We're committed to protecting your privacy and being transparent about how we handle your data.
Effective date: January 1, 2024
Controller: Letsy Formation Ltd ("Letsy", "we", "us")
Registered office: [Insert registered office address]
Company number: [Insert number]
Contact (privacy/DPO): [Insert DPO or privacy email]
Scope: UK GDPR and Data Protection Act 2018
This Policy explains how we collect, use, disclose, and protect personal data when you use Letsy's websites, APIs, dashboard, and services.
Account creation, dashboard usage, and support requests
When you are a Partner, you send officer/PSC data to Letsy
Cookies, logs, analytics, service providers (IDV vendors), and public sources (Companies House)
Purpose | Legal basis |
---|---|
Provide the Services (formations, webhooks, VO services) | Contract necessity |
Identity verification & AML/ECCTA obligations | Legal obligation; substantial public interest where applicable |
Security, fraud prevention, audit logs | Legitimate interests; legal obligation |
Billing, invoicing, account management | Contract necessity; legitimate interests |
Improve Services (analytics, troubleshooting) | Legitimate interests |
Marketing communications | Consent (you can withdraw at any time) |
Legal claims & compliance | Legitimate interests; legal obligation |
Important: We do not routinely process special category data. Do not submit such data unless requested for compliance and permitted by law.
We may share personal data with:
We do not sell personal data.
Where data is transferred outside the UK/EEA, we use approved safeguards (UK adequacy regulations, ICO-approved Standard Contractual Clauses, or equivalent). Details are available on request.
We keep personal data only as long as necessary:
At least 5 years after the end of the business relationship (AML requirement)
Duration of contract + statutory limitation periods
Per our internal retention schedules
We implement technical and organisational measures appropriate to risk (encryption in transit, access controls, least privilege, monitoring, backups). No system is 100% secure.
Contact: [Insert privacy/DPO email]. We may need to verify your identity.
We use necessary cookies and, with consent, analytics cookies to improve the site. See our Cookie Policy: [Insert URL]. You can manage preferences via our banner or your browser.
Our Services are for businesses and are not directed to children under 16. Do not submit children's data.
We do not rely on solely automated decisions producing legal effects. Where automated risk scoring is used, human review is available.
Where we process personal data on behalf of Partners, we act as processor under a Data Processing Addendum (DPA). Partners are responsible for providing privacy notices and obtaining required consents from their users.
We use vetted subprocessors to deliver the Services. Current list: [Insert URL to subprocessor list]. We impose contractual obligations and security requirements on all subprocessors.
We may update this Policy from time to time. We will post the updated version with a new effective date. Significant changes may be notified by email or dashboard notice.
Data protection contact / DPO: [Insert name/email]
Postal: [Insert address]
You may complain to the UK ICO if you believe we have not complied with data protection law: https://www.ico.org.uk
If you have any questions about this Privacy Policy or how we handle your data, please don't hesitate to contact us.