GDPR Policy
Last Updated: June 1, 2026
1. Controller and Processor Roles
Under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018, WMSBIZ acts in two distinct capacities depending on the context of the data processed:
- Data Controller: We are the Controller for account credentials, subscription information, and communication logs of users signing up for our services. This means we determine the purposes and means of processing this data. Our details are: Suffolk IT Services t/a WMSBIZ, Vyoren, Lowestoft Road, Beccles, Suffolk UK NR34 7DE.
- Data Processor: We are the Processor for the operations data you input into our ERP platform (e.g., your stock inventory records, customer names, vendor lists, and client billing logs). You remain the Controller of that data, and we process it strictly on your instructions to run the ERP system.
2. Legal Bases for Data Processing
As a Controller, we only process your personal data when we have a valid legal basis. These include:
- Contractual Necessity: To set up your account, process trial signups, and deliver the core ERP services.
- Legitimate Interests: To run our business, send transactional alerts, protect system security, debug application errors, and manage invoicing.
- Consent: For analytics cookies (Google Analytics G-65HQSSFQS1), which we only activate if you explicitly opt-in on our cookie banner.
- Legal Obligation: To maintain appropriate accounting records for tax and HMRC compliance in the United Kingdom.
3. Your Legal Rights Under GDPR
If you are a resident of the United Kingdom or the European Economic Area (EEA), you have the following rights:
You can request a copy of the personal details we hold about you to confirm we process them lawfully.
You can request that we update or correct any incomplete or inaccurate data.
Also known as the 'right to be forgotten'. You can request that we delete your personal details when they are no longer required.
You can ask us to temporarily suspend the processing of your data while we verify inaccuracies or resolve disputes.
You can request a copy of your personal details in a machine-readable, structured, and commonly used format.
Where processing relies on consent (such as analytics tracking), you can withdraw consent at any time.
4. How to Exercise Your Rights
To exercise any of your GDPR rights, please contact our support department at support@wmsbiz.cloud. We will respond to your request within 30 days.
Please note that we may ask you to verify your identity before responding to such requests to ensure the security of customer information. If we act as a Data Processor for your data, please contact the respective Data Controller (your organization or employer) directly to execute your rights.
5. Third-Party Subprocessors
We work with third-party vendors to handle hosting, analytics, emails, and payments. Below is a list of our core subprocessors, their functions, and their GDPR compliance statuses:
| Subprocessor | Service Provided | Data Location |
|---|---|---|
| Supabase | Database Hosting | EEA / UK |
| Stripe | Payment Gateway | Global (US/EEA) |
| SMTP2GO | Transactional Email Service | UK / Europe |
| Google Analytics | Website Analytics | Global |
6. International Data Transfers
Whenever we transfer your personal data out of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring standard contractual clauses (SCCs) approved by the European Commission and the UK Information Commissioner's Office are implemented, or by verifying that the recipient has equivalent data security practices in place.
7. Right to Complain to the ICO
If you believe our data processing activities violate GDPR requirements, you have the right to lodge a formal complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: https://ico.org.uk