security and monitoring tools — fraud detection and infrastructure security
4.2 Legal and Regulatory Disclosure
We may disclose personal data where required by law, court order, or regulatory authority, or where necessary to protect the rights, property, or safety of ITLOX, its customers, or the public. We will notify you of such disclosure where legally permitted.
4.3 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred to the successor entity, subject to the same privacy protections as described in this policy. We will notify you of any such transfer.
5. International Data Transfers
ITLOX operates globally and your personal data may be transferred to and processed in countries outside the UK and European Economic Area ("EEA"), including the United States. We ensure appropriate safeguards are in place for all international transfers:
- Adequacy decisions: We transfer data to countries with an ICO or EU adequacy decision where available
- Standard Contractual Clauses (SCCs): For transfers to processors in countries without an adequacy decision, we use UK IDTA or EU SCCs (as applicable) supplemented by a transfer impact assessment
- Binding Corporate Rules: Where applicable for intra-group transfers
- US transfers: US-based processors are required to sign UK IDTA or EU SCCs and to implement appropriate technical and organisational measures
You may request a copy of the transfer mechanisms we rely on by contacting dpo@itlox.com.
6. Data Security
We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security programme includes:
- Encryption of personal data in transit (TLS 1.2+) and at rest
- Access controls and authentication requirements for staff accessing personal data
- Regular security assessments and vulnerability management
- Incident response procedures aligned with ICO notification requirements (72-hour notification for qualifying breaches)
- Contractual security requirements imposed on all data processors
No internet transmission is completely secure. While we employ strong safeguards, we cannot guarantee absolute security of data transmitted over the internet. You transmit data to us at your own risk. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the ICO without undue delay as required by UK GDPR Articles 33 and 34.
7. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Our standard retention periods are:
| Category | Retention Period | Basis |
|---|---|---|
| Website enquiries / contact forms | 3 years from last contact | Legitimate interest |
| Subscription / account records | Duration of subscription + 7 years | Legal obligation (tax/accounting) |
| Payment transaction records | 7 years | Legal obligation |
| Marketing communications consent | Until withdrawal + 1 year | Consent records |
| Website analytics data | 24 months maximum | Analytics retention policy |
| Security logs | 12 months | Legitimate interest / legal obligation |
| Session data | Session duration only | Strictly necessary |
Data is securely deleted or anonymised after the applicable retention period expires, unless longer retention is required by law or is necessary for the establishment, exercise, or defence of legal claims.
8. Your Rights
Under UK GDPR and (where applicable) EU GDPR, you have the following rights in relation to your personal data:
Right of Access (Article 15)
Request a copy of your personal data and information about how it is processed.
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17)
Request deletion of your personal data in certain circumstances (e.g. where the data is no longer necessary, consent is withdrawn, or there is no legitimate overriding interest).
Right to Restrict Processing (Article 18)
Request that we limit processing of your data in certain circumstances.
Right to Data Portability (Article 20)
Receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller.
Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Article 7(3))
Withdraw consent at any time where processing is based on consent. Withdrawal does not affect lawfulness of prior processing.
Right not to be subject to automated decision-making (Article 22)
We do not currently use fully automated decision-making that produces legal or similarly significant effects. We will inform you if this changes.
How to Exercise Your Rights
Contact our Data Protection Officer at dpo@itlox.com. We will respond within 30 days (extendable by 2 months for complex requests with notice). We may verify your identity before processing certain requests. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.
9. California Residents — CCPA / CPRA Notice
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) may provide you with additional rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you and the purposes for which it is used
- Right to Delete: Request deletion of your personal information, subject to certain exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: ITLOX does not sell personal information and does not share it for cross-context behavioural advertising
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights
To exercise your California rights, contact privacy@itlox.com. We will respond within 45 days.
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our website. Full details of the cookies we use, their purposes, legal basis, and how to manage your preferences are set out in our Cookie Policy. You can manage your cookie preferences at any time via the Cookie Settings link in our website footer.
11. Children's Privacy
ITLOX services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete that information. If you believe we have collected personal data from a child, please contact privacy@itlox.com.
12. Supervisory Authority and Complaints
You have the right to lodge a complaint with a supervisory authority if you believe your personal data has been processed unlawfully. We ask that you contact us first at dpo@itlox.com as we are committed to resolving complaints directly.
UK — Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
EU Member States
Contact your local supervisory authority. A full list is at: edpb.europa.eu
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or best practice. We will post the updated policy with a new "Last updated" date. For material changes affecting your rights, we will notify you by email (where we hold your address) or through a prominent notice on our website. Your continued use of ITLOX services after the effective date of an updated policy constitutes your acknowledgment of the changes.
14. Contact Us
ITLOX Limited — Data Controller
UK Office (Data Controller):
167-169 Great Portland Street
London, England W1W 5PF
+44 (0)20 4558 3728
Data Protection Officer: dpo@itlox.com (30-day response time)
Privacy enquiries: privacy@itlox.com
General: contact@itlox.com