Privacy Policy
Last updated: 1 March 2026
1. Who We Are
ManufactureIQ (“we”, “us”, “our”) is the data controller for personal data processed through our platform at www.manufactureiq.org.uk. We are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For all data protection enquiries, please contact us at: hello@manufactureiq.org.uk
2. Data We Collect
We collect the following categories of personal data:
- Account data — name, work email address, company name, job role, and hashed password
- Financial data — revenue, costs, margins, and other figures you upload or enter into the platform
- ESG data — emissions, energy use, workforce metrics, health & safety records, and production data you submit
- Usage data — pages visited, features used, timestamps, browser type, and IP address
- Billing data — subscription plan, payment status, and invoice history (card details are processed and held exclusively by Stripe — we do not store card numbers)
- Communications — emails and messages you send to our support address
- Audit log data — records of actions taken within your account for security and compliance purposes
3. Lawful Basis for Processing (UK GDPR Art. 6)
We process personal data only where we have a valid lawful basis. The basis for each processing activity is:
| Processing Activity | Lawful Basis |
|---|---|
| Providing the Service (account, reports, AI insights) | Contract (Art. 6(1)(b)) |
| Processing subscription payments | Contract (Art. 6(1)(b)) |
| Sending transactional emails (password reset, invitations, welcome) | Contract (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Improving and developing the platform | Legitimate interests (Art. 6(1)(f)) |
| Retaining billing records | Legal obligation (Art. 6(1)(c)) — UK tax law |
| Marketing emails (if opted in) | Consent (Art. 6(1)(a)) |
4. Data Retention Schedule
We retain personal data only for as long as necessary. Our retention schedule is:
- Account and profile data — retained while your account is active; deleted within 30 days of account closure upon request
- Financial and ESG data — retained for 7 years to meet HMRC requirements, then deleted
- ESG environmental/workforce data — retained for 5 years in line with UK ESG reporting best practice
- Billing and invoice records — retained for 7 years to comply with UK tax law
- Audit logs — retained for 3 years for security and compliance purposes
- Support communications — retained for 2 years, then deleted
You may request an export of your Customer Data within 30 days of account termination. After this period, data may be permanently deleted without recovery.
5. Third-Party Sub-Processors
We use the following trusted sub-processors. By using the Service, you consent to these transfers. We have data processing agreements in place with each sub-processor.
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Database & file storage | EU (Frankfurt) | Adequacy (EEA) |
| Railway | Backend application hosting | EU / US | Standard Contractual Clauses |
| Vercel | Frontend hosting & CDN | EU / US | Standard Contractual Clauses |
| Stripe | Payment processing | EU / US | Adequacy + SCCs |
| Resend | Transactional email delivery | US | Standard Contractual Clauses |
| AI Processing Partner | AI report & insights generation | US | Standard Contractual Clauses |
We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.
6. International Data Transfers
Some of our sub-processors are located outside the UK. Where we transfer personal data outside the UK, we ensure that appropriate safeguards are in place, including UK International Data Transfer Agreements (IDTAs), Standard Contractual Clauses (SCCs), or adequacy regulations made under the UK GDPR. You may request a copy of the applicable transfer safeguards by emailing hello@manufactureiq.org.uk.
7. Your Rights Under UK GDPR
You have the following rights in respect of your personal data:
- Right of Access (Art. 15) — request a copy of the personal data we hold about you
- Right to Rectification (Art. 16) — correct inaccurate or incomplete data
- Right to Erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”) where no overriding legal basis applies
- Right to Restrict Processing (Art. 18) — ask us to restrict processing in certain circumstances
- Right to Data Portability (Art. 20) — receive your data in a structured, machine-readable format (JSON/CSV)
- Right to Object (Art. 21) — object to processing based on legitimate interests, including profiling
- Right to Withdraw Consent (Art. 7(3)) — withdraw consent at any time where processing is consent-based, without affecting the lawfulness of prior processing
To exercise any of these rights, email us at hello@manufactureiq.org.uk with the subject line “Data Subject Request”. We will respond within 30 calendar days. Where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse, providing written reasons.
8. Cookies
We use essential cookies to maintain your login session and remember your display preferences. We do not use third-party advertising, tracking, or analytics cookies. For full details, see our Cookie Policy. You can disable cookies in your browser settings, but this will prevent you from logging in to the platform.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including: encrypted connections (HTTPS/TLS 1.2+), bcrypt password hashing, role-based access controls, regular dependency updates, and audit logging of sensitive operations. Access to production databases is restricted to authorised personnel only.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware, in accordance with our obligations under UK GDPR Art. 33–34.
10. Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We would, however, appreciate the opportunity to address your concerns directly before you approach the ICO. Please contact us first at hello@manufactureiq.org.uk.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by email or in-app notice at least 14 days before they take effect. The current version will always be available at www.manufactureiq.org.uk/privacy.