1. Who is the Data Controller?
Name: Krisztian Eyssen (operating as a Self-Employed Individual/Sole Trader)
Address: Flat D, 129-131 Sutherland Avenue, W9 2QJ, London, United Kingdom
Email: [email protected]
Phone: +44 7867 212236 (Primary contact for the service)
Website: https://www.eyssen.com
This Notice applies to data processing activities related to the website https://www.eyssen.com and the eYssen/Odoo-based services (“System”).
Roles in Brief
- We act as a Data Controller when processing personal data for our own customer relationship management, invoicing, contractual, and website operation purposes (e.g., contact persons' details).
- We act as a Data Processor when operating the eYssen/Odoo instances on behalf of our Clients, and processing the Client’s own business data stored within those instances (e.g., customer/supplier/employee/user data). In this case, a separate Data Processing Agreement (DPA) will be concluded.
2. Legal Basis and Definitions
Data processing is governed particularly by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Definitions should be interpreted according to the UK GDPR.
3. What Data Do We Process, For What Purpose, Under What Legal Basis, and For How Long?
| Category | Data Processed | Purpose | Legal Basis | Retention Period |
|---|---|---|---|---|
| 3.1 Client Relationship & Contract (B2B) | Name, job title/position, company, email, phone, communication history. | Contacting, offering services, contract execution and performance. | UK GDPR Art. 6(1)(b) (Contract performance or pre-contractual steps); additionally, Art. 6(1)(f) (Legitimate Interest – B2B communication). | 5 years from termination of the legal relationship (general limitation period); accounting documents 8 years. |
| 3.2 System Access & User Account | Name, email/username, password (strong cryptographic hash only), role, log data (login/out, IP/timestamp), access events. | Service provision, access management, IT security, audit. | Art. 6(1)(b) (Contract performance) and Art. 6(1)(f) (Legitimate Interest – information security). | Account termination + 12 months (audit and security logs); if litigation: until closure of the case. |
| 3.3 Customer Service / Support / Ticketing | Contact details, ticket content, logs, attachments. | Troubleshooting, documentation of support. | Art. 6(1)(b) and Art. 6(1)(f) (Legitimate Interest – quality assurance). | 3 years from ticket closure; if litigation: until closure of the case. |
| 3.4 Invoicing and Finance | Billing name/address, VAT number, transaction data, payment status. | Invoice issuance, accounting, fulfilment of tax obligations. | Art. 6(1)(c) (Legal Obligation – accounting/tax law, specifically the UK tax laws). | 8 years (UK accounting law). |
| 3.5 Communication & Marketing (Optional) | Name, email, preferences. | Newsletter, event, and product information. | Art. 6(1)(a) (Consent). | Until withdrawal; after unsubscribing, the fact and time of consent are retained for 1 year for evidential purposes. |
| 3.6 Website Logs & Cookies | Log data (IP, timestamp, URL, user-agent), functional and – with consent – analytical/marketing cookies. | Website operation, information security; optionally analytics/marketing. | Art. 6(1)(f) (Legitimate Interest – security, troubleshooting); for analytics/marketing: Art. 6(1)(a) (Consent). | Operational logs 90 days; cookies according to the cookie table. Note: details in separate Cookie Notice and consent interface. |
| 3.7 Data Processor Role – Client Data in the System | Personal data stored in the Client’s own instance (e.g., customers, employees, users) are managed by the Client as the Controller; we process them as a Processor according to the contract and the DPA. The purpose/duration of processing is defined by the Client; deletion is subject to the Client's instructions. | N/A (Client is Controller) | Art. 28 (Processor obligations) | As per Client instructions. |
4. Recipients and Data Processors
Personal data may be accessed – to the extent necessary – by:
- Hosting/Infrastructure: OVHcloud (EU data centres), Backblaze (backup; EU region or – if necessary – utilizing SCCs).
- Software Vendor: Odoo S.A. (e.g., in case of a bug ticket).
- Payment Provider/Bank, Accountant, Legal Counsel/Auditor (for legal/accounting obligations in the UK and internationally).
- Ticketing/Communication Tools (for support purposes).
The current list of subprocessors is available upon request; we have UK GDPR-compliant contracts with all processors.
5. Data Transfer Outside the EU/EEA (Third Countries)
Data is primarily processed within the EU/EEA. If transfer to a third country is necessary, it is performed only by using:
- an Adequacy Decision (granted by the UK Secretary of State); or
- the UK International Data Transfer Agreement (IDTA) or Addendum to the EU Standard Contractual Clauses (SCCs), and – if required – additional technical/legal safeguards.
- We will provide separate notification regarding such transfers.
6. Security
- Encryption during transmission (TLS) and – where possible – during storage.
- Access controls based on the principle of 'least privilege', Admin MFA, logging.
- Segregated storage of backups and regular restoration tests (upon Client request).
- Notification and reporting procedures in case of data processing incidents, as required by the UK GDPR.
7. Data Subject Rights
You are entitled to the following rights under the UK GDPR:
- Right of access (Art. 15).
- Right to rectification (Art. 16).
- Right to erasure (‘Right to be forgotten’, Art. 17) – subject to exceptions for legal retention obligations.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20 – where the legal basis is contract or consent).
- Right to object (Art. 21 – legitimate interest/marketing).
- Right to withdraw consent (where the legal basis is consent).
- Right not to be subject to automated decision-making/profiling – we do not perform such activities.
Response Deadline: Maximum 1 month (plus 2 months in justified cases). Requests are accepted at the contact details provided above.
8. Right to Complain and Judicial Remedies
Primarily, please notify us ([email protected]). Furthermore, you are entitled to file a complaint with the Information Commissioner's Office (ICO) or initiate judicial remedies in a competent UK court.
| UK Supervisory Authority | Details |
|---|---|
| Name | Information Commissioner’s Office (ICO) |
| Address | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |
| Helpline | 0303 123 1113 |
| Website | https://ico.org.uk |
9. Special Notes
- Children: Our services are not aimed at persons under 16 years of age.
- Contractual Obligation: Provision of certain data is necessary for the provision of the service; without it, the service cannot be provided.
- DPA: When we process personal data in the System on your behalf, the details of the processing are stipulated in a separate Data Processing Agreement (DPA).
10. Changes and Availability
This Notice may be updated from time to time; the effective version is available on the website https://www.eyssen.com.