Welcome to the Privacy and Data Protection Policy ("Privacy Policy") of Avasam Limited, trading as Esetrix, registered in England and Wales under company number 11556922, with its registered office at 9 Oliver Business Park, Oliver Road, Park Royal, London, NW10 7JB, United Kingdom (referred to in this policy as "Esetrix", "we", "us", or "our"). We are committed to protecting and respecting your privacy and personal data in compliance with the United Kingdom General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and all other applicable data protection laws and regulations of the United Kingdom.
This Privacy Policy explains how we collect, process, store and safeguard your data when you interact with our enterprise marketplace infrastructure platform, our website (esetrix.com), and any related services. It informs you of your privacy rights and how the law protects you.
The individuals from whom we may gather and use data include: enterprise clients and their authorised users, suppliers and vendor partners, business contacts and prospects, employees and staff members, website visitors, and any other individuals with whom we have a business relationship.
Avasam Limited, trading as Esetrix (company number 11556922), is the Data Controller responsible for your personal data. If you have any questions about this Privacy Policy or how we handle your data, please contact us by email at [email protected] or by post at 9 Oliver Business Park, Oliver Road, Park Royal, London, NW10 7JB, United Kingdom.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, welcome the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
In carrying out our responsibilities as Data Controller, we have authorised employees and contracted third parties who process data on our behalf (known as "Processors"). All Processors are bound by obligations of confidentiality and are required to implement appropriate technical and organisational security measures. They process personal data only on our documented instructions, maintain records of processing activities, and cooperate with supervisory authorities as required.
"Personal Data" means any information about an individual from which that person can be identified. It does not include data where identity has been removed (anonymous data). We may collect, use, store and transfer the following categories of personal data:
First name, last name, job title, company name, and role within the organisation.
Business email address, telephone number, postal address, and company website.
IP address, browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to access our platform.
Information about how you use our website, platform, and services, including login history, features accessed, and session duration.
Banking details (such as account number and sort code) for supplier settlement purposes, transaction records, payment history, commission calculations, and settlement reports processed through our Payment and Settlement Infrastructure.
Records of correspondence with us, support tickets, enquiry forms, strategic briefing requests, and marketing preferences.
When you connect sales channels, ERP systems, or other third-party platforms via our integration infrastructure, certain transactional and product data is synchronised through APIs. This may include order data, product information, inventory levels, and customer delivery details. Data not directly linked to your Esetrix account operations is permanently deleted within 5 calendar days. Personally identifiable information required for order fulfilment is obfuscated and removed from live servers after 30 days.
We also collect and use Aggregated Data (for example, the proportion of orders processed by category or sales channel over time). Aggregated Data may be derived from your personal data but is not considered personal data in law because it does not directly or indirectly reveal your identity. If we combine Aggregated Data with your personal data in a way that could identify you, we treat the combined data as personal data.
We do not collect any Special Categories of Personal Data (details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health information, or genetic and biometric data). We do not collect information about criminal convictions and offences.
We rely on the following lawful bases under the UK GDPR when collecting and processing your personal data:
Where you have given clear, informed consent for us to process your personal data for specific purposes, such as subscribing to communications, requesting a strategic briefing, or scheduling a platform demonstration.
Where processing is necessary to perform our contract with you or to take steps at your request before entering into a contract. This includes providing access to the Esetrix platform, processing orders, managing supplier settlements, and delivering the services described in our enterprise agreements.
Where processing is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. This includes maintaining the security and performance of our platform, understanding how our services are used, improving our infrastructure and services, and communicating relevant service updates.
Where processing is necessary to comply with a legal obligation, such as regulatory requirements, tax obligations, fraud prevention, and responding to lawful requests from public authorities.
We use your personal data only when the law allows us to do so. The following describes the primary purposes for which we process your data:
To create and manage your enterprise account, authenticate your identity, configure platform access for authorised users within your organisation, and maintain your account settings and preferences.
To deliver our enterprise marketplace infrastructure services, including supplier orchestration, catalogue intelligence, order lifecycle management, payment and settlement processing, inventory synchronisation, service and returns governance, and commercial intelligence reporting.
To manage the implementation process from contract to go-live, provide ongoing technical support, manage support tickets and service escalations, and maintain our client success operations.
To respond to your enquiries and support requests, send service-related notifications and platform updates, communicate important changes to our infrastructure or terms, and (where you have opted in) send marketing communications about our services and features.
To monitor and analyse the usage and performance of our platform, identify and resolve technical issues, improve our infrastructure modules and user experience, and generate aggregated, anonymised insights about platform usage patterns.
To detect, prevent and address fraud, security breaches, and other harmful activity, to comply with legal obligations, and to enforce our terms of service.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so.
Under the UK GDPR, you have the following rights in relation to your personal data:
You have the right to request a copy of the personal data we hold about you. You will not normally be required to pay a fee for this. We may need to verify your identity before processing your request.
You have the right to request correction of any personal data we hold about you that is inaccurate or incomplete.
You have the right to request deletion of your personal data where there is no compelling reason for us to continue processing it. Please note that we may not always be able to comply with your request where specific legal reasons apply, which will be communicated to you at the time of your request.
You have the right to request that we suspend the processing of your personal data in certain circumstances, for example if you want us to verify its accuracy or our reason for processing it.
You have the right to request the transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format.
You have the right to object to processing of your personal data where we are relying on our legitimate interests (or those of a third party) and there is something about your particular situation that makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
Where we are relying on consent to process your personal data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
To exercise any of these rights, please contact us at [email protected]. We will respond to all legitimate requests within one month. In some cases, we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data.
We may share your personal data with the following categories of recipients:
Third-party companies that provide services on our behalf, including cloud hosting and infrastructure providers, payment processing partners (such as Stripe, Adyen, TrustPay, and Ryft), analytics and monitoring tools, and communication platforms. These providers are contractually bound to process your data only as instructed by us and to implement appropriate security measures.
Where necessary to fulfil orders and manage marketplace operations, core transactional data (such as product details, order information, and delivery addresses) will be shared with relevant suppliers through our Supplier Orchestration and Order Lifecycle Management modules.
When you connect third-party sales channels, ERP systems, or other platforms through our integration infrastructure, data flows between Esetrix and those connected systems as required to deliver the integrated service.
We may disclose your personal data where required to do so by law, in response to a valid request from a law enforcement or regulatory authority, or to protect our rights, property, or safety and those of our clients and partners.
If Avasam Limited (trading as Esetrix) is involved in a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.
We do not sell your personal data to third parties. We may share non-personal, aggregated data with third parties for research, analysis, or industry benchmarking purposes.
Our website and platform may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party services and are not responsible for their privacy practices. We encourage you to review the privacy policy of every external service you engage with.
We retain your personal data only for as long as reasonably necessary to fulfil the purposes for which we collected it, including to satisfy any legal, regulatory, tax, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, and contractual requirements.
In general: active account data is retained for the duration of the client relationship and a reasonable period thereafter; transactional records are retained in accordance with applicable tax and accounting regulations (typically six years in the UK); personally identifiable information pulled via API integrations and required for order fulfilment is obfuscated and removed from live servers after 30 days; integration data not directly linked to your Esetrix operations is permanently deleted within 5 calendar days; and marketing consent records are retained until consent is withdrawn.
We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation relating to our relationship with you.
We have implemented appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, or disclosure. Our security measures include:
Encryption of data in transit and at rest using industry-standard protocols; secure, cloud-based server infrastructure; network firewalls and intrusion detection systems; removal of personal information from live servers 30 days after orders are processed; secure account authentication with restricted login failure attempts; role-based access controls ensuring personal data is accessible only to authorised personnel; documented incident response planning and reporting procedures; and regular security assessments and monitoring.
Where we engage subcontractors to store or process your data, we do not relinquish control of your personal data or expose it to security risks that would not have arisen had the data remained in our direct possession.
While we implement robust measures to protect your personal data, no method of transmission over the internet or method of electronic storage is completely secure. If you believe that your interaction with us is no longer secure, please contact us immediately at [email protected].
Our website uses cookies and similar tracking technologies to distinguish you from other users, to improve your browsing experience, and to help us understand how our website is used.
These are strictly necessary for the operation of our website and platform. They enable core functionality such as security, account authentication, and session management. You cannot opt out of these cookies.
These allow us to recognise and count visitors and to understand how visitors navigate our website and platform. This helps us improve the way our services work and the user experience we deliver.
These are used to recognise you when you return to our website, enabling us to personalise content for you, remember your preferences, and improve your experience.
These track your activity across websites to help us deliver relevant communications and measure the effectiveness of our marketing efforts. These are only set with your consent.
You can manage your cookie preferences at any time through the cookie settings control on our website or by adjusting your browser settings. Please note that disabling certain cookies may affect the functionality of our platform.
Esetrix is headquartered in the United Kingdom. Our primary data processing and storage infrastructure is located within the UK and the European Economic Area (EEA).
In certain circumstances, your personal data may be transferred to, stored in, or processed in countries outside the UK or EEA where our service providers or integration partners operate. Where such transfers occur, we ensure that appropriate safeguards are in place to protect your personal data, including: transfers to countries that the UK government has confirmed provide an adequate level of data protection; Standard Contractual Clauses approved by the UK Information Commissioner; or other lawful transfer mechanisms recognised under the UK GDPR.
If you would like further information about the specific safeguards applied to the international transfer of your personal data, please contact us at [email protected].
We keep this Privacy Policy under regular review and will place any updates on this page. Where changes are significant, we will take reasonable steps to inform you, for example by email notification or a prominent notice on our website.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. Your continued use of our platform and services after changes are published constitutes your acceptance of the updated Privacy Policy.
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please contact us using any of the following methods:
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.
Our platform and services are designed for business use by individuals aged 18 or older. We do not knowingly collect personal data from children or individuals under the age of 18. If you believe that we have inadvertently collected data from a person under 18, please contact us immediately so that we can take appropriate steps to delete that information.