Privacy Policy — Performalise

Contents

1. Who we are 2. Data we collect 3. Legal basis for processing 4. How we use your data 5. Who we share data with 6. Data retention 7. International transfers 8. Your rights 9. Cookies 10. Security 11. Children 12. Changes to this policy 13. Contact us

Summary: We collect minimal data to provide the Performalise platform. Your team data is yours. We never sell personal data. This policy complies with UK GDPR, EU GDPR, and the Data Protection Act 2018.

1. Who we are

In this Privacy Policy, "Personal Data" means any information relating to an identified or identifiable natural person, including names, email addresses, IP addresses, and online identifiers. Anonymised or aggregated data that cannot identify any individual is not Personal Data.

Performalise FZ LLC ("we", "us", "our") is a free zone limited liability company that develops and operates the Performalise Product Development Intelligence platform.

We are the Data Controller in respect of personal data collected through our website and the Data Processor in respect of personal data that our B2B customers upload to or generate within the platform.

Our data protection contact is: [email protected]

2. Data we collect

2.1 Data you provide directly

Account information: name, work email address, job title, organisation name when you register or your employer sets up an account.
Contact and enquiry data: information you submit via our website contact forms, demo booking (Calendly), or email.
Platform content: sprint data, retrospective notes, team feedback, and other content you or your team enter into Performalise.

2.2 Data collected automatically

Log and usage data: IP address, browser type, pages visited, timestamps, referring URLs, device identifiers.
Cookies and analytics: we use cookies for session management and aggregate analytics. See Section 9.

2.3 Data we do not collect

We do not collect special category personal data (health, biometric, racial, religious data). We do not collect payment card data — payments are processed by our PCI-DSS compliant payment provider and we receive only a transaction token.

3. Legal basis for processing (UK & EU GDPR Article 6)

Purpose	Legal basis
Providing the platform under a subscription contract	Article 6(1)(b) — performance of a contract
Account registration and management	Article 6(1)(b) — performance of a contract
Responding to enquiries and demo requests	Article 6(1)(f) — legitimate interests
Sending service-related communications	Article 6(1)(b) — performance of a contract
Sending marketing communications	Article 6(1)(a) — consent, or Article 6(1)(f) — legitimate interests
Security monitoring and fraud prevention	Article 6(1)(f) — legitimate interests
Compliance with legal obligations	Article 6(1)(c) — legal obligation
Processing customer team data on behalf of the Controller	Article 6(1)(b) — contractual necessity (via our DPA)

4. How we use your data

Create and manage your account and provide access to Performalise;
Deliver, maintain, and improve the platform and our services;
Respond to support requests, enquiries, and feedback;
Send service notifications, updates, and security alerts;
Send marketing communications where you have consented or where we have a legitimate interest under PECR;
Generate anonymised, aggregated usage analytics to improve our product;
Prevent fraud, abuse, and ensure platform security;
Comply with legal and regulatory obligations.

We will never use your personal data to train third-party AI models, sell it to third parties, or use it for purposes incompatible with those stated here.

5. Who we share data with

5.1 Sub-processors

Sub-processor	Purpose	Location
Amazon Web Services (AWS)	Cloud hosting and infrastructure	US (adequacy safeguards in place)
HubSpot	CRM and marketing communications	EU (Dublin, Ireland)
Stripe	Payment processing	EU / US

5.2 Legal obligations

We may disclose personal data where required by law, court order, or a regulatory or governmental authority with jurisdiction.

5.3 What we never do

We do not sell, rent, or trade personal data to any third party for their own marketing purposes.

6. Data retention

Account data: retained for the subscription duration plus 12 months, then deleted or anonymised.
Platform content: retained per the customer's subscription terms. Customers have 30 days to request export on termination.
Marketing data: retained until you withdraw consent or opt out, or for 3 years from your last interaction.
Legal and financial records: retained for 7 years as required by applicable law.

7. International transfers

Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place including:

UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs);
Transfer only to countries with an adequacy decision where available;
TLS 1.3 encryption in transit and AES-256 at rest for all international transfers.

If you would like a copy of the applicable transfer mechanism, please contact us at [email protected].

8. Your rights

Right	What it means
Right of access	Request a copy of the personal data we hold about you
Right to rectification	Request correction of inaccurate or incomplete personal data
Right to erasure	Request deletion of your personal data
Right to restrict processing	Request that we limit how we use your data
Right to data portability	Receive your data in a structured, machine-readable format
Right to object	Object to processing based on legitimate interests or for direct marketing
Right to withdraw consent	Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please email [email protected]. We will respond within 30 days (UK GDPR Article 12).

Note for B2B platform users: If you are an Authorised User on a customer's account, your personal data is primarily controlled by your employer. Please direct data rights requests to your employer in the first instance.

9. Cookies

Category	Purpose	Consent required
Strictly necessary	Session management, authentication, security	No
Analytics	Understanding how visitors use our website (aggregated, anonymised)	Yes
Marketing	Tracking conversions from marketing campaigns	Yes

You can manage your cookie preferences via our cookie consent banner or your browser settings.

10. Security

TLS 1.3 encryption for all data in transit;
AES-256 encryption for data at rest;
ISO/IEC 27001:2013 aligned information security management;
Regular third-party penetration testing;
99.88% uptime with AWS multi-region infrastructure;
Access controls, audit logging, and role-based permissions.

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours in accordance with UK GDPR Article 33.

11. Children

Performalise is a B2B platform for use by organisations and their employees. It is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. Customers are responsible for ensuring platform access is not provided to minors.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email notification to registered users and/or by a prominent notice on our website at least 30 days before taking effect.

13. Contact us

Performalise FZ LLC
Email: [email protected]

Governing law

This Privacy Policy is governed by the laws of England and Wales. If you are not satisfied with our response, you may contact the ICO at ico.org.uk/make-a-complaint (if you are in the UK or EEA), or the relevant data protection authority in your jurisdiction.