Winnow Technology
Privacy and Data Protection Policy
Version 2.0 — February 2026
Company Number: 14508913
1. Introduction
Welcome to the Privacy and Data Protection Policy (“Privacy Policy”) of Winnow Technology Ltd (“we”, “us”, or “our”), a company registered in England and Wales.
We are committed to protecting and respecting your privacy and Personal Data in compliance with the United Kingdom General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (“PECR”), and all other applicable data protection laws and regulations of the United Kingdom. Where we process personal data of individuals located in the European Economic Area (“EEA”), we also comply with the EU General Data Protection Regulation (EU) 2016/679 (“EU GDPR”).
This Privacy Policy explains how we collect, process, store, and protect your data. It will inform you of your privacy rights, how the law protects you, and sets out the obligations of our employees and staff when processing data.
1.1 Individuals Covered by This Policy
This Privacy Policy applies to data we collect from and about:
Visitors to our website
Customers and prospective customers
Business contacts and suppliers
Third parties connected to our customers
Newsletter subscribers and marketing contacts
and any other individuals with whom we have a relationship or may need to contact.
2. Data Controller
Winnow Technology Ltd is the Data Controller responsible for your Personal Data.
Contact email: hello@winnowtechnology.com
Registered address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
We are not currently obliged under the UK GDPR to appoint a Data Protection Officer and have not voluntarily appointed one at this time. All enquiries regarding your data should be directed to the email address above.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
ICO website: www.ico.org.uk
3. Personal Data We Collect
3.1 Types of Personal Data
“Personal Data” means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store, and transfer the following kinds of Personal Data:
Profile/Identity Data: first name, last name, gender, date of birth.
Contact Data: postal address, email address, telephone number.
Marketing and Communications Data: your preferences in receiving marketing information and communications from us.
Technical Data: IP address, browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to engage with us.
Customer Support Data: feedback, survey responses, and correspondence with us.
Usage Data: information about how you use our website, products, and services.
We do not collect any Special Categories of Personal Data (including details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, or genetic and biometric data). We do not collect any information about criminal convictions and offences.
3.2 Lawful Basis for Processing
We rely on the following lawful bases under the UK GDPR for collecting and processing your Personal Data:
Consent: Where you have given clear consent for us to process your Personal Data for a specific purpose, such as subscribing to our newsletter.
Contractual Obligation: Where processing is necessary for the performance of a contract with you, or to take steps at your request before entering into a contract.
Legal Compliance: Where processing is necessary to comply with a legal obligation to which we are subject.
Legitimate Interest: Where processing is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
The table below sets out the lawful basis we rely on for each category of data:
4. How We Use Your Personal Data
We will only use your Personal Data when the law allows us to do so.
4.1 Marketing and Content Updates
You will receive marketing and content communications from us only if you have opted in to receiving those communications. You may unsubscribe at any time by clicking the “unsubscribe” link at the bottom of any marketing email, or by contacting us at hello@winnowtechnology.com.
Where you opt out of receiving marketing messages, we will continue to retain other Personal Data provided to us as a result of other interactions not related to your marketing preferences.
4.2 Change of Purpose
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.
We may process your Personal Data without your knowledge or consent where this is required or permitted by law.
4.3 Automated Decision-Making
We do not currently use automated decision-making or profiling in a way that produces legal effects or similarly significantly affects you. Should this change in the future, we will update this Privacy Policy and provide you with information about the logic involved, as well as the significance and envisaged consequences of such processing.
5. Cookies and Tracking Technologies
Our website may use cookies and similar tracking technologies to distinguish you from other users, improve your experience, and analyse how our website is used.
5.1 Types of Cookies We Use
Strictly Necessary Cookies: Required for the operation of our website. They include cookies that enable you to use essential features.
Analytical/Performance Cookies: These allow us to recognise and count the number of visitors and see how visitors move around our website. This helps us improve how our website works.
Functionality Cookies: These are used to recognise you when you return to our website and enable us to personalise content for you.
In accordance with PECR, we will obtain your consent before placing any non-essential cookies on your device. You can manage your cookie preferences through our cookie consent mechanism on the website, or by adjusting your browser settings.
6. Your Rights
Under UK GDPR, you have the following rights in relation to your Personal Data:
Right to be informed: You have a right to be informed about how we collect and use your Personal Data. This Privacy Policy fulfils that obligation.
Right of access: You may request a copy of the Personal Data we hold about you (a “data subject access request”).
Right to rectification: You may request correction of any incomplete or inaccurate Personal Data we hold about you.
Right to erasure: You may request that we delete or remove your Personal Data where there is no good reason for us continuing to process it. Note that we may not always be able to comply for specific legal reasons, which will be notified to you at the time of your request.
Right to restrict processing: You may request that we restrict the processing of your Personal Data in certain circumstances, such as where you contest its accuracy or object to our processing of it.
Right to data portability: You may request the transfer of your Personal Data to you or to a third party in a structured, commonly used, machine-readable format. This right applies only to automated information which you initially provided consent for us to use, or where we used the information to perform a contract with you.
Right to object: You may object to the processing of your Personal Data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object. You also have the absolute right to object to processing for direct marketing purposes.
Right to withdraw consent: Where we rely on consent as the lawful basis for processing, you have the right to withdraw your consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
To exercise any of these rights, please contact us at hello@winnowtechnology.com. You will not have to pay a fee to access your Personal Data or to exercise any of the other rights. However, we may charge a reasonable fee or refuse to comply if your request is clearly unfounded, repetitive, or excessive.
We may need to request specific information from you to confirm your identity and ensure your right to access your Personal Data. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.
7. Data Security
We are committed to keeping your data secure. Any Personal Data collected by us is only accessible by a limited number of employees who have special access rights to such systems and are bound by obligations of confidentiality.
We have implemented appropriate technical and organisational measures to protect your Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:
Access controls limiting Personal Data access to authorised personnel only
Confidentiality obligations for all employees and contractors who handle Personal Data
Regular review of our data processing practices and security measures
Unfortunately, no transmission of data over the internet is guaranteed to be completely secure. While we strive to protect your Personal Data, we cannot ensure or warrant the security of any data you transmit to us. Any such transmission is at your own risk.
8. Data Processing Agreements
Where we engage third-party processors to process Personal Data on our behalf, or where we process Personal Data on behalf of our business clients, we enter into appropriate Data Processing Agreements (“DPAs”) in accordance with Article 28 of the UK GDPR.
These agreements ensure that:
Processors only act on our documented instructions
Appropriate technical and organisational security measures are in place
Personal Data is kept confidential
Sub-processors are only engaged with our prior written authorisation
Data subjects’ rights are respected and facilitated
Personal Data is deleted or returned at the end of the processing relationship
Compliance can be demonstrated through audits and inspections
If you are a business client and require a DPA in connection with our services, please contact us at hello@winnowtechnology.com
9. Processors and Responsibilities
In discharging our responsibilities as Data Controller, we may have employees or authorised third parties who process your data on our behalf (“Processors”). We ensure that all Processors:
Process Personal Data only in accordance with our documented instructions and a valid lawful basis under the UK GDPR
Are committed to confidentiality or are under an appropriate statutory obligation of confidentiality
Implement appropriate technical and organisational security measures
Assist us in fulfilling our obligation to respond to data subject rights requests
Make available all information necessary to demonstrate compliance with UK GDPR obligations
Cooperate with the supervisory authority upon request
Notify us without undue delay upon becoming aware of a Personal Data breach
We do not currently engage any third-party sub-processors for the storage or processing of your Personal Data. Should this change, we will update this Privacy Policy accordingly.
10. Sharing Your Data with Third Parties
We may share anonymised, non-Personal Data with third parties for analytical and research purposes.
We may share your Personal Data with:
Professional advisers (e.g., legal, accounting, or audit services) who are bound by professional obligations of confidentiality
Regulatory or governmental bodies where required by law or regulation
Potential acquirers or investors in the event of a sale, merger, or restructuring of all or part of our business, subject to appropriate confidentiality obligations
In the event of a transfer of ownership, the acquiring entity’s privacy policy may govern the further use of your Personal Data. In all other situations, your data will remain protected in accordance with this Privacy Policy.
11. International Data Transfers
As a UK-registered company, we primarily store and process Personal Data within the United Kingdom and the European Economic Area. Where it is necessary to transfer your Personal Data outside the UK or EEA, we will ensure that appropriate safeguards are in place, including:
Transfers to countries that have been deemed to provide an adequate level of data protection by the UK Secretary of State or the European Commission
Use of UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs), as applicable
Any other legally recognised transfer mechanism under the UK GDPR or EU GDPR
If you would like further information about the specific safeguards applied to the transfer of your Personal Data, please contact us at hello@winnowtechnology.com.
12. Data Retention
We will retain your Personal Data only for as long as reasonably necessary to fulfil the purposes for which it was collected. In determining the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, and whether we can achieve those purposes through other means.
As a general guide:
Account and profile data: Retained for the duration of your account and for up to 12 months following account closure or your last interaction with us
Marketing and communications preferences: Retained until you withdraw consent or unsubscribe
Technical and usage data: Retained for up to 24 months
Contractual and transactional data: Retained for 6 years following the end of the relevant contract, in line with the Limitation Act 1980
Legal and regulatory data: Retained for as long as required by applicable law
We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation.
13. Age Restrictions
Our website and services are not intended for children. You must be aged 16 or older to use our services. We do not knowingly collect Personal Data from children under 16. If we become aware that we have collected Personal Data from a child under 16, we will take steps to delete that data as soon as practicable.
14. Changes to This Privacy Policy
We keep this Privacy Policy under regular review and will place any updates on this page. Where changes are significant, we will endeavour to notify you by email or through a notice on our website.
This version was last updated on 17 February 2025.
15. Contact Us
If you have any questions about this Privacy Policy, your Personal Data, or wish to exercise any of your rights, please contact us:
Email: hello@winnowtechnology.com
Postal address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office:
Website: www.ico.org.uk
Telephone: 0303 123 1113
16. Interpretation
All uses of the word “including” mean “including but not limited to” and the enumerated examples are not intended to limit the term which they serve to illustrate.
Our staff are not authorised to contract on behalf of Winnow Technology Ltd, waive rights, or make representations (whether contractual or otherwise). If anything contained in an email from a Winnow Technology Ltd address contradicts anything in this Policy, our terms, or any official public announcement on our website, the Policy, terms, or official announcement shall take precedence.
