Privacy Policy

Combinate Ltd ("Combinate", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use our platform ("Service").

• Registered Address: 86-90 Paul Street, London, EC2A 4NE
• Company Number: 16941389 (registered in England and Wales)
• ICO Registration Number: ZC092641

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. For purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we act as a data controller for the information you provide to us.

2.1 Personal Information

We collect personally identifiable information that you voluntarily provide to us, including but not limited to:

• Contact Information: Name, email address, and mailing address
• Account Information: Username, password, and profile information
• Business Information: Company name, role, industry, and manufacturing capabilities
• Payment Information: Billing address and subscription details. All payment card data is processed directly by Stripe; we never access or store your full card details
• Communication Data: Messages, emails, and other communications you exchange on our platform
• Files and uploads: Documents, images, specifications, drawings, and other files you attach to quote requests, projects, your profile, or messages (including business logos and certification documents where you upload them)

2.2 Automatically Collected Information

When you use our Service, we automatically collect certain information, including:

• Usage Data: Pages visited, time spent on the site, clicks, and interactions
• Device Information: IP address, browser type, operating system, and device information
• Location Data: General location information derived from IP address
• Cookies and Similar Technologies: Information collected through cookies, web beacons, and similar technologies

2.3 Marketing short links and campaign measurement

We may promote the Service using short URLs (for example, links beginning with /r/ on our website) on printed materials, QR codes, NFC tags, or other offline or digital formats. When you open such a link, our systems:

• Record an aggregate count of how many times each marketing link has been used (a running total per link).
• Do not, in our application database, store a separate log of each visit tied to your identity for this purpose.

As with any request to our website, our hosting and security providers may process technical data (such as IP address and requested URL) in server or infrastructure logs in line with Section 9 and our agreements with those providers. Application and error logs may also include limited diagnostic information from requests (for example when a form submission fails and we need to fix a bug), which could in rare cases include content you had just entered. That processing is separate from the aggregate marketing link counters described above.

Special Category Data: We do not intentionally collect special category data (such as health information, biometric data, or data revealing racial or ethnic origin). Please do not upload or share such information on the Service.

Under the UK GDPR, we process your personal data on the following legal grounds:

Where we rely on legitimate interests, we have conducted a Legitimate Interest Assessment (LIA) for each processing activity, including a balancing test, to ensure our interests do not override your rights and freedoms. You may request a copy of the relevant assessment by contacting us at [email protected]. You have the right to object to processing based on legitimate interests — see Section 8.

We use your information for the following purposes:

• To provide and maintain our Service
• To process and complete transactions
• To facilitate communication between Product Creators and Production Partners
• To manage your account and provide customer support
• To send you important service updates and administrative messages
• To personalise your experience and improve our Service
• To detect, prevent, and address technical issues, fraud, and security breaches
• To send you marketing communications (with your consent where required)
• To send you marketing communications under the PECR “soft opt-in” where applicable (for example, about similar services you have purchased), with a clear option to unsubscribe in every message
• To analyse usage patterns and improve our Service
• To comply with legal obligations

We comply with the Privacy and Electronic Communications Regulations (PECR) for electronic marketing. You can opt out of marketing at any time by using the unsubscribe link in our emails or by contacting us at [email protected].

We use cookies and similar technologies to support core functionality and security, and to understand how visitors use our Service. Cookies are small data files placed on your device when you visit our website.

We use the following types of cookies:

• Essential Cookies: Necessary for the functioning and security of our website (e.g., session management, CSRF protection, Cloudflare security, reCAPTCHA). These cannot be disabled.
• Analytics Cookies: Help us understand how visitors interact with our website. These use a randomly generated identifier and do not directly identify you. Analytics cookies are only set if you consent via our cookie banner.
• Marketing Cookies: Used by Google Ads (Google Ireland Limited) to measure the effectiveness of our advertising campaigns (for example, knowing whether someone who clicked one of our Google ads went on to create an account). Marketing cookies are only set if you grant separate consent for them via our cookie banner. The Google tag library is not loaded from Google's servers until you grant marketing consent under the current cookie policy version, so until you opt in, no request is made to Google for advertising purposes from your browser. We use these cookies for measurement of our own advertising only; we do not sell your data to advertising networks and do not use Google Ads remarketing or audience building.

We do not use functionality cookies. We do not engage in cross-site behavioural advertising or sell your data to advertising networks.

If you reject analytics or marketing cookies via our cookie banner, they will not be set. You can withdraw your consent at any time using the "Cookie Settings" link in our footer or cookie policy. You can also instruct your browser to refuse all cookies, though this may affect some website functionality.

For full details of the specific cookies we use, please see our Cookie Policy.

We comply with the Privacy and Electronic Communications Regulations (PECR) regarding the use of cookies and similar technologies.

We will retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your personal data to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies.

Specifically:

• Account information is retained as long as your account is active
• Transaction records are kept for a minimum of 7 years for tax and accounting purposes
• Communication data is retained for 2 years after the completion of a project
• Usage data is typically anonymised after 2 years
• Error monitoring and infrastructure logs are retained only as long as needed for security and operations, in line with our settings and each provider’s retention (see Section 6.1)

When your personal data is no longer required, we will delete or anonymise it.

6.1 Detailed Retention Schedule

We maintain a comprehensive data retention schedule that specifies the retention periods for different types of personal data:

6.2 Data Deletion Procedures

We have implemented automated and manual procedures to ensure that data is deleted or anonymised once the retention period has expired:

• Automated Deletion: System-triggered data purging based on retention schedules
• Anonymisation: Replacing identifiable data with randomly generated values while preserving statistical usefulness
• Data Minimisation: Regular audits to ensure we only collect and store necessary data
• Account Deletion: When you delete your account, your personal data is immediately anonymised from active systems. A secure recovery backup is retained for 30 days (see Section 6.3) and then permanently deleted.

6.3 Account Deletion and Recovery Period

When you request deletion of your account, we follow a comprehensive process to protect your rights while allowing for recovery in case of accidental deletion:

• Immediate Anonymisation: Upon processing your deletion request, we immediately anonymise all your personal data, including:
  • Email address, name, and contact information
  • Business name, tagline, and description
  • Physical address and location data
  • Business registration numbers
  • Business profile logos (the image shown on your Product Creator or Production Partner profile)
• File uploads (quote requests, projects, and messaging): Files you upload in connection with quote requests, projects, collaborations, or messaging are not automatically deleted from storage when you delete your account if they form part of shared or archived business records that other users may still need for contractual, legal, or operational reasons. Those files remain subject to the retention periods in Section 6.1 (including project files) and the business continuity points below. This is separate from your profile logo, which is removed from storage as part of immediate anonymisation.
• 30-Day Recovery Period: We maintain a secure backup of your personal data for 30 days after deletion solely for the purpose of account recovery. This backup is not used for any operational purpose, is not accessible to other users, and is stored separately from active systems. During this period you may:
  • Recover your account if you change your mind
  • Restore all your personal information and account settings
  • Resume access to your projects and business relationships
• Business Data Preservation: To maintain business continuity for other users:
  • Your projects remain accessible but show "Deleted User" as the owner
  • Messages you sent remain visible to other participants
  • Bids and quotes are archived but preserved for business records
  • Other users' work and files are not affected
• Permanent Deletion: After the 30-day recovery period expires:
  • Your backup data is permanently deleted
  • Recovery is no longer possible
  • Your account remains anonymised permanently

We do not sell your personal information. However, we may share your information with third parties in the following circumstances:

• Third-Party Processors: We may share your information with third-party processors who perform services on our behalf, such as payment processing, data analysis, email delivery, and customer service (see Section 9.1 for a full list)
• Other Users: With your consent, we may share your information with Product Creators or Production Partners for manufacturing collaborations
• Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities
• Business Transfers: In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company
• With Your Consent: We may share your information for other purposes with your explicit consent

7.1 Data Shared Between Users

A core function of our platform is connecting Product Creators with Production Partners. When you use the Service, certain personal data may be shared with other users in the course of normal platform activity, including:

• Your name, business name, and profile information with users you interact with
• Project details, specifications, and files with Production Partners who receive your quote requests
• Contact information with users you communicate with via the platform's messaging or video features
• Bid and quote details with Product Creators who posted the relevant quote request

You control what information you share on the platform. We process this user-to-user data sharing on the basis of contractual necessity (it is essential to providing the Service) and legitimate interest (facilitating business connections between users).

Once you share information with another user, that user may retain it independently of the platform. Combinate is not responsible for how other users handle information you have chosen to share with them.

7.2 International Transfers

Your information may be transferred to — and processed in — countries outside the United Kingdom.

Where transfers are made to countries that are not subject to a UK adequacy regulation, we implement appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable.

7.3 Data Processor Agreements

We ensure that all third-party processors who process data on our behalf have signed Data Processing Agreements (DPAs) that include:

• Processing data only on our documented instructions
• Ensuring confidentiality of the data
• Implementing appropriate security measures
• Assisting with data subject requests
• Deleting or returning data after processing

Depending on your location, you may have certain rights regarding your personal data:

• Right to Access: You have the right to request copies of your personal data
• Right to Rectification: You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete
• Right to Erasure (Right to be Forgotten): You have the right to request that we erase your personal data, under certain conditions. When you exercise this right:
  • Your personal data is immediately anonymised
  • A secure backup is maintained for 30 days for recovery purposes
  • You can reverse your decision within this 30-day period
  • After 30 days, the backup is permanently deleted and recovery is no longer possible
  • See Section 6.3 for detailed information about our account deletion process
• Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data, under certain conditions
• Right to Object to Processing: You have the right to object to our processing of your personal data, under certain conditions
• Right to Data Portability: You have the right to request that we transfer the data we have collected to another organisation, or directly to you, under certain conditions
• Right to Withdraw Consent: If we rely on your consent to process your personal data, you have the right to withdraw that consent at any time

To exercise any of these rights, please contact us using the information provided in the "Contact Us" section. We will respond to your request within one calendar month. In certain circumstances, we may ask you to verify your identity before processing your request.

8.1 How to Exercise Your Rights

We provide several methods for you to exercise your data protection rights:

• Self-Service Options: From your account profile, you can directly access, update, or download most of your personal information
• Data Subject Request Form: For more complex requests, use our Data Subject Request Form
• Email Request: Contact our Data Protection Contact at [email protected]

8.2 Response Timeline

We are committed to responding to data subject requests in a timely manner:

• Initial acknowledgment within 3 business days
• Substantive response within one calendar month
• If we require more time (up to an additional 60 days), we will inform you of the delay and reasons

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or damage. These measures include:

• Encryption of sensitive data
• Regular security assessments and testing
• Access controls and authentication procedures
• Regular backups and data recovery processes
• Staff training on data protection

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

9.1 Third-Party Sub-processors

We use trusted third-party processors (sub-processors) to help us provide our Service. These providers act as data processors under UK GDPR Article 28 and may have access to your personal data. We ensure all sub-processors are subject to contractual obligations to process data only as per our instructions and maintain appropriate security standards.

• Render: Hosts our web application, background and scheduled jobs (cron), PostgreSQL database, and Redis (caching, sessions, and real-time channels). Our production deployment uses Render’s infrastructure in the European Union (e.g. Frankfurt). Render processes all application data needed to run the Service.
• Amazon Web Services (AWS): Used for object storage (S3) for static assets, media, and backups. We may send outbound email through Amazon SES when that is our configured email provider. Our primary application database is not hosted on AWS; it is hosted on Render as described above.
• Brevo: We may use Brevo (formerly Sendinblue) to send transactional and/or marketing email on our behalf when Brevo is our configured email provider. When used, Brevo processes recipient identifiers (such as email addresses), message content, templates, and delivery-related events (for example bounces or complaints) as needed to send email and maintain deliverability.
• Cloudflare: Used for DNS, reverse proxy, CDN (including caching in front of our asset domain where configured), DDoS protection, WAF, and SSL/TLS. Because traffic passes through Cloudflare’s network, Cloudflare also processes HTTP request metadata and IP addresses and provides us with edge analytics (for example request volumes, latency, cache and security events) to operate and monitor the service. We do not use Cloudflare’s optional Web Analytics beacon. For cookies and similar technologies, see our Cookie Policy.
• Stripe: Used for secure payment processing and billing.
• Google Maps Platform: Used for address validation, geocoding, and displaying interactive maps on certain pages. When the maps widget is displayed, the Google Maps JavaScript API loads from Google's servers and may set cookies. Google's privacy policy applies to this processing. See our Cookie Policy for details.
• OpenStreetMap Nominatim (OpenStreetMap Foundation / community geocoding): When Google geocoding is unavailable or as a fallback, we may send address or location queries to the public Nominatim service to obtain coordinates. That service is operated for the OpenStreetMap project; do not upload special category data in addresses. See Nominatim usage policy for how the service may log requests.
• Daily.co: Used for real-time video calling functionality.
• Sentry: Used for application error tracking and (where configured) performance monitoring of our server-side code and routes. This is separate from Cloudflare’s edge metrics: Sentry helps us diagnose bugs and slow requests in the app; Cloudflare shows latency and traffic at the proxy/network layer. We configure Sentry to reduce automatic collection of common identifiers; however, an error report may still include information you submitted (for example text from a form) if it is present in the error message or diagnostic data attached to the event.
• Google reCAPTCHA: Used to protect sign-up forms from automated abuse. reCAPTCHA processes IP addresses and user interaction data to distinguish humans from bots. Google may use this information for its own purposes, including improving its services and security systems, and acts as an independent data controller for this processing. Google's privacy policy applies.
• Google Ads (Google Ireland Limited): Used to measure the effectiveness of our advertising campaigns (for example, attributing a sign-up back to the Google ad you clicked). The Google tag library (gtag.js) is not fetched from Google's servers until you have granted marketing consent under the current cookie policy version — so until you opt in, no request leaves your browser to Google for advertising purposes and Google does not receive your IP address or browser headers in connection with our Ads measurement. Once consent is granted we load the tag and Google's Consent Mode v2 is set to the granted state; the tag may then set cookies including _gcl_au, _gcl_aw, and NID for conversion attribution and may transmit limited event data (such as the URL of the page where a conversion occurred) to Google. If you withdraw consent we update Consent Mode to denied and delete the first-party Google Ads cookies set on this site. Google acts as our data processor for this conversion measurement; Google's own privacy policy applies. We do not currently use Google Ads remarketing, audience building, or Enhanced Conversions; if we introduce these in future we will update this Policy and (where the change is material) bump the policy version so you are re-prompted to consent.

We do not make solely automated decisions about you that produce legal or similarly significant effects within the meaning of UK GDPR Article 22. Search and matching results on the platform (for example, the order in which manufacturer profiles or quote requests are returned) are algorithmically ordered based on relevance signals, plan tier and other ranking factors. These are tools to help you find counterparties; they do not by themselves decide who you can or cannot work with.

If you believe an algorithmic ranking has materially affected you and you would like a human to review your situation, please contact us at [email protected]. If we introduce any feature that does involve solely automated decisions with legal or similarly significant effect, we will update this Privacy Policy and ensure appropriate safeguards are in place, including the right to obtain human intervention.

Our Service is not directed to individuals under the age of 18 ("Children"). We do not knowingly collect personally identifiable information from Children. If you are a parent or guardian and you are aware that your Child has provided us with personal data, please contact us. If we become aware that we have collected personal data from Children without verification of parental consent, we will take steps to remove that information from our servers.

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this Privacy Policy. For significant changes, we will provide a more prominent notice, which may include email notification.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

If you have any questions about this Privacy Policy or our data practices, please contact our Data Protection Contact at:

[email protected]

If you have a complaint about our use of your personal data or response to your requests, you can contact us using the details provided above. You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO). You can do so at https://ico.org.uk/make-a-complaint/, by phone on 0303 123 1113, or by post at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.