Privacy Policy

BIMBI PHILIPS LIMITED is registered in England and Wales with company number 08944957. Our registered office is 63-66 Hatton Garden, Fifth Floor, Suite 23, London, England, EC1N 8LE.

For any privacy or data protection question, or to exercise your rights, contact privacy@readinesslayer.com. We do not currently have a named data protection officer; privacy matters are handled through that address. You can also reach general support at support@readinesslayer.com and send legal notices to legal@readinesslayer.com.

This policy covers the public readinesslayer.com website, the BRS application, BRS ID activation and sign-in, public lookup, the buyer, seller, broker, and partner journeys, payments and entitlements, evidence upload and review, claims, disputes, requests and shares, account settings, support, and our internal governance of these activities. It applies to public visitors, signed-in users, partner-introduced users, and people whose business or listing information appears in BRS.

Depending on how you use BRS, we may collect:

• Identity and account data, such as your name, email address, phone number, role, the organisation you act for, your BRS ID, and your sign-in and security information.
• Lookup and search data, such as the public-safe identifiers you search for, including BRS IDs, business or company names, company or registry numbers, listing references, and listing URLs, together with related search activity. Public lookup is business, listing, and BRS-ID centred and is not designed to search for individuals.
• Profile and assessment data, such as the readiness information you submit, your responses, your BRS Deal Readiness Score, readiness band, gaps, trust state, and next steps.
• Evidence and review data, such as documents you upload for evidence review, review status, reviewer comments, and the outcome of a review. Raw evidence is restricted by default.
• Registry and listing data about businesses and listings, drawn from official registries and from listing sources, kept separate from BRS readiness data.
• Partner, campaign, and attribution data, such as the source, campaign, and segment associated with your entry, and, where you arrive as an imported partner lead, the limited contact and reconciliation data described in Section 5.
• Payment and entitlement data, such as your entitlement status, billing records, and transaction references. Full payment-card details are handled by our payment provider and are not stored by us.
• Claim, dispute, request, and share data, such as claim role and proof, dispute details and deposits, request and share recipients, scope, expiry, and revocation.
• Account, device, and usage data, such as your settings, notification preferences, and technical information about your device and how you use BRS, including information collected through cookies and similar technologies as explained in our Cookie Policy.
• Identity-verification data, where a formal dispute, a high-risk claim, or an unresolved authority conflict requires verification through an approved identity-verification provider.

We do not seek to collect special category data through BRS. Please do not upload special category data unless it is genuinely required for a review and you are content for it to be processed for that purpose.

We collect personal data directly from you when you use BRS, activate a BRS ID, complete an assessment, upload evidence, make a payment, or contact us. We also receive personal data from other sources, including official business registries such as Companies House and equivalent registries in other countries, listing platforms and partner or introducer organisations, our service providers such as the payment provider and the identity-verification provider, and your device through cookies and similar technologies. Where business or listing information about you appears in BRS from these sources, this policy explains how we use it.

We use personal data for the purposes below. For each purpose we rely on one or more lawful bases under the UK GDPR: performance of a contract, legitimate interests, consent, or compliance with a legal obligation. Where we rely on legitimate interests, we have balanced those interests against your rights, and you can ask us about that assessment.

• To provide BRS and your BRS ID, run lookup, build profiles, calculate readiness, and operate requests, shares, claims, and disputes. Lawful basis: performance of a contract, and legitimate interests in operating an independent readiness service.
• To resolve business and listing records from registries and listings, and to keep BRS readiness data separate from registry, listing, and user-provided data. Lawful basis: legitimate interests in providing accurate, source-separated records.
• To take payment, manage entitlements, and keep billing and tax records. Lawful basis: performance of a contract, and compliance with a legal obligation.
• To run evidence review, including authorised reviewer access to raw evidence within the review workflow. Lawful basis: performance of a contract, and legitimate interests in operating a credible review process.
• To verify authority and identity for formal disputes, high-risk claims, and unresolved conflicts. Lawful basis: legitimate interests in preventing fraud and protecting profiles, and compliance with a legal obligation where relevant.
• To send service and transactional messages, such as security, payment, request, share, claim, dispute, and evidence notifications. Lawful basis: performance of a contract, and legitimate interests in operating the service. Some of these notices are mandatory while they apply.
• To send product updates and, where permitted, marketing or partner follow-up communications, including consent-based follow-up to imported partner leads. Lawful basis: consent, or legitimate interests where the law allows, and always with a way to opt out. We follow the direct-marketing rules in PECR.
• To produce partner-safe, aggregate, anonymised, or cohort-safe reporting and analytics. Lawful basis: legitimate interests, and consent where required for non-essential cookies.
• To use bounded AI-assisted features to help generate summaries and supporting content. Lawful basis: legitimate interests, subject to the governance and limits in Section 11.
• To keep audit logs, prevent and investigate misuse, protect security, and govern the service. Lawful basis: legitimate interests, and compliance with a legal obligation.
• To handle your requests, complaints, and rights, and to comply with law. Lawful basis: legal obligation and legitimate interests.

BRS keeps readiness data separate from official registry data, listing and partner information, the data you provide, evidence and review data, and audit events. Section-level information on a dashboard or full profile may show where particular information came from. Public typeahead and search rows do not prominently display registry or source labels. Full disclosure of our data sources sits in this policy and in our Legal Notices. Registry and listing information is public-source metadata. It is not a BRS readiness score, trust state, due-diligence output, quality endorsement, approval, or guarantee.

We share personal data only as needed to run BRS and as described here. Recipients include:

• Other BRS users you choose to interact with, within the scope you set, when you request access to a profile, respond to a request, or share a profile. Sharing is permissioned, and raw evidence is not shared by default. Visibility is not contact access.
• Our service providers (processors), who act on our instructions under contract. These currently include Supabase, which provides our database, authentication, and file-storage hosting; Resend, which delivers our emails; a third-party payment provider, which processes payments using tokenised billing; and an approved identity-verification provider, used only for the limited purposes in Section 5.
• Partners and introducers, who receive partner-safe, aggregate, anonymised, or cohort-safe reporting only. They do not receive raw evidence, protected contact data, reviewer notes, or broker-bypass data unless you have separately authorised a specific share.
• Professional advisers, auditors, and authorities, where we are required or permitted to share by law, or to establish, exercise, or defend legal claims.
• A successor organisation, if our business is reorganised, sold, or transferred, subject to this policy.

We do not sell your personal data.

BRS is available internationally and some of our service providers process personal data outside the United Kingdom. Where personal data is transferred outside the UK, we protect it using a transfer mechanism recognised under UK data protection law, such as UK adequacy regulations, the International Data Transfer Agreement, or the UK Addendum to the European Commission's standard contractual clauses, together with additional safeguards where appropriate. You can ask us for more information about the safeguards that apply.

We keep personal data only for as long as we need it for the purposes in this policy, and then delete or anonymise it. Our current retention approach is:

• Account and profile data: kept while your account is active and for up to 24 months after closure, unless we need to keep it longer for a legal reason.
• Evidence files and review records: kept for up to 24 months after the review outcome, unless a dispute or legal reason requires longer, after which raw evidence is deleted.
• Claim and dispute records: kept for up to 6 years, reflecting the period in which related legal claims may be brought.
• Payment, billing, and tax records: kept for 6 years, to meet accounting and tax obligations.
• Support requests: kept for up to 24 months after the matter is resolved.
• Audit and security logs: kept for up to 6 years to support security, governance, and legal needs.
• Cookie and analytics data: kept for the periods described in our Cookie Policy.

Where a specific legal obligation, dispute, or investigation requires a different period, we keep the relevant data for as long as needed and no longer.

Public lookup processes the public-safe identifiers you search for, and returns public-safe identity and listing information. Where a profile is not openly visible, BRS shows restricted visibility and that owner authorisation is required. Restricted visibility is an access and visibility state only and is not a trust state. Public lookup does not expose raw evidence, private profile data, protected contact data, protected contact-path data, seller or buyer contact records, reviewer notes, private score detail, payment-card details, commercial terms, or other confidential records.

BRS calculates a readiness score, band, and gaps from the information provided, which involves automated processing. These outputs are decision-support information. They do not approve you, do not confirm evidence, and do not by themselves determine a trust state or an evidence outcome, which depend on the rules in our Terms and, where relevant, eligible human review.

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without a lawful basis and appropriate safeguards. AI-assisted features that help generate summaries are bounded and governed; they are subject to human and governance review and may be limited or withheld. AI does not decide your trust state, evidence outcome, claim authority, entitlement, or payment or refund outcome. Where automated processing has a significant effect and the law gives you the right, you can ask for human involvement, express your view, and contest the outcome by contacting privacy@readinesslayer.com.

BRS uses cookies and similar storage and access technologies. Strictly necessary technologies keep BRS secure and working. Other categories, such as analytics or partner-attribution storage, are used in line with your choices where consent is required. Cookies and client-side storage are not used to store raw evidence, private profile data, protected contact data, protected contact-path data, reviewer notes, payment-card details, or other confidential records. Our Cookie Policy and Preference Centre explain the categories and let you manage your choices.

Under UK data protection law you have the right to be informed about how we use your personal data, and to access it, correct it, erase it, restrict or object to its processing, and to data portability, in each case subject to the conditions in the law. Where we rely on consent, you can withdraw it at any time, which does not affect processing already carried out. Where we rely on legitimate interests, you can object, and we will stop unless we have compelling legitimate grounds or need to continue for legal claims. You can object to direct marketing at any time, and we will stop.

To exercise any right, contact privacy@readinesslayer.com. We will respond within the time limits set by law, normally within one month, and we may extend this for complex requests or pause the clock where we reasonably need more information to verify your identity or locate your data. There is normally no charge.

If you have a concern about how we handle your personal data, please contact privacy@readinesslayer.com first so we can try to put it right. We will acknowledge your complaint and investigate it without undue delay. You also have the right to complain to the Information Commissioner's Office, the UK supervisory authority, at ico.org.uk or by calling its helpline. If you are outside the UK, you may also be able to complain to your local data protection authority.

We use technical and organisational measures to protect personal data, including access controls that limit raw evidence, reviewer notes, and protected contact data to authorised roles, audit logging of sensitive actions, and measures to protect data in transit and at rest. No service can be completely secure, but we work to protect your information and to meet our legal obligations if a personal data breach occurs.

BRS is intended for business and professional users and is not directed at children. You must be at least 18 years old to use BRS. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact privacy@readinesslayer.com and we will take appropriate steps.

We may update this policy to reflect changes in the service or the law. We will change the "Last updated" date above and, where a change is significant, take reasonable steps to bring it to your attention.

Privacy and data protection: privacy@readinesslayer.com. General support: support@readinesslayer.com. Legal notices: legal@readinesslayer.com. Postal: BIMBI PHILIPS LIMITED, 63-66 Hatton Garden, Fifth Floor, Suite 23, London, England, EC1N 8LE.