Privacy Policy

Last updated: 16 May 2026

Summary: We are Ionel Viorel trading as Addlify. We collect only the data needed to sell add-ins, support customers, run analytics/ads (with consent) and meet tax and legal duties. Data is kept up to 7 years (tax) or until you unsubscribe. You can access, correct, delete or port your data — email legal@addlify.uk. EU users can contact our EU representative EU Rep (BizLegal Ltd) at eurep.ie.

1. Who we are (Data Controller)

This Privacy Policy explains how Ionel Viorel trading as Addlify collects, uses, stores and shares personal data when you visit addlify.uk, purchase one of our Microsoft Excel or Word add-ins, subscribe to our newsletter or otherwise contact us.

We are the data controller under the UK GDPR, the Data Protection Act 2018, and (for EU data subjects) the EU GDPR (Regulation 2016/679).

Trading name: Addlify (also Addlify Finance, Addlify Medic, IT Solutions VIP)
Legal name: Ionel Viorel — sole trader, United Kingdom
Address: Droitwich, WR9 9EZ, United Kingdom
Email (privacy): legal@addlify.uk
UK ICO registration number: ZC141977
DPO: not required by law

2. EU Representative under Article 27 GDPR

We have appointed EU Rep as our Representative under Article 27 of the EU GDPR. All GDPR queries from EU Data Subjects or Data Protection Authorities should be submitted via eurep.ie's dedicated form.

BizLegal Limited trading as EU Rep, registered office: 27 Cork Road, Midleton, Co. Cork, Ireland. Company number 635921.

3. Personal data we collect, why, and on what lawful basis

Category	Examples	Lawful basis	Retention
Identity & contact	Name, email, phone, billing address, country	Contract; legal obligation; legitimate interests	7 years (HMRC)
Order & licence	Order ID, products, licence keys, downloads, support tickets	Contract; legal obligation	7 years
Payment metadata	Last 4 digits of card, Stripe/PayPal IDs (no full card data)	Contract; legal obligation	7 years
e-Factura / SAF-T submission metadata (Romanian customers)	Submission timestamps, ANAF reference IDs, CIF, status — invoice content itself is not stored by Addlify	Legal obligation (Legea 82/1991 art. 25; OUG 120/2021)	Minimum 10 years
HMRC / ANAF integration tokens	OAuth access & refresh tokens and qualified digital certificate references used to connect the add-in to HMRC Making Tax Digital or ANAF SPV — encrypted at rest with AES-256	Contract (performance of the add-in service)	Duration of the subscription + 30 days
Marketing	Newsletter subscriber email, preferences, opens/clicks	Consent (PECR + UK GDPR Art. 6(1)(a))	Marketing profile deleted within 30 days of unsubscribe. A minimal consent record (that consent was given or withdrawn, and when) is kept for 12 months afterwards as proof of consent under UK GDPR Art. 7(1).
Technical & analytics	IP, device, browser, OS, pages, timestamps	Consent (non-essential); legitimate interest (security)	Up to 26 months
Advertising	Meta Pixel, Google Ads conversion, retargeting	Consent (UK GDPR Art. 6(1)(a) + PECR Reg. 6)	Up to 13 months
Communications	Contact form, emails, support tickets	Legitimate interest; contract; consent	3 years from last contact

3.1 Addlify Finance add-in — data processing scope

The Addlify Finance Microsoft Excel add-in is a SaaS-licensed product distributed via Microsoft AppSource and direct sideload. This section describes specifically what data the add-in processes when running inside your Excel workbook, independent of the rest of the website.

Stays on your computer — invoice rows, SAF-T data, e-Factura XML payloads, accounting records you import or generate. Addlify Finance does not upload your documents, spreadsheets or fiscal data to our servers. XML payloads are submitted from your Excel directly to the ANAF SPV API using your own SPV credentials. We never see the content.
Sent to our server for license control — your licence key, email address, plan name, device fingerprint, IP, and add-in version. Used to authenticate the licence, count active devices on multi-seat plans, and send transactional emails (invoice, key recovery, deadline reminders).
Sent to ANAF webservices (not to Addlify) — CIF/VAT numbers you check, SAF-T XML files you submit, e-Factura UBL files you submit. These calls go directly from your computer to ANAF's public endpoints over HTTPS. Addlify is not a data processor for these flows.
Sent to Stripe (not to Addlify) — card data on checkout. Stripe is the payment processor; we never store full card numbers (only last 4 digits returned by Stripe for invoice display).
Optional OneDrive integration — if you enable backup-to-OneDrive, the add-in uses Microsoft's OAuth flow to obtain a delegated token tied to your own OneDrive. The token never leaves your machine; backups are written directly to your drive.

Retention for add-in usage data: licence and device records are kept while the subscription is active plus 7 years after cancellation (HMRC tax requirement). You can request deletion of optional records (analytics events, support emails) at any time by emailing legal@addlify.uk.

By installing the Addlify Finance add-in from Microsoft AppSource or by sideload, you accept this processing scope. The full EULA and Terms & Conditions govern the licence agreement.

4. How we collect personal data

Directly from you — contact form, newsletter signup, account creation, checkout, email/social media.
Automatically — cookies and similar technologies (see Cookie Policy).
From third parties — payment processors (Stripe, PayPal), email providers, analytics, public sources for B2B verification.

5. How we use your personal data

Process Orders, deliver Products, generate licence keys, provide support.
Manage your account.
Take payment, prevent fraud, meet anti-money-laundering/accounting duties.
Send transactional emails (contract).
Send marketing (consent or PECR soft opt-in for existing customers, with opt-out in every message).
Improve the Website, Products and customer experience (analytics).
Comply with legal obligations and respond to lawful authority requests.
Protect against abuse and unauthorised access.

6. Sharing personal data

We do not sell your personal data. We share it only with the following processors under Article 28 GDPR contracts:

Payment: Stripe (UK + Europe + US), PayPal (Luxembourg + US)
Hosting: Hostico SRL (cPanel hosting), hostico.ro
Email/Newsletter: SendGrid (Twilio Inc.)
Analytics & Ads: Google Analytics 4, Google Ads (Google Ireland Ltd / Google LLC), Meta Pixel, Meta Ads (Meta Platforms Ireland / Meta Platforms Inc.) — only with cookie consent
Security: Cloudflare Inc.
Messaging: WhatsApp Business / Meta Platforms Inc. (USA) — when you click the WhatsApp contact widget on our Website, your IP address and click metadata are shared with Meta. By clicking the widget you provide explicit consent for this transfer.
Add-in platform: Microsoft Corporation (USA / EU per tenant) — Office Add-in runtime. Microsoft acts as a Processor for add-in storage and as an Independent Controller for its own product telemetry; the Microsoft Online Services Data Protection Addendum applies.
Accountants, tax advisors, lawyers and HMRC — for legal/tax/audit duties
Public authorities, courts, regulators — where legally required

7. Cookies

Our Website uses cookies and similar technologies. We rely on:

Strictly necessary cookies — for cart, checkout, security, anti-fraud, consent state. Placed without consent (PECR reg. 6(4)(b)).
Functional, analytics and advertising cookies — placed only with your prior, freely given, specific, informed and unambiguous consent via our cookie banner. Withdraw consent any time via "Cookie settings" in the footer.

Full list and lifetimes are in our Cookie Policy.

8. International transfers

Some processors are based outside the UK and EEA (e.g. Google, Meta in the US). We rely on:

UK adequacy regulations / EU adequacy decisions (including the UK Extension to the EU-US Data Privacy Framework).
UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs.
EU Standard Contractual Clauses 2021/914 with supplementary measures, after a transfer impact assessment.

9. Retention

We keep personal data only as long as necessary. Retention periods are shown in clause 3. Where the law requires longer (e.g. HMRC = 6+ years for accounting), we keep data for that longer period and then delete or anonymise.

10. Your rights

Under UK GDPR / EU GDPR you have the rights of access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and lodging a complaint with the ICO or your local supervisory authority. To exercise any right, email legal@addlify.uk with subject "Data subject request". We respond within one month (extendable up to two further months for complex requests).

11. Automated decision-making and profiling

We do not carry out automated decision-making with legal or similarly significant effects (Article 22 GDPR). Some advertising partners may carry out limited profiling for ads — only with your cookie consent, and you can opt out at any time.

12. Children

The Website and Products are not directed at children under 16. We do not knowingly collect data from children. If we do, we delete it on notification.

13. Security

We use TLS encryption, salted-hashed passwords, restricted access, encrypted backups, 2FA on admin accounts, regular updates, and monitoring. No system is 100% secure.

If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority — the UK Information Commissioner's Office (ICO) and, for data subjects in Romania, the National Supervisory Authority for Personal Data Processing (ANSPDCP) — without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Articles 33–34 of the UK GDPR and EU GDPR. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

14. Changes to this Privacy Policy

We may update this Policy. The "Last updated" date reflects the most recent change. For material changes we notify you by email or by prominent notice on the Website before they take effect.

15. Contact and complaints

Email: legal@addlify.uk · Address: Droitwich, WR9 9EZ, United Kingdom · EU representative: EU Rep (BizLegal Limited), 27 Cork Road, Midleton, Co. Cork, Ireland (Company number 635921), via eurep.ie.

Complaint to ICO: ico.org.uk, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF · Tel: 0303 123 1113. Or your local EU supervisory authority — see edpb.europa.eu.