Records of Processing Activities

Article 30 GDPR / UK GDPR — Last updated: 16 May 2026

Public version: This is a transparency summary of our Article 30 ROPA. The full record is available to supervisory authorities on request and is held by our EU representative (BizLegal Limited, Ireland).

1. Controller and EU representative

Field	Details
Legal name	Ionel Viorel
Trading names	Addlify; Addlify Finance; Addlify Medic; IT Solutions VIP
Status	Sole trader registered in the United Kingdom
Address	Droitwich, WR9 9EZ, United Kingdom
Email	legal@addlify.uk
UK ICO registration	ZC141977
EU Representative (Art. 27)	BizLegal Limited (trading as EU Rep), 27 Cork Road, Midleton, Co. Cork, Ireland — Co. No. 635921 — eurep.ie
DPO	Not appointed (not required under Article 37 GDPR)

2. Data subjects

Customers (consumer and B2B individual contacts)
Prospective customers
Newsletter and marketing subscribers
Website visitors
Account holders
Support enquirers
Business contacts (suppliers, processors, partners)
End users at customer organisations using multi-seat licences

We do not knowingly process personal data of children under 16.

3. Categories of personal data

Identity and contact (name, email, phone, billing address, country, business name and VAT number)
Account credentials (username, salted-hashed password, 2FA tokens)
Order, transaction and licence data
Payment metadata (no full card numbers stored)
Marketing data (subscriber email, preferences, consent records, engagement events)
Technical, device and log data
Cookies and online identifiers
Communications data
B2B contact data

No special category data (Article 9 GDPR) is processed. No criminal conviction data (Article 10 GDPR). For Addlify Medic, patient health data is processed locally on the user's device and is never collected, transmitted or stored by us.

4. Purposes and lawful bases

Activity	Lawful basis (GDPR Art. 6)
Sale of digital products	(b) Contract
Customer support	(b) Contract; (f) Legitimate interests
Transactional emails	(b) Contract; (c) Legal obligation
Newsletter / marketing	(a) Consent; PECR soft opt-in for existing customers
Website analytics	(a) Consent (PECR Reg. 6)
Online advertising	(a) Consent
Fraud prevention & security	(f) Legitimate interests; (c) Legal obligation
Tax & accounting compliance	(c) Legal obligation
Audit logs — Addlify Finance (HMRC / ANAF submissions, device & access records)	(c) Legal obligation — Legea contabilității 82/1991, OUG 120/2021; (f) Legitimate interests (security & fraud prevention)
Legal claims and regulatory cooperation	(c) Legal obligation; (f) Legitimate interests

5. Categories of recipients (processors)

UK: Stripe Payments UK; PayPal UK; SendGrid; hosting; accountant; HMRC; ICO; courts
Ireland (EU): Stripe Europe; Google Ireland (Analytics, Ads); Meta Ireland (Pixel, Ads); Microsoft Ireland; EU Rep / BizLegal Limited; Irish Revenue (OSS VAT)
Luxembourg (EU): PayPal Europe S.a.r.l.
USA: Google LLC; Meta Platforms Inc.; Cloudflare Inc.; Twilio/SendGrid Inc.; Stripe Inc.; PayPal Inc.
EU Member States: sub-processors and supervisory authorities where applicable
Tax authorities (recipients of filings you authorise): HM Revenue & Customs (HMRC, United Kingdom) — Making Tax Digital submissions; ANAF, Agenția Națională de Administrare Fiscală (Romania) — e-Factura and SAF-T submissions via ANAF SPV. These filings are transmitted on your instruction, as the legal filer of record.

6. International transfer safeguards

Adequacy decisions including the UK Extension to the EU-US Data Privacy Framework
EU Standard Contractual Clauses 2021/914 + ICO UK Addendum, or UK IDTA
Article 28 GDPR data processing agreements with all processors
Transfer Impact Assessments and supplementary technical/organisational measures
Article 49 derogations only on an exceptional, non-repetitive basis

We do not sell personal data.

7. Retention

Data category	Retention
Customer accounts, transactions, payment metadata	7 years from last transaction (HMRC)
UK VAT records	6 years
EU OSS VAT records	10 years
Customer support / email correspondence	3 years from last contact
Newsletter subscribers	Until unsubscribe + 12 months proof of consent
Marketing engagement events	24 months rolling
Cookie consent record	Up to 12 months
Website analytics (GA4)	Up to 26 months
Advertising identifiers	Up to 13 months or until consent withdrawn
Server / access logs	Up to 30 days
Encrypted backups	90 days rolling
ROPA, DPIAs, breach records, consent records	Duration of processing + minimum 3 years
Data subject request records	3 years from response
Processor contracts	Duration of relationship + 7 years

8. Technical and organisational measures (Art. 32)

TLS 1.2+ for all web/API traffic; HSTS
Encryption at rest; encrypted backups
Salted-hashed passwords (bcrypt/argon2); 2FA on admin and processor accounts; least-privilege RBAC
Web Application Firewall, DDoS protection (Cloudflare); rate limiting; secure HTTP headers; CSP
Regular patching, dependency scanning, parameterised queries (no SQLi), output encoding (no XSS), CSRF tokens
Hosting on ISO 27001 / SOC 2 certified providers; logical separation of prod / staging / dev
PCI-DSS Level 1 payment processors only (Stripe, PayPal); 3-D Secure (SCA) enabled; no card numbers stored
Centralised logging and monitoring; documented breach response with 72-hour ICO notification
Encrypted daily backups, 90-day rolling retention, periodic restore tests
Data minimisation; automated deletion / anonymisation at end of retention
Article 28 DPAs with all processors; sub-processor register maintained
Cookie consent platform with Reject All as prominent as Accept All
Devices protected by full-disk encryption, strong PIN/password and screen lock

9. Data subject rights and contact

To exercise your UK GDPR / EU GDPR rights (access, rectification, erasure, restriction, portability, objection, withdraw consent, complaint to a supervisory authority): email legal@addlify.uk or contact our EU representative via eurep.ie.

10. Document control

Owner: Ionel Viorel · Version 1.1 · Last updated: 16 May 2026 · Next review: within 12 months or upon material change.