Privacy Notice

Fortium Technologies Ltd, registered in England and Wales, is the data controller for your personal data under the UK GDPR and the Data Protection Act 2018. You can reach our data protection contact at [email protected]. [LAWYER REVIEW: confirm whether a formal Data Protection Officer is required based on headcount + processing scale.]

We collect the following categories of personal data:

• Account data — name, email, hashed password, MFA secret (when you enable it), and authentication-provider identifiers (from Google / Microsoft OAuth when you sign in that way).
• Organisation data — your role, the organisation you belong to, the date you joined, and the person who invited you.
• Usage data — session events (sign in, sign out, playback start / end / heartbeat), audit events, IP address and user agent of requests that hit our API.
• Content you upload — disc images, disc metadata, display names, policy rules, distributions, and any personal data embedded in those.
• Support data — any messages you send us through support channels.

We process personal data for the following purposes:

• To provide the Service you signed up for (the legal basis is performance of a contract).
• To keep your account secure, prevent abuse, and investigate suspected breaches of these terms (legitimate interests).
• To comply with legal obligations, including responding to content-takedown notices and subject access requests (legal obligation).
• To send you transactional emails about your account and your invitations (performance of a contract).

We do not process your data for advertising, marketing, or profiling. We do not sell your data to anyone.

We keep personal data only as long as necessary for the purposes above. The table below shows the default retention windows; individual customers on enterprise tiers can agree shorter windows in their contract.

We share personal data with a small number of processors, each bound by a UK-compliant data processing agreement:

• DigitalOcean — application hosting and object storage. Our primary region is EU-West.
• Cloudflare — DNS, DDoS protection, and TLS at the edge.
• Resend — transactional email delivery (invitation, verification, password reset).
• Anthropic — the AI model we use for Phase 6 content enrichment. Only disc metadata and titles are sent, not the disc bytes themselves. [LAWYER REVIEW: the Anthropic DPA covers this but needs to be confirmed + listed once Phase 6 lands.]

We do not transfer personal data outside the UK / EEA except where the recipient is covered by an adequacy decision or standard contractual clauses.

Under the UK GDPR you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Ask us to delete your data (“right to be forgotten”).
• Object to or restrict processing.
• Receive a machine-readable copy of your data (portability).
• Complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

To exercise any of these rights, email [email protected]. We will respond within one month. There is no charge for most requests.

We use industry-standard measures to protect your data in transit (TLS 1.3) and at rest (AES-256). Every Disc distribution is forensic-watermarked on playback so leaks can be traced. We run a full security penetration test before each major release and publish a summary of findings. [LAWYER REVIEW: confirm the language on breach notification + 72-hour ICO deadline.]

We may update this notice from time to time. Material changes will be notified by email and take effect 30 days after the notice. Non-material changes (clarifications, typos) take effect immediately.