Omni Tend SaaS Platform Privacy Policy

Effective Date: 14 November 2025

This Privacy Policy explains how Omni Tend Ltd, Company Number: 15219162 collects, processes, stores, and protects personal and business data through its SaaS platform omnitend.io ("Platform"). This Policy is distinct from our general website Privacy Policy and applies to users of the Platform ("Customer", "you", or "your").

Account Holders: Only individuals aged 18 and over may create an Omni Tend account and use the Platform.

End-Customer Data Processing: Where you process personal data of your end-customers (including those under 18) through the Platform—whether via your web shop, point of sale system, or any other sales channel—you remain the Data Controller and are solely responsible for compliance with applicable laws regarding the processing of personal data, including obtaining any necessary parental consent for processing children's data under applicable data protection laws.

Omni Tend acts as:

• Data Controller: for personal information collected for account registration, billing, and communication purposes.
• Data Processor: for any data uploaded or managed by Customers using the Platform.

We are committed to full compliance with the UK Data Protection Act 2018 and the European Union General Data Protection Regulation (EU) 2016/679, GDPR.

1. Personal and Customer Data We Collect

We collect the following data depending on your use of the Platform:

• Account registration data: name, email address, company details, billing address, and password.
• Payment information: credit card, bank, or invoicing information (processed securely via payment processors).
• Platform usage data: login history, feature usage, API interactions, errors, and support requests.
• Customer-uploaded data: files, records, or other content uploaded or stored by you or your users, including:
  • End-customer data from web shops operated through the Platform (e.g., contact details, order information, marketing preferences)
  • Business data and records managed through the Platform
• Communication data: support tickets, emails, chat logs, and other communications with Omni Tend.
• Device and connection data: IP address, browser type, operating system, and usage metrics.

All personal data is collected directly from you or your authorised users, unless we have obtained consent or are legally required to collect it from a third party.

2. How We Use Your Data

Omni Tend uses collected data for the following purposes, in accordance with GDPR Article 6:

• Providing and improving the Platform services, including hosting, analytics, and support.
  Legal basis: Performance of contract (Art. 6(1)(b))

• Billing, invoicing, and payment processing.
  Legal basis: Performance of contract (Art. 6(1)(b))

• Communication regarding account activity, updates, and support requests.
  Legal basis: Performance of contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f))

• Compliance with legal obligations and dispute resolution.
  Legal basis: Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f))

• Security, fraud detection, and maintaining integrity of the Platform.
  Legal basis: Legitimate interests (Art. 6(1)(f)) - protecting our services and users from security threats

• Marketing communications (where you have provided consent).
  Legal basis: Consent (Art. 6(1)(a)) - you may withdraw consent at any time through your account settings on the Platform, by emailing privacy@omnitend.com, or by using the unsubscribe link provided in all marketing communications

3. Data Sharing and Third Parties

We may share personal data in the following circumstances:

• Service providers: hosting, data storage, analytics, email, payment, and support services.
• Legal requirements: courts, regulatory authorities, or law enforcement, as required by law.
• Business transfers: in the event of a merger, acquisition, or sale of assets (with appropriate safeguards).

All third parties processing your data on our behalf are required to comply with GDPR and UK data protection obligations, and only process data according to our written instructions.

Sub-Processors

We engage sub-processors in the following categories to provide the Platform services:

• Cloud infrastructure providers - hosting, databases, and content delivery
• Email service providers - transactional email delivery
• Payment processors - payment processing and billing
• Communication providers - SMS and messaging services
• Backup service providers - data backup and disaster recovery
• Monitoring and alerting services - internal system monitoring

All sub-processors are bound by data processing agreements with obligations equivalent to those in our GDPR Data Processing Addendum. Where sub-processors are located outside the UK/EEA, appropriate safeguards (such as Standard Contractual Clauses) are in place.

For an up-to-date list of sub-processors, please contact privacy@omnitend.com.

4. Responsibilities as a Data Processor

Dual Processing Roles

Omni Tend acts as a Data Processor for data you upload and manage through the Platform. This includes:

• Your business data: Customer records, inventory, business documents
• Your customers' personal data: When you operate a web shop through our Platform, we process personal data of your end-customers (web shop visitors and purchasers) on your behalf

Important: You remain the Data Controller for your end-customers' data. You are responsible for:

• Providing privacy notices to your end-customers
• Obtaining necessary consents (e.g., marketing consent for SMS/email)
• Ensuring lawful processing of their data
• Responding to data subject requests from your end-customers

Our Commitments as Your Data Processor

• We process your data and your end-customers' data only on your instructions.
• We implement technical and organisational measures to ensure the security and confidentiality of all data.
• We notify you of any personal data breaches affecting your data without undue delay upon becoming aware.
• Sub-processors are authorised in writing, and we ensure they meet the same data protection standards (see Section 3).
• We assist you in responding to data subject requests from your end-customers where reasonably possible.
• Upon termination, we delete or return your data as per your instructions and our retention policy.

GDPR Data Processing Addendum: Our SaaS Terms of Service incorporate by reference our comprehensive Data Processing Addendum (available at https://omnitend.com/gdpr-dpa), which governs how we process data on your behalf as a data processor. A copy is available upon request by emailing privacy@omnitend.com.

5. Customer Rights

Note for End-Customers: If you are a customer of a business that uses our Platform (i.e., you purchased from a shop powered by Omni Tend), you should direct your data subject rights requests to that business directly, not to Omni Tend. The business is the Data Controller for your personal data. We only process your data on their instructions as a Data Processor.

For Omni Tend Account Holders: Under GDPR and UK Data Protection law, you have the following rights:

• Right of access (Art. 15): Request access to your personal data and receive a copy in a structured, commonly used format.

• Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.

• Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention requirements or legitimate business needs.

• Right to restriction of processing (Art. 18): Request that we limit processing of your personal data in certain circumstances (e.g., while we verify accuracy).

• Right to data portability (Art. 20): Receive your personal data in a structured, machine-readable format and transmit it to another controller.

• Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.

• Right to withdraw consent (Art. 7(3)): Withdraw consent for any consent-based processing at any time without affecting prior lawful processing. You may withdraw consent through your account settings on the Platform, by emailing privacy@omnitend.com, or (for marketing communications) using the unsubscribe link in emails.

All other data subject rights requests should be submitted to privacy@omnitend.com. We will respond to requests within one month as required by GDPR, or inform you if an extension is necessary.

6. Data Security and Retention

Security Measures

• Data is protected through encryption, secure hosting practices, access controls, and audit logging.
• Only authorised Omni Tend personnel and contractors with a legitimate need have access to personal or Customer data.
• Customers are responsible for the security of their accounts and credentials.

Data Retention Periods

We retain different categories of data for specific periods:

• Account registration data: Retained for 30 days after account termination or deletion request, unless longer retention is required by applicable law or for legitimate business purposes such as defending legal claims, resolving payment disputes, or tax and regulatory compliance.

• Billing and financial records: Retained for 7 years after the last transaction, in compliance with UK tax and accounting regulations.

• Platform usage logs and monitoring data: Retained for 12 months for security, debugging, and service improvement purposes.

• Support communications: Retained for 3 years to maintain service quality and handle potential disputes.

• Customer-uploaded data (including end-customer data processed on behalf of Customers): Deleted within 30 days after account termination, or immediately upon Customer request, unless longer retention is required by applicable law or for legitimate business purposes such as defending legal claims, resolving disputes, or regulatory compliance. Data in backup systems may be retained for up to 180 days following normal backup deletion cycles.

• Payment processor data: Retained according to the payment processor's retention policies and legal requirements.

After these periods, data is securely deleted or anonymised beyond recovery.

7. Cookies and Analytics

• The Platform may use cookies and tracking tools for performance monitoring, analytics, and improving user experience.
• Third-party analytics providers may process aggregate, anonymised data.
• For more information, please see our Cookies Policy.

8. International Data Transfers

• Data may be processed outside the UK or EU, including by third-party service providers.
• Such transfers are safeguarded via Standard Contractual Clauses (EU Commission SCCs and UK International Data Transfer Addendum for UK personal data) or equivalent approved mechanisms.

9. Automated Decision-Making and Profiling

Omni Tend does not use automated decision-making or profiling that produces legal effects or similarly significantly affects Customers or end-customers.

All decisions regarding your account, services, or data processing involve human review and oversight.

10. Data Protection Officer

For data protection matters, you can contact our Data Protection Officer:

Data Protection Officer
Email: dpo@omnitend.com

The DPO is responsible for monitoring compliance with GDPR and UK Data Protection law, and is available to answer questions about how we process your data.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe we have not complied with data protection laws.

UK Supervisory Authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: https://ico.org.uk
Helpline: 0303 123 1113

EU Supervisory Authorities:
If you are located in the EU, you may contact your local data protection authority.

12. Contact Information

For privacy questions, complaints, or GDPR/UK Data Protection requests:

Omni Tend Ltd
Company Number: 15219162
22 Earsham Street, Bungay, Suffolk, United Kingdom, NR35 1AG
Email: privacy@omnitend.com

For data protection matters, contact our Data Protection Officer at dpo@omnitend.com.