Note: This is a UK-GDPR-aligned privacy policy ready for legal review. Please have it checked by a qualified data protection lawyer, and update the registered-office address and ICO registration number before public launch. Contact privacy@amessolutions.io with any questions.
Legal
Privacy Policy
This policy explains how Ames Solutions Ltd(“AMES”, “we”, “us”, “our”) collects, uses, and protects personal data. It covers two groups:
- Business users — the owners and staff of activity providers (our direct customers) who sign up for and use the AMES platform.
- End users — parents, members, and (indirectly) children whose data is processed by AMES on behalf of our business customers.
For business users, AMES acts as data controller. For end users, our business customers are the data controllers and AMES acts as a data processor under a Data Processing Addendum.
1. Who we are
Ames Solutions Ltd is a company registered in England and Wales. Our registered office will be confirmed here before public launch. We are registered with the UK Information Commissioner's Office (ICO).
Our Data Protection contact: privacy@amessolutions.io.
2. What data we collect
From business users (at signup and during use):
- business name and type, website, and subdomain
- owner name, email address, and UK phone number
- billing information (processed by Stripe — we don't store card data)
- account activity, usage metrics, and support communications
- device, browser, and IP information (for security and analytics)
From end users (on behalf of our business customers):
- names and contact details of parents/guardians and members
- children's names, ages, class bookings, and progress records
- limited health information (e.g. allergies, medical conditions) where provided by parents for safety purposes
- booking and payment history
3. Legal bases for processing
We rely on the following UK GDPR lawful bases:
- Contract — to provide the Service you have signed up for
- Legitimate interest — to operate, secure, and improve the Service, and to verify that signups are genuine businesses (including blocking direct competitors)
- Legal obligation — to comply with tax, accounting, and regulatory requirements
- Consent — for optional marketing communications (you can withdraw consent at any time)
4. How we use data
- to create and manage your AMES account
- to process payments through AMES Pay, Stripe, or GoCardless
- to provide customer support
- to send transactional emails (signup verification, receipts, alerts)
- to verify new signups (we may automatically check your website against a list of known competitor platforms, and look for basic business signals)
- to detect fraud, abuse, and security incidents
- to improve and develop the Service
- to send product updates and occasional marketing (only with your consent — you can unsubscribe at any time)
5. Who we share data with
We only share personal data with trusted service providers (“sub-processors”) that help us run the Service. These include:
- Supabase — database and authentication hosting (EU region)
- Vercel — application hosting and edge delivery
- Stripe and GoCardless — payment processing
- Sentry — error monitoring
- Better Stack / Logtail — application logging
- Resend / email providers — transactional email delivery
Each sub-processor is bound by a Data Processing Agreement. A current list is available on request. We do not sell personal data.
6. International transfers
Our primary infrastructure is hosted in the EU and UK. Where data leaves the UK/EEA (for example to US-based vendors), we rely on the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or equivalent safeguards.
7. How long we keep data
- Active account data — for as long as your account is active
- After account closure — we delete or anonymise Customer Data within 90 days, except where we are legally required to retain it (e.g. tax records for 6 years)
- Support tickets — up to 3 years for quality and training
- Security and audit logs — up to 12 months
8. Children's data
AMES is used by activity providers who work with children. We process children's data only on behalf of our business customers, who are responsible for obtaining the necessary consent from parents or guardians. Business users must ensure their use of AMES complies with the UK Age Appropriate Design Code and any sector-specific safeguarding requirements. Our Service is not designed to be used directly by children.
9. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you
- request correction of inaccurate data
- request deletion (right to be forgotten) in certain circumstances
- request restriction of processing
- request a portable copy of your data
- object to processing based on legitimate interest
- withdraw consent for marketing at any time
- lodge a complaint with the Information Commissioner's Office
To exercise any of these, email privacy@amessolutions.io. We will respond within one month.
10. Cookies
We use strictly necessary cookies to keep you signed in and to secure the Service. We use optional analytics cookies (Vercel Analytics, PostHog where configured) to understand aggregate usage — you can opt out of these via our cookie banner. We do not use third-party advertising cookies.
11. Security
We take appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+) and at rest, strict access controls, row-level security on all data, regular backups, and continuous monitoring. If a personal data breach occurs we will notify affected users and the ICO within the timeframes required by law.
12. Changes to this policy
We may update this policy from time to time. Material changes will be communicated in advance by email or in-app notice. The “Last updated” date at the top of this page reflects the most recent revision.
13. Contact us
Questions, concerns, or data requests? Email privacy@amessolutions.io or use our contact page. We aim to respond to every enquiry within 3 working days.
