Privacy Policy

  • Home
  • Privacy Policy
image

Elseware Limited (“we”, “us”, “our”) is committed to protecting and respecting your privacy.

This Privacy Policy explains how we collect, use, store, and protect personal data when you:

  • Visit our website
  • Enquire about or use our Bacs payment software services
  • Communicate with us
  • Work with us as a customer, partner, or supplier

In most circumstances, we act as a data controller in relation to the personal data described in this policy. In limited situations where we provide technical support that requires access to customer payment files, we may process personal data on behalf of the customer, who remains the data controller. More information on this is in section 3.

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable regulatory requirements.

1. Who we are

Elseware Limited
Registered in England and Wales: 03378892
Registered Office: 8b Kelvin House, Kelvin Way, Crawley, England, RH10 9WE
Email: info@elseware.org.uk
Telephone: 0208 123 0063

For data protection purposes, we act as a Data Controller in relation to the personal data described in this policy.

2. Information we collect

We may collect and process the following personal data information:

  • Name
  • Job title
  • Company name
  • Company address
  • Business email address
  • Business telephone number

3. Important information about our software

Our Bacs approved payments software (Front2Bax) is deployed on customers’ own IT systems (on-premise).

We do not:

  • Host customer data
  • Store customer payment files
  • Have ongoing visibility of personal data processed through our software

Remote access to customer systems may occur only where required for technical support and onboarding, using secure remote access software (e.g., AnyDesk) and only with the customer’s knowledge and authorisation.

During such support and onboarding sessions:

  • Access is customer-initiated and controlled.
  • Where necessary to provide technical support, we may temporarily access or process personal data contained within payment files for the sole purpose of resolving the identified issue.
  • We do not retain personal data extracted during support beyond what is necessary to resolve the issue. Any copies created for troubleshooting purposes are securely deleted once the issue has been rectified.
  • Responsibility for the personal data processed within the customer’s environment remains with the customer as data controller.

Customers are solely responsible for the personal data they process using our software and for ensuring compliance with applicable data protection laws.

Our privacy obligations relate only to the personal data we collect directly as part of running our own business.

4. How we collect personal data

We collect personal data:

  • Directly from you (e.g., enquiries, onboarding, support requests)
  • Through contractual relationships
  • Through our CRM system when recording communications
  • Automatically via our website (cookies and analytics). We use Google Analytics to analyse how visitors use our website. Google Analytics collects information such as IP Address (anonymised where possible), device type, browser information, and pages visited
  • From your organisation where you are a user of our services

5. How we use personal data

We use personal data for the following purposes:

  • Providing and managing our Bacs software products
  • Managing customer relationships
  • Responding to enquiries and support requests
  • Communicating important service updates
  • Improving our services
  • Meeting legal and regulatory obligations
  • Maintaining system security and integrity

We use our CRM system to manage customer communications and maintain accurate contact records.

Where we use analytics cookies, we rely on your consent as the lawful basis for processing.

We do not sell personal data.

6. Lawful basis for processing and your rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

  • Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.
  • Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
  • Your right to erasure - You have the right to ask us to delete your personal information. Read more about the right to erasure.
  • Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
  • Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.
  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.
  • Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice in Section 1.

ICO Contact Details:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
https://www.ico.org.uk/make-a-complaint
Tel: 0303 123 1113

7. How we share personal data

We may share personal data with:

  • Trusted service providers (e.g., CRM provider)
  • Professional advisers (legal, compliance, audit)
  • Regulatory bodies where required
  • Law enforcement or authorities if legally required

All third-party providers are required to process personal data securely and in accordance with applicable data protection laws.

8. International transfers

Some of our service providers may operate outside the United Kingdom.

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as:

  • UK adequacy regulations
  • UK-approved International Data Transfer Agreements (IDTAs)
  • Appropriate contractual safeguards

9. Data security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Access controls and role-based permissions
  • Encryption where appropriate
  • Secure infrastructure
  • Regular monitoring and review
  • Compliance with Bacs and BASS scheme requirements

10. Data retention

We will retain personal data with us for 90 days to 2 years after users terminate their subscription or for as long as we need it to fulfil the purposes for which it was collected as detailed in this Privacy Policy. Data will be retained only for as long as necessary to:

  • Fulfil the purposes for which it was collected
  • Meet contractual obligations
  • Comply with legal and regulatory requirements

11. Marketing communications

We may send service-related communications where necessary to fulfil our contract.

We will only send marketing communications where we have a lawful basis to do so. You can opt out at any time by contacting us at info@elseware.org.uk.

12. Changes to this Policy

We may update this Privacy Policy from time to time. Where changes are made, we will take reasonable steps to notify you.