Privacy Policy — SummitBridge Horizon Ltd
1. Who we are
SummitBridge Horizon Ltd ("SBH", "we", "us") is a private limited company incorporated in England & Wales (Companies House 16419201), registered with the UK Information Commissioner's Office (ICO ZC112810), with registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
SBH is the data controller for personal data processed under this notice, except where we act as data processor on a customer's behalf (covered by our customer Data Processing Agreement).
2. Contact
- General: [email protected]
- Privacy / data protection: [email protected]
- EU representative (where applicable): see /legal/eu-representative
- Postal: SummitBridge Horizon Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
3. Categories of data we process
- Account data: name, email, password hash, organisation, country
- Billing data: billing name, address, VAT number; payment cards processed by Stripe (PCI-DSS Level 1) — SBH does not store card numbers
- Usage data: portal logins, feature access, API calls, AuditLog entries (hash-chained)
- Communication data: support emails, chat messages
- Customer-supplied data: any data uploaded to SBH products (processed under DPA terms)
- Lead data: name, email, organisation, lead score, source attribution; PII is encrypted at rest
- Cookies + telemetry: see our Cookies Policy
4. Purposes and legal bases (Article 6)
| Purpose | Legal basis |
|---|---|
| Account creation + service delivery | Contract (Art 6(1)(b)) |
| Billing + tax record retention | Legal obligation (Art 6(1)(c)) — HMRC, EU VAT, Companies Act 2006 |
| Security, fraud detection, AuditLog | Legitimate interest (Art 6(1)(f)) |
| Marketing to existing customers | Legitimate interest + PECR soft opt-in |
| Marketing to new prospects | Consent (Art 6(1)(a)) |
| Customer-supplied data processing in products | Processor under controller's instructions; controller-processor DPA |
5. Recipients (sub-processors and partners)
A current list of sub-processors used to deliver our services is published at /legal/sub-processors. We notify customers of material sub-processor changes via portal banner and email.
6. International transfers
SBH application storage and customer data are hosted at Hostinger International, Frankfurt am Main, Germany (within the EEA). The UK is recognised as adequate by the European Commission (decision extended December 2024, valid through December 2026). Onward transfers to LLM providers (Anthropic, OpenAI) and email/payments providers (Resend, Stripe) are governed by Standard Contractual Clauses or equivalent transfer safeguards published in our Sub-processor list.
7. Retention
- Account + billing records: 7 years (UK Companies Act + HMRC)
- AuditLog (security): indefinite (hash-chained, immutable)
- Customer-uploaded data: per DPA — typically until deletion request or contract end + 90-day backup window
- Marketing leads with no engagement: 24 months from last contact
- Support emails: 36 months from closure
- Cookies: per Cookies Policy
8. Your rights (Articles 15-22)
You have the right to: access (Art 15), rectification (Art 16), erasure (Art 17), restriction (Art 18), portability (Art 20), object (Art 21), and not be subject to a decision based solely on automated processing (Art 22). To exercise any right, see /legal/data-subject-rights or email [email protected]. We respond within 30 days; complex cases may be extended by up to 60 additional days with notification.
You may also complain to the UK Information Commissioner's Office (ico.org.uk/concerns/) or your local EU supervisory authority. For Turkey-based data subjects, contact the KVKK Kurulu via kvkk.gov.tr.
9. Automated decision-making and AI
Where SBH products use AI to make or assist decisions affecting individuals (e.g. recruitment screening), we maintain Article 14 human oversight, publish per-product model cards at /legal/model-cards, and our customers (the controllers) are responsible for Article 13 transparency to data subjects. Solely-automated decisions with legal or similarly significant effects (Article 22) are prohibited by our customer Terms.
10. Security
SBH applies organisational and technical measures aligned to ISO/IEC 27001:2022 and the EU AI Act Article 15 (accuracy, robustness, cybersecurity). Customer PII at rest is encrypted with AES-256-GCM. All API access is JWT-scoped per tenant. The hash-chained AuditLog provides a tamper-evident audit trail.
11. Children's data
SBH products are intended for B2B use only. We do not knowingly collect personal data from individuals under 16. If you believe a child has provided personal data, contact [email protected] and we will delete it.
12. Changes to this notice
Material changes will be communicated via portal banner and email to active customers at least 30 days before taking effect. The version number and date at the top of this notice indicate currency.
This document is maintained by SummitBridge Horizon Ltd (Companies House: 16419201). For questions, contact [email protected].