Privacy Policy

01Introduction

This Privacy Policy (this "Policy") explains how Chanodil Ltd, a company incorporated in England and Wales (company number 11999422) with its registered office at Enterprise Centre, 6 David Lane, Basford, Nottingham NG6 0JU, United Kingdom, trading as "Seamless Source" (referred to in this Policy as "Seamless Source", "we", "us" or "our"), collects, uses, stores, shares and otherwise processes personal data in connection with:

• our websites, including seamlesssource.com and any sub-domains (the "Website");
• our Product Relationship Management (PRM) platform and related software-as-a-service offerings, including modules covering Product Information Management (PIM), Product Lifecycle Management (PLM), Digital Product Passport (DPP), Life Cycle Assessment (LCA), Supply Chain Management, Quality Control (QC), Digital Asset Management (DAM) and AI Agents (collectively, the "Platform"); and
• our marketing, sales, recruitment, business development and corporate activities (together with the Website and the Platform, the "Services").

By accessing the Website, registering for an account, using the Platform or otherwise interacting with us, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, you must not access or use the Services.

This Policy is issued in compliance with the United Kingdom General Data Protection Regulation (the "UK GDPR"), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"), and, where applicable, Regulation (EU) 2016/679 (the "EU GDPR").

02Our role: Controller and Processor

Our role under data protection law depends on the context in which we process personal data. We act in two distinct capacities.

2.1 When we act as Controller

We are the "Controller" of personal data we collect and use for our own purposes, including:

• information you provide when visiting the Website, requesting demos, downloading content, attending events or subscribing to marketing communications;
• information collected from prospective and existing customers, partners, suppliers, investors and applicants in connection with our business operations;
• account registration data, billing data and administrator data of our customers; and
• information about authorised users of our customers when they interact with the Platform in their individual capacity (for example, login, support tickets, telemetry and security logs).

2.2 When we act as Processor

When our customers upload, input, generate or otherwise make available data through the Platform in the course of using the Services (the "Customer Data"), our customer is the Controller and we act as a Processor or sub-processor on their behalf. Our processing of Customer Data is governed by the relevant master services agreement, order form and Data Processing Agreement (the "DPA") entered into between us and the customer. In the event of any conflict between this Policy and the DPA in respect of Customer Data, the DPA prevails.

If you are an individual whose personal data appears within Customer Data (for example, an employee, contractor, supplier representative, worker in a manufacturing facility, factory auditor, end consumer, or similar) and you wish to exercise rights in respect of that data, you should contact the Controller (typically our customer) in the first instance. We will assist our customers in responding to such requests in accordance with the DPA.

03Personal data we collect

We may collect and process the following categories of personal data. The specific data collected will depend on how you interact with the Services.

3.1 Account, identity and contact data

• name, job title, role, employer, work email, work telephone number, business address and country;
• username, password (stored in hashed form), security questions, multi-factor authentication tokens and account preferences;
• identity verification information where required, including date of birth, national identifiers, company registration numbers, tax identifiers and, where reasonable, copies of identity or business documents; and
• information you choose to include in your user profile, biography, photograph or signature block.

3.2 Billing and financial data

• billing name, billing address, VAT/tax identifiers, purchase order references and invoice history;
• payment instrument details (collected and processed by our regulated payment service providers; we do not store full card numbers on our systems);
• financial information necessary to detect, investigate and prevent fraud, money laundering, sanctions breaches or other unlawful activity.

3.3 Platform usage, device and technical data

• IP address, device identifiers, hardware model, operating system, browser type and version, language settings, time zone;
• access logs, session identifiers, login timestamps, pages and features used, queries run, files uploaded or downloaded, integrations triggered, errors encountered, performance metrics and other telemetry data;
• information collected via cookies, pixels, SDKs, web beacons, server logs and similar technologies (see Section 7).

3.4 Communications and support data

• the content of messages, emails, support tickets, chat sessions, call recordings, voicemails, meeting transcripts (where notified), demo notes and any attachments;
• feedback, survey responses, testimonials, case study contributions and event registrations.

3.5 Marketing and engagement data

• marketing preferences, consent records, subscription status, source of acquisition (e.g., referrer, campaign);
• engagement signals such as email opens, link clicks, content downloads, webinar attendance and inferred interests;
• publicly available business information from sources such as LinkedIn, Companies House, trade registries and reputable data providers used for sales and business development.

3.6 Customer Data processed as Processor

When customers use the Platform, they may upload, generate, transmit or otherwise process Customer Data within our systems. Customer Data may include, without limitation:

• product, material, component, bill-of-materials, specification, sample, technical pack, tech-drawing, image, video and other design data;
• supplier, factory, mill, dyehouse, finishing house, agent, vendor and sub-tier supplier information, including names, addresses, contact details, certifications, audit data and capability information;
• worker, labour, social compliance, health & safety, grievance, wage and working-hours data where uploaded by the customer for due diligence, audit, ESG, modern slavery or Digital Product Passport purposes;
• Digital Product Passport (DPP) attributes, traceability claims, chain-of-custody records, sustainability metrics, recycled content claims, Life Cycle Assessment (LCA) inputs and outputs, carbon and water footprint data and substance/material declarations;
• quality control records, inspection reports, lab test results, certifications (e.g., OEKO-TEX, GOTS, GRS, ISO), regulatory compliance evidence (e.g., GPSR, REACH, CPSIA, EN/ISO standards), CE/UKCA conformity documentation and similar;
• customer, retailer, distributor and end-consumer data uploaded for the customer's own purposes, including sales, returns, recalls or warranty data;
• data generated by AI Agents and other automated features of the Platform when operating on Customer Data.

We do not control, monitor or assume responsibility for the content of Customer Data. The Customer is solely responsible for ensuring it has a valid legal basis (and, where required, consent or other authorisation) to upload such data to the Platform.

3.7 Special category and sensitive data

We do not require, request or wish to receive special category personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, biometric data or data concerning sexual orientation) other than in narrow and lawful circumstances (for example, accessibility information voluntarily provided by an event attendee). Customers must not upload special category personal data to the Platform unless they have a valid Article 9 condition and the relevant DPA expressly permits it.

04How we collect personal data

• Directly from you – when you fill in a form, register, request a demo, communicate with us or otherwise interact with the Services.
• Automatically – through cookies, server logs and similar technologies when you use the Website or the Platform.
• From your organisation or our customer – when you are invited or provisioned as a user of a customer's instance of the Platform.
• From third parties – including identity verification providers, payment processors, fraud prevention agencies, data enrichment providers, marketing and advertising platforms, social networks, public sources (such as Companies House), referrers and partners.
• From integrations you authorise – when you connect the Platform to third-party systems (such as ERP, e-commerce, PIM, lab, factory or compliance databases), we will process the data made available through those integrations in accordance with your configuration.

05Lawful bases for processing

We process personal data only where we have a valid lawful basis under Article 6 UK GDPR (and Article 9 where applicable). Our lawful bases include the following:

5.1 Performance of a contract

To enter into and perform our contracts with you, your employer or our customer (including providing the Platform, account administration, billing, support, security and managing the customer relationship).

5.2 Legitimate interests

We rely on our (and, where applicable, third parties') legitimate interests, including the following non-exhaustive list:

• operating, securing, maintaining, monitoring, improving, evaluating and developing the Services, including the underlying infrastructure, models, algorithms and features;
• preventing, detecting and investigating fraud, abuse, security incidents, malicious activity, intellectual property infringement and breaches of our terms;
• understanding and analysing how the Services are used in order to enhance them and to develop new products, features, models and offerings (including AI/ML and Digital Product Passport capabilities);
• marketing our Services to business contacts and prospects (where consent is not required) and conducting business development activities;
• managing corporate transactions, investor relations, financing rounds, due diligence and reorganisations;
• enforcing, defending and exercising our legal rights and protecting our property, personnel and customers;
• producing aggregated, anonymised or de-identified data for benchmarking, analytics, research, publication and commercialisation purposes; and
• communicating with you about important matters relating to your account, the Services or our business.

We have carried out (and keep under review) legitimate interests assessments to ensure that our interests are not overridden by your rights and freedoms. You may request a summary of the relevant assessment by contacting us as set out in Section 19.

5.3 Consent

Where required by law (for example, for certain marketing communications, non-essential cookies, or the processing of special category data), we rely on your freely given, specific, informed and unambiguous consent. You may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

5.4 Legal obligation

To comply with our legal, regulatory, tax, accounting, record-keeping, audit, sanctions, anti-money-laundering, health & safety, employment and similar obligations under UK or other applicable law.

5.5 Vital interests and public interest

In rare cases, to protect the vital interests of a data subject or another natural person, or where processing is necessary in the public interest.

06Purposes for which we use personal data

We use personal data for the purposes set out below. A single processing activity may rely on more than one lawful basis.

• To provide, configure, host, operate, maintain and support the Services and to authenticate users.
• To create, administer and manage accounts, including provisioning, deprovisioning, password reset, role and permission management.
• To process payments, invoicing, credit checks, collections, refunds and chargebacks.
• To provide customer service, respond to enquiries, fulfil information requests, and handle complaints, escalations and disputes.
• To monitor, secure, protect and maintain the integrity, availability, performance and resilience of the Services, including incident detection, vulnerability management and penetration testing.
• To prevent, investigate, mitigate and respond to fraud, abuse, security incidents, unlawful conduct, infringement and breaches of our terms.
• To develop, test, train, evaluate, validate, improve and enhance the Services, including AI/ML models, algorithms, classifiers, embeddings, knowledge bases and Agents (subject to the AI provisions in Section 8).
• To carry out research, statistical analysis, benchmarking, industry insights and trend analysis, including in anonymised and aggregated form.
• To facilitate the issuance, hosting, verification and accessibility of Digital Product Passports and related sustainability, traceability and compliance disclosures in accordance with applicable law and customer instructions.
• To send service messages, security notifications, product updates, policy changes and other operational communications.
• To send marketing communications and personalised content to existing and prospective business customers, where permitted (see Section 12).
• To plan, deliver and analyse events, webinars, conferences and recruitment.
• To carry out corporate transactions, including mergers, acquisitions, financing, restructurings and divestments.
• To comply with our legal, regulatory, accounting, tax and audit obligations and to respond to lawful requests by public authorities.
• To establish, exercise, defend and enforce legal claims.
• To process Customer Data on behalf of our customers, in accordance with their documented instructions and the DPA.

07Cookies and similar technologies

The Website and Platform use cookies and similar technologies (including local storage, pixels, SDKs and web beacons) to enable core functionality, secure the Services, remember preferences, measure performance, conduct analytics and (where consented) deliver tailored advertising.

Strictly necessary cookies are set by default because the Services cannot function without them. All other cookies are set only with your consent, which you can give, withdraw or manage at any time through our cookie banner or preference centre. Disabling certain cookies may impair functionality.

Full details of the specific cookies we use, their purposes, providers and retention periods are set out in our separate Cookies Notice.

08AI, machine learning and automated processing

Artificial intelligence and machine learning are integral to the Platform. We use AI/ML techniques to deliver and improve features such as classification, compliance checks, supplier risk scoring, quality control assistance, content generation, document understanding, anomaly detection, search, recommendations, summarisation and AI Agents.

8.1 Data used to develop and improve our AI

• Aggregated, anonymised, de-identified, synthetic, publicly available or properly licensed data;
• Personal data we process as Controller in accordance with this Policy, where consistent with our lawful bases and our legitimate interests in developing the Services;
• Telemetry, usage signals, feedback, prompts, outputs, error reports and similar operational data;
• Customer Data only to the extent permitted by the applicable DPA, and (unless the DPA expressly authorises otherwise) only on a de-identified or aggregated basis that does not result in the training of generally available models on identifiable Customer Data.

8.2 Third-party AI providers

Some AI/ML features are powered by sub-processors (such as large-language-model or foundation-model providers). We select sub-processors that offer appropriate contractual commitments, including (where applicable) commitments not to use Customer Data submitted via our API to train their own models. A current list of AI sub-processors is maintained on our trust page or made available on request.

8.3 Automated decision-making

We do not generally take decisions about you that have legal or similarly significant effects based solely on automated processing within the meaning of Article 22 UK GDPR. Where features of the Platform produce outputs (such as risk scores, compliance flags, classifications, suggestions or generated content), those outputs are intended to support, not replace, human decision-making by you or our customers. You should not rely on AI outputs as a sole basis for legal, regulatory, safety, employment, credit or similarly significant decisions.

8.4 Accuracy, hallucination and your responsibilities

AI outputs may be incomplete, inaccurate, biased or otherwise unsuitable for a particular purpose. You and our customers are responsible for reviewing, verifying and validating AI outputs before relying on or acting upon them, particularly in the context of regulated activities, safety claims, product compliance and Digital Product Passport disclosures. To the maximum extent permitted by law, we accept no liability for losses arising from reliance on AI outputs in breach of this Policy or the applicable customer agreement.

09Digital Product Passports and regulatory disclosures

The Platform enables our customers to create, manage, host and share Digital Product Passports ("DPPs") and related regulatory disclosures (including, where applicable, under Regulation (EU) 2024/1781 on Ecodesign for Sustainable Products (ESPR), Regulation (EU) 2023/988 on General Product Safety (GPSR), and analogous regimes in the UK and other jurisdictions).

• The customer (and not Seamless Source) is the regulated economic operator and remains solely responsible for the accuracy, completeness, lawfulness and timeliness of the data published in any DPP.
• Where personal data (such as the name of a supplier representative, factory operative or compliance officer) is included in a DPP, the customer warrants that it has identified an appropriate lawful basis (typically legal obligation or legitimate interests) and has provided any required transparency information to the relevant data subjects.
• We may be required to retain DPP data for the minimum retention period prescribed by the applicable regulation, irrespective of any earlier deletion request, and to make such data available to competent authorities upon lawful request.
• We may publish, expose or otherwise make accessible DPP data via QR codes, public-facing pages, registries, decentralised identifiers, blockchain anchors, APIs or other channels selected or required by the customer or applicable regulation. Once published in this way, certain DPP data may be irreversibly disseminated.

10How we share personal data

We share personal data only as set out below. We do not sell personal data.

10.1 Sub-processors and service providers

We engage carefully selected sub-processors and service providers to support the Services. These include providers of cloud hosting and storage, content delivery, security, monitoring, analytics, email and communications, identity and authentication, payments, AI/ML infrastructure and inference, customer support, CRM, marketing automation, professional services and similar functions. All sub-processors are subject to written agreements requiring appropriate confidentiality, security and data protection commitments. A current list of sub-processors involved in processing Customer Data is maintained on our trust page or available on request.

10.2 Our affiliates and group companies

We may share personal data with affiliates or other entities within our corporate group, including entities located outside the UK or the EEA, for the purposes set out in this Policy and subject to appropriate safeguards.

10.3 Customer-directed sharing

When you use the Platform, you and our customers may instruct us to share Customer Data and certain account data with third parties (such as suppliers, factories, agents, auditors, certifiers, retailers, regulators, recipients of DPP disclosures and downstream actors). We act on those instructions and are not responsible for those third parties' subsequent processing.

10.4 Professional advisors and corporate transactions

We may share personal data with our auditors, lawyers, accountants, bankers, insurers, consultants and other professional advisors, and with counterparties (and their advisors) in connection with any actual or proposed financing, merger, acquisition, divestment, reorganisation, insolvency or sale of all or part of our business or assets. In such cases, personal data is a transferable asset.

10.5 Authorities and legal compliance

We may disclose personal data to courts, regulators, law enforcement, tax authorities and other public bodies where we believe in good faith that disclosure is required or permitted by law, to comply with legal process, to enforce our terms, to protect the rights, property or safety of Seamless Source, our customers or others, or to investigate fraud or security incidents.

10.6 Aggregated and anonymised data

We may create, use, publish and share aggregated, anonymised or de-identified data (including for benchmarking, industry insights, research, marketing, product development and commercialisation) without restriction, provided it cannot reasonably be used to identify you.

11International data transfers

Personal data may be transferred to, processed in and stored in countries outside the United Kingdom and the European Economic Area, including jurisdictions that may not provide an equivalent level of data protection. This may include transfers to our sub-processors, group entities or contractors located in, for example, the United States, Sri Lanka, India and elsewhere.

Where we transfer personal data internationally, we put in place appropriate safeguards as required by applicable law, including:

• reliance on adequacy regulations or decisions (where available);
• the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses;
• the European Commission's Standard Contractual Clauses; and
• supplementary technical, contractual and organisational measures where required following a transfer risk assessment.

You may request further information about the safeguards in place by contacting us as set out in Section 19.

12Marketing communications

We may send marketing communications to existing business customers, prospects and individuals who have requested such communications, in each case in compliance with PECR and the UK GDPR.

You can opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting us. Opting out of marketing does not affect service-related communications, which are necessary for the operation of the Services.

13Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, regulatory or reporting requirements, and for the establishment, exercise or defence of legal claims. Indicative retention periods include:

• Account data – for the duration of the contract plus up to seven (7) years thereafter for legal, audit and limitation period purposes;
• Billing and financial records – at least six (6) years from the end of the relevant accounting period (in accordance with UK tax and accounting law);
• Marketing data – until you opt out or for up to three (3) years from your last interaction, whichever is sooner;
• Security, audit and access logs – up to two (2) years (or longer where required for investigations or legal claims);
• Customer Data – in accordance with the DPA and customer instructions, with deletion or return at the end of the contract subject to legal obligations;
• DPP and regulatory data – for the minimum period required by the applicable regulation, which may extend beyond the end of the contract;
• Backup copies – may persist in encrypted backups for a limited period after deletion from primary systems, in accordance with our backup retention schedule.

Where personal data is no longer needed, we will delete, anonymise or securely destroy it. We may retain aggregated or anonymised data indefinitely.

14Security

We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Such measures include access controls, encryption in transit and at rest (where appropriate), network and application security controls, secure software development practices, vulnerability management, logging and monitoring, employee training and confidentiality undertakings, and incident response procedures.

No system can be guaranteed to be completely secure. We do not guarantee, and you should not expect, that the Services will be free from unauthorised access or that personal data will always remain secure. You are responsible for keeping your credentials confidential, configuring your account securely (including using multi-factor authentication where available), and notifying us promptly of any suspected security incident affecting your account.

15Your rights

Subject to applicable law and any exemptions, you have the following rights in respect of personal data we process about you as Controller:

• Right of access – to obtain confirmation of whether we process your personal data and to receive a copy of it.
• Right to rectification – to have inaccurate personal data corrected and incomplete data completed.
• Right to erasure ("right to be forgotten") – to request deletion of personal data in certain circumstances.
• Right to restriction of processing – to require us to restrict processing in certain circumstances.
• Right to data portability – to receive certain personal data in a structured, commonly used, machine-readable format and to have it transmitted to another controller.
• Right to object – to object to processing carried out on the basis of legitimate interests or for direct marketing.
• Right to withdraw consent – at any time where processing is based on consent.
• Right not to be subject to solely automated decisions producing legal or similarly significant effects.
• Right to lodge a complaint – with the Information Commissioner's Office (the "ICO") or another competent supervisory authority.

We may need to verify your identity before responding to a request and may charge a reasonable fee, or refuse to act, where requests are manifestly unfounded, excessive or repetitive. We will respond within the timeframes required by applicable law (usually one month, extendable by up to two further months for complex requests).

If your personal data appears within Customer Data, the relevant Controller is our customer and you should direct your request to them. We will support our customers in responding to such requests in accordance with the DPA.

16Children and young persons

The Services are intended for use by business users in the course of their employment or professional activities and are not directed to children. We do not knowingly collect personal data from individuals under the age of 18 through the Website or the Platform. If you believe that we have inadvertently collected personal data from a person under 18, please contact us and we will take appropriate steps to delete it.

17Third-party websites, integrations and content

The Services may contain links to, or integrations with, third-party websites, applications, platforms, plug-ins, content and services. We are not responsible for the privacy practices, content or security of such third parties. We encourage you to review the privacy notices of any third party before providing personal data to them or enabling an integration.

18Your obligations and warranties

By accessing the Services or submitting any personal data through them, you represent, warrant and undertake to us that:

• all personal data you provide is accurate, current, complete and lawfully obtained;
• you have all necessary rights, consents, authorisations, notices and lawful bases required to provide such personal data to us and to authorise our processing as described in this Policy;
• you will not upload to or process through the Platform any personal data in breach of any applicable law, contractual restriction, intellectual property right or right of any third party;
• you will comply with all applicable data protection, privacy, anti-spam, export, sanctions and consumer protection laws when using the Services;
• where you are a customer (or acting on behalf of a customer), you are the Controller of the Customer Data and you accept all corresponding responsibilities under the UK GDPR and the DPA.

You agree to indemnify, defend and hold harmless Seamless Source, its affiliates, officers, directors, employees, agents, contractors and licensors from and against any and all claims, losses, damages, liabilities, fines, penalties, costs and expenses (including reasonable legal fees) arising out of or in connection with: (a) any breach of the warranties or undertakings in this Section 18; (b) the personal data you submit to the Services; or (c) your use of the Services in breach of this Policy, the applicable customer agreement or any applicable law. The foregoing is supplemental to (and does not limit) any indemnities set out in the applicable customer agreement.

19Contact and complaints

If you have any questions about this Policy, wish to exercise any of your rights, or wish to raise a complaint, please contact us at:

You also have the right to lodge a complaint with the ICO (https://ico.org.uk) or, where applicable, with another competent supervisory authority in the EEA.

20Disclaimers, limitation of liability and governing law

To the maximum extent permitted by applicable law:

• the Services and any information, outputs or content provided through them are made available on an "as is" and "as available" basis, without warranties of any kind, express or implied;
• we exclude all implied warranties, conditions and terms (including as to satisfactory quality, fitness for purpose, accuracy, completeness, reliability and non-infringement) to the fullest extent permitted by law;
• our liability arising out of or in connection with this Policy, the Website, or use of any non-paid Services is excluded to the maximum extent permitted by law; our liability in respect of the paid Platform is governed exclusively by the limitation and exclusion of liability provisions of the applicable customer agreement, which apply in full;
• nothing in this Policy excludes or limits liability that cannot be excluded or limited under English law (including liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot lawfully be excluded).

This Policy is governed by the laws of England and Wales. Any dispute, claim or proceeding arising out of or in connection with this Policy is subject to the exclusive jurisdiction of the courts of England and Wales.

21Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, the Services, applicable law or for other operational or legal reasons. The "Effective Date" at the top of this Policy will indicate when it was last revised. We will provide additional notice (for example, by email or in-product notification) where the change is material. Your continued use of the Services after the effective date constitutes your acknowledgement and acceptance of the updated Policy, save that where a change requires fresh consent under applicable law, we will seek that consent before relying on it.

22Definitions

Capitalised terms used but not otherwise defined in this Policy have the following meanings:

• "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-processor" and "Special Category Data" have the meanings given to them in the UK GDPR.
• "Customer" means any legal entity that has entered into a written agreement with us for the use of the Platform.
• "Customer Data" has the meaning given in Section 2.2.
• "DPA" means the data processing agreement entered into between Seamless Source and a Customer.
• "Digital Product Passport" or "DPP" has the meaning ascribed to it under the ESPR or any analogous regime.
• "Services", "Platform" and "Website" have the meanings given in Section 1.

— END OF PRIVACY POLICY —