Privacy Policy

1. Introduction

1.1 Who We Are

This Privacy Policy explains how Oventro Technologies Ltd (trading as "ConsentProof"), a company registered in England and Wales (Company Number: 16737923) with its registered office at 14 Albemarle Street, London, W1S 4HL, United Kingdom ("we", "us", "our", or "ConsentProof") collects, uses, stores, and protects your personal information.

1.2 Our Commitment to Privacy

We are committed to protecting your privacy and complying with:

• UK General Data Protection Regulation (UK GDPR)
• EU General Data Protection Regulation (EU GDPR)
• Data Protection Act 2018
• Privacy and Electronic Communications Regulations (PECR)
• All applicable data protection and privacy laws

1.3 Scope of This Policy

This Privacy Policy applies to:

• Our website at https://consentproof.io
• Our API and developer services
• Our dashboard and user interfaces
• All services provided by ConsentProof (collectively, the "Service")

1.4 Important Notice

2. Data Controller and Contact Information

2.1 Data Controller

The data controller responsible for your personal information is:

Oventro Technologies Ltd (trading as ConsentProof)
Company Number: 16737923
Registered Office: 14 Albemarle Street, London, W1S 4HL, United Kingdom

2.2 Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

• Legal & Privacy: legal@consentproof.io
• General Support: support@consentproof.io
• Postal Address: 14 Albemarle Street, London, W1S 4HL, United Kingdom

2.3 Data Protection Officer

We are not currently required to appoint a Data Protection Officer under UK GDPR. If this changes, we will update this Privacy Policy with their contact details.

2.4 Supervisory Authority

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

ICO Contact Information:
Website: https://ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

3. What Personal Data We Collect

3.1 Information You Provide Directly

When you create an account, use our Service, or contact us, we collect:

(a) Account Registration Information:

• Full name
• Email address
• Password (encrypted)
• Company name (if registering as a business)
• Country/location
• Phone number (optional)

(b) Payment Information:

• Payment card details (stored securely by Stripe, our payment processor - we do NOT store full card details)
• Billing address
• VAT number (if provided)
• Purchase history and transaction records

(c) Profile and Preferences:

• Account settings and preferences
• Communication preferences
• Dashboard customizations
• API key names and descriptions (not the keys themselves)

(d) Communications:

• Support tickets and correspondence
• Feedback and survey responses
• Messages sent through contact forms
• Email communications with our team

(e) Business Information (for Enterprise customers):

• Company size and industry
• Use case and implementation details
• Custom contract requirements

3.2 Information Collected Automatically

When you use our Service, we automatically collect:

(a) Technical Information:

• IP address
• Browser type and version
• Device type and operating system
• Screen resolution
• Time zone setting
• Browser plug-in types and versions

(b) Usage Information:

• Pages visited on our website
• Features used in the Dashboard
• API calls made (endpoint, timestamp, response codes)
• Time and date of access
• Referring website/source
• Click patterns and navigation paths

(c) API Usage Data:

• API key identifiers (hashed)
• Request/response logs
• Rate limit tracking
• Error logs and debugging information
• Consent records stored (as your Data Processor)

(d) Cookies and Similar Technologies:

• We use minimal essential cookies only
• Local storage for Dashboard functionality
• Session authentication tokens

3.3 Information from Third Parties

We may receive information about you from:

(a) Stripe (Payment Processor):

• Payment confirmation and transaction status
• Fraud detection signals
• Chargeback and dispute information

(b) Public Sources:

• Company information verification (for business accounts)
• Publicly available professional information

3.4 Sensitive Personal Data

We do NOT knowingly collect or process sensitive personal data (also known as "special categories" of personal data under GDPR), including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, sex life or sexual orientation, or criminal convictions or offenses.

If you inadvertently provide sensitive personal data, please contact us immediately at legal@consentproof.io.

3.5 Children's Data

Our Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal data from a child under 18, we will delete it immediately. If you believe we have collected data from a child, please contact us at legal@consentproof.io.

4. How We Use Your Personal Data

4.1 Legal Bases for Processing

We process your personal data under the following legal bases as required by UK GDPR Article 6:

• Contractual Necessity (Article 6(1)(b)): Processing necessary to perform our contract with you (our Terms & Conditions)
• Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests (specified below)
• Legal Obligation (Article 6(1)(c)): Processing required to comply with legal obligations
• Consent (Article 6(1)(a)): Processing based on your explicit consent (which you can withdraw at any time)

4.2 Purposes of Processing

(a) To Provide the Service (Legal Basis: Contractual Necessity)

• Create and manage your account
• Process your API requests
• Generate cryptographic proofs and PDF Consent Certificates
• Store and retrieve your consent records
• Provide access to the Dashboard
• Deliver webhook notifications
• Enable data export functionality

(b) To Process Payments (Legal Basis: Contractual Necessity)

• Process subscription payments
• Issue invoices and receipts
• Manage billing cycles and renewals
• Handle refund requests (per our no-refund policy)
• Detect and prevent payment fraud

(c) To Communicate with You (Legal Basis: Contractual Necessity & Legitimate Interests)

• Send service-related notifications (downtime, maintenance, security alerts)
• Respond to your support requests and inquiries
• Send account-related emails (password resets, billing notifications)
• Provide technical support and troubleshooting
• Send important updates about the Service or these policies

(d) To Improve and Develop the Service (Legal Basis: Legitimate Interests)

• Analyze usage patterns to improve features
• Identify and fix bugs and technical issues
• Develop new features and functionality
• Conduct internal research and analytics
• Optimize performance and user experience
• Test new features and improvements

(e) For Security and Fraud Prevention (Legal Basis: Legitimate Interests & Legal Obligation)

• Detect and prevent fraud, abuse, and security incidents
• Monitor for unauthorized access or suspicious activity
• Investigate Terms & Conditions violations
• Protect against malicious, deceptive, or illegal activity
• Enforce our Terms & Conditions
• Comply with security best practices

(f) For Marketing (Legal Basis: Consent or Legitimate Interests under PECR soft opt-in)

• Send promotional emails about new features or services (you can opt out)
• Display your company name/logo as a customer (unless you opt out)
• Create case studies or testimonials (with your explicit consent)
• Conduct customer surveys and feedback requests

(g) For Legal Compliance (Legal Basis: Legal Obligation)

• Comply with court orders, legal process, or regulatory requests
• Respond to law enforcement or government agency requests
• Maintain records for tax and accounting purposes
• Comply with anti-money laundering (AML) and know-your-customer (KYC) requirements
• Meet regulatory reporting obligations

(h) For Business Operations (Legal Basis: Legitimate Interests)

• Manage our business relationship with you
• Process corporate transactions (mergers, acquisitions)
• Maintain accurate financial and business records
• Exercise or defend legal claims
• Conduct audits and compliance reviews

4.3 Automated Decision-Making

We use limited automated decision-making for:

(a) Fraud Detection:

• Automated systems flag suspicious payment patterns or account activity
• You have the right to request human review of any automated decision

(b) Rate Limiting:

• Automated systems enforce API rate limits based on your subscription plan
• This is necessary to ensure fair usage and system stability

We do NOT use automated decision-making that produces legal effects or similarly significantly affects you without human involvement.

5. How We Share Your Personal Data

5.1 General Principle

We do NOT sell, rent, or trade your personal data to third parties for marketing purposes.

5.2 When We Share Data

We share your personal data only in the following limited circumstances:

(a) Service Providers and Sub-Processors (Article 28 GDPR)

We engage trusted third-party service providers to help us deliver the Service:

Security certifications of our sub-processors:

• Stripe: PCI-DSS Level 1, SOC 2 Type II, ISO 27001
• Render: SOC 2 Type II compliant, uses AWS infrastructure (ISO 27001, SOC 2 Type II certified)

All sub-processors are bound by data processing agreements that require them to:

• Process data only on our instructions
• Implement appropriate security measures
• Maintain confidentiality
• Comply with GDPR requirements

We will notify you of any changes to our sub-processors. You can object to new sub-processors on reasonable data protection grounds.

(b) Legal Requirements and Law Enforcement

We may disclose your personal data if required by law or in response to:

• Court orders, subpoenas, or legal process
• Law enforcement or government agency requests
• Regulatory investigations or inquiries
• National security requirements
• Legal obligations under UK or EU law

We will notify you of such requests unless legally prohibited.

(c) Protection of Rights and Safety

We may disclose personal data to:

• Enforce our Terms & Conditions
• Investigate fraud, security incidents, or Terms violations
• Protect our legal rights and property
• Protect the safety of our users or the public
• Defend against legal claims

(d) Business Transfers

If we are involved in a merger, acquisition, asset sale, bankruptcy, or corporate reorganization:

• Your personal data may be transferred to the successor entity
• We will notify you before your data is transferred
• The successor will be bound by this Privacy Policy (or will provide notice of changes)

(e) With Your Consent

We may share your personal data with third parties when you explicitly consent, such as:

• Using your company name/logo in marketing materials (with opt-out)
• Creating case studies or testimonials (with explicit approval)
• Integrating with third-party tools you authorize

5.3 International Data Transfers

(a) Data Storage Location:

Your personal data is primarily stored in the European Union (Frankfurt, Germany) on infrastructure provided by Render Services, Inc., which uses AWS data centers.

(b) Transfers Outside UK/EEA:

Some sub-processors (e.g., Stripe) are located outside the UK/EEA. When we transfer data internationally, we ensure appropriate safeguards:

• Standard Contractual Clauses (SCCs): Approved by the UK ICO and European Commission
• EU-U.S. Data Privacy Framework: For transfers to certified U.S. organizations
• Adequacy Decisions: For countries deemed to provide adequate data protection
• Additional Security Measures: Encryption, access controls, and contractual protections

You have the right to request copies of the safeguards we use for international transfers by contacting legal@consentproof.io.

(c) Your Rights Regarding Transfers:

You can object to international data transfers on reasonable grounds. If we cannot accommodate your objection, you may terminate your account (subject to our no-refund policy).

6. How Long We Keep Your Data

6.1 Retention Principles

We retain your personal data only for as long as necessary to:

• Provide the Service to you
• Comply with legal obligations
• Resolve disputes and enforce our agreements
• For legitimate business purposes

6.2 Retention Periods

6.3 Deletion Process

When retention periods expire:

• Data is permanently deleted from production systems
• Backup copies are overwritten during normal rotation
• Deletion is irreversible and cannot be undone

6.4 Your Right to Request Deletion

You can request deletion of your personal data at any time by:

• Terminating your account via the Dashboard
• Emailing legal@consentproof.io with a deletion request

Note: We may retain certain data if required by law or for legitimate business purposes (e.g., billing records, fraud prevention).

7. Your Rights Under UK GDPR

7.1 Overview of Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of Access (Article 15)
• Right to Rectification (Article 16)
• Right to Erasure ("Right to be Forgotten") (Article 17)
• Right to Restriction of Processing (Article 18)
• Right to Data Portability (Article 20)
• Right to Object (Article 21)
• Rights Related to Automated Decision-Making (Article 22)
• Right to Withdraw Consent (Article 7(3))
• Right to Lodge a Complaint (Article 77)

7.2 Right of Access (Subject Access Request)

What it means: You can request a copy of the personal data we hold about you.

How to exercise:

• Email legal@consentproof.io with subject line "Subject Access Request"
• We will respond within 1 month (may be extended by 2 months for complex requests)

What we provide:

• Confirmation of what data we hold
• Copy of your personal data in a commonly used format
• Information about how we use your data
• Details of who we share it with
• How long we retain it

Cost: Free (unless requests are manifestly unfounded or excessive)

7.3 Right to Rectification

What it means: You can request correction of inaccurate or incomplete personal data.

How to exercise:

• Update your information directly in the Dashboard settings
• Email legal@consentproof.io for data you cannot update yourself
• We will respond within 1 month

7.4 Right to Erasure ("Right to be Forgotten")

What it means: You can request deletion of your personal data in certain circumstances.

When this applies:

• Data is no longer necessary for the purposes it was collected
• You withdraw consent (where processing was based on consent)
• You object to processing and there are no overriding legitimate grounds
• Data was unlawfully processed
• Legal obligation requires deletion

Exceptions (we may refuse deletion if we need the data for):

• Legal obligations or defense of legal claims
• Fraud prevention
• Compliance with UK tax law (billing records)

7.5 Right to Restriction of Processing

What it means: You can request we limit how we use your data in certain circumstances.

When this applies:

• You contest the accuracy of data (while we verify)
• Processing is unlawful but you don't want deletion
• We no longer need the data but you need it for legal claims
• You objected to processing (while we verify legitimate grounds)

7.6 Right to Data Portability

What it means: You can request your data in a machine-readable format to transfer to another service.

When this applies: When processing is based on consent or contract AND processing is automated

What we provide:

• Your account data in JSON format
• Consent records in JSON or CSV format
• API access for bulk export

How to exercise:

• Use the Dashboard export functionality
• Email legal@consentproof.io for assistance
• We will respond within 1 month

7.7 Right to Object

What it means: You can object to processing based on legitimate interests or for direct marketing.

Objection to Direct Marketing:

• You can opt out at any time
• Click "unsubscribe" in any marketing email
• Email sales@consentproof.io
• Update preferences in Dashboard settings
• We must comply immediately

Objection to Legitimate Interests Processing:

• You can object to processing based on our legitimate interests
• We will stop processing unless we demonstrate compelling legitimate grounds that override your interests

7.8 Rights Related to Automated Decision-Making

What it means: You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you.

Our practice:

• We use limited automated decision-making (fraud detection, rate limiting)
• You can request human review of automated decisions
• Email legal@consentproof.io to request review

7.9 Right to Withdraw Consent

What it means: Where processing is based on consent, you can withdraw it at any time.

Effect: Withdrawal does not affect the lawfulness of processing before withdrawal

How to exercise:

• Update preferences in Dashboard
• Click "unsubscribe" in emails
• Email legal@consentproof.io

7.10 Right to Lodge a Complaint

What it means: You can complain to the supervisory authority if you believe we've violated your data protection rights.

UK Supervisory Authority:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk/make-a-complaint
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Our preference: Please contact us first at legal@consentproof.io so we can address your concerns.

7.11 How to Exercise Your Rights

Contact Methods:

• Email: legal@consentproof.io (preferred)
• Postal Address: Oventro Technologies Ltd, 14 Albemarle Street, London, W1S 4HL, United Kingdom

What to include in your request:

• Your full name and email address associated with your account
• Clear description of which right you're exercising
• Any relevant details or documentation

Our response timeline:

• 1 month from receipt of request (standard) for GDPR rights
• May be extended by 2 additional months for complex requests (we'll explain why)
• 5 business days for general privacy inquiries

Identity Verification: We may request additional information to verify your identity. This protects your data from unauthorized access.

8. How We Protect Your Data

8.1 Security Commitment

We implement appropriate technical and organizational measures to protect your personal data against:

• Unauthorized or unlawful processing
• Accidental loss, destruction, or damage
• Unauthorized access or disclosure

8.2 Technical Security Measures

(a) Encryption:

• Data in Transit: TLS 1.2 or higher encryption for all data transmission
• Data at Rest: AES-256 encryption (or equivalent) for stored data
• Database Encryption: Encrypted database storage
• Password Storage: Bcrypt hashing with salt (passwords never stored in plain text)

(b) Access Controls:

• API Key Authentication: Secure token-based API authentication
• Role-Based Access Control (RBAC): Dashboard access controls
• Multi-Factor Authentication: Available for account security
• Principle of Least Privilege: Staff access limited to necessary data only

(c) Network Security:

• Firewalls: Network segmentation and firewall protection
• Intrusion Detection: Real-time monitoring for suspicious activity
• DDoS Protection: Protection against distributed denial-of-service attacks
• Security Scanning: Regular vulnerability scans

(d) Application Security:

• Secure Coding Practices: Following OWASP Top 10 guidelines
• Input Validation: Sanitization of all user inputs
• Regular Security Testing: Penetration testing and security audits
• Dependency Management: Regular updates of libraries and frameworks

(e) Monitoring and Logging:

• Security Event Logging: Comprehensive logging of security-relevant events
• Real-Time Monitoring: 24/7 automated monitoring systems
• Anomaly Detection: Automated alerts for unusual activity
• Incident Response: Documented procedures for security incidents

(f) Backup and Recovery:

• Daily Backups: Automated backup systems
• Encrypted Backups: All backups encrypted at rest
• Disaster Recovery: Business continuity and recovery plans
• Testing: Regular testing of backup restoration procedures

8.3 Organizational Security Measures

• Staff Training: Regular data protection and security training for all personnel
• Confidentiality: All staff sign confidentiality agreements
• Background Checks: Background verification for personnel with data access (where legally permitted)
• Vendor Management: Security assessments of all sub-processors
• Incident Response: Documented incident response plan with defined roles and responsibilities
• Physical Security: Our infrastructure provider (Render/AWS) maintains physical security of data centers including:
  • 24/7 security personnel, video surveillance, and intrusion detection systems
  • Multi-factor access controls including biometric verification
  • Environmental controls including fire suppression, climate control, and redundant power systems

8.4 Data Breach Notification

In the event of a personal data breach:

(a) Our Obligations:

• We will notify the ICO within 72 hours of becoming aware (where required by law)
• We will notify affected individuals without undue delay if high risk to their rights and freedoms
• We will document the breach and our response

(b) What We'll Tell You:

• Nature of the breach
• Categories and approximate number of individuals affected
• Likely consequences
• Measures taken or proposed to address the breach
• Contact point for further information

(c) Your Obligations:

As a data controller using our service to store consent records, you may have separate notification obligations for breaches involving your users' data.

8.5 Security Limitations

Your Responsibilities:

• Use strong, unique passwords
• Enable multi-factor authentication
• Keep API keys secure and confidential
• Do not share account credentials
• Report security concerns immediately to support@consentproof.io

9. Cookies and Tracking Technologies

9.1 Current Position

We do NOT currently use cookies on our website or in our Service.

9.2 Local Storage

We use browser local storage for:

• Dashboard functionality and preferences
• Session authentication (keeping you logged in)
• Temporary data caching for performance

This is not "tracking" - it's essential for the Service to function.

9.3 Future Use of Cookies

If we introduce cookies in the future:

• We will update this Privacy Policy
• We will implement a cookie consent banner (as required by PECR)
• We will provide clear information about what cookies we use and why
• You will be able to opt out of non-essential cookies

9.4 Third-Party Cookies

We do not currently allow third-party cookies. If this changes, we will notify you.

9.5 Analytics

If we implement analytics in the future:

• We will use privacy-respecting analytics tools
• We will anonymize IP addresses
• We will comply with PECR cookie consent requirements
• We will provide opt-out options

10. Links to Other Websites

10.1 Third-Party Websites

Our website and Service may contain links to third-party websites, including Stripe (for payment processing), documentation and support resources, and partner websites.

10.2 No Responsibility

We are NOT responsible for privacy practices, content, security of third-party websites, or how third parties collect or use your data.

10.3 Stripe

Payment processing is handled by Stripe, Inc.:

• Stripe's Privacy Policy: https://stripe.com/privacy
• Stripe is PCI-DSS Level 1 Service Provider
• We do not store full payment card details

11. Changes to This Privacy Policy

11.1 Right to Modify

We may update this Privacy Policy from time to time to reflect:

• Changes in our data processing practices
• New features or services
• Changes in applicable laws
• Feedback from regulators or users

11.2 How We Notify You

When we make changes:

(a) Material Changes:

• We will update the "Last Updated" date at the top
• We will notify you via email (to your registered email address)
• We will provide at least 30 days' notice before changes take effect
• We may display a prominent notice in the Dashboard

(b) Non-Material Changes:

• We will update the "Last Updated" date
• Changes take effect immediately upon posting
• No advance notice required for minor updates or clarifications

11.3 Your Acceptance

Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree to changes:

• Contact us at legal@consentproof.io to discuss
• You may terminate your account (subject to our Terms & Conditions no-refund policy)

11.4 Review Regularly

We encourage you to review this Privacy Policy periodically:

• Check the "Last Updated" date
• Review changes when notified
• Contact us with questions at legal@consentproof.io

11.5 Previous Versions

You can request previous versions of this Privacy Policy by emailing legal@consentproof.io.

12. Special Situations

12.1 Data Controller vs. Data Processor

12.2 Your Responsibilities as a Data Controller

When you use ConsentProof to store consent records from your users, you must:

• Have your own Privacy Policy for your users
• Disclose that you use ConsentProof as a data processor
• Obtain proper consent from your users (where required)
• Honor your users' data subject rights
• Comply with GDPR and all applicable laws

We are NOT responsible for:

• Your compliance with GDPR
• Validity of consents you collect
• Your privacy notices
• Your users' data subject requests

12.3 Business Transfers

If Oventro Technologies Ltd is involved in a merger, acquisition, asset sale, bankruptcy, or corporate reorganization:

• Your personal data may be transferred to the successor entity
• We will notify you at least 30 days before transfer
• The successor will be bound by this Privacy Policy (or must provide notice of changes)
• You have the right to object and/or delete your account before transfer

12.4 Legal Disclosure

We may disclose your personal data without your consent when:

(a) Required by Law:

• Court orders, subpoenas, or warrants
• Regulatory investigations or requests
• Law enforcement inquiries
• Tax authority requests
• National security requirements

(b) To Protect Rights:

• Enforce our Terms & Conditions
• Investigate fraud or security incidents
• Protect our legal rights and property
• Defend against legal claims
• Protect safety of users or public

We will notify you of legal requests unless:

• Legally prohibited from doing so
• Notice would compromise an investigation
• Emergency circumstances exist

12.5 Aggregated and Anonymized Data

We may create aggregated or anonymized data that cannot identify you:

• Usage statistics and trends
• Performance metrics
• Industry benchmarks

This data:

• Is no longer personal data under GDPR
• Can be used, shared, or published without restriction
• Cannot be used to re-identify you

12.6 Enterprise Customer Audits

For Enterprise customers with separate agreements:

• We may audit your use of the Service for compliance with our Terms & Conditions
• We may request information about data processing practices
• This is necessary for our legitimate interests in compliance monitoring and contract enforcement

13. International Users

13.1 UK/EEA Users

This Privacy Policy is designed to comply with UK GDPR and EU GDPR. If you are located in the UK or EEA, all provisions of this policy apply to you.

13.2 Users Outside UK/EEA

If you are located outside the UK/EEA:

• This Privacy Policy still applies
• Your data may be transferred to and processed in the UK/EEA
• We apply the same data protection standards globally
• You may have additional rights under local laws

13.3 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Categories of personal information collected, sources, purposes, and third parties we share with
• Right to Delete: Request deletion of personal information (subject to exceptions)
• Right to Opt-Out: We do NOT sell personal information. If this changes, we will provide an opt-out mechanism
• Right to Non-Discrimination: You cannot be discriminated against for exercising CCPA rights

How to Exercise CCPA Rights: Email legal@consentproof.io with "CCPA Request" in subject line. We will respond within 45 days.

13.4 Brazil Residents (LGPD)

If you are in Brazil, you have rights under Lei Geral de Proteção de Dados (LGPD) similar to GDPR rights described in Section 7.

13.5 South Korea Residents (PIPA)

If you are in South Korea, you have rights under the Personal Information Protection Act (PIPA) including access, correction, and deletion rights.

13.6 Contact for International Users

For questions about your rights under local laws, email legal@consentproof.io and specify your location and applicable law.

14. Your Consent

14.1 Consent to This Privacy Policy

By using our Service, you consent to:

• Collection, use, and processing of your personal data as described in this Privacy Policy
• Transfer of your data to sub-processors as described in Section 5
• International data transfers as described in Section 5.3
• Use of your data for the purposes described in Section 4

14.2 Withdrawal of Consent

Where processing is based on consent (not contractual necessity or legal obligation):

• You can withdraw consent at any time
• Email legal@consentproof.io
• Withdrawal does not affect lawfulness of processing before withdrawal
• Withdrawal may limit your ability to use certain features

14.3 Consent for Marketing

We will only send marketing communications if:

• You opted in during account creation, OR
• You are an existing customer and we're marketing similar services (soft opt-in under PECR)

You can opt out at any time:

• Click "unsubscribe" in any email
• Update preferences in Dashboard
• Email sales@consentproof.io

14.4 Recording Your Consent

Important Notice: We use our own ConsentProof technology to record your acceptance of this Privacy Policy, including timestamp of acceptance, IP address, user agent, and cryptographic proof of acceptance. This creates tamper-evident evidence of your consent.

15. Questions and Complaints

15.1 Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices:

Primary Contact:

• Email: legal@consentproof.io
• Response time: 5 business days for general inquiries; 1 month for GDPR rights requests

Alternative Contacts:

• General Support: support@consentproof.io
• Sales: sales@consentproof.io

Postal Address:
Oventro Technologies Ltd (trading as ConsentProof)
Attn: Privacy Team
14 Albemarle Street
London, W1S 4HL
United Kingdom

15.2 Our Commitment to Resolution

When you contact us:

• We will acknowledge your inquiry within 5 business days
• We will investigate thoroughly
• We will provide a substantive response within 30 days (or 1 month for GDPR requests)
• We will work with you to resolve issues

15.3 Escalation

If you're not satisfied with our response:

(a) Internal Escalation:

• Request escalation to our management team
• Email: legal@consentproof.io with subject "Privacy Escalation"

(b) Supervisory Authority:

• You have the right to lodge a complaint with the ICO
• Website: https://ico.org.uk/make-a-complaint
• Telephone: 0303 123 1113
• This right exists regardless of whether you've contacted us first

15.4 Alternative Dispute Resolution

For EU residents, you may also use the European Commission's Online Dispute Resolution platform: https://ec.europa.eu/consumers/odr

16. Final Provisions

16.1 Entire Privacy Notice

This Privacy Policy, together with our Terms & Conditions and Cookie Policy, constitutes our complete privacy notice to you.

16.2 Interpretation

• Headings are for convenience only
• "Including" means "including without limitation"
• References to laws include amendments and replacements
• Singular includes plural and vice versa

16.3 Severability

If any provision of this Privacy Policy is found invalid or unenforceable, the remaining provisions remain in full effect. The invalid provision will be modified minimally to be enforceable.

16.4 No Waiver

Our failure to enforce any provision does not waive our right to enforce it later.

16.5 Governing Law

This Privacy Policy is governed by the laws of England and Wales. Any disputes will be subject to the exclusive jurisdiction of the courts of England and Wales.

16.6 Language

This Privacy Policy is written in English. Any translation is for convenience only. The English version controls in case of conflict.