1. Who we are

This Privacy Policy explains how Norcrest Technologies Limited, 166 River Heights, 90 High Street, London E15 2GQ, United Kingdom (“Norcrest”, “we”, “us”, or “our”) collects, uses, stores, and protects personal data in connection with Kayllo Control™.

2. Scope

This Privacy Policy applies to personal data processed through the Kayllo Control™ website, account access, customer onboarding, billing, support, communications, and related service operations.

This Privacy Policy does not replace any separate data processing agreement, enterprise contract, or other written agreement that may govern customer-controlled data processed within the service.

3. Controller and processor roles

Depending on the context, Norcrest may act as a controller or a processor of personal data. For example, we typically act as a controller for website, account, billing, support, and relationship-management data. We may act as a processor where we process customer-controlled service data on behalf of a customer under applicable contract terms.

4. Personal data we may collect

• identity and contact data, such as name, email address, role, organisation, and related business contact information;
• account and authentication data, including login events, access metadata, device or session data, and account identifiers;
• billing, subscription, and transaction data;
• support, enquiry, and communications data;
• service usage data, diagnostics, logs, telemetry, and security monitoring information;
• workflow, evidence, and control-plane metadata submitted through the service;
• other information you or your organisation choose to provide in connection with use of the service.

5. How we use personal data

• to provide, operate, and administer Kayllo Control™;
• to authenticate users and secure accounts;
• to provision subscriptions and process billing;
• to maintain, support, debug, and improve the service;
• to detect, investigate, prevent, and respond to security incidents, abuse, fraud, or suspected misuse;
• to maintain logs, evidence handling, verification, and operational records relevant to service delivery;
• to comply with legal, regulatory, contractual, and enforcement obligations;
• to communicate with customers, users, and prospective customers about the service.

6. Legal bases

Where UK GDPR or EU GDPR applies, we process personal data under one or more of the following legal bases: performance of a contract, legitimate interests, compliance with legal obligations, and where required, consent.

Our legitimate interests may include providing and securing the service, supporting users, maintaining records, detecting misuse, improving reliability, and protecting the rights, property, and safety of Norcrest, our customers, and others.

7. How we share personal data

We may share personal data with service providers, infrastructure providers, hosting providers, identity and authentication providers, payment processors, analytics and operational support providers, professional advisers, auditors, insurers, and public authorities where required by law or reasonably necessary to provide, secure, support, or enforce the service.

We do not sell personal data.

8. International transfers

Because customers may operate in the UK, EU, US, and other jurisdictions, personal data may be processed in multiple countries. Where required, we use appropriate safeguards for international transfers, including contractual, organisational, and technical measures designed to support lawful cross-border processing.

9. Security

We use technical and organisational measures designed to protect personal data, including access controls, authentication controls, logging, monitoring, infrastructure security measures, and operational controls appropriate to the nature of the service.

No method of transmission, storage, or processing is completely secure, and we cannot guarantee absolute security.

10. Retention

We retain personal data for as long as reasonably necessary to provide the service, maintain operational and security records, resolve disputes, enforce agreements, comply with legal obligations, and support legitimate business and security needs.

Retention periods may vary depending on the type of data, the applicable customer plan, legal requirements, contractual commitments, and the operational needs of the service.

11. Your rights

Depending on applicable law, you may have rights to request access to, correction of, deletion of, restriction of, or objection to our processing of your personal data, and in some cases the right to data portability and to withdraw consent where processing is based on consent.

You may also have the right to complain to a relevant supervisory authority.

12. Customer-controlled service data

Where Norcrest processes customer-controlled service data on behalf of a customer, requests relating to that data may need to be directed to the relevant customer as the party that determines the purposes and means of that processing.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version on the website and update the effective date above.

14. Contact

Privacy enquiries may be sent to Norcrest Technologies Limited at 166 River Heights, 90 High Street, London E15 2GQ, United Kingdom, or by email to lee@norcresttech.com.