MadisonvilleMadisonville
Legal

Privacy Policy

Last updated: 12 May 2026

Madisonville Limited ("Madisonville", "we", "us", "our") operates the website madisonville.pro and the Madisonville commerce platform (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU GDPR, and equivalent regulations in other jurisdictions.

1. Who we are

The data controller is Madisonville Limited, registered in England and Wales, registered office: 82a James Carter Road, Mildenhall, IP28 7DE, United Kingdom. You can contact our data team at [email protected].

2. Personal data we collect

2.1 Account data

  • Identifiers: first name, last name, email, optional phone number.
  • Authentication: hashed password, session tokens, multi-factor secrets.
  • Workspace: company name, role, preferred language and currency.

2.2 Billing data

  • Billing address, VAT number, bank reference (for bank transfers).
  • Payment metadata returned by our payment providers (last four digits, brand, country). We never store full card numbers.

2.3 Usage and device data

  • Pages visited, features used, click events, error reports.
  • IP address, browser, operating system, language, approximate location derived from IP.
  • Cookie identifiers, as described in our Cookie Policy.

2.4 Customer content

Content you upload or generate inside the Service, including product catalogues, media, contact lists, and conversations between your customers and the AI assistant. You remain the controller of customer data; we act as processor under our Data Processing Addendum (DPA).

3. Lawful bases

  • Contract β€” to provide the Service you have purchased.
  • Legitimate interests β€” to operate, secure and improve the Service, prevent fraud and abuse, and communicate about your account.
  • Legal obligation β€” to keep accounting records, respond to lawful requests, enforce sanctions screening.
  • Consent β€” for non-essential cookies, marketing emails, and any optional features that explicitly require it.

4. How we use your data

  • Create and manage your account and workspace.
  • Process payments, refunds and credit balances.
  • Send service emails (security alerts, invoices, downtime notices).
  • Provide customer support and investigate incidents.
  • Improve the Service through analytics, A/B tests and aggregated reporting.
  • Train and tune AI models using only data we are explicitly permitted to use; customer conversation logs are never used to train shared models without opt-in.

5. Sharing and sub-processors

We share personal data with vetted sub-processors that host our infrastructure, deliver email, process payments, and provide AI model inference. Each is bound by a written contract requiring confidentiality, security and equivalent data-protection commitments. A current list is published at [email protected] on request, and we provide 30 days' notice before adding a new sub-processor that materially changes how customer data is processed.

6. International transfers

Where personal data leaves the UK or the EEA, we rely on adequacy decisions, the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with appropriate supplementary measures.

7. Retention

  • Account data: while your account is active and for 30 days after closure, then deleted or anonymised.
  • Billing records: 7 years after the end of the financial year, to meet UK accounting and tax requirements.
  • Support tickets: 24 months from resolution.
  • Backups: rolling 35 days, after which deleted records cannot be restored.

8. Security

We protect personal data with TLS 1.2+ in transit, AES-256 at rest, scoped API keys, role-based access control, mandatory MFA for staff, continuous vulnerability scanning, annual penetration testing, and 24/7 incident response. We will notify affected users and the relevant supervisory authority of any qualifying personal data breach within 72 hours.

9. Your rights

You may at any time:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Erase data ("right to be forgotten") where applicable.
  • Restrict or object to certain processing.
  • Receive a portable copy of your data.
  • Withdraw consent for marketing or cookies at any time.
  • Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.

To exercise any right, email [email protected]. We respond within 30 days.

10. Children

The Service is not directed to anyone under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

11. Changes

We will update this policy when our practices change. Material changes are notified by email to account owners and posted on this page at least 14 days before they take effect.