Privacy Policy
VERSION 1.0EFFECTIVE effective date
This policy covers data for which Reload IT Ltd is the controller (account, billing, website and support data). Data your company uploads into MetlSys about its own customers is processed under the Data Processing Agreement, where Reload IT acts as processor.
This policy is being finalised — highlighted items are still to be confirmed, and it is subject to final legal review. For any question in the meantime, contact info@reloadit.co.uk.
1. Who we are
1.1 Reload IT Ltd (“Reload IT”, “we”, “us”) operates the MetlSys platform. We are registered in England and Wales, company number company number, registered office registered office address. We are registered with the Information Commissioner’s Office under registration number ICO registration number.
1.2 For data described in this policy, Reload IT is the data controller. You can contact us about data protection at info@reloadit.co.uk.
2. Controller vs processor
2.1 We are the controller for account registration details, billing information, usage and analytics data, support communications, and marketing data.
2.2 We are a processorfor data our business customers upload into their MetlSys tenant (for example their own customers’ names, order histories, delivery addresses, and personnel named on documents). That processing is governed by our Data Processing Agreement with the customer, who is the controller. If you believe a MetlSys customer holds data about you, please contact that business directly in the first instance.
3. Data we collect
- Account data — name, business email, job role, company name, and your role within your organisation’s tenant.
- Billing data — company billing details and VAT number. Card payments are processed by Stripe; we do not store full card numbers.
- Usage data — log-ins, feature usage, IP address, browser and device information, and diagnostic logs.
- Support data — the content of support requests and related correspondence.
- Website data — enquiries submitted via our website and cookie data as described in our Cookie Policy.
4. Purposes and lawful bases
- Providing and administering the Service, accounts and subscriptions — performance of a contract.
- Billing, VAT and accounting — legal obligation and performance of a contract.
- Securing the Service, preventing fraud and abuse, and enforcing our terms — legitimate interests.
- Improving and developing the Service, including aggregated and anonymised analytics — legitimate interests.
- Service communications (renewals, security notices, changes to terms) — performance of a contract / legitimate interests.
- Marketing to business contacts about our own similar products — legitimate interests, with the right to opt out at any time; or consent where required.
5. Who we share data with
5.1 We share personal data with service providers who help us run MetlSys, under contracts that restrict their use of the data:
- Supabase — database, authentication and file storage.
- Railway — backend application hosting.
- Vercel — website hosting and content delivery.
- Stripe — payment processing, billing and vat.
- Anthropic — ai-assisted document extraction and analysis.
- Resend — transactional email and notifications.
5.2 We may also disclose data where required by law, to professional advisers, and to a purchaser or prospective purchaser of our business.
5.3 We do not sell personal data.
6. International transfers
6.1 Some providers process data outside the UK. Where they do, we rely on UK adequacy regulations or appropriate safeguards such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses. Details are available on request.
6.2 Primary hosting region: London, United Kingdom (eu-west-2).
7. Retention
- Account data — for the life of the account and up to 12 months after closure.
- Billing and VAT records — 6 years, as required by HMRC.
- Support correspondence — 24 months after resolution.
- Usage and security logs — 12 months.
7.1 Data we process on behalf of business customers is retained per their instructions and the Data Processing Agreement, including industry retention periods for mill test certificates and trading records.
8. Your rights
8.1 Under UK GDPR you have rights of access, rectification, erasure, restriction, portability and objection, and the right to withdraw consent where processing is based on consent. To exercise a right, contact info@reloadit.co.uk. We will respond within one month.
8.2 You have the right to complain to the Information Commissioner’s Office (ico.org.uk), although we would appreciate the chance to resolve concerns first.
9. Security
9.1We apply technical and organisational measures appropriate to the risk, including encrypted connections, database isolation of each customer’s tenant, role-based access controls, and signed, time-limited links for document access. No system is completely secure, and you are responsible for keeping your credentials confidential.
10. Changes
10.1 We may update this policy from time to time. Material changes will be notified within the Service or by email. The latest version will always be available at metlsys.com/privacy.