Privacy Policy
Last updated: 31 March 2026
1. Who we are
Aftora Limited is the data controller for personal data processed through the Cascade platform (usecascade.io) and our corporate websites (aftora.io, aftora.co.uk).
Where you use Cascade to manage services for your own customers, you act as the data controller for your customers' data and Aftora acts as your data processor. Our obligations in that capacity are set out in the Data Processing Agreement.
2. Data we collect about you
2.1 Account and identity data
- Name, email address, password (hashed)
- Business name and billing address
- VAT number (where applicable)
- Communications you send us
2.2 Payment data
Payment card details are processed by our payment providers (Stripe, PayPal) and are not stored on Aftora systems. We retain billing records, invoice history, and transaction references.
2.3 Usage and technical data
- IP address and approximate location (country/city)
- Browser type, operating system, and device type
- Pages visited, features used, and time spent in the platform
- API request logs (retained for 90 days)
- Error and crash reports
2.4 Communications
If you contact us by email, live chat, or our support system, we retain those communications and any metadata (timestamps, subject lines) for up to three years.
3. How we use your data
| Purpose | Legal basis (UK GDPR Art. 6) |
|---|---|
| Providing and operating the Cascade platform | Art. 6(1)(b) — performance of a contract |
| Processing payments and issuing invoices | Art. 6(1)(b) — performance of a contract |
| Fraud prevention and security monitoring | Art. 6(1)(f) — legitimate interests |
| Improving and developing the platform | Art. 6(1)(f) — legitimate interests |
| Legal and regulatory compliance | Art. 6(1)(c) — legal obligation |
| Sending service updates and security notices | Art. 6(1)(b) — performance of a contract |
| Marketing communications (where opted in) | Art. 6(1)(a) — consent |
4. Sub-processors and third parties
We share your data with the following categories of third party:
| Category | Examples | Purpose |
|---|---|---|
| Payment processors | Stripe, PayPal | Processing subscription and one-off payments |
| Infrastructure | Hetzner, Cloudflare | Hosting, CDN, DDoS protection |
| Customer support | Our ticketing system | Managing support requests |
| Analytics | Privacy-first analytics (no cookies) | Understanding platform usage |
| Error monitoring | Internal tooling | Diagnosing and fixing bugs |
We do not sell your personal data to third parties. We do not share your data with advertisers.
5. International transfers
Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) or equivalent adequacy decisions. Our primary infrastructure is located within the EEA (Germany).
6. Data retention
- Account data — retained for the duration of your subscription plus 6 years (UK statutory accounting requirements)
- Billing records — 7 years (HMRC requirement)
- Support communications — 3 years from closure
- API and access logs — 90 days
- Marketing preferences — until you withdraw consent
7. Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate or incomplete data
- Erasure — ask us to delete your data (subject to legal retention obligations)
- Restriction — ask us to restrict processing in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw at any time
To exercise any right, email us at privacy@aftora.io. We will respond within one calendar month. You may also lodge a complaint with the ICO.
8. Cookies and tracking
Our marketing website uses no third-party tracking cookies. We use privacy-first, cookieless analytics that do not require a cookie banner under UK PECR. The Cascade platform dashboard uses strictly necessary session cookies for authentication.
9. Security
We implement appropriate technical and organisational measures, including encryption in transit (TLS), encryption at rest, access controls, regular security testing, and incident response procedures. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the ICO within the timeframes required by UK GDPR.
10. Changes to this policy
We may update this policy from time to time. Where changes are material, we will notify you by email or via an in-platform notice. The "last updated" date at the top of this page reflects the most recent revision.
11. Contact us
For privacy-related enquiries:
Aftora Limited
Email: privacy@aftora.io
Web: aftora.io