← Back to home

Privacy policy

Last updated: February 6, 2026

1. Introduction

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the Data Controller is Lewis Wigmore trading as Till (“we”, “us”, or “our”).

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights in relation to it. It applies to the Till website, web application, and all related services (the “Service”).

2. Data we collect

We collect and process the following categories of data:

a) Data you provide directly

  • Account information: Name, email address, and password when you create an account.
  • Business profile: Business name, category, location, and website URL that you enter during onboarding.
  • Waitlist sign-up: Email address when you join our waitlist.
  • Contact forms: Name, email, and message content when you contact us or apply for a role.

b) Data from connected integrations

When you choose to connect a third-party service, we receive data from that service on your behalf. The specific data depends on the service. Current and planned integrations include:

  • Payment & point-of-sale providers (currently Square; Stripe and others planned): Sales transactions, order data, product catalogue and payment summaries. We store OAuth access tokens, never your login credentials.
  • Analytics & search platforms (e.g. Google Analytics, Search Console): Website traffic metrics, page views, search queries and click-through data for properties you authorise.
  • Productivity tools (e.g. Google Calendar, Google Drive): Calendar events and files you explicitly select. We access only what you authorise through the provider's consent screen.

We may add new integrations over time. Each new integration will require your explicit authorisation before any data is accessed, and the data collected will be described within the Service at the time of connection.

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

c) Publicly available data

  • Competitor information: Business names, addresses, ratings, reviews and website content sourced from public listings (e.g. Google Places) and publicly accessible websites for competitive intelligence features.

d) Automatically collected data

  • Usage data: Pages visited, features used, session duration and interaction patterns within the Service.
  • Device & browser data: IP address, browser type, operating system and device identifiers.
  • Cookies & similar technologies: See section 8 below.

3. How we use your data

  • To provide the Service: Process your data to deliver analytics, AI-generated insights, competitive intelligence and action management features.
  • To personalise your experience: Tailor dashboards, recommendations and AI assistant responses to your business context.
  • To communicate with you: Send account-related emails, product updates and, only with your consent, marketing communications. You can unsubscribe at any time.
  • To improve the Service: Analyse aggregated, anonymised usage patterns to fix issues and develop new features.
  • To ensure security: Detect and prevent fraud, abuse, and unauthorised access.

We do not sell your personal data to third parties. We do not use your data to build advertising profiles.

4. Lawful basis for processing

Under the UK GDPR, we rely on the following lawful bases:

  • Contract: Processing your account and integration data is necessary to deliver the Service you signed up for.
  • Legitimate interest: Analysing aggregated usage data to improve the Service, and processing publicly available competitor data for intelligence features.
  • Consent: Marketing emails and optional cookies. You can withdraw consent at any time.
  • Legal obligation: Where we are required to retain data by law (e.g. financial record-keeping).

5. AI and automated processing

Parts of the Service use artificial intelligence (including Google Gemini) to analyse your business data, generate insights, score your AI search visibility and suggest actions. This processing is automated but does not produce legal or similarly significant effects on you.

When you use AI-powered features, relevant data (such as business profiles, competitor information and sales summaries) may be sent to third-party AI providers for processing. This data is used solely to generate your results and is not used by those providers to train their models. AI outputs are for informational purposes only. See our Terms of Use for more detail.

6. Data processors & third parties

We share your data only with trusted processors who help us deliver the Service:

  • Google Cloud (Firebase): Authentication, database storage, and analytics.
  • Google (Gemini AI, Places API, Analytics, Search Console): AI analysis, business data retrieval, and web analytics integration.
  • Payment providers (currently Square; Stripe and others planned): Payment and sales data integration, activated only when you connect your account.
  • Vercel: Application hosting and edge delivery.
  • Cloudflare: Content delivery, DDoS protection and DNS.

As we add new integrations, additional processors may be introduced. We will update this list accordingly. Each processor is bound by data processing agreements and processes your data only on our instructions. We do not share your data with third parties for their own marketing purposes.

7. International data transfers

Some of our processors (including Google, Vercel and Cloudflare) are based in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office, or reliance on the processor's participation in recognised data protection frameworks.

8. Cookies & tracking technologies

We use cookies and similar technologies for the following purposes:

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Analytics cookies: Firebase Analytics and Google Analytics collect anonymised usage data to help us understand how the Service is used and where to improve.

You can manage cookie preferences through your browser settings. Disabling analytics cookies will not affect the core functionality of the Service.

9. Data retention

  • Account data: Retained for as long as your account is active. When you delete your account, we delete your personal data within 30 days, except where we are required by law to retain it.
  • Integration data: Sales, analytics, and other integration data is retained while the integration is connected. When you disconnect an integration, associated data is deleted within 30 days.
  • Waitlist & contact data: Retained until you unsubscribe or request deletion.
  • Anonymised data: We may retain fully anonymised, aggregated data indefinitely for statistical analysis and service improvement.

10. Data security

We take appropriate technical and organisational measures to protect your data, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest.
  • OAuth-based access to third-party services. We never store your third-party passwords.
  • Role-based access controls for internal systems.
  • Regular review of security practices and processor agreements.

No method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us immediately at support@tillspot.com.

11. Your rights

Under the UK GDPR, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Ask us to correct inaccurate or incomplete data.
  • Erasure: Ask us to delete your personal data (“right to be forgotten”).
  • Restriction: Ask us to limit how we process your data.
  • Portability: Request your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interest.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at support@tillspot.com. We will respond within one month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

12. Children's privacy

The Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice within the Service at least 14 days before the changes take effect. We encourage you to review this page periodically.

14. Contact us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at: support@tillspot.com.