Privacy Policy

This Privacy Policy explains how Onlyintelligence Ltd, trading as StoreSpine ("we", "us", "our"), collects, uses, stores, shares, and protects your personal data when you use our AI-powered marketing automation SaaS platform ("the Service").

This policy applies to all users of our website at storespine.com and the StoreSpine platform, including free trial users, paying subscribers, and visitors to our marketing website.

We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

Please read this policy carefully. By using our Service, you acknowledge that you have read and understood this policy. If you do not agree with our practices, please do not use the Service.

Onlyintelligence Ltd is the data controller responsible for your personal data. We are a company registered in England and Wales, trading as StoreSpine.

We collect and process the following categories of personal data:

We only process your personal data where we have a lawful basis to do so under UK GDPR Article 6. The table below sets out each purpose for which we process your data and the corresponding lawful basis.

Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) to ensure our interests do not override your fundamental rights and freedoms. You may request a copy of our LIA by contacting us at privacy@storespine.com.

We will only send you marketing communications (such as newsletters, product updates, promotional offers, and educational content) where you have given us your explicit consent to do so, in compliance with the Privacy and Electronic Communications Regulations 2003 (PECR).

You can withdraw your consent to marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Updating your preferences in your account settings
• Contacting us at privacy@storespine.com

Withdrawing your consent to marketing will not affect the lawfulness of any processing carried out before withdrawal. Please note that even if you opt out of marketing communications, we may still send you essential service-related messages (such as security alerts, billing notifications, and changes to our terms), as these are necessary for the performance of our contract with you.

Our website and platform use cookies and similar tracking technologies. In accordance with PECR and UK GDPR, we request your consent before placing any non-essential cookies on your device.

Types of Cookies We Use

You can manage your cookie preferences at any time through the cookie banner displayed on our website, or by adjusting your browser settings. Please note that disabling strictly necessary cookies may prevent you from using core features of the platform.

Cloudflare, which provides our CDN and security services, may also set cookies for bot detection and security purposes. These are classified as strictly necessary cookies. For more information, see Cloudflare's Privacy Policy.

We do not sell your personal data to third parties. We share your data only with the third-party sub-processors listed below, solely for the purposes described. Each sub-processor is bound by a Data Processing Agreement (DPA) that ensures compliance with UK GDPR.

We may also share your data with law enforcement or regulatory authorities if we are required to do so by law, or if we believe in good faith that disclosure is necessary to comply with legal obligations, protect our rights, or prevent harm.

Your personal data is primarily stored and processed within the European Economic Area (EEA) on our servers hosted by Hetzner in Germany and AWS in Ireland. However, some of our sub-processors are based in the United States, which means your data may be transferred outside the UK.

Where data is transferred internationally, we ensure that appropriate safeguards are in place as required by UK GDPR Article 46:

• EU/EEA transfers: The UK recognises the EEA as providing adequate data protection under UK adequacy regulations. Transfers to Germany (Hetzner) and Ireland (AWS) are therefore permitted without additional safeguards.
• US transfers (Stripe, Resend, Anthropic, Cloudflare): These transfers are protected by the UK International Data Transfer Agreement (IDTA) and/or UK Addendum to the EU Standard Contractual Clauses (SCCs), which are approved by the ICO. We have executed appropriate agreements with each US-based sub-processor.

You may request a copy of the relevant transfer safeguards by contacting us at privacy@storespine.com.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods for each category of data are:

When data reaches the end of its retention period, it is securely deleted or anonymised so that it can no longer be associated with you.

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to exemptions under applicable law.

To exercise any of the rights described above, please contact us using one of the following methods:

• Email: privacy@storespine.com
• Post: Data Protection, Onlyintelligence Ltd, Office 13724, 182-184 High Street North, East Ham, London, E6 2JA, United Kingdom
• Phone: 02381 222 319

When submitting a request, please provide enough information for us to verify your identity (such as your full name and the email address associated with your account). We may request additional information to confirm your identity before processing your request.

We will respond to your request within one calendar month of receiving it. In complex cases or where we receive a high volume of requests, we may extend this period by up to two additional months, but we will inform you of any extension within the initial one-month period, along with the reasons for the delay.

There is no fee for exercising your rights in most circumstances. However, we may charge a reasonable fee if your request is manifestly unfounded or excessive, or if you request additional copies of your data under a Subject Access Request.

Our platform uses AI and machine learning to provide features such as content generation, campaign optimisation, and audience targeting suggestions. These features are designed to assist and augment your marketing activities, not to make decisions that produce legal or similarly significant effects on you.

Specifically:

• AI content generation: Claude AI generates suggested content based on your prompts. You always have the final decision on whether to use, edit, or discard any AI-generated content.
• Campaign analytics: We provide automated insights and recommendations about your campaign performance. These are advisory only and do not automatically take action on your behalf.
• Fraud detection: We use automated systems to detect potential fraudulent activity on accounts. If an account is flagged, a human member of our team reviews the case before any action is taken.

We do not currently make any solely automated decisions that produce legal effects or similarly significantly affect you, as defined under UK GDPR Article 22. If this changes in the future, we will update this policy and, where required, obtain your explicit consent.

StoreSpine is a business-to-business marketing platform and is not intended for use by individuals under the age of 16. In accordance with the UK GDPR and the Age Appropriate Design Code (Children's Code), we do not knowingly collect or process personal data from children under 16 years of age.

If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete that data from our systems. If you believe we may have collected data from a child under 16, please contact us immediately at privacy@storespine.com.

We take the security of your personal data seriously and implement appropriate technical and organisational measures in accordance with UK GDPR Article 32 to protect your data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
• Encryption at rest: Databases and backups are encrypted at rest using AES-256.
• Password security: User passwords are hashed using industry-standard algorithms (bcrypt) and are never stored in plain text.
• Access controls: Strict role-based access controls limit employee access to personal data to only those who need it to perform their duties.
• Infrastructure security: Our servers are hosted in SOC 2 and ISO 27001 certified data centres (Hetzner, Germany). Cloudflare provides DDoS protection and a Web Application Firewall.
• Regular backups: Automated daily backups with encrypted off-site storage.
• Monitoring: Continuous security monitoring and logging of access to personal data.
• Payment security: Payment card details are handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor. Card data never touches our servers.

While we implement strong security measures, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly addressing any security incidents in accordance with our data breach procedures.

In the event of a personal data breach, we will follow the procedures required by UK GDPR Articles 33 and 34:

• Notification to the ICO: Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach.
• Notification to affected individuals: Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify the affected individuals without undue delay, providing clear information about the nature of the breach, the likely consequences, and the measures we are taking to address it.
• Internal documentation: All breaches, regardless of severity, are documented in our internal breach register, including the facts, effects, and remedial actions taken.
• Remediation: We will take immediate steps to contain and investigate the breach, mitigate its effects, and prevent future occurrences.

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, legal requirements, or other factors. When we make changes:

• We will update the "Last updated" date at the top of this policy.
• For material changes that significantly affect how we process your data, we will notify you by email or through a prominent notice on our platform at least 30 days before the changes take effect.
• Where changes require your consent under UK GDPR, we will seek your consent before implementing those changes.

We encourage you to review this policy periodically to stay informed about how we protect your data. Your continued use of the Service after changes take effect constitutes your acknowledgement of the updated policy.

If you are unhappy with how we have handled your personal data, we would like the opportunity to resolve your concerns. Please contact our data protection team first at privacy@storespine.com and we will do our best to address your concerns.

However, you also have the right to lodge a complaint with the supervisory authority. In the UK, this is the Information Commissioner's Office (ICO):

You can raise a concern or make a complaint with the ICO at any time. However, we appreciate the chance to address your concerns before you approach the ICO, so please contact us in the first instance.

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please do not hesitate to contact us: