BiMarket

Data Protection Notice

Last updated: May 2026

This Data Protection Notice supplements our Privacy Policy and describes in more technical detail how BiMarket UK protects personal data in accordance with the UK GDPR, the Data Protection Act 2018 and applicable guidance from the Information Commissioner's Office (ICO).

1. Accountability and governance

  • BiMarket UK is the data controller for personal data processed in connection with the operation of bimarket.co.uk.
  • We maintain an internal Record of Processing Activities (RoPA) in line with UK GDPR Article 30.
  • Staff handling personal data are trained on data-protection obligations.
  • We carry out Data Protection Impact Assessments (DPIAs) for processing that is likely to result in a high risk to individuals.

2. Lawful, fair and transparent processing

We identify and document a lawful basis for every processing activity (Article 6) and, where special category data is processed, an Article 9 condition. Where consent is the basis, it is freely given, specific, informed and unambiguous, and can be withdrawn at any time.

3. Data minimisation and purpose limitation

We collect only the personal data necessary for the purposes set out in our Privacy Policy and do not reuse it for incompatible purposes without further lawful basis.

4. Storage and retention

Data retention periods are defined by category and aligned with legal, regulatory and business requirements. Summary:

  • Account data — for the life of the account plus up to 24 months of inactivity.
  • Order, invoicing and tax records — 6 years from end of relevant tax year (HMRC).
  • Customer service correspondence — up to 3 years.
  • Marketing consent and opt-out records — kept to honour user preferences.
  • Security logs — typically up to 12 months.

At the end of the retention period data is securely deleted or anonymised.

5. Technical security measures

  • Encryption in transit: all traffic between your browser and our servers uses TLS 1.2 or higher.
  • Encryption at rest: sensitive datastores and backups are encrypted at the storage layer.
  • Password protection: passwords are stored as one-way hashes using modern algorithms (bcrypt/argon2). We never see or store your plaintext password.
  • Payment data: processed by Stripe under PCI-DSS Service Provider Level 1; we do not handle full card numbers, CVV or PINs.
  • Access controls: least-privilege access, role-based permissions, multi-factor authentication for staff accounts where supported, and audit logging.
  • Network and application security: firewalling, rate limiting, automated patching, vulnerability scanning and ongoing monitoring.
  • Backups: regular encrypted backups, tested for restoration.

6. Organisational measures

  • Data-protection induction and refresher training for staff.
  • Confidentiality clauses in employment and contractor agreements.
  • Documented incident-response and breach-notification procedures.
  • Vendor due-diligence and written data-processing agreements with all processors.

7. Sub-processors

We engage carefully selected sub-processors to deliver our service. Categories include:

  • Cloud hosting and storage providers.
  • Payment processing (Stripe Payments UK Ltd).
  • Courier and logistics (DHL Parcel UK).
  • Transactional email and SMS gateways (Brevo).
  • Analytics and customer-support tooling.

All sub-processors are contractually bound to apply appropriate technical and organisational measures consistent with UK GDPR.

8. International transfers

Where personal data is transferred outside the United Kingdom, we rely on UK adequacy decisions, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, supplemented by additional safeguards where necessary.

9. Breach response and notification

  • We maintain an incident-response plan covering detection, triage, containment, eradication, recovery and post-incident review.
  • Where a personal-data breach is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware.
  • Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.

10. Your rights

Please see Section 8 of our Privacy Policy for the full list of rights and how to exercise them.

11. Complaints

If you have any concerns about how we handle personal data, please contact us at [email protected]. You also have the right to complain to the ICO — ico.org.uk.

12. Updates to this notice

We may update this notice from time to time to reflect changes in our practices or applicable law. The "Last updated" date at the top shows when this notice was last revised.

WhatsApp

Bio

BiMarket AI Assistant

Online

Bio's responses may be inaccurate.