ELLAYA PRIVACY POLICY
Effective Date : 11th June 2025
*Last Updated : 11th June 2025
Welcome to Ellaya www.ellaya.co.uk We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our platform
This policy applies to all users of Ellaya, including Buyers, Sellers, and visitors.
1.Data Controller
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller responsible for your personal data is:
Ellaya Limited
Suite 201 Quantrill House
2 Dunstable Road
Luton, LU1 1DX
United Kingdom
📧 Email:
info@ellaya.co.uk
đź“ž Tel: +44 20 7100 5454
As the data controller, we determine the purposes and means by which your personal data is collected, used, stored, and shared when you use the Ellaya platform.
We are registered in the United Kingdom and operate a digital platform that enables users to manage personal and business tasks, interact socially, and engage in e-commerce and service-based transactions.
If you have any questions or concerns about how we handle your personal information, or if you wish to exercise your data protection rights, you can contact us using the details above.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection, at www.ico.org.uk.
2. Information We Collect
Depending on how you use Ellaya, we collect and process various types of personal data to operate the platform, provide services, and comply with legal obligations. This includes data you actively provide, data we collect automatically, and data received from third parties (where lawful).
We may collect the following categories of personal information:
A. Identity and Contact Data
Collected when you create or update your account, register for a service, or contact support.
- Full name
- Display name or username
- Email address
- Mobile phone number
- Gender or preferred pronouns (optional)
- Profile photo or avatar (optional)
- Date of birth (where required for eligibility or verification)
- Residential or business address
- Business registration number or trading details (for Sellers)
- Nationality or country of residence (if needed for compliance)
B. Account, Security & Authentication Data
Used to manage access and protect your account.
- Login credentials (encrypted password)
- Two-factor authentication tokens (if enabled)
- Account status and security logs
- Account verification documents (e.g. ID or proof of address — for high-risk Sellers or large-value transactions)
- Account roles and permissions (e.g. admin, user, business team)
C. Transaction and Payment Data
Collected when you make or receive payments, book a ride, or conduct business.
- Order history and receipts
- Products or services purchased or sold
- Payment method used (tokenised via third-party processor)
- Billing and delivery addresses
- VAT or tax ID (if required for invoicing)
- Refunds, returns, and disputes
- Commission or fee breakdown (for Sellers)
- RideHub bookings, fare amounts, and trip logs (where applicable)
D. Communications and Messaging Data
Generated through your interactions on the platform.
- Private messages and group chats
- Call or video conferencing logs (time, duration, participants)
- Voice or video call recordings (where permitted and notified)
- Customer support tickets and chat transcripts
- Notifications sent or received
- Reviews, ratings, comments, or testimonials
E. Scheduling and Smart Assistant Data
Collected and used by Ellaya’s intelligent scheduling tools.
- Calendar events and reminders
- Meeting times and invitees
- Preferences, routines, and availability settings
- Linked third-party calendars (e.g. Google Calendar)
- Task lists and deadlines
- AI-generated recommendations or summaries
F. Personal Vault and Databank Content
Voluntarily uploaded or stored by you.
- Files, documents, photos, or videos
- Contact lists or notes
- Encrypted private keys or passwords (if using secure storage tools)
- Tags, folders, or metadata associated with vault content
Ellaya does not access vault content unless explicitly authorised by the user for troubleshooting or legal compliance.
G. Technical, Device and Usage Data
Collected automatically when you access the platform.
- IP address
- Approximate location (derived from IP)
- Browser type and version
- Operating system and device type
- Device ID or advertising identifier
- Language settings
- Session timestamps and time zone
- Platform feature usage (clicks, page views, duration)
- Referring pages or links
H. Cookies and Tracking Technologies
Collected as part of analytics, personalisation, and platform optimisation.
- Cookie identifiers
- Session logs
- Behavioural profiles (e.g. page dwell time, click behaviour)
- Attribution data (e.g. ad campaign engagement)
See our Cookies Policy for full details and management tools.
I. Marketing and Engagement Data
Collected when you sign up for newsletters, campaigns, or promotions.
- Subscription preferences
- Email interaction (opens, clicks)
- Survey responses or competition entries
- Referrals or affiliate participation
- Marketing consent logs
J. Third-Party Integration Data
Collected when you link external services or platforms.
- Calendar or contact data (e.g. Google, Outlook)
- E-commerce accounts (e.g. Shopify, WooCommerce — if supported)
- Ride-booking partners (e.g. RideHub)
- Authentication tokens or permissions granted to Ellaya
We only access the data necessary to provide the feature you enable, and you can revoke access at any time.
K. Sensitive or Special Category Data (only with consent)
We do not intentionally collect sensitive data, but it may be submitted voluntarily in vault files, messages, or calendar notes. Examples may include:
- Health or medical information (e.g. stored records or ride needs)
- Religious views, ethnicity, or political beliefs
- Biometric identifiers (e.g. photo in ID upload)
We process such data only with your explicit consent and under strict security controls. Please avoid uploading unnecessary sensitive content.
3. How We Use Your Information
We collect and use your personal data to provide you with a secure, functional, and personalised experience on the Ellaya platform. The way we use your data depends on your role (e.g. Buyer, Seller, user of scheduling, storage, ride, or messaging features), and is always based on a lawful basis under the UK GDPR.
We may use your information for the following purposes:
A. To Provide, Operate, and Manage the Platform
- To register and manage your Ellaya account
- To authenticate your login and secure your sessions
- To enable features like intelligent scheduling, personal vault, e-commerce tools, ride bookings, and communication functions
- To process transactions between Buyers and Sellers, including payments, receipts, and refunds
- To manage deliveries and bookings via third-party providers (e.g. RideHub)
Lawful basis: Contractual necessity; Legitimate interests
B. To Personalise and Improve User Experience
- To recommend relevant products, events, or scheduling slots
- To tailor the dashboard and user interface based on your preferences or behaviour
- To learn from usage patterns and improve platform performance
- To track and prioritise feature popularity or UX issues
Lawful basis: Legitimate interests; Consent (for non-essential personalisation)
C. To Facilitate Communication and Social Interaction
- To send service-related communications (e.g. order updates, confirmations, alerts)
- To allow you to send and receive messages, calls, or conferencing invites
- To display usernames, reviews, or activity in line with your visibility settings
- To record communication logs for safety, support, or compliance
Lawful basis: Contractual necessity; Legitimate interests
D. To Provide Customer Support and Dispute Resolution
- To respond to enquiries, complaints, or helpdesk requests
- To assist in resolving disputes between Buyers and Sellers
- To verify identity where necessary for support or compliance
- To access communication or transaction records (when needed for fair resolution)
Lawful basis: Contractual necessity; Legitimate interests; Legal obligation
E. To Market Our Services and Engage With You
- To send you service updates, feature announcements, or platform-related news
- To deliver promotional emails, in-app notifications, or offers based on your preferences (only where consent is given)
- To analyse engagement with campaigns, newsletters, or product promotions
- To manage referrals, competitions, or loyalty rewards
Lawful basis: Consent; Legitimate interests (for service notices)
You can opt out of marketing at any time by adjusting your preferences or clicking “unsubscribe” in any message.
F. To Analyse, Audit, and Maintain Platform Security
- To monitor platform activity for misuse, fraud, or unauthorised access
- To log and investigate incidents or suspicious behaviour
- To apply automated moderation, spam detection, or abuse prevention tools
- To audit systems and ensure data integrity and platform resilience
Lawful basis: Legitimate interests; Legal obligation
G. To Store, Index, and Secure Vault and Scheduling Data
- To securely store your uploaded files and notes in your personal vault
- To manage your calendar, reminders, and AI-generated scheduling suggestions
- To allow encrypted, permission-controlled access to vault data (e.g. from multiple devices or verified delegates)
Lawful basis: Contractual necessity; Consent (where you upload sensitive content)
H. To Comply With Legal, Regulatory, and Tax Obligations
- To fulfil legal recordkeeping requirements (e.g. for payments, refunds, or VAT compliance)
- To cooperate with lawful requests from courts, regulators, or law enforcement
- To comply with financial regulations, anti-fraud, and anti-money laundering obligations (where applicable)
- To manage data retention schedules and deletion rights lawfully
Lawful basis: Legal obligation; Legitimate interests
4. Legal Bases for Processing
Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for collecting and using your personal data. The legal basis we rely on depends on the specific purpose for which we process your data. These include:
A. Contractual Necessity
We process your personal data where it is necessary to enter into or perform our contract with you. This applies when:
- You create and maintain an Ellaya account
- You buy or sell goods or services on the platform
- We process orders, payments, deliveries, or ride bookings
- You use our scheduling, messaging, or secure vault features
đź“Ś If you do not provide data required for these purposes, we may not be able to provide our services to you.
B. Legal Obligation
We may process your data where we are required to comply with a legal or regulatory obligation. This includes:
- Recordkeeping for tax, VAT, and accounting compliance
- Responding to lawful access requests from regulators or authorities
- Preventing, detecting, and reporting fraudulent or unlawful activity
- Complying with consumer rights, distance selling, and e-commerce laws
C. Legitimate Interests
We may process your data where it is necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. This applies when we:
- Monitor platform usage and performance
- Improve services and user experience
- Prevent abuse or security threats
- Resolve disputes or support users
- Send relevant service communications (non-marketing)
đź“Ś We always balance our interests against your privacy rights and give you control where appropriate.
D. Consent
We rely on your freely given, informed consent when:
- Sending you marketing emails or newsletters
- Using cookies or analytics tools (non-essential)
- Processing sensitive data voluntarily submitted (e.g. in your vault or scheduling notes)
- Connecting to third-party integrations like calendars or cloud storage
đź“Ś You can withdraw your consent at any time using your account settings or by contacting us at info@ellaya.co.uk. Withdrawing consent does not affect processing already carried out.
E. Vital Interests (rare and limited)
In exceptional cases, we may process personal data to protect someone’s life or physical safety — for example, in the event of an emergency during a ride booking. This is only used where no other lawful basis applies.
5. Sharing Your Information
We treat your personal data with care and confidentiality. We do not sell your information. However, in the course of providing and supporting the Ellaya platform, we may need to share your data with trusted third parties. We only share what is necessary, and always under a lawful basis and with appropriate safeguards.
Your data may be shared with the following categories of recipients:
A. Other Users (Platform Functionality)
Depending on your activity and privacy settings:
- Sellers may receive your name, delivery address, and order details when you make a purchase
- Buyers may see your display name and business profile when you list products or services
- Calendar invitees, message recipients, and contacts may see your display name or availability
- Users you interact with in messaging, conferencing, or social features will see information you choose to share
We encourage all users to respect each other's privacy and use platform communication features responsibly.
B. Our Service Providers and Data Processors
We use carefully vetted third-party providers to support core services. These include:
- Payment processors (e.g. Stripe, PayPal)
- Cloud hosting and data storage partners
- Calendar and email delivery services
- Video conferencing or messaging providers
- Customer support and helpdesk tools
- Analytics and monitoring tools (e.g. Google Analytics, Hotjar — where consented)
All providers are contractually bound to process your data only on our instructions and in accordance with data protection law (Article 28 UK GDPR).
C. Ride-Booking and Integration Partners
If you use RideHub or any third-party integration:
- We may share essential contact, booking, or location data needed to complete the ride or service
- You will be informed before data is shared, and you may need to accept the integration’s terms separately
- You can revoke access to integrations at any time in your settings
We do not share personal vault or calendar data with third parties unless explicitly authorised by you.
D. Regulators, Authorities, and Legal Requests
We may disclose your data if required to:
- Comply with a legal obligation (e.g. tax authority, court order, law enforcement)
- Respond to lawful requests for information
- Protect the rights, safety, or property of Ellaya, users, or the public
- Prevent, investigate, or address fraud, abuse, or violations of the law
We will assess the legitimacy of any such request and limit disclosure to what is legally required.
E. Business Transfers
In the event of a merger, acquisition, sale of assets, restructuring, or insolvency:
- Your data may be transferred to a successor or acquiring entity
- You will be notified in advance where required by law
- The new entity will be bound by similar privacy obligations
F. With Your Consent
We may share your data with third parties where you have explicitly authorised it — for example:
- When linking your calendar, storage service, or social media account
- When participating in joint promotions with partners
- When leaving a public review or testimonial
You can withdraw your consent at any time by contacting us.
6. International Transfers
Some of our service providers and technology partners are located, or process personal data, outside the United Kingdom. This means that your personal data may occasionally be transferred to, stored in, or accessed from countries that do not provide the same level of legal protection for personal data as the UK.
We take all necessary steps to ensure that such transfers comply with the UK General Data Protection Regulation (UK GDPR) and that your data remains protected.
A. Countries Outside the UK
We may transfer your personal data to countries outside the UK, including but not limited to:
- The European Economic Area (EEA)
- The United States
- Other jurisdictions where cloud infrastructure or third-party service providers are located
B. Safeguards We Use
Whenever we transfer your data internationally, we ensure that an equivalent level of data protection is in place by using one or more of the following safeguards:
â—Ź Adequacy Decisions
We may transfer data to countries that the UK government has recognised as providing an adequate level of protection (e.g. EEA countries, Japan, Switzerland).
â—Ź International Data Transfer Agreement (IDTA) or UK Addendum to Standard Contractual Clauses (SCCs)
For transfers to countries without an adequacy decision (such as the U.S.), we use:
- The UK-approved International Data Transfer Agreement (IDTA); or
- The UK Addendum to the European Commission’s Standard Contractual Clauses (SCCs)
These legally binding agreements impose contractual obligations on the recipient to protect your data in line with UK standards.
â—Ź Supplementary Measures (where required)
Where necessary, we apply additional technical, contractual, or organisational safeguards (such as encryption at rest, access restrictions, or pseudonymisation) in line with the guidance of the UK Information Commissioner’s Office (ICO).
C. Exceptions (Derogations under Article 49 UK GDPR)
In limited situations, we may rely on specific exceptions (derogations) to transfer data internationally, for example:
- With your explicit consent (e.g. when connecting to a third-party tool hosted overseas)
- To perform a contract with you or at your request (e.g. for cross-border communications or ride bookings)
- To comply with a legal obligation or defend legal claims
These exceptions are used only where strictly necessary and no other safeguard applies.
D. Your Rights and Controls
You have the right to request more information about international transfers of your personal data, including copies of relevant safeguards. To make such a request, contact us at privacy@ellaya.co.uk.
7. How We Protect Your Information
We take the security of your personal data seriously and implement a range of technical and organisational measures to protect it against unauthorised access, accidental loss, misuse, alteration, or disclosure.
Our approach is based on the confidentiality, integrity, and availability of your data, in line with our obligations under UK GDPR Article 32.
A. Technical Security Measures
We use appropriate technical safeguards to secure your data, including:
- Encryption in transit and at rest (e.g. HTTPS, TLS, AES-256 for stored vault data)
- Firewall and intrusion detection systems to block unauthorised access
- Pseudonymisation and minimisation, especially for analytics and diagnostics
- Access controls, with role-based restrictions for staff and service providers
- Multi-factor authentication for administrative and payment system access
- Secure backups to prevent loss of data in case of system failure
B. Organisational and Administrative Controls
We also enforce strong internal policies to maintain your privacy, such as:
- Staff training on data protection, confidentiality, and handling sensitive data
- Access limitation to personal data on a need-to-know basis only
- Data protection impact assessments (DPIAs) for high-risk processing activities
- Supplier due diligence for any third-party tools or infrastructure
- Confidentiality agreements for employees and contractors with access to user data
- Regular audits and reviews of system and policy compliance
C. Platform-Specific Protections
Because Ellaya includes features such as messaging, scheduling, personal vaults, and e-commerce:
- Your vault content is encrypted and accessible only to you (unless shared explicitly)
- Your messages and conferencing data are transmitted securely and not accessed by Ellaya unless required for safety, abuse reports, or legal compliance
- Your transactional data is processed using PCI-DSS compliant third-party providers — we do not store your full payment card details
D. Security Incident Response
We maintain a formal incident response protocol. In the event of a data breach that poses a risk to your rights or freedoms:
- We will notify you without undue delay
- We will notify the UK Information Commissioner’s Office (ICO) within 72 hours (where legally required)
- We will take prompt action to contain and remedy the breach
E. Your Role in Keeping Data Secure
You also play a role in safeguarding your data. We encourage you to:
- Choose a strong, unique password for your Ellaya account
- Enable two-factor authentication if available
- Log out from shared devices and keep your login credentials confidential
- Report any suspicious activity or unauthorised access to support@ellaya.co.uk
8. Your Rights
As a user of Ellaya, you have rights under the UK General Data Protection Regulation (UK GDPR) in relation to your personal data. These rights empower you to understand, control, and, where appropriate, limit how we use your information.
You can exercise these rights at any time by contacting us at privacy@ellaya.co.uk. We will respond to all valid requests within one month, unless the request is particularly complex, in which case we may extend the deadline by up to two additional months (we will inform you if this happens).
A. Right to Access (Article 15)
You have the right to request:
- Confirmation that we process your personal data
- A copy of the personal data we hold about you
- Supplementary information about how and why we use your data
B. Right to Rectification (Article 16)
If your data is inaccurate or incomplete, you can request that we:
- Correct errors
- Complete any missing information
We may need to verify the accuracy of the new data you provide.
C. Right to Erasure (Right to Be Forgotten) (Article 17)
You may request that we delete your personal data where:
- It is no longer necessary for the purpose for which it was collected
- You have withdrawn consent (where consent was the lawful basis)
- You have objected and there are no overriding legitimate grounds
- We have unlawfully processed the data
- We are required to erase it under UK law
đź“Ś Note: This right may not apply if we are required to retain the data for legal, contractual, or regulatory purposes (e.g. tax records, dispute defence).
D. Right to Restrict Processing (Article 18)
You can ask us to temporarily restrict the processing of your personal data if:
- You contest the data’s accuracy
- Processing is unlawful but you do not want it deleted
- We no longer need the data, but you need it to establish, exercise, or defend legal claims
- You have objected and we are considering whether our legitimate grounds override yours
E. Right to Data Portability (Article 20)
You have the right to receive a copy of the personal data you provided to us in a structured, commonly used, and machine-readable format, and to ask us to transfer it directly to another controller (where technically feasible).
This applies only to data processed by automated means and on the basis of consent or contract.
F. Right to Object (Article 21)
You can object to the processing of your personal data where we rely on:
- Legitimate interests as our lawful basis
- Direct marketing, including profiling related to marketing
We will stop processing your data unless we have compelling legitimate grounds that override your interests or if we need it for legal claims.
G. Right to Withdraw Consent (Article 7)
Where we rely on your consent to process personal data (e.g. for email marketing, optional cookies, or third-party integrations), you have the right to withdraw that consent at any time.
Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.
H. Right to Lodge a Complaint (Article 77)
If you are concerned about how we handle your data, you have the right to lodge a complaint with the UK’s data protection authority:
Information Commissioner’s Office (ICO)
www.ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We encourage you to contact us first so we can resolve your concerns directly.
9. Cookies & Tracking
We use cookies to improve your experience, personalise content, and analyse traffic. You can manage your cookie preferences via our Cookie Banner or your browser settings.
For full details, see our Cookies Policy.
10. Data Retention
We only retain your personal data for as long as is necessary to fulfil the purposes for which we collected it — including to provide our services, comply with our legal and regulatory obligations, resolve disputes, and enforce our agreements.
Once data is no longer required for those purposes, we securely delete or anonymise it.
A. General Retention Periods
We apply the following standard retention periods:
| Data Category | Retention Period |
|---|---|
| Account data (including profile info) | Retained while your account is active, and for up to 6 years after closure (for legal and tax reasons) |
| Order and transaction history | 6 years from transaction date (for HMRC/tax compliance) |
| Messaging and conferencing data | Up to 12 months unless subject to abuse reporting or dispute |
| Personal vault data | Retained until you delete it or close your account |
| Calendar and scheduling data | Retained for as long as you use scheduling services |
| Customer support messages | 3 years from resolution date |
| Email marketing preferences and consent logs | Up to 6 years (for audit and accountability) |
| Analytics and behavioural data | Anonymised after 12–24 months, where not required for service operations |
đź“Ś If you delete your account, we will securely delete or anonymise your personal data within a reasonable period, unless we are legally required to retain it.
B. Legal and Regulatory Obligations
We may retain certain information longer where necessary to:
- Comply with accounting, tax, or regulatory requirements
- Maintain evidence for dispute resolution or legal defence
- Enforce our Terms of Use or agreements with third parties
C. Data Minimisation and Anonymisation
Where appropriate, we:
- Anonymise data so it can no longer be linked to an identifiable individual
- Aggregate data for statistical, research, or product development purposes
- Delete unnecessary or duplicate information during regular audits
D. Your Right to Request Deletion
You may request that we delete your personal data at any time (see Section 8 – Your Rights). We will honour your request where:
- We no longer need the data
- You withdraw consent (if applicable)
- You object and we have no overriding legitimate interest
- The data was collected unlawfully
Certain deletions may be deferred where legal or contractual obligations require continued retention.
11. Third-Party Links
Our platform may contain links to external websites. We are not responsible for the privacy practices of third-party sites. Please read their policies separately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with a new “Last Updated” date. Continued use of the platform signifies your acceptance of the updated policy.