Summary
We collect the minimum personal data needed to run our website, sell our services, and operate Preshift Reports and Preshift Stack. Customer operational data (POS feeds, contracts, vendor information) is processed strictly to deliver the service it was uploaded for, is never sold, is never used to train third-party AI models, and is deleted within ninety days of customer off-boarding. The full detail is below. Plain English where we can manage it.
1. About this policy
This policy explains how Preshift Ltd ('Preshift', 'we', 'us') handles personal data when you visit our website, interact with our sales and support teams, or use Preshift Reports, Preshift Stack or any of our other services. It is written to satisfy our obligations as a controller under the UK General Data Protection Regulation (UK GDPR), the EU GDPR where relevant, and the Privacy and Electronic Communications Regulations 2003 (PECR).
It covers our website at preshift.co.uk and any product or service we deliver under a written agreement, including Reports and Stack. Where we process personal data on behalf of a customer (rather than for our own purposes), the customer is the data controller and we are the processor. Those processing activities are governed by the Data Processing Agreement (DPA) you sign with us. See section 5.
2. Who we are and how to contact us
Preshift Ltd is a company registered in England and Wales. We are registered with the Information Commissioner's Office as a data controller.
For any privacy enquiry, including data subject requests, data breach reports, or to ask a question about this policy, email privacy@preshift.co.uk. We aim to respond within five working days and to complete any data subject request within one calendar month, in line with UK GDPR Article 12.
3. The personal data we process and where it comes from
We process personal data from three sources.
Information you give us. When you fill in a form, book a call, email us, accept a meeting invite, or sign a contract, you give us your name, work email, job title, employer, phone number where applicable, and the content of whatever message or document you send. This is the largest single category of personal data we hold.
Information we generate from your use of our website. We log access events to detect abuse and improve the site (IP address, user agent, pages visited, timestamps). We use a small number of analytics cookies covered in our Cookie Policy at /cookies.
Information from third parties. If you become a customer of Reports or Stack, we receive operational data from your connected systems (point-of-sale, payments, finance, contract uploads). Most of that operational data is not personal data, but some of it can be (named staff in shift reports, customer contact data in CRM exports, signatories on contracts). When that's the case you are the controller and we process it on your behalf under our DPA. See section 5.
4. When we act as a controller, and when we act as a processor
We are a controller (we decide why and how the data is processed) when:
• You visit our website.
• You contact us through any sales or marketing channel.
• You subscribe to The Briefing, our monthly newsletter.
• You become a customer and we hold your billing, account, and main-contact information.
• We use your business contact details to follow up about your engagement.
We are a processor (you decide why and how, we follow your written instructions) when:
• We process operational data from your connected systems to run Preshift Reports.
• We process vendor contracts and supplier data you upload to Preshift Stack.
• We process anything else that we hold on your behalf because you asked us to.
The processor activities are governed by our Data Processing Agreement, available at /dpa. The DPA sits underneath our Master Services Agreement and is the binding contract for how we handle data you control.
5. Why we process your personal data, and our legal basis
Under UK GDPR we need a legal basis for every processing activity. Ours are below.
Responding to enquiries and managing prospect conversations. Legal basis: legitimate interests, namely running our business.
Providing our services to customers and managing accounts. Legal basis: contract, namely performing the agreement you have with us.
Invoicing and accounting records. Legal basis: legal obligation, namely UK tax and company law requirements that we keep accounting records for six years.
Sending The Briefing newsletter to subscribers. Legal basis: consent, which you can withdraw at any time using the unsubscribe link in every issue or by emailing privacy@preshift.co.uk.
Security, fraud prevention, and protection of our network. Legal basis: legitimate interests, namely keeping our platform and our customers' data safe.
Product analytics on our website. Legal basis: consent for non-essential cookies, set through our cookie notice.
We do not sell your personal data and we do not use it to train third-party AI models. We will tell you if either of those things ever changes.
6. Reports: how we handle your operational data
Preshift Reports ingests data from your connected systems (POS, payment processors, review platforms, footfall and weather feeds) so it can produce daily, weekly and monthly operational reports. Three commitments apply specifically to that data.
Purpose limitation. Operational data ingested by Reports is used solely to produce, deliver and improve the Reports we generate for you. We do not use it for marketing. We do not share it with third parties beyond the sub-processors needed to operate Reports (listed at /sub-processors). We do not aggregate, anonymise and resell it. We do not use it to train any third-party AI model. The AI commentary in your daily Reports is generated by sending the day's metrics for your group to an inference provider under a strict no-training contract, never the wider model maker's commercial training pipeline.
Read-only by default. Where Reports connects to a source system (Lightspeed, Square, Toast, Vita Mojo, Tevalis and similar), we request read-only API scope. Where read-only scope is not available we ask you to set up a dedicated read-only user.
Deletion on off-boarding. When your contract with us ends, all customer operational data (raw feeds, derived metrics, AI commentary archive, alert history) is deleted from our production systems within ninety days of off-boarding. The same window applies to backups that contain the data, which cycle out within that period. We will confirm completion in writing if you ask us to.
7. Stack: how we handle your contract data
Preshift Stack handles vendor contracts you upload to track renewals, benchmark prices, and run AI-assisted negotiation prep. The same three commitments apply.
Purpose limitation. Contract data is used to deliver Stack to you. It is not sold, not used for marketing, and not used to train any third-party AI model. We use anonymised, aggregated contract data to improve our benchmarking dataset only with explicit opt-in by the customer; the default is opt-out, and even when you opt in your specific terms and vendor names are not exposed to other customers.
Free audits. If you submit contracts to us as part of a free audit (without being a customer), we hold the contracts only for the duration of the audit and delete them within thirty days of delivering the audit document, unless you become a customer and choose to keep them in Stack.
Deletion on off-boarding. As with Reports, customer contract data and the metadata Stack derived from it (extractions, risk scores, drafts, audit log) is deleted from our production systems within ninety days of off-boarding, including any backups that contain the data. Confirmation in writing on request.
8. Who we share your data with
We share personal data only with three categories of recipient.
Sub-processors. Third-party service providers that help us run our website, our products, and our internal operations. They are contractually bound to process the data only on our instructions and to a standard at least equivalent to our own. The current list is published at /sub-processors and we maintain a notification procedure for adding new ones.
Professional advisers. Our lawyers, accountants and insurers when we have a legitimate need, for example in the event of a dispute or audit.
Law enforcement or regulators. If we are legally compelled to share data (court order, statutory request from HMRC, ICO investigation), we will do so. We will tell you if we receive such a request that concerns your data unless legally prohibited.
We do not share your personal data with marketing partners, advertising networks, or data brokers.
9. International transfers
We host our production systems in the United Kingdom. Some of our sub-processors are based outside the UK, including in the United States and the European Economic Area. Where personal data leaves the UK, we rely on one of the following safeguards:
• An adequacy decision by the UK Government for the destination country (currently covers the EEA, Switzerland and a number of others).
• The UK International Data Transfer Addendum (IDTA) attached to the EU Standard Contractual Clauses, with the additional supplementary measures the Information Commissioner expects following the Schrems II decision.
• In the rare case neither applies, your explicit consent or another Article 49 derogation.
The specific transfer mechanism for each sub-processor is shown at /sub-processors.
10. Security
We take a layered approach to securing personal data.
Access control. All personnel access to production systems is via single sign-on with mandatory multi-factor authentication. Role-based access means staff can only see the data they need for their job.
Encryption. All customer data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256 or provider-equivalent.
Isolation. Customer data is logically separated by tenant. Backups are encrypted and rotate out within ninety days, aligned to our deletion commitments.
Vulnerability management. Dependencies and infrastructure are kept patched. We run automated and manual security testing before significant releases.
Personnel. Everyone with production access is subject to confidentiality obligations as part of their employment. Annual security training is required.
Incident response. We have a documented procedure for personal data breaches. If a breach occurs that affects your data, we will notify you without undue delay and within seventy-two hours of becoming aware of it, in line with UK GDPR Article 33.
A fuller description of the technical and organisational measures we apply (Article 32) is included as Annex 2 to our Data Processing Agreement at /dpa.
11. How long we keep your data
We keep personal data for the shortest period reasonable for the purpose we collected it for.
Website visitor data and analytics. Up to 14 months from collection, then aggregated or deleted.
Prospect data (forms, emails, calls). Up to two years from the last meaningful interaction if no engagement follows.
Customer account and contact data. For the duration of the customer relationship plus six years to meet UK statutory record-keeping obligations.
Reports operational data. For the duration of the customer relationship, deleted within ninety days of off-boarding (see section 6).
Stack contract data. For the duration of the customer relationship, deleted within ninety days of off-boarding (see section 7).
Free-audit contract submissions. Up to thirty days from delivery of the audit document, unless the submitter becomes a customer.
The Briefing newsletter subscriptions. Until you unsubscribe, then we keep a suppression record indefinitely so we know not to email you again.
Accounting, invoicing and contract records. Six years from the end of the relevant tax year, to comply with the Companies Act and HMRC rules.
12. Your rights under UK GDPR
Under UK GDPR you have the following rights in relation to your personal data:
Access (Article 15). You can ask for a copy of the personal data we hold about you and the information about how it's processed.
Rectification (Article 16). You can ask us to correct anything that is inaccurate.
Erasure (Article 17), the so-called right to be forgotten. You can ask us to delete your personal data, subject to limited exceptions (for example we have to keep accounting records for six years).
Restriction (Article 18). You can ask us to pause processing in certain circumstances, for example while we investigate a complaint.
Portability (Article 20). You can ask us to provide your personal data in a structured, commonly used, machine-readable format, and to send it to another controller where technically feasible.
Objection (Article 21). You can object to processing based on legitimate interests or direct marketing. We will stop unless we have compelling legitimate grounds to continue.
Automated decision-making (Article 22). You can ask not to be subject to a decision based solely on automated processing that has a legal or similarly significant effect. See section 13.
Withdraw consent. Where we rely on consent (newsletter, non-essential cookies), you can withdraw it at any time without affecting earlier processing.
To exercise any of these rights, email privacy@preshift.co.uk. We will respond within one calendar month and may ask you to verify your identity before we act.
13. Automated decision-making and AI
Both Reports and Stack use AI to process customer data: Reports generates plain-English commentary on your daily numbers, and Stack extracts terms and risk-scores clauses in vendor contracts.
No decision that has a legal or similarly significant effect on a data subject is made by AI alone within either product. Reports commentary is advice for the operator reading it; the operator decides what to act on. Stack risk scores flag clauses for human review and are never used to take an action against any data subject. There is always a human in the loop.
Where AI processes data (an Anthropic API call to generate Reports commentary, or to extract terms from a Stack contract), the inference provider is contractually prohibited from using that data to train its models. If you want details of the exact safeguards we apply, ask and we will share them.
14. Cookies and tracking
We use a small number of cookies on preshift.co.uk. Strictly necessary cookies for things like maintaining your session and remembering your cookie preferences. Analytics cookies, only with your consent, for understanding how the site is used.
We do not use advertising cookies, cross-site tracking pixels, or third-party advertising network beacons.
The full Cookie Policy is at /cookies, including a list of every cookie we set, what it does, how long it lasts, and how to opt out.
15. Marketing communications
If you give us your email through a form on our website with a marketing consent option ticked, we will add you to The Briefing, our monthly newsletter for hospitality and retail operators. You can unsubscribe at any time using the link in every issue.
We will also email you operationally about our services (account changes, security incidents, billing). Those messages are not marketing under PECR and you cannot unsubscribe from them as long as you have an account with us.
16. Children's data
Our services are aimed at businesses and we do not knowingly collect personal data from anyone under sixteen. If you believe we have inadvertently collected such data, email privacy@preshift.co.uk and we will delete it.
17. Changes to this policy
We may update this policy from time to time. The most recent version is always at preshift.co.uk/privacy with the date at the top.
If we make a material change, for example adding a new processing purpose or a new sub-processor that materially changes our security posture, we will notify customers directly by email at least thirty days before the change takes effect, in line with our DPA.
18. Complaints
If you think we have mishandled your personal data, please tell us first by emailing privacy@preshift.co.uk so we can put it right. You also have the right to complain to the Information Commissioner's Office, the UK supervisory authority for data protection.
ICO website: ico.org.uk. ICO helpline: 0303 123 1113. ICO address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
If you are in the EEA you may also have a right to complain to your local supervisory authority. The European Data Protection Board maintains a list at edpb.europa.eu.
19. Contact
Preshift Ltd. London, United Kingdom. privacy@preshift.co.uk for privacy enquiries. hello@preshift.co.uk for everything else.
Our Data Processing Agreement is at /dpa, our sub-processor list is at /sub-processors, and our Cookie Policy is at /cookies. We keep all three current.