Privacy Policy

Last Updated: 10.01.25

BACKGROUND

Circulo Technology Solutions understands that your privacy is important and that you care about how your data is used. We respect and value the privacy of everyone who visits this website, Circulo.tech, and will only collect and use personal data in ways that are described here and in a way that is consistent with our obligations and your rights under the law.

This Privacy Policy explains how we handle personal data both when you interact with us directly and when we provide data processing services to our business clients.

Please read this Privacy Policy carefully and ensure that you understand it.

DEFINITIONS AND INTERPRETATION

In this Policy the following terms shall have the following meanings:

Term: Definition
Account: An account required to access and/or use certain areas and features of Our Site
Client: A business customer who uses our software platform services
Cookie: A small text file placed on your computer or device by Our Site when you visit certain parts of Our Site and/or when you use certain features of Our Site
Cookie Law: The relevant parts of the Privacy and Electronic Communications (EC Directive) Regulations 2003
Data Controller: The person or entity that determines the purposes and means of processing personal data
Data Processor: The person or entity that processes personal data on behalf of a Data Controller
Data Subject: An individual whose personal data is being processed
DPA: Data Processing Addendum – the agreement governing our data processing services
Our Site: This website, Circulo.tech
Platform Services: Our software-as-a-service platform provided to business clients

INFORMATION ABOUT US

Company: Circulo Technology Solutions
Registration: Limited company registered in England under company number 14900505
Registered Address: 20 Wenlock Road, London, N17GU, United Kingdom
Data Protection Officer: Karm Khanna
Contact Email: hello@circulo.tech
Website: https://circulo.tech

WHAT DOES THIS POLICY COVER?

This Privacy Policy covers two distinct ways we handle personal data:

Part A: When We Are The Data Controller

This applies when you visit our website, contact us directly, or become our customer. In these cases, we decide what data to collect and how to use it.

Part B: When We Are A Data Processor

This applies when we provide our Platform Services to business clients and process their customers’ data on their behalf. In these cases, our clients decide what data to collect and how to use it.

Please note that we have no control over how your data is collected, stored, or used by other websites, and we advise you to check the privacy policies of any such websites before providing any data to them.


PART A: WHEN WE ARE THE DATA CONTROLLER

This section applies to our website visitors, prospects, and direct customers

WHAT IS PERSONAL DATA?

Personal data is defined by the UK GDPR and the Data Protection Act 2018 as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

In simpler terms, personal data is any information about you that enables you to be identified, including your name, contact details, identification numbers, electronic location data, and other online identifiers.

YOUR RIGHTS

Under the Data Protection Legislation, you have the following rights:

  • Right to be informed about our collection and use of your data
  • Right of access to the personal data we hold about you
  • Right to rectification if any data we hold is inaccurate or incomplete
  • Right to erasure (right to be forgotten)
  • Right to restrict processing of your data
  • Right to object to us using your data for particular purposes
  • Right to withdraw consent where we rely on consent as our legal basis
  • Right to data portability in certain circumstances
  • Rights relating to automated decision-making and profiling (we do not use your data in this way)

For more information about exercising your rights, please contact us using the details provided at the end of this policy.

We would welcome the opportunity to resolve your concerns ourselves first, so please contact us before making a complaint to the ICO.

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Website: https://ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

WHAT DATA DO WE COLLECT?

We may collect and hold the following personal data about you:

Direct Website Interactions:

  • Identity and Contact Data: Name, postal address, phone number, email address, country
  • Inquiry Data: Information about your inquiry type (general inquiry, demo request, etc.)
  • Profile Data: Your interests, preferences, and feedback
  • Account Data: Information you provide when registering an account
  • Correspondence Data: Information in enquiries, bookings, or communications you send us

Technical Data:

  • Browsing Data: Pages visited, interaction patterns, session duration
  • Device Data: IP address, browser type and version, time zone, operating system
  • Login Data: Authentication information for registered users
  • Analytics Data: How you use our website and services

Marketing and Communications:

  • Marketing Preferences: Your preferences for receiving marketing communications
  • Communication History: Records of our marketing interactions with you

Special Categories of Data: We do not collect special categories of personal data (health, race, religion, etc.) or information about criminal convictions.

Children’s Data: Our services are not intended for use by individuals under the age of 13 or under the age of 16 (depending on jurisdiction), and we do not knowingly collect personal data from children. If we learn that we have collected such data in error, we will delete it promptly.

Third-Party Data: If you provide us with someone else’s data (e.g., a colleague), you confirm that person has consented to you sharing their information and receiving communications on their behalf.

HOW IS YOUR DATA COLLECTED?

Direct Interactions:

You provide data when you:

  • Fill in forms on our website
  • Create an account or place an order
  • Subscribe to newsletters or request marketing
  • Contact us by email, phone, or post
  • Provide feedback or enter surveys
  • Attend our events or webinars

Automated Technologies:

  • Website server logs and basic technical data collection
  • Form submissions and downloads

Third Parties:

We may receive data from:

  • Advertising networks (Google Ads, Facebook, Bing Ads, when used)
  • Social media platforms (Facebook, LinkedIn)
  • Public sources and business directories

LEGAL BASIS FOR PROCESSING

We process your personal data under the following legal bases:

Legitimate Interests:

  • Improving our website and services
  • Understanding customer needs and preferences
  • Direct marketing to existing customers
  • Preventing fraud and ensuring security
  • Business administration and legal compliance

Contract Performance:

  • Providing services you’ve requested
  • Managing your account and subscriptions
  • Processing payments and billing

Consent:

  • Email marketing to prospects (where required)
  • Optional cookies and tracking
  • Special projects or research

Legal Obligation:

  • Financial record keeping
  • Regulatory compliance
  • Responding to legal requests

HOW DO WE USE YOUR DATA?

We use your personal data to:

Service Delivery:

  • Respond to inquiries and provide information
  • Create and manage your account
  • Deliver our services and support
  • Process payments and billing
  • Provide customer support

Business Operations:

  • Improve our website and services
  • Conduct market research and analysis
  • Manage our business relationships
  • Ensure security and prevent fraud
  • Comply with legal obligations

Marketing (with appropriate legal basis):

  • Send relevant marketing communications
  • Personalize content and offers
  • Manage events and webinars
  • Conduct customer satisfaction surveys

You can opt out of marketing at any time using unsubscribe links or by contacting us.

WEBSITE FUNCTIONALITY

Our website operates without the use of cookies or tracking technologies. We collect only essential technical information required for website functionality, such as:

  • Server logs for security and performance monitoring
  • Basic device and browser information for compatibility
  • Form submission data when you contact us

We do not use analytics cookies, marketing cookies, or any tracking technologies that require consent under cookie laws.

DATA RETENTION

We retain your personal data only as long as necessary for the purposes we collected it, or as determined by our service providers’ standard retention policies:

  • Marketing contacts: Until you unsubscribe or as per MailChimp’s retention policies
  • Email communications: Retained in Google Workspace according to our business needs
  • Website technical data: Server logs retained for security and performance purposes
  • Customer accounts: Duration of service relationship
  • Legal obligations: As required by applicable law (typically 7 years for business records)

We conduct periodic reviews to ensure data is not held longer than necessary. You can request deletion of your data at any time by contacting us.

DATA SECURITY

We implement appropriate security measures to protect your data, primarily through our trusted third-party service providers and internal policies:

Third-Party Security:

We rely on industry-leading service providers who maintain robust security measures:

  • Google Workspace for email and document management (encrypted in transit and at rest)
  • MailChimp for email marketing (GDPR-compliant platform with enterprise security)
  • Website hosting through secure, managed hosting providers
  • Analytics platforms (Google Analytics, when used) with privacy controls enabled

Internal Security Measures:

  • Multi-factor authentication (2FA) required for all employee accounts
  • Employee training on data protection and privacy policies
  • Role-based access controls limiting data access to necessary personnel only
  • Regular access reviews and deprovisioning procedures
  • Confidentiality agreements for all staff members
  • Secure password policies and regular updates

Administrative Controls:

  • Written internal policies for data handling and protection
  • Regular review of third-party provider security practices
  • Incident response procedures for any security events
  • Employee onboarding and offboarding security procedures

We select service providers based on their security certifications, GDPR compliance, and industry reputation. All providers are required to maintain appropriate data protection standards equivalent to those required under UK GDPR.

DATA TRANSFERS

We store your data in the UK and European Economic Area (EEA). Any transfers outside these regions are protected by:

  • Adequacy decisions where available
  • Standard Contractual Clauses (SCCs)
  • Other appropriate safeguards approved by the ICO

For details about specific transfers, please contact us.

SHARING YOUR DATA

We do not sell your personal data. We may share it only in these limited circumstances:

Service Providers:

  • Google Workspace (email, documents, calendar)
  • MailChimp (email marketing)
  • Website hosting and content delivery networks
  • Advertising platforms (Google Ads, Facebook Ads, Bing Ads, when used)
  • Payment processors (for any paid services)
  • IT support and security services

Legal Requirements:

  • To comply with legal obligations
  • In response to court orders or government requests
  • To protect our rights or investigate fraud
  • In connection with legal proceedings

Business Transfers:

If we sell or transfer our business, your data may be transferred to the new owner under the same privacy protections.

All third parties are required to maintain appropriate data protection standards.


PART B: WHEN WE ARE A DATA PROCESSOR

This section applies when we provide Platform Services to business clients

DATA PROCESSING SERVICES

When we provide our software platform to business customers (“Clients”), we act as a Data Processor under UK GDPR. Our Clients remain the Data Controllers of their customers’ data.

Our Role as Data Processor:

  • We process personal data only according to Client instructions
  • We do not use Client data for our own business purposes
  • We implement appropriate security measures
  • We assist Clients with their GDPR compliance obligations
  • We notify Clients of any data breaches affecting their data

Types of Data We May Process:

Depending on our Client’s business and how they use our platform:

  • Customer contact information (names, emails, phone numbers, addresses)
  • Account and profile information
  • Transaction and order history
  • Website behavior and analytics data
  • Communication preferences and history
  • Any other data our Clients choose to process through our platform

Categories of Data Subjects:

  • Our Clients’ customers and users
  • Website visitors to our Clients’ properties
  • Other individuals whose data our Clients process

CLIENT RESPONSIBILITIES

Our Clients (as Data Controllers) are responsible for:

  • Having a legal basis for processing personal data
  • Providing privacy notices to their data subjects
  • Handling data subject rights requests
  • Determining data retention periods
  • Ensuring data accuracy and minimization
  • Obtaining necessary consents

YOUR RIGHTS FOR CLIENT DATA

If your personal data is being processed through our platform on behalf of one of our Clients:

Contact the Client First:

  • The Client is the Data Controller and primary contact for your rights
  • Direct all requests (access, deletion, correction) to the Client
  • The Client’s privacy policy governs how your data is used

We Will Assist:

  • We will help Clients respond to your requests where technically feasible
  • We will forward requests to the appropriate Client
  • We maintain technical capabilities to support data subject rights

Complaints:

  • Contact the Client first for any complaints
  • You can also contact the ICO if unsatisfied with the response
  • You may contact us if you cannot reach the Client

SECURITY FOR CLIENT DATA

We apply the same high security standards to Client data as our own:

Technical Safeguards:

  • End-to-end encryption for all data transmissions
  • Encryption at rest for all stored data
  • Multi-tenant architecture with logical data separation
  • Regular security monitoring and intrusion detection
  • Automated backup and disaster recovery procedures

Access Controls:

  • Role-based access with principle of least privilege
  • Multi-factor authentication for all administrative access
  • Regular access reviews and deprovisioning procedures
  • Audit logging of all data access and modifications

Operational Security:

  • Employee background checks and security training
  • Confidentiality agreements for all staff
  • Incident response procedures with Client notification
  • Regular security assessments and penetration testing
  • Vendor security assessment and management

SUB-PROCESSORS

We may engage sub-processors to help deliver our services. We maintain a list of approved sub-processors and:

  • Conduct security assessments before engagement
  • Require appropriate data protection agreements
  • Monitor ongoing compliance with security standards
  • Provide Clients with notification of any changes

Current sub-processors include our cloud infrastructure providers and essential service vendors. A current list is available upon request.

DATA PROCESSING ADDENDUM (DPA)

All Clients must sign our Data Processing Addendum, which includes:

  • Detailed processing instructions and limitations
  • Security requirements and breach notification procedures
  • Sub-processor management and liability allocation
  • Data subject rights assistance procedures
  • Data return and deletion requirements upon termination

DATA STORAGE AND TRANSFERS FOR CLIENT DATA

Client data processed through our Platform Services is stored and protected as follows:

Primary Data Storage:

  • Location: As specified in our agreement with each Client – we configure data storage locations to meet Client requirements (e.g., UK-only, EEA-only, US-only, or other specified regions)
  • Infrastructure: Enterprise-grade cloud infrastructure deployed in Client-specified regions with appropriate data residency controls
  • Redundancy: Multiple availability zones within the Client-specified region for high availability and disaster recovery

International Transfers:

Client data transfers are governed by our contractual agreements with each Client:

  • Client-controlled: Data location and transfer permissions are defined by Client requirements
  • Contractual safeguards: All transfers comply with Client-specified restrictions and applicable data protection laws
  • Geographic flexibility: We can deploy infrastructure in various regions to meet Client data residency requirements
  • Compliance maintained: Full adherence to UK GDPR, EU GDPR, or other applicable frameworks as required by Client location and preferences

We maintain detailed documentation of data locations and any transfers as agreed with each Client.


GENERAL PROVISIONS

CONTACT US

For any questions about this Privacy Policy or our data practices:

Data Protection Officer: Karm Khanna
Email: hello@circulo.tech
Address: 20 Wenlock Road, London, N17GU, United Kingdom

For Data Controller matters (your direct relationship with us):

  • Use the contact details above
  • We will respond within 10 business days

For Data Processor matters (data processed on behalf of our Clients):

  • Contact the relevant Client first
  • Contact us if you cannot reach the Client
  • We will assist in facilitating the response

SUBJECT ACCESS REQUESTS

To request access to your personal data:

  1. Submit requests in writing to hello@circulo.tech
  2. Include sufficient information to verify your identity
  3. Specify what information you’re seeking
  4. Allow up to 30 days for our response (may be extended for complex requests)

There is normally no charge unless your request is manifestly unfounded or excessive.

CHANGES TO THIS POLICY

We may update this Privacy Policy to reflect changes in:

  • Our business practices or services
  • Legal or regulatory requirements
  • Technology or security measures

Changes will be posted on our website with an updated “Last Updated” date. For material changes affecting your rights, we will provide additional notice through email or prominent website notices.

GOVERNING LAW

This Privacy Policy is governed by UK law. Any disputes will be subject to the jurisdiction of UK courts.


Effective Date: 10.01.25
Policy Version: 2.0