Privacy Policy

1.Who We Are (Data Controller)

This Privacy Policy explains how SortingEasy ("SortingEasy," "we," "us," or "our") collects, uses, shares, and safeguards personal data when you access the SortingEasy web application at sortingeasy.com (the "Service"), the SortingEasy mobile application, or any related websites, APIs, or services that link to this Policy.

For the purposes of the EU General Data Protection Regulation 2016/679 ("EU GDPR") and the UK GDPR / Data Protection Act 2018 ("UK GDPR"), the data controller for personal data processed in connection with the Service is:

Separately, Paddle.com Market Limited acts as an independent data controller for the personal data it processes in its capacity as Merchant of Record (see Section 6).

2.Scope of This Policy

This Policy applies to personal data we process about:

• Account holders — Owners and Administrators who register a SortingEasy organization and use the web application.
• Members — authenticated users invited to an organization.
• Operators — mobile-only users who join a specific project via invitation code or QR code (without a full web account); for Operators we typically process only a display name and a device identifier.
• Visitors to the SortingEasy public website.
• Billing contacts who purchase a Subscription via Paddle.

It does notapply to (a) personal data that you, as an organization Administrator, enter as User Content about your own customers, suppliers, or inspected items — for that data, you are the data controller and we act as your data processor under our Data Processing Addendum; or (b) third-party websites linked from the Service, which are governed by their own privacy notices.

3.Personal Data We Collect

4.How and Why We Use Your Data

We process personal data for the following purposes:

• Providing the Service. Creating and maintaining your account and organization, authenticating you, storing and synchronizing your projects and User Content across devices, and enforcing role-based permissions.
• Subscription and billing. Activating trials, processing Subscription orders through Paddle, applying tier limits, sending invoices and renewal reminders, and addressing billing disputes.
• Transactional communications. Sending you operational emails such as account verification, security alerts, invoices, renewal notices, service announcements, and responses to support requests. We do not send marketing emails to web users at this time.
• Service quality and security. Detecting fraud and abuse, investigating incidents, applying rate limits, diagnosing errors, and improving reliability and performance.
• Legal and compliance. Complying with tax, accounting, anti-fraud, and other legal obligations, and establishing, exercising, or defending legal claims.

5.Legal Bases for Processing (GDPR)

Where the EU GDPR or UK GDPR applies, we rely on the following legal bases:

Where we rely on legitimate interests, we have carried out a balancing test to confirm that our interests are not overridden by your rights and freedoms. You can object to this processing at any time (see Section 11).

6.Payments — Paddle as Merchant of Record

All Subscription purchases made through SortingEasy are processed by our reseller and Merchant of Record, Paddle.com Market Limited(registered office: Judd House, 18-29 Mora Street, London, EC1V 8BT, United Kingdom), together with its affiliates ("Paddle").

7.Sharing With Third Parties (Processors)

We do not sell your personal data. We share it only with the following categories of recipients, and only to the extent necessary for the purposes described in this Policy:

Each processor is bound by a written data-processing agreement that obliges them to handle your data only on our instructions and to apply appropriate security measures.

8.International Data Transfers

Our primary processing infrastructure is located in the European Union. Some of our processors (in particular Paddle in the United Kingdom and certain support tools in the United States) may process your data outside the European Economic Area (EEA).

Where personal data is transferred outside the EEA or the UK, we rely on one of the following safeguards as required by GDPR Articles 45–49:

• An adequacy decision of the European Commission and/or the UK Government (for example, the EU–US Data Privacy Framework where the recipient is certified, and the UK–US Data Bridge);
• The European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented where necessary by additional technical and organisational measures;
• Your explicit consent or another derogation listed in Article 49 of the GDPR.

You can request a copy of the safeguards in place for a specific transfer by contacting us at info@sortingeasy.com.

9.Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy or as required by law. Indicative retention periods are:

After expiry of the applicable retention period, we either delete or irreversibly anonymise the personal data.

10.Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, including:

• TLS 1.2+ encryption in transit for all client–server traffic;
• Encryption at rest for object storage (AWS S3 SSE) and database storage;
• Role-based access control and short-lived bearer tokens issued by AWS Cognito;
• Principle of least privilege for internal access to production data;
• Centralised logging and monitoring of authentication events;
• Regular review of dependencies and patching of known vulnerabilities.

No security measure is perfect; if we become aware of a personal data breach affecting your data, we will notify the relevant supervisory authority and, where required by GDPR Articles 33–34, you directly without undue delay.

11.Your Rights

Subject to the conditions set out in the EU GDPR and the UK GDPR, you have the following rights in relation to your personal data:

• Right of access — to obtain confirmation of whether we process data about you and a copy of that data (Art. 15).
• Right to rectification — to have inaccurate or incomplete data corrected (Art. 16).
• Right to erasure ("right to be forgotten") — to request deletion of your data in certain circumstances (Art. 17).
• Right to restriction — to limit our processing of your data in certain circumstances (Art. 18).
• Right to data portability — to receive your data in a structured, commonly used, machine-readable format (Art. 20).
• Right to object — to object to processing based on our legitimate interests (Art. 21).
• Right to withdraw consent — where processing is based on consent, to withdraw it at any time, without affecting the lawfulness of prior processing (Art. 7(3)).
• Right not to be subject to automated decision-making producing legal or similarly significant effects (Art. 22) — see Section 14.
• Right to lodge a complaint with a supervisory authority (Art. 77) — see Section 16.

To exercise any of these rights, contact us at info@sortingeasy.com. We will respond within one month, extendable by up to two further months for complex requests. We may need to verify your identity before acting on the request.

Where the request concerns payment data held by Paddle, we will forward it to Paddle or instruct you to contact Paddle directly — see Section 6.4.

12.Cookies and Similar Technologies

13.Children's Privacy

The Service is intended for business use and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at info@sortingeasy.com and we will delete it.

14.Automated Decision-Making

We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects (GDPR Art. 22).

Paddle may, in its capacity as Merchant of Record, run automated fraud-screening checks on Subscription transactions. The outcome of those checks may cause a payment attempt to be declined; if this happens you may retry with another method or contact Paddle buyer support. See Paddle's Privacy Policy for details.

15.Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you by email (to the address associated with your account), via an in-application notice, or by prominent posting on the SortingEasy website, at least 14 days before the change takes effect, except where a shorter period is required by law.

The "Effective" date at the top of this Policy indicates when it was last revised. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

16.Contact and Complaints

For any privacy-related question, request, or complaint, please contact:

Right to lodge a complaint. If you believe our processing of your personal data infringes the EU GDPR or the UK GDPR, you have the right to lodge a complaint with a supervisory authority — in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU authorities is available at edpb.europa.eu. In the United Kingdom the supervisory authority is the Information Commissioner's Office (ico.org.uk).

Billing-specific inquiries. Paddle is the Merchant of Record for Subscription purchases (see Section 6). For questions about a charge, invoice, refund, or payment method, please contact Paddle: