Privacy Policy

Last updated: 19th November 2025

This Privacy Policy explains how The Wagon Company ("we", "us", "our") collects, uses and shares personal data when you visit our website, create an account or use our data processing platform.

This Policy is designed to comply with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, and may also be relevant to the EU GDPR where we handle personal data of individuals in the EEA.

1. Who we are and how to contact us

Controller:
The Wagon Company
71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Email: dpo@thewagoncompany.com

We act as:

a controller for personal data about our customers, users, prospects and website visitors; and
a processor on behalf of our business customers for Customer Data they connect to or upload into the Platform (typically data about their own customers and end-users).

If you have any questions about this Policy or how we use your personal data, contact us at dpo@thewagoncompany.com.

You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.

2. Scope of this Policy

This Policy applies to:

visitors to our website;
users who create or are invited to an account on our Platform;
employees and representatives of our business customers; and
individuals whose personal data our customers process through the Platform (Customer Data), to the extent we act as a processor.

Where we act as a processor, we process personal data on the instructions of our customers and the customer's own privacy notice will primarily govern how their data is used. This Policy supplements that, explaining our role.

3. Personal data we collect

3.1 Data you provide to us

Account and profile data: name, email address, password, job title/role, company name, and any other information you include in your profile or communications with us.
Billing and subscription data: billing contact details, billing address, tax/VAT numbers, subscription plan, and payment status.
Support and communications: information you provide in emails, support requests and other communications with us.
Marketing preferences: your choices about receiving marketing and product update communications.

Payment card details are collected and processed directly by our payment processor (Stripe). We do not store your full card details.

3.2 Data we collect automatically

When you visit our website or use the Platform, we automatically collect:

Usage data: pages visited, features used, actions taken, timestamps, and similar information about how you interact with our website and Platform.
Log data: IP address, browser type and version, operating system and device information, referral URLs, and error logs.
Cookies and similar technologies: small files placed on your device to enable core functionality (e.g. login sessions), analytics and (where applicable) marketing. See section 6 (Cookies and analytics).

We use tools including PostHog to help us understand how users interact with the Platform.

3.3 Customer Data processed through the Platform

Our customers may connect the Platform to a range of ecommerce and related tools. Customer Data may include personal data about:

buyers and shoppers;
subscribers and leads;
website visitors and ad audiences;
individuals contacting customer support;
users of ecommerce platforms and related tools.

Customer Data can include:

contact details (e.g. name, email, physical address, phone);
order and transaction details;
browsing and behavioural data, identifiers, advertising IDs;
customer service communications and metadata;
events, metrics and other analytics.

The exact data depends on the systems you connect and the configuration you choose.

Our customers are responsible for ensuring they have a lawful basis and appropriate notices or consents in place before sending Customer Data to us. We process Customer Data only on our customers' instructions and only as necessary to provide the Service and related support.

We do not intend to collect special categories of personal data (e.g. health, biometric or political data) via the Platform. If you choose to include such data in Customer Data, you are responsible for ensuring this is lawful and appropriate.

4. How we use personal data and legal bases

Where we act as a controller, we use personal data for the purposes and on the legal bases summarised below.

Purpose	Examples of data used	Legal basis (UK/EU)
Provide and operate the Service	Account, profile, usage, log and billing data	Contract – to perform our contract with you or the organisation you represent
Billing, payments and account administration	Billing details, subscription plan, transaction records	Contract and legal obligation (e.g. tax, accounting)
Security, monitoring and abuse prevention	Log data, usage data, device and IP info	Legitimate interests – to maintain security and prevent misuse
Product improvement and analytics	Usage data, feature usage, aggregated metrics	Legitimate interests – to understand and improve the Service
Customer support and communications	Contact details, support communications	Contract and legitimate interests
Marketing (B2B)	Contact details, marketing preferences	Consent (where required) or legitimate interests for B2B marketing, with opt-out rights
Legal and regulatory compliance	All relevant categories	Legal obligation and legitimate interests (establishing or defending legal claims)

Where we rely on legitimate interests, we balance our interests against your rights and freedoms and implement safeguards where appropriate.

Where we rely on consent (for example, for certain marketing communications or non-essential cookies), you may withdraw your consent at any time using the methods described in this Policy.

For Customer Data where we act as a processor, our legal basis is determined by our customer (the controller). Typically, they rely on contract, legitimate interests and/or consent, depending on their use case.

5. AI-related processing

Some features of the Platform may involve using AI models to analyse or transform data (for example, to generate insights or summaries).

Where we use third-party AI providers, we do so in line with the terms and data-use policies of the platforms from which the relevant data originates and our agreements with those providers.
We do not use Customer Data to train general-purpose AI models in a way that would allow data from one customer to be exposed to other customers.
We do not engage in automated decision-making that produces legal or similarly significant effects on individuals solely based on automated processing.

6. Cookies and analytics

We use cookies and similar technologies to:

enable core site and Platform functionality (e.g. login, session management, security);
understand how visitors and users interact with our website and Platform (analytics);
support marketing and advertising activities, including via third-party platforms such as Meta, Google Ads, LinkedIn and RB2B.

Under the Privacy and Electronic Communications Regulations (PECR) and UK GDPR, non-essential cookies (such as analytics and advertising cookies) typically require consent, while strictly necessary cookies for providing an online service you request do not.

In practice this means:

Essential cookies are set to provide the website/Service (for example, to keep you logged in and keep requests secure).
Analytics and advertising tags should only operate with your consent, which we obtain via appropriate mechanisms (for example, a banner or similar control) where required by law.
You can also control cookies through your browser or device settings and, where applicable, through our cookie settings interface.

More detailed information about the specific cookies and tools we use may be provided in a separate cookie notice.

7. When we share personal data

We share personal data with:

Infrastructure and hosting providers: e.g. cloud providers such as AWS and Google Cloud, used to host and run the Platform.
Product and analytics tools: e.g. PostHog (product analytics).
Email and communication tools: e.g. Postmark and Google Workspace for sending and receiving emails and notifications.
Payment processor: Stripe, which processes payments and related data.
Professional advisers: such as lawyers, accountants and auditors, where necessary for our legitimate interests and legal obligations.
Authorities and regulators: where required by law, regulation or court order, or to protect our rights or those of others (for example, to prevent fraud or security incidents).

We require our service providers to handle personal data only in accordance with our instructions, under appropriate contracts, and to implement suitable security measures.

We do not sell personal data.

8. International transfers

We aim to store and process personal data primarily in the UK (and where appropriate, the EEA).

If we need to transfer personal data outside the UK/EEA (for example, where a service provider operates or stores data in another country), we will ensure that appropriate safeguards are in place, such as:

an adequacy regulation; or
standard contractual clauses or equivalent mechanisms approved under UK data protection law.

You can contact us for more information about such transfers.

9. Data retention

We retain personal data for as long as necessary for the purposes described in this Policy, including to comply with legal, accounting and reporting requirements. In general:

Customer account and billing data: retained for the duration of the customer relationship and typically for up to 6–7 years afterwards, to comply with tax and accounting obligations and to maintain records of contracts and transactions.
User account data: retained for as long as the user’s account is active. If an account is closed, we may retain limited information (such as email address, role and activity logs) for a reasonable period (for example, up to 3 years) for security, record-keeping and dispute resolution.
Marketing data: retained for as long as you remain subscribed to our marketing communications and for a reasonable period afterwards (for example, up to 2 years) to record your preferences and prove compliance.
Logs and security data: retained for a period appropriate for security and troubleshooting purposes (for example, typically up to 12–24 months, unless longer is needed for an investigation).
Customer Data (as processor): retained for the duration of the contract and for a limited period afterwards (for example, up to 90 days) to allow export and account closure, after which we will delete or anonymise such data, subject to any legal obligations requiring longer retention.

We may retain anonymised or aggregated data that does not identify individuals indefinitely.

10. Security

We take appropriate technical and organisational measures to protect personal data, including:

Encryption in transit (e.g. HTTPS/TLS) and at rest, where applicable;
access controls and authentication for staff and systems;
role-based access, restricting access to personal data to personnel who need it for their role;
secure development and deployment practices, including regular patching and updates;
monitoring for unusual activity and abuse;
contractual obligations of confidentiality with staff and service providers.

No system is perfectly secure, but we work to reduce risks and respond promptly to incidents. If we become aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify affected customers and, where required, the ICO and/or other authorities.

11. Your data protection rights

Subject to applicable law, and typically where we act as a controller, you have the following rights in relation to your personal data:

Right of access – to obtain confirmation as to whether we process your personal data and to request a copy.
Right to rectification – to request that inaccurate or incomplete data be corrected.
Right to erasure – to request deletion of your personal data, in certain circumstances.
Right to restriction – to request that we restrict processing in certain circumstances.
Right to data portability – to receive personal data you provided to us in a structured, commonly used format and to ask us to transfer it to another controller, where technically feasible.
Right to object – to object to processing based on legitimate interests and to direct marketing, at any time.
Right to withdraw consent – where we rely on consent, you may withdraw it at any time (this will not affect the lawfulness of processing before withdrawal).

You can exercise these rights by emailing dpo@thewagoncompany.com or hi@thewagoncompany.com. We may ask for information to verify your identity before responding.

Where we process Customer Data as a processor, we may need to refer your request to the relevant customer (the controller), who is responsible for responding.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO). Details of how to do so are available on the ICO's website.

12. Marketing communications

We may send B2B marketing emails and product updates to business contacts:

where you have opted in to receive them; or
where permitted under applicable law based on our legitimate interests in promoting our services to existing or prospective business customers, subject to your right to opt out at any time.

You can unsubscribe:

by clicking the “unsubscribe” link in any marketing email; or
by emailing us at hi@thewagoncompany.com.

We will continue to send service and transactional communications (such as notices about your subscription, security alerts and significant product updates) even if you opt out of marketing.

13. Children

Our Service is intended for business use by adults and is not directed at children under 18. We do not knowingly collect personal data from children. If you believe that a child under 18 has provided us with personal data, please contact us and we will take steps to delete it.

14. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes to how we use personal data, we will take reasonable steps to notify you (for example, by email or via the Platform) and will update the "Last updated" date at the top of this Policy.

We encourage you to review this Policy periodically to stay informed about how we use personal data.