Privacy Policy

1. About This Policy

This Privacy Policy explains how TIMVERO Ltd ("TIMVERO", "we", "us", "our") collects, uses, stores, and shares personal data when you visit timvero.com (the "Website") or contact us regarding our timveroOS lending management platform.

We are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR 2016/679). We also take note of data protection requirements under applicable North American legislation, including the California Consumer Privacy Act (CCPA/CPRA).

This policy applies to all personal data collected through the Website, including data submitted via contact or demo-request forms. It does not govern data processed within the timveroOS platform under separate Data Processing

Agreements with our clients.

2. Who We Are (Data Controller)

The data controller responsible for your personal data is:

Company: TIMVERO Ltd

Website: timvero.com

Privacy contact: privacy@timvero.com

If you are located in the European Economic Area (EEA), you may also have the right to contact your local supervisory authority. For the UK, the relevant authority is the Information Commissioner's Office (ICO), reachable at www.ico.org.uk.

3. What Personal Data We Collect

3.1 Data You Provide Directly

When you fill out a demo request or contact form on our Website, we collect:

• First and last name
• Business email address
• Job title and company name
• Country or region
• Any message or inquiry you include in the form

3.2 Data Collected Automatically

When you visit our Website, we and our technology partners automatically collect certain technical data:

• IP address and approximate geolocation (country/city level)
• Browser type, version, and operating system
• Pages visited, referral source, and time spent on pages
• Device type and screen resolution
• Cookie identifiers and session data

3.3 Data Collected via Third-Party Tools

We use the following third-party services that may collect personal data on our behalf or independently:

Google Analytics 4 & Google Tag Manager (Google LLC): Website usage analytics, page performance, and user journey data. Google may process data on servers in the USA. Data is anonymised where possible.

Google Ads (Google LLC): Conversion tracking and remarketing, including Enhanced Conversions which match hashed email addresses submitted via forms to Google account profiles, for advertising measurement purposes.

HubSpot (HubSpot Inc.): Customer relationship management (CRM). Form submissions are stored in HubSpot for lead management and follow-up communications. HubSpot may process data in the USA under Standard Contractual Clauses.

LinkedIn Insight Tag (LinkedIn Ireland Unlimited Company): Demographic and professional data about website visitors for analytics and LinkedIn advertising campaigns.

Cloudflare (Cloudflare Inc.): Content delivery network, DDoS protection, bot management, and web application firewall. Cloudflare may process IP addresses and technical request data as a security sub-processor.

4.Lawful Basis for Processing

Under UK GDPR / EU GDPR, we rely on the following lawful bases for processing your personal data:

4.1 Consent (Article 6(1)(a) UK/EU GDPR)

We process your data with your consent in the following cases:

• Non-essential cookies and analytics tracking (Google Analytics, LinkedIn Insight Tag)
• Remarketing and advertising tracking (Google Ads Enhanced Conversions)

You may withdraw consent at any time via our Cookie Preferences Centre or by contacting privacy@timvero.com. Withdrawal does not affect the lawfulness of processing before withdrawal.

4.2 Legitimate Interests (Article 6(1)(f) UK/EU GDPR)

We process certain data on the basis of our legitimate business interests, provided these do not override your fundamental rights:

• Responding to demo requests and sales enquiries submitted by business professionals
• Preventing fraud, abuse, and security threats (Cloudflare WAF, bot protection)
• Improving Website performance and user experience through analytics
• Sending follow-up communications to prospects who have expressed interest in timveroOS

Our target audience is B2B professionals at financial institutions. We conduct a Legitimate Interest Assessment (LIA) for relevant processing activities, records of which are available on request.

4.3 Contract Performance (Article 6(1)(b) UK/EU GDPR)

Where a demo or trial has been arranged, we process contact data as necessary to perform pre-contractual steps at your request.

4.4 Compliance with Legal Obligations (Article 6(1)(c) UK/EU GDPR)

We may retain or disclose data where required by applicable law, court order, or regulatory obligation.

5. How We Use Your Personal Data

We use personal data collected through the Website for the following purposes:

• To respond to your demo request or enquiry about timveroOS
• To schedule and conduct product demonstrations
• To follow up on your interest and provide relevant product information
• To manage your contact record in our CRM (HubSpot)
• To send marketing communications (with your consent or on the basis of legitimate interest, with an easy opt-out)
• To measure the effectiveness of our marketing campaigns (Google Ads, LinkedIn)
• To analyse Website traffic and improve our content and user experience
• To protect the Website against security threats and unauthorised access
• To comply with our legal and regulatory obligations

We do not use your personal data for automated decision-making or profiling in ways that produce legal or similarly significant effects.

6. Cookies and Tracking Technologies

Our Website uses cookies and similar tracking technologies. Cookies are small text files stored on your device that help us provide and improve our services.

6.1 Types of Cookies We Use

Strictly Necessary Cookies: Essential for the Website to function correctly, including security cookies set by Cloudflare. No consent required.

Analytics Cookies: Set by Google Analytics to collect anonymised usage data about how visitors interact with our Website. Active only with your consent.

Marketing Cookies: Set by Google Ads and LinkedIn Insight Tag to enable conversion tracking and targeted advertising. Active only with your consent.

Functional Cookies: Set by HubSpot to remember your preferences and track form submissions across sessions.

6.2 Managing Cookies

On your first visit, you will be presented with a Cookie Consent Banner allowing you to accept or decline non-essential cookies. You can update your preferences at any time via the Cookie Preferences link in the footer of our Website.
You may also control cookies through your browser settings. Note that disabling certain cookies may affect Website functionality. For more information, visit www.allaboutcookies.org.

7. Sharing Your Personal Data

We do not sell your personal data to third parties. We may share your data in the following circumstances:

7.1 Service Providers (Data Processors)

We share personal data with trusted third-party service providers who process data on our behalf under written Data Processing Agreements:

• HubSpot Inc. — CRM and marketing automation
• Google LLC — Analytics (GA4/GTM) and advertising (Google Ads)
• LinkedIn Ireland Unlimited Company — Professional analytics and advertising
• Cloudflare Inc. — Security, CDN, and infrastructure services
• Webflow Inc. — Website hosting and content management

7.2 Legal Disclosure

We may disclose personal data to competent authorities, regulators, courts, or law enforcement agencies where required by applicable law or legitimate legal process.

7.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, provided they agree to process it in accordance with this Privacy Policy.

8. International Data Transfers

Some of our third-party service providers (including Google LLC, HubSpot Inc., LinkedIn Corporation, and Cloudflare Inc.) are based in the United States and may process your data on servers located outside the UK and EEA.

Where such transfers occur, we ensure they are protected by appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the UK ICO (International Data Transfer Agreements — IDTAs) or the European Commission
• Adequacy decisions where applicable
• Supplementary technical and organisational measures as required

You may request a copy of the relevant transfer mechanisms by contacting privacy@timvero.com.

9.How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes described in this Policy, or as required by law:

Demo request / contact form data: Retained in HubSpot CRM for up to 3 years from last meaningful interaction, after which inactive records are reviewed and deleted.

Marketing communications: Retained until you unsubscribe or request deletion.

Analytics data: Google Analytics data is retained for 14 months (configured at account level). LinkedIn Insight Tag data follows LinkedIn's retention policies.

Security logs (Cloudflare): Typically retained for up to 30 days.

Cookie consent records: Retained for 12 months to evidence compliance.

After the applicable retention period, personal data is securely deleted or anonymised.

10. Your Data Protection Rights

Depending on your location, you have the following rights regarding your personal data:

10.1 Rights Under UK GDPR / EU GDPR

If you are in the UK or EEA, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — request correction of inaccurate or incomplete data
• Erasure — request deletion of your data where there is no compelling reason for continued processing
• Restriction — request that we limit how we process your data
• Data portability — receive your data in a structured, machine-readable format
• Object — object to processing based on legitimate interests or for direct marketing purposes
• Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing
• Lodge a complaint — with the UK ICO (ico.org.uk) or your local EU supervisory authority

10.2 Rights Under CCPA / CPRA (California Residents)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, disclose, or sell
• Delete personal information we have collected from you
• Correct inaccurate personal information
• Opt out of the sale or sharing of personal information (note: we do not sell personal data)
• Non-discrimination for exercising your privacy rights

To exercise these rights, please contact us at privacy@timvero.com with the subject line "CCPA Privacy Request."

10.3 How to Exercise Your Rights

To submit any data subject request, please email privacy@timvero.com with:

• Your full name and email address used when contacting us
• A description of the right you wish to exercise

We will respond within 30 days (UK/EU GDPR) or 45 days (CCPA). We may need to verify your identity before processing your request. We do not charge a fee for reasonable requests.

11. How We Protect Your Data

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include:

• HTTPS encryption across all Website connections (TLS 1.2+)
• Web Application Firewall (WAF) and DDoS protection via Cloudflare
• Bot management and rate-limiting controls
• Access controls limiting data access to authorised personnel only
• Regular security reviews and vendor due diligence

While we apply industry-standard safeguards, no method of transmission over the internet is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.

12. Children's Privacy

Our Website and services are directed exclusively at business professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact privacy@timvero.com and we will promptly delete it.

13. Third-Party Links

Our Website may contain links to third-party websites, resources, or partner pages. This Privacy Policy does not apply to those external sites. We encourage you to review the privacy policies of any third-party websites you visit, as we have no control over their data practices.

14. Marketing Communications

If you have submitted a demo request or otherwise expressed interest in timveroOS, we may contact you with relevant product updates, case studies, and industry information. We do so on the basis of legitimate interest (B2B professional context) or consent, as appropriate.

You can opt out of marketing communications at any time by:

• Clicking the "Unsubscribe" link in any marketing email
• Emailing privacy@timvero.com with "Unsubscribe" in the subject line

Opting out of marketing will not affect transactional or service-related communications.

15. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or services. When we make material changes, we will update the "Last Reviewed" date at the top of this page and, where appropriate, notify you by email or a prominent notice on the Website.

We encourage you to review this Policy regularly. Continued use of the Website after changes have been published constitutes acceptance of the updated Policy.

16. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:

Email: privacy@timvero.com

Website: timvero.com

Subject line for data requests: "Privacy Request — [Your Name]"

For complaints regarding our data processing, you also have the right to contact the UK Information Commissioner's

Office:

ICO Website: www.ico.org.uk

ICO Helpline: 0303 123 1113