This policy is provided for transparency. It does not constitute legal advice. If you need terms for your own SaaS product or a Data Processing Agreement (DPA), we can address those in your project contract.
1. Who we are
Addicted Software (“we”, “us”) operates addictedsoftware.com and delivers digital product engineering, design, and related professional services (including SaaS, mobile, and AI-enabled applications for clients). For the purposes of UK/EU data protection law, we are typically the data controller of personal data described in this policy when we decide why and how it is processed (for example, website visitors and business contacts). You can reach us about privacy through our contact page.
2. Scope
This policy applies to:
- Visitors to our website and users of our online forms;
- Individuals who communicate with us by email, phone, or messaging in a business context;
- Prospective and current clients, and their personnel, in connection with proposals, contracts, and delivery of services;
- Job applicants who apply via our careers flows or as directed in listings;
- Newsletter or marketing recipients where you have opted in or we rely on soft opt-in where permitted.
It does not govern your end users’ data inside your product when we build software for you: that is covered by your own privacy policy and, where applicable, a separate data processing agreement (DPA) with us (see section 6).
3. Categories of personal data
Depending on how you interact with us, we may process:
- Identity and contact: name, job title, company name, email, phone, billing or contract addresses where relevant;
- Communication content: messages, call notes, support tickets, and attachments you send us;
- Recruitment: CV, cover letter, portfolio links, interview notes, and references as applicable;
- Technical and usage: IP address, browser and device type, operating system, referral URL, pages viewed, and approximate location derived from IP;
- Cookies and similar technologies: as set out in our Cookie Policy and your cookie choices;
- Financial: bank or payment references only where needed for invoicing and anti-fraud checks (we do not store full card data on our marketing site).
4. Purposes and legal bases (GDPR)
We process personal data on the following bases where the UK/EU GDPR applies:
- Performance of a contract or pre-contract steps: scoping work, delivering services, invoicing, and account management;
- Legitimate interests: operating and securing our IT systems and website, fraud prevention, quality assurance, limited business analytics, and telling you about services similar to those you already use (where allowed); we balance these against your rights;
- Consent: non-essential cookies, certain marketing, and optional tools where consent is the appropriate basis;
- Legal obligation: tax, accounting, and regulatory record-keeping;
- Vital or public interest: only in rare situations required by law.
5. Client projects and hosting (processor role)
When we design, build, host, or operate environments on your behalf and process personal data only according to your instructions, we act as a processor and our obligations are defined in your statement of work, master services agreement, and (where required) a DPA including subject-matter, duration, nature and purpose of processing, types of data, and your obligations as controller. We assist with appropriate technical and organisational measures and support you in responding to data subject requests where contractually agreed.
6. Artificial intelligence and automation
We may use AI-assisted tools (for example, code assistance, documentation drafting, or internal productivity) in line with our security and confidentiality standards. Outputs are reviewed by our team; we do not rely on fully automated decisions that produce legal or similarly significant effects about you without human involvement. If we introduce new tools that process personal data in a materially different way, we will update this policy or notify you as appropriate.
For products we build for clients that include AI features (e.g. LLM-based assistants), privacy notices, model behaviour, and subprocessor lists are your responsibility as product owner unless otherwise agreed in writing.
7. Retention
We retain data only as long as necessary for the purposes collected, including: active client records for the engagement plus statutory limitation periods; enquiry and CRM data for a reasonable period for follow-up; recruitment data for the campaign plus a limited period unless you ask us to delete sooner; logs on a rolling schedule; and financial records as required by tax law. When retention ends, we delete or anonymise data where feasible.
8. Recipients, subprocessors, and transfers
We share personal data with categories of recipients such as: cloud hosting and infrastructure providers, email and collaboration tools, analytics providers (where you consent), applicant tracking or HR tools, and professional advisers where required. We use subprocessors under written terms that require appropriate security and, for processors, instructions consistent with GDPR.
Where data is transferred outside the UK or EEA, we use mechanisms such as the UK IDTA/addendum or EU Standard Contractual Clauses, transfer impact assessments where appropriate, and supplementary measures as needed. You may request a summary of key subprocessors relevant to your engagement via our contact page.
9. Security
We apply technical and organisational measures appropriate to the risk, including access controls, encryption in transit where standard for the service, backups, patching, and staff training. No system is perfectly secure; we monitor and improve our posture and will notify you and, where required, supervisory authorities and data subjects of a personal data breach affecting your project in accordance with law and contract.
10. Your rights
Subject to conditions in applicable law, you may have the right to: access, rectification, erasure, restriction of processing, objection (including to direct marketing), data portability, and to withdraw consent without affecting prior lawful processing. You may lodge a complaint with a supervisory authority (for example, in your country of residence).
To exercise rights, use our contact page. We may need to verify your identity. We respond within statutory time limits (typically one month for GDPR, subject to extension for complex requests).
11. Marketing
We send commercial email only where permitted (consent or legitimate interest for similar services, as applicable). Every marketing email includes an unsubscribe or preference link. You may also object at any time via our contact page.
12. Children
Our website and B2B services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it promptly.
13. Business transfers
If we are involved in a merger, acquisition, or asset sale, personal data may be transferred as a business asset. We will require the successor to honour this policy or notify you of changes as required by law.
14. Changes
We may update this policy to reflect legal, technical, or business changes. We will revise the “Last updated” date and, where changes are material, provide additional notice (for example, a banner or email where we have your contact details).
15. Contact
Questions about this Privacy Policy: Contact us.