GDPR Statement

1. Scope

This statement summarises how SCOTT BARGAINS LTD complies with the UK GDPR and the EU General Data Protection Regulation (EU) 2016/679 in running the Scott Bargains AI service.

2. Data Controller

SCOTT BARGAINS LTD is the Data Controller for customer accounts, brand profiles, generated-content history, billing references and support records.

Contact: support@scottbargains.com — we act as the point of contact for data-protection enquiries (a formal DPO is not legally required given the size and nature of our processing, but one may be appointed as we grow).

3. Data Processors

We use the following processors under written Data Processing Agreements:

• Stripe — payments and subscription management.
• Vercel — application hosting.
• Our application database provider (EU region) — primary data store.
• Trusted LLM providers — model inference. We do not authorise model providers to use your data to train their models.
• Incident / monitoring tooling — operational visibility.

A current list of sub-processors is available on request.

4. Lawful bases

See the Privacy Policy section 4 for the full list of lawful bases we rely on.

5. Your rights under UK GDPR

• Access — you can download everything we hold about you.
• Rectification — you can correct inaccurate data from within the app or by emailing us.
• Erasure — you can request deletion of your account and associated data. Billing records we are legally required to keep will be retained for the statutory period.
• Restriction — you can ask us to stop processing while we investigate a concern.
• Portability — we provide your data in a structured, machine-readable format (JSON) on request.
• Objection — you can object to processing based on legitimate interests.
• Automated decision-making — the Service does not take automated decisions with legal or significant effects on you.

To exercise any of these rights, email support@scottbargains.com. We respond within one calendar month.

6. Supervisory authority

The UK supervisory authority is the Information Commissioner’s Office (ICO), reachable at ico.org.uk or on 0303 123 1113.

7. International transfers

Where data leaves the UK or EU, we rely on the UK International Data Transfer Addendum (IDTA) and the EU Standard Contractual Clauses (SCCs).

8. Security

We operate the Service under the following baseline controls: TLS encryption in transit, encryption at rest, role-based access control, 2FA on administrative interfaces, audit logging, third-party security testing.

9. Breach notification

In the unlikely event of a personal-data breach likely to result in risk to data subjects, we will notify the ICO within 72 hours and contact affected users without undue delay.

10. Children

The Service is not intended for children under 18 and we do not knowingly collect data from children.

11. Changes

Material changes to this statement will be notified by email to active customers at least 14 days before taking effect.