Privacy Policy
Last updated: 16 March 2026
1. Introduction and Key Information
This Privacy Policy explains how Ditto.ID Ltd (“Ditto”, “we”, “us”, “our”) collects, uses, shares, and protects personal data when you visit our website at www.ditto.id (the “Website”), interact with us through our contact forms, attend our events, or otherwise engage with us.
We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), the EU General Data Protection Regulation (EU GDPR, Regulation 2016/679), the Privacy and Electronic Communications Regulations 2003 (PECR), and applicable data protection laws worldwide, including US state privacy laws.
Please read this Privacy Policy carefully. If you have any questions or concerns about our use of your personal data, please contact us using the details provided in Section 12 below.
1.1 Data Controller
The data controller responsible for your personal data is:
Ditto.ID Ltd
Company number: 16781449
Registered office: 186 Shoreditch High Street, London, E1 6HU, United Kingdom
Where this Privacy Policy refers to “Ditto”, “we”, “us”, or “our”, it refers to Ditto.ID Ltd as the data controller for the processing activities described herein, unless otherwise stated.
1.2 Data Protection Contact
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:
Email: [email protected]
Postal address: Ditto.ID Ltd, 186 Shoreditch High Street, London, E1 6HU, United Kingdom
1.3 Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or best practices. Where changes are material, we will notify you by posting a prominent notice on our Website or, where appropriate, by contacting you directly. We encourage you to review this Privacy Policy periodically. The “Last Updated” date at the top of this document indicates when it was most recently revised.
2. Personal Data We Collect
We collect personal data in the following ways and categories:
2.1 Information You Provide Directly
When you complete a form on our Website (for example, to request a product demonstration, request pricing information, subscribe to our newsletter, or contact us), we collect:
- First name and last name
- Email address
- Telephone number
- Company name and job title
- Country of residence
- The content of any message you submit
- Your communication preferences (including consent to receive marketing communications)
2.2 Information We Collect Automatically
When you visit our Website, we automatically collect certain technical information through cookies and similar technologies, including:
- IP address (which may be truncated or anonymised depending on our analytics configuration)
- Browser type and version, operating system, device type, and screen resolution
- Pages visited, date and time of visit, time spent on pages, clickstream data, and referring URL
- Cookie identifiers and similar tracking data (see Section 9 below for full details)
This information is collected through cookies, web beacons, and similar technologies deployed by us and our third-party service providers. For full details on the cookies we use, please see Section 9 (Cookies and Similar Technologies).
2.3 Information from Third-Party Sources
We may receive personal data about you from third-party sources, including:
- Publicly available business information
- Professional networking platforms (such as LinkedIn) where you have made your profile publicly available
- Event organisers or co-hosts where you have registered for an event we are sponsoring or participating in
- Our group companies, including Uniken Inc., for business purposes related to the services we provide
3. Purposes and Lawful Bases for Processing
Under the UK GDPR and EU GDPR, we must have a lawful basis for each processing activity. The table below sets out the purposes for which we process your personal data and the corresponding lawful basis.
| Purpose of Processing | Lawful Basis (Art. 6(1)) | Data Categories |
|---|---|---|
| Responding to your enquiries, demo requests, and pricing requests | Performance of a contract or pre-contractual steps at your request (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)): to respond to business enquiries | Contact details, message content, company information |
| Providing access to our services and fulfilling contractual obligations | Performance of a contract (Art. 6(1)(b)) | Contact details, account information, company information |
| Sending you marketing communications about our products, services, and industry insights | Consent (Art. 6(1)(a)) where required by applicable law (e.g., PECR Reg. 22); Legitimate interests (Art. 6(1)(f)) where the “soft opt-in” exception applies (existing customers, similar products) | Contact details, communication preferences |
| Sending you our newsletter | Consent (Art. 6(1)(a)) | Email address, communication preferences |
| Analysing Website usage and performance to improve user experience | Legitimate interests (Art. 6(1)(f)): to understand how our Website is used and improve it | Technical data, usage data, cookie data |
| Ensuring the security and integrity of our Website | Legitimate interests (Art. 6(1)(f)): to protect our Website, systems, and users from security threats | Technical data, IP address, access logs |
| Preventing fraud and verifying identity in connection with our digital identity services | Legitimate interests (Art. 6(1)(f)): fraud prevention and security; Legal obligation (Art. 6(1)(c)) where applicable | Contact details, technical data, identity verification data |
| Complying with legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) | Any personal data necessary for compliance |
| Inviting you to provide feedback, participate in surveys, or attend events | Legitimate interests (Art. 6(1)(f)): to improve our products and services | Contact details, survey responses |
| Exercising or defending legal claims | Legitimate interests (Art. 6(1)(f)): to establish, exercise, or defend legal claims | Any relevant personal data |
3.1 Legitimate Interests
Where we rely on legitimate interests as the lawful basis for processing, we have conducted a balancing assessment to ensure that our interests do not override your fundamental rights and freedoms. Our legitimate interests include: operating and improving our Website and services; understanding how visitors use our Website; responding to business enquiries; maintaining the security of our systems; and promoting our products and services to business contacts. You have the right to object to processing based on legitimate interests at any time (see Section 7).
3.2 Consent
Where we rely on your consent as the lawful basis for processing (for example, for sending marketing emails where the soft opt-in exception does not apply, or for setting non-essential cookies), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. You may withdraw your consent by:
- Clicking the “unsubscribe” link in any marketing email we send you
- Adjusting your cookie preferences via the cookie settings on our Website
- Contacting us at the details provided in Section 12
4. Who We Share Your Personal Data With
We do not sell, rent, or trade your personal data. We may share your personal data with the following categories of recipients:
4.1 Group Companies
We may share your personal data with our parent company, Uniken Inc., and other companies within the Uniken group, for internal business administration purposes, to provide our services, and to ensure consistent service delivery across our group. Where such sharing involves transfers of personal data outside the UK or EEA, we ensure appropriate safeguards are in place (see Section 6).
4.2 Service Providers (Sub-Processors)
We engage trusted third-party service providers who process personal data on our behalf, under our instructions, and subject to appropriate data processing agreements. These include:
| Service Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| HubSpot, Inc. | Customer relationship management (CRM), form processing, email communications | Contact details, form submissions, email engagement data | United States |
| Google LLC (Google Analytics) | Website analytics and performance measurement | IP address (anonymised), browsing behaviour, device data | United States |
| Google LLC (reCAPTCHA) | Bot detection and spam prevention on forms | IP address, browser data, interaction patterns | United States |
| Google LLC (Google Maps) | Displaying maps and location services on relevant pages | IP address, location data | United States |
| WP Engine, Inc. | Website hosting and content delivery | All data processed through the Website | United States / EU |
We maintain an up-to-date list of our sub-processors, which is available upon request by contacting us at the details in Section 12.
4.3 Professional Advisers
We may share personal data with our professional advisers, including lawyers, auditors, bankers, and insurers, who provide us with legal, audit, accounting, insurance, and consultancy services, where necessary for the provision of those services.
4.4 Law Enforcement and Regulatory Authorities
We may disclose personal data where we are required to do so by law, regulation, court order, or other legal process, or where disclosure is reasonably necessary to protect our rights, property, or safety, or the rights, property, or safety of third parties.
4.5 Business Transfers
In the event of a merger, acquisition, reorganisation, sale of assets, or similar corporate transaction, your personal data may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your personal data.
5. How Long We Retain Your Personal Data
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The specific retention periods depend on the nature of the data and the purpose of processing:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Enquiry and demo request data | 3 years from last interaction | Business relationship management and follow-up |
| Marketing contact data | 3 years from last engagement or until consent is withdrawn | Direct marketing and relationship management |
| Newsletter subscriber data | Until you unsubscribe, plus 30 days for processing | Newsletter delivery |
| Contractual and transactional records | 6 years from end of contract | Legal obligation (Limitation Act 1980); tax and accounting requirements |
| Website analytics data (aggregated) | 26 months | Website performance analysis (Google Analytics default) |
| Server access logs | 12 months | Security monitoring and incident investigation |
| Cookie consent records | 3 years from consent | Demonstrating compliance with PECR/ePrivacy requirements |
When personal data is no longer required, we will securely delete or anonymise it. Anonymised data (from which you can no longer be identified) may be retained indefinitely for statistical and analytical purposes.
6. International Data Transfers
Ditto.ID Ltd is based in the United Kingdom. However, some of our group companies, service providers, and sub-processors are located outside the UK and the European Economic Area (EEA), including in the United States. This means that your personal data may be transferred to, stored, and processed in countries that may not provide the same level of data protection as the UK or EEA.
Where we transfer personal data outside the UK or EEA, we ensure that appropriate safeguards are in place to protect your personal data, in accordance with Chapter V of the UK GDPR and EU GDPR. Specifically:
6.1 Transfers from the UK
For transfers of personal data from the UK to countries that have not received an adequacy decision from the UK Secretary of State, we rely on the International Data Transfer Agreement (IDTA) issued by the Information Commissioner’s Office, or the EU Standard Contractual Clauses supplemented by the UK Addendum to the EU SCCs, as appropriate.
6.2 Transfers from the EEA
For transfers of personal data from the EEA to countries that have not received an adequacy decision from the European Commission, we rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented by additional technical and organisational measures where appropriate.
6.3 Transfer Impact Assessments
Before transferring personal data to a third country, we carry out a transfer impact assessment to evaluate whether the laws and practices of the recipient country ensure an essentially equivalent level of protection. Where we identify risks, we implement supplementary measures (such as encryption, pseudonymisation, or contractual commitments) to address them.
You may request a copy of the safeguards we have put in place by contacting us at the details in Section 12.
7. Your Data Protection Rights
Under applicable data protection law, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to exceptions under applicable law.
7.1 Rights Under UK GDPR and EU GDPR
Right of access (Art. 15): You have the right to request confirmation of whether we process your personal data and, if so, to request a copy of that data together with certain supplementary information.
Right to rectification (Art. 16): You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
Right to erasure (Art. 17): You have the right to request that we delete your personal data in certain circumstances, for example where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent.
Right to restriction of processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of data you have challenged.
Right to data portability (Art. 20): Where processing is based on your consent or performance of a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
Right to object (Art. 21): You have the right to object to processing based on legitimate interests (including profiling) at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. Where you object to processing for direct marketing purposes, we will cease such processing immediately.
Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Right not to be subject to automated decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently make any such automated decisions in relation to Website visitors.
7.2 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data infringes applicable data protection law.
For UK residents, the relevant authority is the Information Commissioner’s Office (ICO):
Website: www.ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
For EEA residents, the relevant authority is the data protection supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU/EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
7.3 How to Exercise Your Rights
To exercise any of the rights described above, please contact us at the details provided in Section 12. We will respond to your request within one month of receipt. If your request is complex or we receive a large number of requests, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for it within one month of receiving your request.
We may need to verify your identity before processing your request. We will not charge a fee for exercising your rights unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
8. Additional Rights for US Residents
If you are a resident of a US state with applicable privacy legislation (including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws), you may have additional rights regarding your personal data.
8.1 California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), California residents have the following additional rights:
Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which personal information is collected, the business or commercial purpose for collecting or selling personal information, and the categories of third parties with whom we share personal information.
Right to delete: You may request that we delete your personal information, subject to certain exceptions.
Right to correct: You may request that we correct inaccurate personal information.
Right to opt out of sales/sharing: We do not sell your personal information, nor do we share it for cross-context behavioural advertising purposes within the meaning of the CCPA.
Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA. In the preceding 12 months, we have collected the categories of personal information described in Section 2 of this Privacy Policy.
To exercise your CCPA rights, please contact us using the details in Section 12. You may also designate an authorised agent to make a request on your behalf. We may require verification of your identity and, where applicable, proof of your authorised agent’s authority.
8.2 Other US State Privacy Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy laws may exercise rights under their respective state laws, including the rights to access, correct, delete, and port personal data, and to opt out of targeted advertising, sale of personal data, or profiling in furtherance of automated decisions that produce legal or similarly significant effects.
To exercise these rights, please contact us using the details in Section 12. If we decline to take action on a request, you may appeal our decision by contacting us, and we will respond to your appeal within the timeframe required by applicable law.
9. Cookies and Similar Technologies
Our Website uses cookies and similar technologies to distinguish you from other visitors, to analyse how our Website is used, and to improve your browsing experience. A cookie is a small text file placed on your device by a website you visit.
9.1 Types of Cookies We Use
| Category | Purpose | Examples | Lawful Basis |
|---|---|---|---|
| Strictly Necessary | Essential for the Website to function (e.g., security, session management, cookie consent preferences). These cookies cannot be switched off. | Cookie consent record, session cookies, CSRF tokens | Exempt from consent under PECR Reg. 6(4) / ePrivacy Art. 5(3) |
| Analytics / Performance | Help us understand how visitors interact with our Website by collecting and reporting information. Data is aggregated and anonymised where possible. | Google Analytics (_ga, _gid, _gat) | Consent (PECR Reg. 6 / ePrivacy Art. 5(3)) |
| Functional / CRM | Enable enhanced functionality and personalisation, including form processing and customer relationship management. | HubSpot tracking cookies (__hssc, __hssrc, __hstc, hubspotutk) | Consent (PECR Reg. 6 / ePrivacy Art. 5(3)) |
| Security | Used for bot detection and spam prevention to protect our forms from automated abuse. | Google reCAPTCHA cookies | Legitimate interests / Consent depending on implementation |
9.2 Your Cookie Choices
When you first visit our Website, you will be presented with a cookie consent banner that allows you to accept all cookies, decline non-essential cookies, or set your preferences individually for each category of cookie.
You can change your cookie preferences at any time by clicking the cookie settings link in the footer of our Website. You may also control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our Website.
For more information about cookies and how to manage them, visit www.allaboutcookies.org or www.youronlinechoices.eu.
9.3 Do Not Track
Our Website does not currently respond to “Do Not Track” (DNT) signals. However, you can manage your privacy preferences through our cookie consent mechanism and your browser settings as described above.
10. How We Protect Your Personal Data
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of personal data in transit using TLS/SSL technology
- Access controls to limit access to personal data to authorised personnel who require it for their role
- Regular security assessments and vulnerability testing
- Staff training on data protection and information security
- Incident response procedures to detect, report, and investigate personal data breaches
- Data processing agreements with all sub-processors requiring them to implement equivalent security measures
While we take all reasonable steps to protect your personal data, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your personal data.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (and, where applicable, the relevant EU supervisory authority) without undue delay and, where feasible, within 72 hours. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly.
11. Children’s Privacy
Our Website and services are directed at business professionals and are not intended for use by children. We do not knowingly collect personal data from anyone under the age of 16 (or such lower age as may apply in the relevant jurisdiction, being no lower than 13 in the United Kingdom under the Data Protection Act 2018, section 9).
If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that information as soon as reasonably practicable. If you believe that we may have collected personal data from a child, please contact us at the details provided in Section 12.
12. How to Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our processing of your personal data, please contact us:
By email: [email protected]
By post:
Ditto.ID Ltd
186 Shoreditch High Street
London, E1 6HU
United Kingdom
We aim to respond to all legitimate requests within one month. If we require additional time (up to a further two months), we will inform you and explain the reason for the delay.
13. Governing Law
This Privacy Policy and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales, without prejudice to any mandatory provisions of data protection law that may apply in your jurisdiction of residence (including the UK GDPR, EU GDPR, and applicable local implementing legislation).
Nothing in this Privacy Policy limits your rights under mandatory consumer protection or data protection laws in the jurisdiction in which you reside.
Schedule A: Cookie Schedule
| Cookie Name | Provider | Purpose | Category | Type | Expiry |
|---|---|---|---|---|---|
| _ga | Google Analytics | Distinguishes unique users by assigning a randomly generated number as a client identifier | Analytics | Persistent | 2 years |
| _gid | Google Analytics | Stores and updates a unique value for each page visited | Analytics | Persistent | 24 hours |
| _gat | Google Analytics | Used to throttle request rate | Analytics | Persistent | 1 minute |
| __hssc | HubSpot | Keeps track of sessions | Functional / CRM | Persistent | 30 minutes |
| __hssrc | HubSpot | Determines if the visitor has restarted their browser | Functional / CRM | Session | Session |
| __hstc | HubSpot | Tracks visitors across visits | Functional / CRM | Persistent | 13 months |
| hubspotutk | HubSpot | Keeps track of visitor identity | Functional / CRM | Persistent | 13 months |
| reCAPTCHA cookies | Google | Bot detection and spam prevention | Security | Various | Various |
Schedule B: Data Subject Access Request Procedure
This schedule outlines the internal procedure for handling data subject access requests (DSARs) and other rights requests. It is included for operational reference and should be maintained as an internal document.
Receipt and Logging
All rights requests received (by email, post, or other means) must be logged in the DSAR register with the date of receipt, the identity of the requester, and the nature of the request.
The clock starts on the date the request is received. The deadline for response is one calendar month from that date.
Identity Verification
Where we have reasonable doubts about the identity of the requester, we may request additional information to confirm their identity before acting on the request.
Verification should be proportionate and should not create an undue barrier to exercising rights.
Response
Respond within one calendar month of receipt.
If the request is complex or multiple requests have been received, the deadline may be extended by a further two months. The requester must be notified of the extension and the reasons within the initial one-month period.
Responses should be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
Exemptions and Refusals
Where a request is manifestly unfounded or excessive (e.g., repetitive), we may charge a reasonable fee or refuse to act, providing reasons.
Where we refuse a request, we must inform the requester of the reasons and of their right to lodge a complaint with the ICO or other supervisory authority.