Didov Limited trading as ReadyToday (“we”, “us”, “our”) is the data controller for personal data processed through the Custal customer portal (“Portal”). We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR).
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights in relation to it.
1. Personal Data We Collect
1.1 Account and Profile Data
When you register for and use the Portal, we collect:
- Full name, first name, and last name
- Email address
- Phone number (optional)
- Job title (optional)
- Profile picture URL (if you sign in via Google or Microsoft)
1.2 Company Information
When your company is registered on the Portal, we collect:
- Company name, email, and phone number
- Registered address and billing address
- Company registration number and VAT number (optional)
- Website URL (optional)
1.3 Transactional Data
Through the course of our business relationship, we process data relating to:
- Quotes and quote requests (items, quantities, pricing, status, dates)
- Invoices (items, amounts, VAT, payment status, due dates)
- Contracts (values, terms, renewal dates)
- Deliveries (items, tracking numbers, delivery addresses, status)
- Subscriptions (status, pricing, billing periods)
1.4 AI Support Chat Data
When you use the AI support chat, we collect and store:
- The full text of your messages and the AI’s responses
- A contextual snapshot of your account at the time of each conversation (including summary counts and values of your quotes, invoices, contracts, deliveries, and subscriptions)
1.5 Technical and Usage Data
- Authentication data (session tokens, OAuth provider identifiers)
- Audit logs recording actions performed within the Portal (e.g. quote approvals, invoice views)
- Timestamps of account activity
2. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Lawful Basis (UK GDPR) |
|---|---|
| Providing the Portal and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Processing quotes, invoices, and payments | Performance of a contract (Art. 6(1)(b)) |
| Providing AI-powered customer support | Legitimate interest (Art. 6(1)(f)) — efficient customer service |
| Sending transactional emails (invoice notifications, quote updates, payment confirmations) | Performance of a contract (Art. 6(1)(b)) |
| Maintaining audit logs for security and compliance | Legitimate interest (Art. 6(1)(f)) — security and fraud prevention |
| Compliance with legal obligations (e.g. tax records, financial regulations) | Legal obligation (Art. 6(1)(c)) |
3. Who We Share Your Data With
We share your personal data with the following categories of third-party service providers (data processors), each of whom processes data on our behalf and under our instructions:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (database and authentication) | Hosting all Portal data; managing user authentication | All personal and transactional data described in Section 1 |
| Stripe (payment processing) | Processing invoice payments and managing subscriptions | Name, email, phone, address, invoice details, subscription data |
| Microsoft Azure Communication Services (email) | Delivering transactional emails | Email addresses, email content (which may include names, invoice/quote details, and portal links) |
| Google / Microsoft (OAuth authentication) | Enabling sign-in via your Google or Microsoft account | Authentication request only; we receive your email, name, and profile picture |
| AI language model provider (via LiteLLM proxy) | Powering the AI support chat | Chat messages, company name, and summarised account data (counts and values of quotes, invoices, contracts, deliveries, subscriptions). Shared on demand: detailed quote, invoice, contract, delivery, and subscription information. We do not share your email, phone number, or password with the AI provider. |
We do not sell your personal data to any third party. We do not share your data with third parties for their own marketing purposes.
4. International Data Transfers
Some of our service providers may process your data outside the United Kingdom and European Economic Area. Where this occurs, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office or the European Commission
- Adequacy decisions where the recipient country has been deemed to provide an adequate level of data protection
- The service provider’s binding corporate rules or equivalent safeguards
5. Cookies
The Portal uses only strictly necessary cookies for authentication and session management. These cookies are essential for the Portal to function and cannot be switched off. They include:
- Authentication session cookies — to keep you securely signed in
- OAuth security cookies — to protect the sign-in flow when using Google or Microsoft login (temporary, removed after sign-in completes)
We do not use any analytics, advertising, or third-party tracking cookies. Because we only use strictly necessary cookies, a cookie consent banner is not required under applicable regulations.
6. Data Retention
We retain your personal data as follows:
- Account and profile data: retained for the duration of your account and for a reasonable period thereafter to fulfil any outstanding obligations.
- Transactional data (invoices, quotes, contracts): retained for a minimum of six (6) years after the end of the financial year in which the transaction occurred, in line with UK tax and accounting requirements.
- AI chat messages: retained for the duration of the business relationship to provide continuity of support and for quality improvement purposes.
- Audit logs: retained for a minimum of two (2) years for security and compliance purposes.
When data is no longer required, it will be securely deleted or anonymised.
7. Your Rights
Under the UK GDPR and, where applicable, the EU GDPR, you have the following rights in relation to your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete personal data. You can update some information directly through your Portal profile.
- Right to erasure — request deletion of your personal data where there is no compelling reason for its continued processing, subject to legal retention requirements.
- Right to restrict processing — request that we limit how we use your data in certain circumstances.
- Right to data portability — request your personal data in a structured, commonly used, machine-readable format.
- Right to object — object to processing based on legitimate interests, including in relation to the AI support chat feature.
- Rights related to automated decision-making — the AI support chat provides informational assistance only and does not make automated decisions that produce legal or similarly significant effects.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one (1) month.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS)
- Row-level security at the database level, ensuring you can only access data belonging to your own company
- Role-based access controls within the Portal
- Input validation and sanitisation
- Audit logging of significant actions
- Secure authentication via JWT tokens stored in HTTP-only cookies
9. Children’s Data
The Portal is a B2B service not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the Portal or by email. The “Last updated” date at the top of this page indicates when this policy was last revised.
11. Complaints
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the relevant supervisory authority:
- UK: Information Commissioner’s Office (ICO) — ico.org.uk
- EU: Your local data protection authority
12. Contact Us
For any questions about this Privacy Policy or to exercise your data protection rights, please contact us:
- Email: [email protected]
- Phone: 03333 404 600