Privacy Policy

1. Who we are

Kommercio is a product of Howells Digital Ltd, a company registered in England and Wales.

Registered office: [REGISTERED ADDRESS TBC]. ICO registration number: [ICO REG NUMBER TBC].

We are the data controller for personal data we collect about you directly — for example, when you sign up for a Kommercio account, contact us, or browse this website. Where Kommercio stores personal data entered by our tenants about their own customers, suppliers, and staff, we act as a data processor on behalf of that tenant. See our GDPR page for the controller/processor breakdown.

2. Data we collect

Account data

Name, work email address, business name, phone number (optional), password hash, passkey public keys, billing details, and subscription tier. Collected when you sign up and updated when you change it.

Product data entered by tenants

Any personal data tenants enter into their Kommercio instance — customer contacts, supplier contacts, staff users, order records, invoices, and related metadata. We hold this on behalf of the tenant and only act on it under their instruction.

Analytics

We use privacy-first analytics (tool to be confirmed) to understand how people use kommercio.io and our admin panels. No cross-site tracking, no advertising identifiers, no personal profiling. Aggregated page views, referrers, and session duration only.

Cookies

We set the minimum cookies required for the service to work — essentially session tokens, CSRF tokens, and tenant-identifying data. Full breakdown in our Cookie Policy.

Support and communications

When you email us or submit a contact form, we store the content and metadata of that message so we can help you. When we send you product or marketing emails, we track delivery and opens via our email provider in aggregate.

3. Lawful basis

Under UK GDPR, we need a lawful basis for every use of personal data. Ours are:

• Contract — account data, billing data, and anything required to deliver the service you've subscribed to.
• Legitimate interest — fraud prevention, abuse investigation, platform analytics, and improving the product. Balanced against your rights and freedoms; you can object at any time.
• Consent — marketing emails outside the scope of your active subscription. You opt in, you can withdraw at any time via the unsubscribe link or by emailing privacy@kommercio.io.
• Legal obligation — retention of financial records for the period required by UK tax and company law.

4. Third-party processors

We rely on the following sub-processors. Each has been chosen for security posture, regulatory compliance, and appropriate transfer mechanisms where data leaves the UK or EU.

This list may change as we add or remove services. Material changes will be notified via email to tenant admins.

5. Your rights

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct data that is inaccurate or incomplete.
• Erasure — request deletion, subject to our legal retention obligations.
• Portability — receive your data in a structured, commonly used, machine-readable format.
• Objection — object to processing based on legitimate interests or direct marketing.
• Restriction — ask us to limit how we use your data while a query is resolved.
• Withdraw consent — where we rely on consent, you can withdraw it at any time.

Exercise any of these by emailing privacy@kommercio.io. We will respond within 30 days as required by UK GDPR (extendable to 90 days for genuinely complex requests, with notification to you).

6. Retention

• Account data — retained while your account is active, plus 7 years after closure to meet Companies Act 2006 and HMRC record-keeping requirements.
• Tenant-entered personal data — retained while the tenant subscription is active, then for 30 days post-termination to allow export, then deleted from primary storage.
• Anonymised analytics — retained indefinitely, as they no longer identify individuals.
• Support tickets — 3 years from ticket closure.
• Backups — rotated on a 30-day cycle; personal data deleted from primary systems will persist in backups for up to 30 days.

7. Children

Kommercio is a B2B product and is not offered to anyone under 16. We do not knowingly collect data from children. If you believe we have, contact us and we will delete it.

8. International transfers

Where personal data is transferred outside the UK or European Economic Area, we rely on Standard Contractual Clauses and the UK International Data Transfer Addendum (IDTA), or on the EU–US Data Privacy Framework where the recipient is certified. Copies of the SCCs / IDTA are available on request.

9. Complaints

If you believe we have mishandled your data, please contact us first at privacy@kommercio.io so we can try to resolve it. You also have the right to complain to the Information Commissioner's Office at any time.

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Web: ico.org.uk

10. Updates to this policy

We may update this policy from time to time. Material changes will be notified via email to tenant admins and via a banner on this page for at least 30 days. The "Last updated" date below always reflects the most recent change.

11. Cookies summary

We use essential cookies only and privacy-first analytics that do not set tracking cookies or use personal identifiers. Full details in our Cookie Policy.

12. Automated decision-making

Kommercio contains AI features — demand forecasting, churn detection, supplier scoring — that produce suggestions and draft records. These features do not produce legal or similarly significant decisions about individuals. A human always reviews and approves before any customer-facing action is taken.

13. Contact

For any privacy question, data subject request, or breach notification, contact:

Privacy team
Email: privacy@kommercio.io
Post: Howells Digital Ltd, [REGISTERED ADDRESS TBC]