This Privacy Policy explains how Infigo Software Limited (“Infigo”, “we”, “us”, “our”) collects, uses, stores and protects personal data when: 

• you visit our website: www.infigo.net

• you contact us for information, support or sales 

• you use our Infigo platform as a customer or platform user 

This policy applies to all visitors and users globally. Additional rights may apply depending on the user’s jurisdiction. 

Data Controller (website and marketing activities): 

Infigo Software Limited 

Unit 10 Enterprise Park, Lewes Road, Lindfield, West Sussex, RH16 2LH, United Kingdom 

Email: privacy@infigo.net 

Tel: +44 (0)330 460 0071 

For our Infigo platform, we act as Data Processor on behalf of our customers, who remain the Data Controllers for data processed within their storefronts — as reflected in our Data Processing Agreement (DPA). 

A. When you visit our website or contact us

We may collect: 

• Name 

• Email address 

• Telephone number 

• Company name 

• Job title 

• Message/enquiry content 

• IP address, browser type and device identifiers 

• Website usage data (pages visited, time on site, etc.) 

• Marketing preferences 

• Cookie and tracking data (see Section 11) 

Infigo’s services are not intended for children under the age of 16 and we are not knowingly collect that data. Actions will be taken if such data is identified. 

B. When you use the Infigo platform (via your organisation)

On behalf of our customers (as Data Processor), Infigo may process: 

• Name 

• Email address 

• Address and contact details 

• Account login information 

• Order history and transaction details 

• Uploaded artwork, media files and templates 

• Personalised content such as variable images or text 

• Delivery instructions 

• IP address and device information 

• Activity logs (e.g., login history) 

These categories reflect the details in Schedule 1 of our Data Processing Agreement. 

1. Website and marketing operations (Infigo as Data Controller)

1. SaaS platform operations (Infigo as Data Processor)

We process data only on documented instructions from the customer, as stated in Clause 3 of our Data Processing Agreement  . 

Purposes include: 

• Managing user accounts and authentication 

• Processing orders and transactions 

• Generating artwork, templates and print files 

• Submitting order data to configured third-party systems (MIS, payment gateways, shipping providers) 

• Providing customer support 

• Hosting and storing media files 

• Logging activity for audit, security and performance 

Legal basis: The customer’s own lawful basis for their usage. 

1. Website and marketing activities

We may share data with: 

• CRM system (HubSpot) 

• Customer Success Platform (Custify) 

• Email service providers 

• Webinar/event platforms 

• Analytics providers 

• Hosting providers (AWS) 

1. SaaS platform data

As described in Schedule 1 of our DPA, we use authorised Sub-Processors such as: 

• AWS – hosting and infrastructure 

• HubSpot – CRM 

• Zendesk – support 

• MailChimp – communications 

• Dropbox – file storage 

• Microsoft – productivity tools 

• Xero – accounting 

Depending on the platform configuration, data will be shared with payment/shipping/tax providers and MIS systems to process the files. 

(Full list appears in our DPA, p.11) 

We never sell personal data nor share it with third parties other the above mentioned entities.

We may transfer data outside the UK/EEA when required (e.g., to sub-processors in the USA). 

When this happens, we use appropriate safeguards such as: 

• EU Standard Contractual Clauses (2021) 

• UK International Data Transfer Addendum 

• Adequacy Decisions where applicable 

This matches the framework set out in Clause 7 of our DPA.

We use multiple layers of organisational and technical security, including: 

• Hosting on AWS with industry-leading certifications (ISO 27001, 27017, 27018, 27701, etc.) 

• Encryption of all data in transit (TLS 1.2/1.3) 

• Encryption of all data at rest (AES-256) 

• Role-based access controls 

• Multi-factor authentication for administrators 

• Regular vulnerability scanning 

• Firewalls, monitoring and intrusion detection 

• Disaster recovery and incident response processes 

These measures reflect the Technical & Organisational Measures described in Schedule 2 of the DPA.

We retain personal data only for as long as necessary. 

Website/marketing data 

• Contact enquiries: up to 24 months 

• Marketing subscriptions: until you unsubscribe 

• Analytics data: according to cookie lifetime settings 

Platform data (processed for customers) 

Depending on customer instructions, we may retain: user account details; order information; artwork/assets; audit logs; configuration data; and workflow information. Platform data is deleted or anonymised 30 days after service termination.

You have the following rights under GDPR: 

• Right to access your personal data 

• Right to rectification 

• Right to erasure 

• Right to restrict processing 

• Right to data portability 

• Right to object 

• Right to withdraw consent (for marketing or cookies) 

• Right to lodge a complaint with the UK ICO 

If based in the US, you have the following rights:  

• Right to know what categories of data are collected 

• Right to access specific pieces of personal information 

• Right to request deletion 

• Right to request correction 

• Right to opt‑out of sale or sharing (Infigo does not sell personal data) 

• Right to limit use of sensitive data (Infigo does not process sensitive data) 

To exercise any of these rights, please contact: privacy@infigo.net 

For platform data, please contact the organisation that operates the storefront — they are the Data Controller.

We use cookies and similar technologies to: 

• Improve website functionality 

• Analyse traffic 

• Personalise content 

• Measure campaign effectiveness 

Non-essential cookies (e.g., analytics, advertising) are only activated with your consent. 

A full Cookie Policy describing cookie categories and lifetimes is available here: https://www.infigo.net/cookie-policy/

We may update this Privacy Policy from time to time to reflect legal, technical or business developments. 

The “Last updated” date will always be shown at the top.

In accordance with Article 27 GDPR, Infigo has appointed an EU Representative: 

EU Representative: Michael Zauner, Oberham 1, 84335 Mitterskirchen 

Email: privacy@infigo.net

We do not conduct automated decision‑making or profiling that produces legal or similarly significant effects. We do not use personalisation or behavioural profiling. Any fraud‑prevention measures are limited to basic technical checks.

Depending on customer configuration, data may be transferred to: payment gateways, shipping/tax providers, MIS/ERP systems, SSO providers, and custom webhook/API endpoints, including but not limited to: 

• Address Validation Providers 

• Addressy 

• Loqate 

• Third-Party Payment Processors 

• Worldpay 

• Paypal 

• Stripe 

• Authorize.Net 

• Opayo 

• PayTrace 

• Accept Blue 

• Square 

• Cyber Source 

• Pay Gate 

• Omnikassa 

• Mis/ERP/Workflow Systems 

• HP Site Flow 

• PrintIQ 

• Tharstern 

• Solprint 

• Presswise 

• CERM 

• LabelTraxx 

• Veracore 

• Optimus 

• Hybrid CLOUDFLOW 

• Enfocus Switch 

• Coupa 

• Ariba 

• Radius 

• Tax Providers 

• Avalara AvaTax 

• TaxJar 

• SSO/Procurement Providers 

• Coupa 

• Ariba 

• Okta 

• Microsoft Dynamics

If you have questions about this policy or how we handle data, please contact our privacy team: 

Contact us here or use our contact details below:  

Email: privacy@infigo.net 

Phone: +44 (0)330 460 0071 

Address: Unit 10 Enterprise Park, Lewes Road, Lindfield, West Sussex, RH16 2LH, UK