GDPR Compliance
Uflorecer is committed to protecting your personal data in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Last updated: February 2026
Our Commitment
Lawful Processing: Clear legal basis for all data processing
Data Minimisation: Only collecting what is necessary
Transparency: Clear information about how we use data
Security by Design: AES-256 encryption and SOC 2 practices
User Rights: Full support for all GDPR data subject rights
Accountability: Dedicated DPO and documented compliance
1. Data Controller
Who we are
Merchants Hoard Limited is the data controller responsible for your personal data processed through the Uflorecer platform. We are a company registered in England and Wales. As data controller, we determine the purposes and means of processing your personal data and are accountable for ensuring compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and compliance. You can contact our DPO for any questions regarding our data processing practices, to exercise your rights, or to raise a concern.
Contact details
Data Protection Officer, Merchants Hoard Limited, London, United Kingdom. Email: dpo@uflorecer.com. For general data protection enquiries: privacy@uflorecer.com.
2. Lawful Basis for Processing
Contract performance (Article 6(1)(b))
We process your personal data as necessary to perform our contract with you, including providing the Uflorecer platform services, managing your account, processing payments, delivering AI-powered features (Lotus AI and Petal), and providing customer support. This is our primary legal basis for most data processing activities.
Legitimate interests (Article 6(1)(f))
We process certain data based on our legitimate interests, including: improving and developing our platform and AI capabilities; ensuring network and information security; preventing fraud and abuse; conducting internal analytics and research; and communicating service updates. We conduct legitimate interest assessments to ensure our interests do not override your fundamental rights and freedoms.
Consent (Article 6(1)(a))
We rely on your consent for: sending marketing communications and newsletters; setting non-essential cookies (analytics and marketing); processing special category data where applicable; and sharing data with third-party marketing partners. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Legal obligation (Article 6(1)(c))
We process data as necessary to comply with legal obligations, including: tax and accounting requirements; responding to lawful requests from regulatory authorities; maintaining records required by financial regulations; and fulfilling obligations under employment law for specialist/provider relationships.
3. Your Data Subject Rights
Right of access (Article 15)
You have the right to obtain confirmation of whether we are processing your personal data and to request a copy of that data. You can download a copy of your data at any time through your account settings under Privacy & Data > Export My Data, or by contacting our DPO.
Right to rectification (Article 16)
You have the right to request correction of inaccurate personal data and to have incomplete data completed. You can update most of your personal data directly through your account settings. For data you cannot modify yourself, please contact our support team.
Right to erasure (Article 17)
You have the right to request deletion of your personal data where: it is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal basis; you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or deletion is required by law. Please note that we may retain certain data where required by law or for the establishment, exercise, or defence of legal claims.
Right to restriction of processing (Article 18)
You may request that we restrict processing of your data while we verify its accuracy, if the processing is unlawful but you prefer restriction over erasure, if we no longer need the data but you require it for legal claims, or if you have objected to processing pending verification of our legitimate grounds.
Right to data portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit it to another controller. This right applies to data you have provided to us and that we process by automated means on the basis of consent or contract performance.
Right to object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately. For other objections, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Rights related to automated decision-making (Article 22)
Our AI features (Lotus AI and Petal) provide recommendations and generate content, but we do not make solely automated decisions that produce legal or similarly significant effects on you. Where AI is used to assist in decisions (such as lead scoring or content recommendations), human oversight is maintained and you can request human review at any time.
4. Data Retention
Retention principles
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. We apply a data minimisation principle, ensuring we do not hold more data than needed and regularly review our retention practices.
Retention periods
Active account data is retained for the duration of your account plus 30 days after a deletion request. Financial and billing records are retained for 7 years as required by UK tax legislation (HMRC). Customer support records are retained for 3 years after resolution. Marketing consent records are retained for as long as consent is active plus 1 year. Security and audit logs are retained for 2 years. Anonymised analytics data may be retained indefinitely, as it no longer constitutes personal data.
Deletion process
When you request account deletion or your retention period expires, we systematically purge your personal data from all active systems within 30 days and from backup systems within 90 days. We maintain a deletion log to ensure completeness and can provide confirmation of deletion upon request.
5. International Data Transfers
Transfer locations
Your data is primarily stored and processed within the United Kingdom and the European Economic Area. However, some of our third-party service providers may process data in countries outside the UK/EEA, including the United States (for services such as cloud hosting, analytics, and payment processing).
Safeguards
Where we transfer personal data outside the UK, we implement appropriate safeguards in accordance with UK GDPR Article 46. These include: UK International Data Transfer Agreements (IDTAs) or addendums; Standard Contractual Clauses (SCCs) approved by the European Commission with UK-specific supplementary measures; transfers to countries with UK adequacy decisions; and binding corporate rules where applicable.
Transfer impact assessments
We conduct Transfer Impact Assessments (TIAs) for all international data transfers to evaluate the level of protection in the recipient country, assess any risks to your data, and implement supplementary measures where necessary. These assessments are reviewed annually or when circumstances change.
6. Technical and Organisational Measures
Encryption
All personal data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3. Database fields containing sensitive data are additionally encrypted at the application level. Encryption keys are managed through a dedicated key management service with automatic rotation.
Access controls
We implement role-based access control (RBAC) with the principle of least privilege. Access to personal data is limited to authorised personnel who require it for their role. All access is logged and audited. Multi-factor authentication is required for all staff accessing personal data.
Security practices
Our security programme includes: regular penetration testing and vulnerability assessments; continuous monitoring and intrusion detection; incident response procedures with defined escalation paths; staff security awareness training; secure development lifecycle practices; and regular review of security policies and procedures aligned with SOC 2 and ISO 27001 frameworks.
Breach notification
In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware, where the breach is likely to result in a risk to your rights and freedoms. Where the breach is likely to result in a high risk, we will notify you directly without undue delay, providing details of the breach and recommended protective actions.
7. Data Processors and Sub-Processors
Our processors
We engage carefully vetted third-party processors to assist in providing our services. All processors are bound by UK GDPR-compliant Data Processing Agreements (DPAs) that include obligations regarding data security, confidentiality, breach notification, and sub-processor management. Key processor categories include: cloud infrastructure (hosting and storage), payment processing, email delivery, analytics, and customer support.
Sub-processor management
We maintain a current list of sub-processors and conduct due diligence on each before engagement. We assess their data protection practices, security measures, and compliance status. You may request our current sub-processor list by contacting dpo@uflorecer.com. We will notify you of any new sub-processors and provide an opportunity to object.
8. Data Protection Impact Assessments
When we conduct DPIAs
We conduct Data Protection Impact Assessments (DPIAs) before implementing any processing activity that is likely to result in a high risk to individuals' rights and freedoms. This includes: introducing new AI features or algorithms; implementing new profiling or automated decision-making; processing personal data at scale; using new technologies or innovative processing methods; and processing special category data.
Our DPIA process
Our DPIA process includes: systematic description of the processing; assessment of necessity and proportionality; identification and assessment of risks to data subjects; identification of measures to mitigate risks; consultation with our DPO; and documentation of decisions and outcomes. Where risks remain high after mitigation, we consult the ICO before proceeding.
9. Complaints and Supervisory Authority
Internal complaints
If you have a concern about how we process your personal data, we encourage you to contact our Data Protection Officer first at dpo@uflorecer.com. We will investigate your concern and respond within 30 days. We take all data protection complaints seriously and are committed to resolving them promptly and fairly.
Supervisory authority
You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection. The ICO can be contacted at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Website: ico.org.uk. Telephone: 0303 123 1113.
10. Contact Our DPO
How to reach us
For all GDPR-related enquiries, to exercise your data subject rights, or to raise a data protection concern, please contact our Data Protection Officer: Email: dpo@uflorecer.com. Post: Data Protection Officer, Merchants Hoard Limited, London, United Kingdom. We aim to respond to all requests within 30 days, as required under UK GDPR. In exceptional circumstances requiring an extension, we will inform you within the initial 30-day period and explain the reason for the delay.