Legal

Privacy Policy

How Didov Limited (trading as ReadyToday) handles your personal data.

Last updated: 17 June 2026

1. Who we are

Didov Limited (trading as ReadyToday) is the data controller for personal data processed through our website (readytoday.co.uk) and customer portal (portal.readytoday.co.uk).

  • Company name: Didov Limited
  • Company number: 16474852 (registered in England and Wales)
  • Registered office: Buttercup Cottage, Morgans Vale Road, Redlynch, Salisbury, England, SP5 2HY
  • Contact email: [email protected]

This policy covers both the public website and the customer portal. Where processing differs between them, we make this clear.

2. Personal data we collect

Public website

  • Contact form data: email address, phone number, and message. We use the email address to reply, the phone number to call you back if email is unsuitable, and the message to understand your enquiry.
  • Technical data: IP address, user-agent string, and request logs — collected automatically for security and rate limiting.

Customer portal — account data

  • User profile: email address, full name, first name, last name, phone number, job title, and avatar URL (via OAuth providers).
  • Company data: company name, email, phone, website, company number, VAT number, address (full), billing address (full), registration source, and internal notes.

Customer portal — transactional data

  • Quotes: items, quantities, unit prices, VAT rate, totals, status, dates, and notes.
  • Invoices: items, amounts, VAT, totals, status, due date, and payment details.
  • Contracts: title, description, value, start/end dates, status, terms, and auto-renewal flag.
  • Deliveries: items, quantities, tracking number, delivery address, status, dates, and notes.
  • Subscriptions: status, price, interval, and billing dates.
  • Quote requests: title, description, urgency, required-by date, and requested items.

Customer portal — AI support chat

  • Chat messages: the full text of messages you send and responses generated by the AI, along with your user ID, customer ID, and timestamps.
  • Context snapshots: when you use the support chat, we record a snapshot of your company name and aggregated financial summaries (e.g. number and total value of open quotes, unpaid invoices, active contracts, pending deliveries, and active subscriptions) at the time of each interaction. These snapshots persist as a record of what information the AI had access to when generating its response.
  • Escalation records: if you request escalation to a human, we log the escalation event along with an AI-generated summary of your issue.

Customer portal — system data

  • Audit logs: user actions, resource details, metadata, and timestamps.
  • Processed payment events: event IDs, types, and processing timestamps (for webhook integrity).
  • Access records: user ID, customer ID, role, who granted access, and when.

We do not intentionally collect special category data (e.g. health, ethnicity, political opinions) via either the website or the portal.

3. Lawful basis for processing

Under the UK GDPR and EU GDPR, we rely on the following lawful bases:

  • Contract performance (Article 6(1)(b)): processing your account, company, and transactional data to provide our services.
  • Legitimate interests (Article 6(1)(f)): transactional email, audit logs, rate limiting/abuse prevention, responding to enquiries, and providing AI-powered support.
  • Consent (Article 6(1)(a)): OAuth sign-in; and analytics and advertising cookies on the public website (Google Analytics 4 and Google Ads), which we set only after you accept them via our cookie banner (see our Cookie Policy).
  • Legal obligation (Article 6(1)(c)): retaining invoices and financial records as required by UK tax and accounting law.

4. How we use your data

  • Respond to enquiries submitted through our website contact forms
  • Create and manage your customer portal account
  • Process quotes, invoices, payments, contracts, deliveries, and subscriptions
  • Send transactional notifications (e.g. quote sent, invoice paid, welcome emails)
  • Provide AI-powered customer support (see AI-powered support chat)
  • Maintain audit trails for security, compliance, and operational monitoring
  • Operate and secure our services (authentication, rate limiting, CSRF protection)
  • Comply with legal obligations (tax records, accounting)

5. AI-powered support chat

Our customer portal includes an AI-powered support chat feature. When you use this feature, your data is processed as follows:

How it works

When you send a message in the support chat, our server builds a request that includes your conversation history, your company name, and a summary of your account's financial position (aggregated counts and values — not individual record details, unless you ask the AI to look up specific records). This request is sent to a third-party large language model (LLM) provider via a self-hosted API gateway (LiteLLM proxy), which generates a response.

Data sent to the AI provider

  • On every message: your company name, aggregated financial summaries (e.g. "3 open quotes totalling £5,000"), and your full conversation history for the current session.
  • On demand (when you ask about specific records): details of individual quotes, invoices, contracts, deliveries, or subscriptions — including item descriptions, amounts, statuses, and dates.

Data NOT sent to the AI provider

  • Your email address, phone number, or personal contact details
  • Your password or authentication tokens
  • Other customers' data (strict server-side isolation ensures the AI can only access your company's records)

Data stored

Your chat messages and the AI's responses are stored in our database alongside a context snapshot recording what account information the AI had access to at the time. If you request escalation to a human, we log the escalation and an AI-generated summary of your issue, and send a notification email to our support team.

Third-party AI provider

The upstream LLM provider is configurable and may include providers such as OpenAI, Anthropic, or Google. The provider processes your conversation data to generate responses. We require data processing agreements with our AI providers, but their data retention practices are governed by their own policies. The AI provider acts as a sub-processor under our data processing framework.

6. Who we share data with

We share personal data only with trusted service providers who act as data processors on our behalf. We do not sell your data to anyone.

Service providers (data processors)

  • Stripe: payment processing — receives customer name, email, phone, address, invoice line items and amounts, and subscription details. Subject to Stripe's Privacy Policy.
  • Supabase: database hosting and authentication — stores all portal data (user profiles, company records, transactional data, chat messages, audit logs) and manages user sessions and passwords. Subject to Supabase's Privacy Policy.
  • Microsoft Azure Communication Services: transactional email delivery — receives recipient email addresses and email content (which may include customer names, invoice details, quote details, portal links, and AI escalation summaries). Subject to Microsoft's Privacy Statement.
  • LiteLLM proxy (self-hosted) and upstream LLM provider: AI support chat — receives conversation text, company name, financial summaries, and (on demand) transactional record details. The LiteLLM proxy acts as a data processor; the upstream LLM provider (e.g. OpenAI, Anthropic, Google) acts as a sub-processor. See AI-powered support chat for details.
  • Google (Analytics & Ads): website analytics and ad measurement — receives online identifiers and usage data when you consent to analytics/advertising cookies.
  • Google (OAuth): authentication only — we receive your email, name, and profile picture when you sign in with Google. No customer data is shared with Google.
  • Microsoft (OAuth): authentication only — we receive your email, name, and profile picture when you sign in with Microsoft. No customer data is shared with Microsoft.

All data sharing with processors is governed by appropriate data processing agreements. We require all processors to handle your data in accordance with applicable data protection law.

7. International data transfers

Some of our service providers process data outside the UK and the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place:

  • Stripe processes data in the US and EU, relying on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) where applicable.
  • Supabase may process data outside the UK/EEA, subject to SCCs and equivalent safeguards.
  • Microsoft and Google transfers are covered by their respective data processing agreements, which include SCCs and the UK IDTA.
  • Google may process analytics/advertising data in the US under SCCs / the UK IDTA.
  • The upstream LLM provider (e.g. OpenAI, Anthropic) may process AI support chat data in the US. Transfers are subject to SCCs or equivalent safeguards under applicable data processing agreements.

We do not transfer personal data to any country without ensuring an adequate level of protection as required by UK GDPR (Chapter V) and EU GDPR (Chapter V).

8. Analytics and advertising

On our public website we use Google Analytics 4 and Google Ads, loaded through Google Tag Manager, to understand how the site is used and to measure and improve our advertising. These are activated only with your consent, collected via our cookie banner, and operate under Google Consent Mode v2 — if you do not consent, the tags run in a restricted mode and set no analytics or advertising cookies.

Google acts as a data processor for this activity. Data may be processed outside the UK/EEA under appropriate safeguards (see International data transfers). You can withdraw consent at any time via our Cookie Policy. The full list of cookies is in our Cookie Policy.

9. How long we keep your data

We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law. Our target retention periods are:

  • Website contact form submissions: up to 24 months after the last interaction, then deleted.
  • Portal user account data: retained while your account is active. If your account is deactivated, we aim to delete personal data within 12 months, unless legal retention obligations apply.
  • Company and transactional records (quotes, invoices, contracts, deliveries, subscriptions): retained for a minimum of 6 years to comply with UK tax and accounting requirements (Companies Act 2006, VAT regulations).
  • AI support chat messages and context snapshots: retained for up to 12 months for support quality and audit purposes, then deleted.
  • Audit logs: retained for up to 24 months for security and compliance purposes.
  • Authentication sessions: managed by Supabase Auth with automatic expiry.

Where data is no longer required for any lawful purpose, it will be securely deleted or anonymised. We are actively implementing automated data retention and deletion mechanisms in line with these periods.

10. How we protect your data

We implement appropriate technical and organisational measures to protect your personal data:

  • All data in transit is encrypted using HTTPS/TLS
  • Database encryption at rest is handled by our infrastructure provider (Supabase)
  • Database access is protected by row-level security policies — users can only access data for companies they are authorised to see
  • Passwords are managed by Supabase Auth (hashed, never stored in plain text or in application tables)
  • Payment webhooks are verified using cryptographic signature validation
  • Input validation is enforced on all form submissions via schema validation
  • CSRF protection, rate limiting, and strict Content Security Policy headers are applied
  • AI support chat data is isolated per customer — the AI can only access your company's records, enforced server-side
  • API keys, secrets, and credentials are stored as environment variables, never in source code
  • Application containers run as non-root users

11. Your rights

Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to restrict processing: request that we limit how we use your data in certain circumstances.
  • Right to data portability: receive your data in a structured, commonly used, machine-readable format.
  • Right to object: object to processing based on legitimate interests, including the use of AI-powered support features.
  • Right to withdraw consent: where processing is based on consent (e.g. OAuth sign-in, or analytics and advertising cookies), you may withdraw consent at any time.
  • Rights related to automated decision-making: the AI support chat provides information and assistance but does not make automated decisions with legal or similarly significant effects. If you have concerns about AI processing of your data, please contact us.

To exercise any of these rights, email us at [email protected]. We will respond within one month as required by law. Requests for data deletion or export are currently processed manually by our team.

If you have a concern about how we handle your personal data, you can complain to us directly — see Data protection complaints. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), or with your local EU supervisory authority.

12. Data protection complaints

If you are unhappy with how we have handled your personal data, you have the right to complain to us. You can make a data protection complaint:

  • Online: using our contact form
  • By email: [email protected]
  • By post: Didov Limited, Buttercup Cottage, Morgans Vale Road, Redlynch, Salisbury, England, SP5 2HY

Please tell us that your message is a data protection complaint and include enough detail for us to look into it. We will acknowledge your complaint within 30 days of receiving it, then make appropriate enquiries, keep you informed of progress, and tell you the outcome without undue delay.

If you are not satisfied with our response — or you would prefer to raise it with the regulator — you also have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator, or to your local EU supervisory authority. We would welcome the chance to resolve your concerns first.

13. Cookies

We use strictly necessary cookies for security and basic functionality, and — with your consent — analytics and advertising cookies (Google Analytics 4 and Google Ads). For full details and to manage your consent, see our Cookie Policy.

14. Children's data

Our services are directed at businesses and business professionals. We do not knowingly collect personal data from children under 13 (or under 16 where required by applicable law). If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.

15. Changes to this policy

We may update this privacy policy from time to time, including when we introduce new features or change our data processors. Significant changes will be communicated via our website. The date at the top of this page indicates when it was last updated. We encourage you to review this policy periodically.

16. Contact us

If you have questions about this privacy policy or how we handle your personal data:

  • Email: [email protected]
  • Post: Didov Limited, Buttercup Cottage, Morgans Vale Road, Redlynch, Salisbury, England, SP5 2HY

If you wish to make a data protection complaint, please see Data protection complaints. You also have the right to complain to the UK Information Commissioner's Office (ICO), or to your local EU data protection supervisory authority.

Questions about your data?

If you have questions about how we handle your personal data, get in touch.