Goldilox

Privacy Policy

Effective Date: 11 April 2026  |  Last Updated: 11 April 2026

Your privacy matters. This Privacy Policy explains how Goldilox Ltd ("Goldilox", "we", "us") collects, uses, stores, shares, and protects your personal data when you use the Goldilox platform. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (Regulation 2016/679), and the Italian Privacy Code (Legislative Decree 196/2003 as amended by Legislative Decree 101/2018).

1. Data Controller

The data controller responsible for your personal data is:

Goldilox Ltd
Email: privacy@goldilox.co

If you are based in Italy or the European Economic Area (EEA), you may exercise your rights under the GDPR by contacting us at the address above.

2. Personal Data We Collect

2.1 Data You Provide Directly

  • Account Information: Name, email address, username, and password hash when you create an account.
  • Payment Information: Billing address and payment details processed by our third-party payment processor (Stripe). We do not store your full credit card number.
  • Communications: Any information you provide when you contact us via email, support forms, or other channels.
  • Preferences: Dashboard settings, notification preferences, and feature configurations.

2.2 Data Collected Automatically

  • Usage Data: Pages visited, features used, session duration, click patterns, and interaction data within the Platform.
  • Device and Technical Data: IP address, browser type and version, operating system, device type, screen resolution, language preferences, and time zone.
  • Cookies and Similar Technologies: See Section 8 (Cookie Policy) below.
  • Log Data: Server logs, error reports, and performance metrics.

2.3 Data from Third Parties

  • Authentication Providers: If you sign in using a third-party service (e.g., Google), we receive basic profile information as permitted by your settings with that provider.
  • Analytics Providers: Aggregated and pseudonymised data from analytics services.

3. Legal Bases for Processing

We process your personal data on the following legal bases under Article 6 of the GDPR:

Purpose                                        Legal Basis
Providing and operating the Platform           Performance of contract (Art. 6(1)(b))
Processing payments                            Performance of contract (Art. 6(1)(b))
Sending essential service communications       Performance of contract (Art. 6(1)(b))
Improving and optimising the Platform          Legitimate interest (Art. 6(1)(f))
Analytics and usage analysis                   Legitimate interest (Art. 6(1)(f))
Ensuring security and preventing fraud         Legitimate interest (Art. 6(1)(f))
Marketing communications                       Consent (Art. 6(1)(a))
Compliance with legal obligations              Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms.

4. How We Use Your Data

  • To create, maintain, and secure your account.
  • To provide, personalise, and improve the Platform and its features.
  • To process subscription payments and manage billing.
  • To communicate with you about your account, service updates, and respond to your enquiries.
  • To send marketing and promotional communications (only with your explicit consent, which you may withdraw at any time).
  • To conduct analytics, research, and generate aggregated, anonymised insights to improve our services.
  • To detect, prevent, and address fraud, abuse, security incidents, and technical issues.
  • To comply with applicable laws, regulations, and legal processes.

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your data with:

  • Service Providers: Third-party processors who assist us in operating the Platform (e.g., hosting providers, payment processors, email services, analytics providers). These processors act only on our instructions and are bound by data processing agreements compliant with Article 28 of the GDPR.
  • Legal Requirements: When required by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In connection with a merger, acquisition, reorganisation, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change.

We do not share your personal data with any Third-Party Broker. Any connection you make to a brokerage platform is initiated and controlled solely by you.

6. International Data Transfers

Your data may be transferred to and processed in countries outside the United Kingdom and the European Economic Area. Where such transfers occur, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK Information Commissioner's Office (ICO).
  • Adequacy decisions by the European Commission or the UK Secretary of State.
  • Other lawful transfer mechanisms under Chapter V of the GDPR.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

  • Account data: Retained for the duration of your account plus 2 years after deletion, unless longer retention is required by law.
  • Payment records: Retained for 7 years as required by UK and Italian tax law (HMRC requirements and Italian fiscal obligations).
  • Usage and analytics data: Retained in pseudonymised form for up to 26 months.
  • Marketing consent records: Retained for as long as your consent is valid plus 3 years.

When data is no longer required, it is securely deleted or anonymised.

8. Cookie Policy

We use cookies and similar tracking technologies on the Platform. Cookies are small text files placed on your device that help us provide and improve our services.

8.1 Types of Cookies We Use

  • Strictly Necessary Cookies: Essential for the Platform to function (e.g., authentication, security). These cannot be disabled.
  • Functional Cookies: Remember your preferences and settings to enhance your experience.
  • Analytics Cookies: Help us understand how visitors interact with the Platform using aggregated, anonymised data (e.g., Google Analytics with IP anonymisation enabled).
  • Marketing Cookies: Used only with your consent to deliver relevant content and measure campaign effectiveness.

8.2 Managing Cookies

You can manage your cookie preferences through your browser settings or through our cookie consent banner. Under the Privacy and Electronic Communications Regulations 2003 (PECR) and the EU ePrivacy Directive (2002/58/EC as amended), non-essential cookies require your consent. Disabling certain cookies may affect Platform functionality.

9. Your Rights

Under the UK GDPR, EU GDPR, and Italian data protection law, you have the following rights:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Right to Restrict Processing (Art. 18): Request that we limit how we use your data in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interest or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right Not to Be Subject to Automated Decision-Making (Art. 22): The Platform does not make decisions with legal or similarly significant effects based solely on automated processing of your personal data.

To exercise any of these rights, contact us at privacy@goldilox.co. We will respond within one month (extendable by two months for complex requests) as required by Article 12 of the GDPR.

10. Supervisory Authority

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the relevant supervisory authority:

  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
  • Italy: Garante per la protezione dei dati personali — garanteprivacy.it
  • Other EEA countries: Your local data protection authority.

11. Children's Privacy

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at privacy@goldilox.co.

12. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS), secure password hashing, access controls, and regular security assessments. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Platform at least 30 days before they take effect. Your continued use of the Platform after any changes constitutes acceptance of the updated policy.

14. Contact Us

For any questions, requests, or concerns about this Privacy Policy or our data practices:

Goldilox Ltd
Data Protection Enquiries
Email: privacy@goldilox.co

© 2026 Goldilox Ltd. All rights reserved.