EYREACT LTD eyreact.com
Effective date: 1 April 2025
Last updated: March 2026
Version: 2.0
1. Who We Are
EYREACT LTD (“EYREACT”, “we”, “us”, “our”) is a company registered in England and Wales (Company No. 16711574), with its registered office at 19 Lake Court, Medway Drive, Royal Tunbridge Wells, TN1 2FH, Kent, United Kingdom. We operate an AI compliance automation platform designed to help organisations meet the requirements of the EU AI Act and associated European regulatory frameworks.
EYREACT also operates an EU entity registered in Estonia (EYREACT OÜ) for the purposes of serving clients within the European Economic Area.
For the purposes of UK GDPR, EYREACT LTD is the data controller in respect of personal data collected through our website (eyreact.com) and our platform. For EU-based users and clients, EYREACT OÜ acts as the data controller where applicable.
Data Controller (UK): EYREACT LTD, 19 Lake Court, Medway Drive, Tunbridge Wells, TN1 2FH, Kent, United Kingdom
Data Controller (EU): EYREACT OÜ, Tornimäe tn 5, Kesklinna linnaosa, Tallinn, 10145, Harju maakond, Estonia
Contact: privacy@eyreact.com
2. Applicable Legal Frameworks
This Privacy Policy is designed to comply with all applicable data protection and regulatory legislation, including:
- UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018)
- Data Protection Act 2018
- EU GDPR (Regulation (EU) 2016/679)
- Privacy and Electronic Communications Regulations 2003 (PECR)
- EU ePrivacy Directive (2002/58/EC, as amended)
- EU AI Act (Regulation (EU) 2024/1689) — applied to our own internal AI systems and data practices
- NIS2 Directive (Directive (EU) 2022/2555) — for network and information security obligations
- DORA (Regulation (EU) 2022/2554) — for digital operational resilience where applicable to our regulated-sector clients
As a UK-registered company processing data of EEA individuals, we operate under both UK and EU data protection regimes simultaneously. Where requirements differ, we apply the higher standard.
3. Data We Collect
Website visitors
- IP address and approximate location (country/region level)
- Browser type, device type and operating system
- Pages visited, time on site and referral source
- Cookie identifiers (see Section 11)
Contact and enquiry submissions
- Name, email address, organisation name and job title
- Content of your message or enquiry
- Communication preferences
Platform users (B2B accounts)
- Account credentials (name, work email address, role within organisation)
- Organisation name and sector
- Activity logs, compliance inputs and evidence documentation uploaded to the platform
- Audit trail records associated with your account actions
- Support ticket correspondence
Commercial and contractual contacts
- Contact details of individuals at client and partner organisations
- Contractual correspondence and negotiation records
- Payment and billing information (processed via third-party payment processors; EYREACT does not store card data)
We do not collect special category data (as defined under UK/EU GDPR Article 9) through our website or platform. We ask that users do not upload such data to the platform unless expressly agreed under a separate Data Processing Agreement.
4. Legal Basis for Processing
Under UK GDPR and EU GDPR, we are required to identify a lawful basis for each processing activity. Our primary bases are as follows:
| Processing Activity | Lawful Basis | Article |
|---|---|---|
| Delivering the platform to clients | Performance of a contract | Art. 6(1)(b) |
| Responding to enquiries | Pre-contractual steps / Legitimate interests | Art. 6(1)(b)/(f) |
| B2B marketing communications | Legitimate interests | Art. 6(1)(f) |
| Consumer/individual marketing | Consent | Art. 6(1)(a) |
| Website analytics | Legitimate interests | Art. 6(1)(f) |
| Security monitoring and audit logging | Legitimate interests / Legal obligation | Art. 6(1)(f)/(c) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |
| Non-essential cookies | Consent | Art. 6(1)(a) |
Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) to confirm that our interests are not overridden by the interests, rights and freedoms of the data subjects concerned. You have the right to object to such processing — see Section 10.
5. How We Use Your Data
We use personal data for the following purposes:
- Providing, maintaining and improving the EYREACT platform and associated services
- Managing client accounts, onboarding and support
- Communicating with you about your account, our services and relevant regulatory developments
- Sending marketing communications where we have a lawful basis to do so
- Conducting analytics to understand how our website and platform are used
- Ensuring the security and integrity of our systems and detecting fraudulent or unauthorised activity
- Meeting our legal, regulatory and contractual obligations
- Defending or pursuing legal claims where necessary
We will not use your personal data for automated individual decision-making that produces legal or similarly significant effects without your explicit consent or another lawful basis under UK/EU GDPR Article 22.
6. Sharing Your Data
We do not sell, rent or trade personal data to third parties. We share personal data only in the following circumstances.
Infrastructure and technology providers
We use a limited set of sub-processors to operate our platform. All are bound by Data Processing Agreements (DPAs) and comply with applicable data protection law:
- Google Cloud Platform — cloud infrastructure (EU data centres: Frankfurt, Germany and the Netherlands)
- Auth0 — identity and access management
- CloudAMQP — internal messaging infrastructure
- Resend — transactional email delivery
Professional advisors
We may share data with legal advisors, accountants or auditors where necessary for the conduct of our business, subject to professional confidentiality obligations.
Regulatory and law enforcement authorities
We may disclose personal data where required by law, court order, or where disclosure is necessary to protect the rights, property or safety of EYREACT, our clients or others.
Corporate transactions
In the event of a merger, acquisition or sale of assets, personal data may be transferred to the relevant party, subject to equivalent data protection commitments.
7. International Data Transfers
EYREACT is committed to ensuring that personal data is not transferred outside the UK or EEA without appropriate safeguards in place.
UK to EEA: Transfers from the UK to EEA countries are permitted under the UK’s adequacy regulations currently in force.
EEA to third countries: Where any service provider processes data outside the EEA, we rely on EU Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms under EU GDPR Chapter V.
UK international transfers: For transfers from the UK to third countries, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs as appropriate.
All personal data processed through the EYREACT cloud platform is stored exclusively within Google Cloud’s EU data centres (Frankfurt, Germany and the Netherlands). No personal data is routinely transferred outside the EEA for storage or processing purposes.
8. Retention Periods
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Our standard retention periods are:
- Active client account data: Duration of the contract plus 7 years (UK statutory limitation periods and Companies Act accounting obligations)
- Marketing and prospect data: 3 years from last meaningful engagement, or until you opt out
- Website analytics data: 26 months
- Audit logs and security records: 12 months on a rolling basis, unless a longer period is required by applicable law or contract
- Enquiry and general correspondence: 3 years from the date of last communication
- Recruitment data (unsuccessful applicants): 6 months from the date of the decision
Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised.
9. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction or alteration, including:
- Encryption of all data in transit using TLS 1.3
- AES-256 encryption of data at rest
- Role-based access controls (RBAC) and mandatory multi-factor authentication (MFA) for all platform accounts
- Immutable audit logging using WORM-compliant storage (Google Cloud Storage)
- Cryptographically signed, append-only audit trails
- Regular penetration testing and independent security audits
- ISO 27001-aligned information security management practices (certification in progress, target Q4 2026)
- Internal incident response procedures aligned to UK GDPR Article 33 and EU GDPR Article 33 (72-hour supervisory authority notification requirement)
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, we will also notify those affected without undue delay, as required by UK GDPR and EU GDPR Article 34.
10. Your Rights
Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data:
Right of access — Request a copy of the personal data we hold about you (a Subject Access Request).
Right to rectification — Request correction of inaccurate or incomplete personal data.
Right to erasure — Request deletion of your personal data where there is no compelling reason for continued processing (“right to be forgotten”).
Right to restrict processing — Request that we limit how we use your personal data in certain circumstances.
Right to data portability — Receive your personal data in a structured, commonly used and machine-readable format, and have it transmitted to another controller where technically feasible.
Right to object — Object to processing based on legitimate interests, or to direct marketing at any time and without giving reasons.
Rights in relation to automated decisions — Not be subject to a decision based solely on automated processing that produces legal effects concerning you, or similarly significantly affects you, without human review.
Right to withdraw consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at privacy@eyreact.com. We will respond within one calendar month of receiving your request. We may need to verify your identity before processing the request. We will not charge a fee unless a request is manifestly unfounded or excessive.
11. Cookies
Our website uses cookies and similar tracking technologies. A cookie is a small text file placed on your device that helps us operate our website and understand how it is used.
Strictly necessary cookies are essential to the operation of the website (for example, session management and security). These do not require your consent under PECR or the EU ePrivacy framework and cannot be disabled without affecting site functionality.
Analytics cookies help us understand how visitors interact with our website. Where these are not strictly necessary, we only place them with your prior consent.
Marketing and tracking cookies measure the effectiveness of our advertising and campaigns. These are placed only with your explicit consent.
You may manage or withdraw your cookie preferences at any time through our cookie consent tool, available on our website, or by adjusting your browser settings. Withdrawing consent does not affect the lawfulness of any cookie placement that occurred prior to withdrawal.
A full list of cookies we use, together with their purpose and duration, is available in our separate Cookie Policy at eyreact.com/cookies.
12. Children
The EYREACT platform and website are directed exclusively at business professionals. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly upon discovery.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or business operations. Where changes are material, we will notify registered platform users by email and update the “Last updated” date at the top of this page.
We encourage you to review this policy periodically. Continued use of our website or platform following notification of material changes constitutes acceptance of the updated policy.
Previous versions of this policy are available on request by contacting privacy@eyreact.com.
14. Contact and Complaints
If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have a concern about how we handle your personal data, please contact us:
Email: privacy@eyreact.com
Post: Data Protection, EYREACT LTD, at the registered office address given in Section 1
Website: eyreact.com
UK Supervisory Authority
If you are not satisfied with our response to a complaint or rights request, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
EU Supervisory Authority
If you are located in the EEA, you may lodge a complaint with your local data protection supervisory authority. For matters relating to EYREACT’s Estonian entity, the lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon):
- Website: aki.ee
- Email: info@aki.ee
© 2026 EYREACT LTD. Registered in England & Wales.