Privacy Policy
MONOVANCE LTD – BlazorUI (v 1.0)
Effective date: 7 July 2025
Compliance: UK GDPR; Data Protection Act 2018; PECR 2003 (as amended)
1. Data Controller
| Legal entity: | MONOVANCE LTD (Company No 16379928 – England & Wales) |
| Registered office: | 71‑75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom |
| Trading name: | BlazorUI – blazorui.com |
| Data Protection Officer (DPO): | Alihan Güdenoğlu |
| E‑mail: | dpo@monovance.com / alihan.gudenoglu@monovance.com |
| ICO registration: | ZB889945 (pending update to MONOVANCE LTD) |
2. Scope of this Notice
This Privacy Policy explains how we collect, use, disclose and secure personal data when you visit blazorui.com, purchase digital content, obtain consultancy services, or otherwise interact with MONOVANCE LTD (together, "Services"). It supplements any product‑specific notices and forms part of our contractual terms.
3. Lawful Bases & Processing Purposes
| Purpose | UK GDPR Legal Basis | Details |
|---|---|---|
| Account creation & order fulfilment | Art 6 (1)(b) – contract | Manage user registration; deliver digital content; schedule consultancy sessions. |
| Payment processing & fraud prevention | Art 6 (1)(b)(f) – contract / legitimate interest | Exchange necessary data with Stripe Payments Europe and our banking partners; monitor unusual activity. |
| Statutory record‑keeping | Art 6 (1)(c) – legal obligation | Retain transaction data for HMRC, Companies Act 2006 and bookkeeping rules. |
| Service analytics (non‑essential cookies disabled by default) | Art 6 (1)(a) – consent | Understand aggregate usage patterns to improve Services. |
| Marketing communications | Art 6 (1)(a) – consent | Occasional e‑mails about new templates or features; you may opt out at any time. |
| Security & system integrity | Art 6 (1)(f) – legitimate interest | Log IP addresses and access events to detect abuse and ensure availability. |
We do not engage in automated decision‑making producing legal or similarly significant effects (Art 22 UK GDPR).
4. Categories of Personal Data Collected
- Identity & contact – full name (mandatory), e‑mail (mandatory), telephone (optional).
- Credentials & authentication – salted/hashed password, session tokens.
- Transaction data – purchased items, Stripe charge ID, currency, amount. Payment card numbers are handled solely by Stripe (PCI‑DSS Level 1); MONOVANCE never stores raw card details.
- Technical logs – IP address, user‑agent string, device identifiers, timestamp, error traces.
- Consent artefacts – wording & version of policies accepted, opt‑in check‑box state, acceptance timestamp, hash of the page.
We operate on a data‑minimisation principle and will not request information deemed unnecessary for the stated purposes.
5. Cookies & Similar Technologies
| Category | Name / Lifespan | Purpose | Default State |
|---|---|---|---|
| Essential | blazorui_session (7 days) | Maintains login across pages. | Active |
| Security | csrf_token (session) | Protects forms from CSRF. | Active |
| Analytics | analytics_id (1 year) | Pseudonymous analytics via Plausible Analytics (self‑hosted). | Disabled until consent |
| Marketing | None | We do not set third‑party ad or profiling cookies. | N/A |
Browser Do Not Track signals are honoured; essential cookies cannot be declined without losing core functionality.
6. International Transfers
- Hosting – Production servers are located in ISO 27001‑certified data centres in Helsinki, Finland (EEA). Under the UK adequacy regulations (28 June 2021) the EEA is deemed to provide an "essentially equivalent" level of protection.
- Payments – Stripe Payments Europe, Avoca Court, Lower Hatch Street, Dublin 2, Ireland (EEA adequacy).
- Other third countries – If we must make a "restricted transfer" outside approved regions, we will implement IDTA or the UK Addendum to the EU SCCs, together with supplementary measures where required.
A copy of relevant transfer mechanisms can be requested from the DPO.
7. Data Sharing
- Payment processor: Stripe Payments Europe (PCI‑DSS Level 1).
- Infrastructure providers: Upcloud Oy (hosting); Cloudflare Inc. (global CDN & DDoS mitigation).
- Professional advisers: accountants, auditors and legal counsel subject to confidentiality.
- Government & courts: where mandated by law or to establish, exercise or defend legal claims.
We never sell or rent personal data to advertisers or other third parties.
8. Retention Periods
| Data set | Retention Trigger | Duration |
|---|---|---|
| Identity & contact details | Account deletion | Up to 180 days, then anonymised or securely erased. |
| Transaction & invoice data | Financial year end | 6 years (HMRC / Companies Act). |
| Consent & log records | Date of collection | 6 years to evidence compliance. |
| Technical backups | Rolling 30‑day cycle | Automatic encrypted destruction thereafter. |
Backups are encrypted at rest (AES‑256) and inaccessible to operational staff without dual control.
9. Security Measures
- TLS 1.3 with HSTS and TLS OCSP stapling.
- Server hardening, container isolation and least‑privilege IAM roles.
- Nightly off‑site encrypted backups; quarterly disaster‑recovery drills.
- Mandatory MFA for staff and administrators; privileged actions are audit‑logged.
- Annual CREST‑approved penetration tests and dependency vulnerability scanning.
Despite robust controls, the internet is inherently insecure; MONOVANCE accepts no liability for unauthorised access beyond our reasonable control (data at rest and in transit are encrypted; however total immunity cannot be guaranteed).
10. Your Rights (UK GDPR Arts 15‑21)
You may exercise the following rights, subject to statutory exemptions:
- Access – obtain a copy of your personal data.
- Rectification – correct incomplete or inaccurate data.
- Erasure – request deletion where no lawful basis remains.
- Restriction – suspend processing pending verification.
- Portability – receive data in a machine‑readable format.
- Object – to processing based on legitimate interest or direct marketing.
- Withdraw consent – without affecting prior lawful processing.
Where requests are manifestly unfounded or excessive we may charge a reasonable fee or refuse (Art 12 (5)). Identity verification is required before release.
11. How to Make a Request
Write to the DPO at dpo@monovance.com or blazorui@monovance.com with:
- subject‑line: "Data Subject Request";
- the right you wish to exercise;
- sufficient information to verify identity (order ID, registered e‑mail, etc.).
We will respond within one month (extendable by two months for complex cases). If you are dissatisfied, you may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or call +44 303 123 1113.
12. Children's Data
BlazorUI is not directed at individuals under 16 years of age. We do not knowingly process children's data. If we learn that such data has been collected, it will be erased without delay.
13. Limitation of Liability
Except for death or personal injury caused by our negligence, we shall not be liable for any indirect, consequential or incidental losses (including loss of profits or data) arising out of or in connection with the processing of personal data, to the maximum extent permitted by law. Nothing in this notice limits data subjects' statutory rights.
14. Changes to this Policy
MONOVANCE LTD reserves the right to amend this Privacy Policy at any time. Material changes will be announced via the website and, where appropriate, by e‑mail. The "Effective date" at the top will change; continued use of the Services after that date constitutes acceptance of the updated terms.
15. Governing Law & Jurisdiction
This Policy and any dispute or claim arising from it shall be governed by English law. Exclusive jurisdiction lies with the courts of England & Wales.
16. Contact
Questions, concerns or requests should be directed to:
- Alihan Güdenoğlu – Data Protection Officer
- E‑mail: dpo@monovance.com | alihan.gudenoglu@monovance.com
- Postal: MONOVANCE LTD, 71‑75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom
We aim to resolve all privacy‑related issues promptly and fairly.