1. Two different roles
We act in two distinct privacy roles depending on what you are doing:
- Marketing website & pre-sales (Controller). When you visit the website, request a demo, or send us an enquiry, we are the controller of your personal data.
- Inside the EMS application (Processor). When you create a workspace and upload Customer Data (engagements, people records, timesheets, invoices, etc.), you are the controller and we are your processor. The processing terms are governed by our Data Processing Agreement.
The rest of this policy describes the controller activities. Processor-side processing is described in the DPA.
2. Which entity is your controller
| If you are located in | Your controller | Identifier |
|---|---|---|
| The United Kingdom | Alsvior Global Limited Churchill House, 31 Banbury Road, Ettington, Warwickshire, CV37 7SN, United Kingdom | Companies House number 13689323 VAT GB412134549 |
| Portugal | Alsvior Global - Portugal, Lda. Rua do Engenheiro Ferreira Dias, n.º 924, 3.º R, 347, Ramalde, Porto, 4100-246, Portugal | NIPC 517254832 VAT PT517254832 |
| Spain, rest of EU / EEA, or any other location | Alsvior Global - Spain, S.L. Carrer Romaguera 16, Sant Quirze del Vallès, 08192, España | CIF B10971539 VAT ESB10971539 |
Where we share personal data between two of the entities to deliver the Service, we act as joint controllers within the meaning of Article 26 GDPR. The essential terms of our joint-controller arrangement: each entity is responsible for compliance within its own jurisdiction; you may contact any entity to exercise your rights; the privacy address below is the single point of contact regardless of which entity holds your data.
EU Article 27 representative. Because Alsvior Global Limited is established outside the EU but offers services to data subjects in the EU, it has appointed Alsvior Global - Spain, S.L. (Carrer Romaguera 16, Sant Quirze del Vallès, 08192, España) as its representative under Article 27.
Single contact for all entities.
- Privacy and data-subject requests: privacy@alsviorglobal.com
- Data Protection Officer: dpo@alsviorglobal.com
- Security / responsible disclosure: security@alsviorglobal.com
3. Personal data we collect (controller side)
3.1 Information you give us
- Account data — name, work email, employer, job title, the workspace you create.
- Billing data — billing address, VAT number, and the last four digits of your card via Stripe (we do not see or store full card numbers).
- Communication content — the body of your enquiry, demo notes, support tickets.
3.2 Information we collect automatically
- Technical data — IP (truncated for analytics), device, browser, operating system, referring URL, language, timezone.
- Usage data on the marketing site — pages visited and aggregate clicks, via the privacy-first analytics tool described in our Cookie Policy. No cross-site tracking, no advertising cookies.
- Service telemetry — once you sign in to the application, anonymised performance metrics tagged with TenantId. Never with email or name. See our DPA for the processor side.
3.3 Information from third parties
- OAuth providers (Microsoft, Google) when you sign in with them.
- Stripe (billing) when you start a paid subscription.
- Public business profiles (LinkedIn) where you have made information publicly available.
We do not knowingly collect data from anyone under 16 and we do not seek special-category data through this website.
4. Why we use your data & lawful bases
| Purpose | Data | Lawful basis |
|---|---|---|
| Provide the Service to your workspace | Account, billing, communication | Article 6(1)(b) — contract performance |
| Respond to enquiries before a contract | Account, communication | Article 6(1)(b) pre-contract steps; 6(1)(f) legitimate interest |
| Billing, invoicing, tax record-keeping | Billing | Article 6(1)(c) legal obligation (UK Companies Act 2006, Spanish Código de Comercio, Portuguese Código das Sociedades Comerciais and HMRC / AEAT / AT rules) |
| Secure the Service and detect abuse | Technical, usage, telemetry | Article 6(1)(f) legitimate interest in protecting Customers and Users |
| Improve the Service (aggregated analytics) | Aggregate usage | Article 6(1)(f) legitimate interest — with privacy-first tooling, no cross-site tracking |
| Direct marketing to existing customers (B2B) | Account, contact | Article 6(1)(f) legitimate interest, PECR / ePrivacy soft opt-in for B2B; you can object any time |
| Compliance, defending legal claims | All as relevant | Article 6(1)(c) and (f) |
Where we rely on legitimate interests, we have carried out a legitimate-interests assessment (LIA). You can request a copy by emailing privacy@alsviorglobal.com.
5. Who we share data with
We do not sell personal data. We share it only with sub-processors who help us operate the Service and only under binding contracts. The full list is published at /ems/legal/sub-processors/ and includes Microsoft Azure (hosting, Azure SQL, Entra ID), Stripe (subscription billing), Anthropic (Claude AI inference, zero-retention API), Postmark (transactional email), Cloudflare (CDN, WAF), Google Workspace (OAuth sign-in), Sentry (error monitoring, customer data scrubbed), and Plausible (privacy-first marketing-site analytics, EU-hosted).
6. International transfers
Customer Data inside the Service is stored in Azure West Europe (Ireland) by default. Some marketing and service providers process data outside the UK / EEA (notably in the United States). We rely on at least one of: EU adequacy decisions; the European Commission 2021 Standard Contractual Clauses; the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs; the EU-US Data Privacy Framework / UK Extension where the recipient is certified.
7. Retention
- Active workspace data — while your subscription is active and for 30 days after termination, to allow you to export.
- Closed workspace data — deleted 30 days after closure, except for billing records kept for the period required by tax law (typically 6 years UK, 6 years Spain, 10 years Portugal).
- Enquiry / proposal records — 24 months after last contact.
- Backups — rolled off the system within 90 days.
- Analytics — aggregated only; no event-level retention beyond 14 months.
8. Your rights under the GDPR
- Access (Article 15)
- Rectification (Article 16)
- Erasure (Article 17)
- Restriction (Article 18)
- Portability (Article 20)
- Objection, including direct marketing (Article 21)
- Withdraw consent at any time, without affecting prior processing (Article 7(3))
- Be free from solely-automated decision-making with legal or similarly significant effect (Article 22). The Service’s AI features produce suggestions, not solely-automated decisions, and require human action to take effect.
We respond within one month, with a two-month extension for complex requests. Email privacy@alsviorglobal.com to exercise any right.
9. Complaints & supervisory authorities
Tell us first so we can put it right. You also have the right to complain to the relevant supervisory authority: Information Commissioner's Office (ICO) (UK), Agencia Española de Protección de Datos (AEPD) (Spain / rest of EU), Comissão Nacional de Proteção de Dados (CNPD) (Portugal).
10. Security
We apply technical and organisational measures appropriate to the risk (Article 32 GDPR): TLS 1.2+ in transit, AES-256 at rest, tenant isolation at the database layer, MFA on admin accounts, least-privilege IAM, encrypted backups, vendor security reviews, and a documented incident-response process. Breach notification to the supervisory authority within 72 hours where required. See our Security overview for the technical detail.
11. Changes
We review this policy at least annually and whenever a material change is needed.
12. Contact
- Email: privacy@alsviorglobal.com
- Post: any registered office in section 2.