Privacy Policy
Last updated: July 5, 2026
This document is not yet in effect. It takes effect on 17 August 2026. Until then, the current Privacy Policy applies.
This Privacy Policy forms part of our Terms of Service. Words defined in the Terms of Service — such as User, Pilot, Owner, VA Staff, Virtual Airline (VA), Services and Team vAMSYS — have the same meaning here.
§1 Who we are, and what this policy covers
This policy explains how we handle personal data across the whole vAMSYS service: the Virtual Airline management platform (the product), and our corporate website — including its feedback system and the changelog newsletter (covered separately in §4 and §7 below).
We are vAMSYS LTD (company number 09982167), a company registered in England and Wales with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. In this policy, "vAMSYS", "we", "us" and "our" mean vAMSYS LTD. You can contact us about anything in this policy at help@vamsys.co.uk.
We provide the Services from the United Kingdom. We process personal data in line with UK data-protection law — the UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025. We are the controller of the personal data on the platform — we decide why and how it is processed. A VA becomes a controller of personal data only in the limited situations explained in §3.
In limited situations a VA controls personal data of its own (see §3) — for example, data it receives through the Pilot API or by export. There, the VA's own privacy policy governs what the VA does with that data.
§2 The short version
The detail is below, but in plain terms:
We collect what we need to run the Services — your name, email, login details, your linked accounts, your flight activity within a VA, and (for Owners) billing details. We do not collect dates of birth.
We are the controller of all your data on the platform — your identity, account, billing and access-log data, and your activity within a VA (flights, points and so on). A VA uses the platform to run its community; it only becomes a controller of data it holds itself — people it invites, or data it takes off-platform (with your consent). We are not joint controllers, and we are not a VA's processor.
We keep your data in the UK and the EEA. The only personal data that goes outside that is to Stripe (to take payment) and, when we need to check an IP for abuse or ban evasion, a momentary ProxyCheck.io check that keeps nothing (see §8).
We don't sell your data, and we don't send you marketing of our own. The only marketing route is a consent-based facility a VA can use, where the VA is responsible for the marketing (see §6).
We log IP addresses and related security information to keep accounts genuine and to stop banned users coming back (see §5 and §11).
Enforcement decisions are made by a real person. Automated systems give effect to a human decision; they do not decide on their own to restrict you. You can ask for a human to review any decision (see §11).
You have full rights over your data — access, correction, deletion and more — and you can complain to the Information Commissioner's Office (ICO) (see §12).
§3 Our role: when we are the controller, and when a VA is
vAMSYS is the controller of the personal data on the platform. We decide how it is processed, and we are the only party who can correct, export or delete it. This covers both the data that identifies you — your name, email, linked accounts, account settings, the billing data we hold for Owners, and the access and security logs we generate — and the operational data your activity creates within a VA: your bookings, flight reports, position reports, points, rank and similar.
A VA does not control that data. When a VA awards points, sets its scoring rules, leaves a comment on a flight, or removes an activity registration, it is using the Services to run its community — not deciding how your personal data is processed. A VA can view your data to run its roster, but it cannot edit, export or own it.
A VA is a controller only where it holds personal data itself. There are three such situations:
Pilot Invite. A VA can invite people by giving us their name and email address. The VA is responsible for that data and confirms it has the right to provide it to us; we use it to create a User (and Pilot) account and to send the invitation, and we then control that account as above.
Data a VA takes off the platform. When a VA receives your data through the Pilot API (with your consent) or exports it into its own systems, that VA becomes an independent controller of that copy and is solely responsible for it — including having its own privacy policy and handling it lawfully (see Terms of Service §11.5–§11.6).
Marketing. Where you consent, a VA can send you marketing through our export facility; the VA is the independent controller of the marketing it sends (see §6 and Terms of Service §11.4).
We are separate controllers, not joint, and we are not a VA's processor. vAMSYS and a VA are each independent controllers of the data they genuinely control. The terms covering data a VA receives from, or shares with, us are in our Data Sharing Agreement (see Terms of Service §11.1, "Who controls what (the controller map)").
Team vAMSYS support accounts can access all VAs and are disclosed in §10.
§4 The personal data we hold, and where it comes from
We group the data we hold into the categories below. Some of it you give us; some is generated as you use the Services; some comes from third-party accounts you choose to link; and, if a VA invited you, your name and email may first have come from that VA (see §3).
Account and identity data — your first and last name, your chosen display format of your real name (your full name, first name with last initial, or first name only — not a pseudonym), any previous name on record, and your Pilot username at each VA. Source: you, except the Pilot username, which the platform allocates automatically.
Contact data — your email address (and whether it is verified), and, where you provide them, your phone number, post code, city and country. Source: you.
Login and security credentials — your password (stored only as a secure bcrypt hash, never in readable form), your two-factor authentication secret and recovery codes if you enable it, and tokens we use to keep you signed in and to verify your email. Source: you and our systems.
Linked external accounts — identifiers and, where needed, access tokens for accounts you choose to link: VATSIM, IVAO, POSCON, APOC, Navigraph, SimBrief and Discord. Source: those services, when you link them. These are services you connect; they are governed by their own terms (see §7).
Access and security logs — when you sign in, we record your IP address, approximate location derived from it (country, region, city, post code, latitude/longitude), your device's user-agent, and your network/host details. Where we need to assess whether a connection is a known VPN, proxy or otherwise higher-risk — for example when investigating suspected abuse or ban evasion — we check the IP with ProxyCheck.io on-demand, not as automatic enrichment of every sign-in, and we query it so nothing is retained. Source: generated when you sign in; VPN/proxy/risk checks via ProxyCheck.io are on-demand. Why we do this, and the safeguards, are in §5 and §11.
Billing data (Owners only) — your billing name, email and address, VAT ID if you provide one, your invoices, and a card descriptor (the card type and last four digits). We do not store full card numbers or security codes — our payment processor holds those (see §7 and §8). Source: you and our payment processor.
Flight activity data — your live position reports while you fly (location, altitude, speed, flight phase) and your completed flight reports (times, distances, fuel, landing data, your notes and comments, and the flight log). vAMSYS controls this operational data as part of running the Services; a VA uses it to run its community but does not control it (see §3). Source: generated by your flying, plus anything you add.
Profile and preferences — any social links you add (such as YouTube or Twitch), your notification and privacy settings, units and similar preferences, and — for VA Staff — your staff title, contact email and image as shown within the VA. Source: you.
Staff notes and name review — notes that VA Staff or Team vAMSYS record about a Pilot, and the outcome and reasons of our name review. Source: generated by VA Staff and us.
Enforcement and ban records — where an account is frozen, restricted, banned or removed, the fact of it and the reason category. Where an account is or has been subject to a ban or restriction, we do not anonymise or delete it — we keep the account and its identifying data intact for as long as necessary to enforce the restriction. Source: generated by our enforcement process. See §9 and §11.
Corporate-site feedback data — if you use the feedback system on our corporate website, we hold your name and email, your link to your vAMSYS account and VA memberships where applicable, your notification preference, and the feedback you post (its title, body, tags and comments). The visibility of a post (public, internal or private) is set by Team vAMSYS, not by you. Source: synced from the product and provided by you.
Corporate-site newsletter data — if you subscribe to the changelog newsletter, we hold your email address and the tokens we use to confirm your subscription (double opt-in) and to let you unsubscribe. Source: you.
We do not collect dates of birth, and we do not hold any special-category data by design. See §13 on age.
§5 Why we use your data, and our lawful bases
We use personal data only for the purposes below, each with a lawful basis under UK data-protection law.
To provide your account and the Services you ask for — creating and running your User account, your Pilot memberships and (for Owners) your subscription; signing you in; processing your flight activity; and providing support. Lawful basis: performance of our contract with you (these Terms).
When a VA invites you — if a VA invites you by giving us your name and email, we process those details to create your account and send the invitation. Lawful basis: our legitimate interests in operating the invitation feature and onboarding members a VA has chosen to invite; the VA confirms it had the right to share your details with us.
To take payment (Owners) — billing your subscription, issuing invoices, and handling refunds and chargebacks. Lawful basis: performance of our contract with you; and, for keeping financial records, legal obligation.
To operate, secure and protect the Services — keeping the Services running and reliable; detecting and preventing fraud, abuse, multiple or fake accounts and ban evasion; investigating suspected breaches; reviewing names to keep the roster genuine; and improving the product. Lawful basis: our legitimate interests.
Our legitimate-interests rationale for security and IP processing. Running a fair, safe platform means we have to be able to tell genuine accounts apart from fake ones, and to make a ban actually stick. To do that we log IP addresses and derive related security information (such as approximate location and whether a connection is a known VPN or proxy). Where an account is or has been subject to a ban or restriction, we keep that account and its identifying data intact — rather than erasing it — for as long as necessary to enforce the restriction; for every other account, we anonymise fully once the retention period ends (see §9). We have weighed this against your interests: the data is limited to what security needs, it is kept for no longer than necessary for accounts with no restriction, it is not used to build a marketing profile or sold to anyone, and you can object and ask for human review (see §11 and §12). We consider this processing necessary and proportionate to protect the platform and its users, and not overridden by your rights and freedoms.
For account integrations you switch on — linking your external accounts (VATSIM, IVAO, POSCON, APOC, Navigraph, Discord), and optionally generating an Operational Flight Plan (OFP) through SimBrief/Navigraph. If you request an OFP, your name and SimBrief username are sent to generate it. Lawful basis: your consent, which you can withdraw at any time by unlinking the account or declining to generate an OFP.
For marketing a VA chooses to send — only through our consent-based export facility (see §6). Lawful basis: your consent.
For the corporate-site feedback system — handling your feedback submissions and comments, running the community feedback process, and using it to understand and improve the product. Lawful basis: our legitimate interests (managing and improving the product and handling community feedback); and, where you are signed in, performance of our contract with you.
To meet our legal obligations — keeping financial records, responding to lawful requests from authorities and courts, and meeting our duties around illegal content. Lawful basis: legal obligation.
Operational, safety and security communications that are part of running your account or a VA (for example, account, safety or security notices) are not marketing and do not need separate consent.
§6 Marketing — the consented export facility
We do not send you marketing of our own, and there is no bulk roster export a VA can use to extract its Pilots' contact details (see §7 and Terms of Service §4.3, "A VA's own legal obligations").
The only sanctioned way a VA can market to you through vAMSYS is our consent-based marketing-export facility:
the consent screen names the specific VA you would be hearing from;
consent is recorded per VA — it is granular, not a blanket opt-in across all the VAs you fly for; and
consent is freely given and freely withdrawable at any time.
When you consent, the VA becomes the controller of the marketing it sends you, and the VA — not vAMSYS — is responsible for including an unsubscribe option in every message and for complying with marketing law. We provide the consent and opt-out mechanics and keep a record of your consent and withdrawal (see §9). To withdraw consent you can use the controls in the platform, the unsubscribe link in any message, or email help@vamsys.co.uk. See Terms of Service §11.4, "Marketing-export consent", and Acceptable Use Policy §7, "Other users' data and privacy".
The corporate-site changelog newsletter is separate: it is our own product-update mailing, sent on a double opt-in basis (lawful basis: consent), and every email includes an unsubscribe link.
§7 Who we share data with
We do not sell your personal data. We share it only as set out below.
Our sub-processors. These are providers we use to run the Services. Each processes personal data on our instructions, under its own data-processing terms, and only for the purpose shown. Where a provider is part of a group established outside the UK/EEA (a US-headquartered company can be required to provide access to data even where it is stored in the EU), we rely on appropriate safeguards — the UK Addendum to the EU Standard Contractual Clauses, or the UK International Data Transfer Agreement (IDTA) — as part of that provider's terms (see §8):
Stripe — subscription billing for Owners. Stripe holds your card data; we hold only your billing address and a card descriptor.
Mailgun (EU region) — sending transactional email, such as verification and password-reset messages and notifications.
ProxyCheck.io — a momentary, on-demand check of an IP address for VPN/proxy/risk, used to protect accounts and prevent ban evasion. We query it so that the provider retains nothing from the check.
DigitalOcean Spaces (EU region) — object storage, such as OFP PDFs (which carry a pilot name) and images shown within a VA (such as a VA logo or a VA Staff image). DigitalOcean is a US-parented provider; we use its EU region, under the transfer safeguards above.
Cloudflare (EU region) — DNS, edge delivery and position-report ingestion (which carries no identity data), and our encrypted database backups on Cloudflare R2. Cloudflare is a US-parented provider; we use its EU region, under the transfer safeguards above.
Our own infrastructure. The rest we run ourselves, in the UK/EEA:
a self-hosted Sentry instance for error and exception monitoring (on our own UK/EEA infrastructure, not Sentry's hosted service); and
our primary database, hosted in the EEA, which holds the core data.
Services you connect. When you link an external account — Navigraph, Discord, VATSIM, IVAO, POSCON or APOC — you are connecting your own existing account, and your use of that service is governed by its own terms. When you link an account with one of these services, your account identifier and any data you choose to share through our platform (such as flight data) may be accessible to that service in accordance with your linked-account settings. These are not our sub-processors. If you choose to generate an OFP (which is optional and needs your own linked SimBrief/Navigraph account), the only data that goes out is your name and username, to produce the OFP.
A VA you are a member of. A VA can view the data needed to run its roster, but it does not control that data — vAMSYS does (see §3). A VA holds data of its own only where it has invited you, or where it takes data off the platform (through the Pilot API, with your consent, or by export); what it does with data it takes off-platform is governed by the VA's own privacy policy.
On a sale or reorganisation of our business. If we merge with, are acquired by, or transfer our business to a successor, your data may pass to that successor, which will be bound by terms and a privacy regime at least equivalent to these (see Terms of Service §13.6, "Transfer of our business").
To comply with the law. We may disclose personal data where we are required to by law, or by a binding legal request from an authority or a court, and to establish, exercise or defend legal claims.
No bulk roster export. A VA cannot use data portability, or any other route, to mass-extract its Pilots' personal data. Where a VA has a genuine legal or regulatory obligation that needs specific member data, we may provide that data case by case (see Terms of Service §4.3, "A VA's own legal obligations").
§8 Where we process your data
We process personal data in the United Kingdom and the European Economic Area (EEA). Our primary database and our self-hosted error monitoring are in the UK/EEA, and we use EU regions for email, object storage and backups.
Some of those providers, although we use their EU regions, are part of US-headquartered groups — which can amount to a transfer of personal data outside the UK/EEA (a US parent can be required to provide access even to EU-stored data). Where that is the case we rely on appropriate safeguards: each provider's data-processing terms together with the UK Addendum to the EU Standard Contractual Clauses, or the UK International Data Transfer Agreement (IDTA). This applies to:
Stripe (billing) — under Stripe's own Data Processing Agreement and the UK Addendum/SCCs;
DigitalOcean (object storage) and Cloudflare (DNS/edge and encrypted R2 backups) — US-parented, used in their EU regions, under their data-processing terms and the UK Addendum/SCCs; and
ProxyCheck.io — where we check an IP for VPN/proxy/risk (on-demand, not on every sign-in), we query it with the provider's no-logging option, so nothing is retained; no other personal data is sent.
We do not otherwise transfer your personal data outside the UK/EEA.
§9 How long we keep your data
We keep personal data only for as long as we need it for the purpose we collected it for, or for as long as the law requires. The main periods are:
| Data | How long we keep it | Why |
|---|---|---|
| Your User account and identity data | Kept while your account is open. If you ask to delete it, the account is first set inactive ("frozen"); signing in within 60 days cancels the deletion. After 60 days, if your account is not, and has not been, subject to a ban or restriction, we anonymise it: your name, email and linked-account identifiers are irreversibly scrubbed, and we do not keep anything that could later match a new sign-up back to you | Running your account; a reversal window, then genuine anonymisation |
| Banned or restricted accounts | Not anonymised or deleted. If your account is or has been subject to a ban or restriction, we keep it — and its identifying data — intact for as long as necessary to enforce the restriction, including to detect evasion and to review the decision (for example, on appeal, or when matching against other accounts) | Security and ban-evasion prevention (legitimate interests) — see §11 |
| Pilot removal (your membership of a VA) | Restorable by the VA for up to 12 months, so a returning pilot can be reinstated. After 12 months, if the removal was not a ban or permanent removal, the pilot record is removed and your flight activity is transferred to the "vAMSYS Robot" system account and de-identified. (Failed or incomplete flight reports and their bookings are deleted at removal.) If you were permanently removed or banned from a VA, that pilot record is not transferred or de-identified — we keep it intact, in the same way as a banned User account, for as long as necessary to enforce the restriction and support review | A restore window, then de-identification, unless the removal was a ban or permanent removal |
| Optional "Pilot Account Reset" (pilot-initiated, where your VA enables it) | At any time, a pilot can choose to transfer their bookings, flight reports and analytics to the "vAMSYS Robot" system account, while keeping their own account | A pilot-initiated way to hand over flight history |
| Unverified accounts that never joined a VA | Hard-deleted after 14 days | Clearing abandoned sign-ups |
| Access and security logs (IP, location, VPN/proxy/risk) | 12 months, then the location, VPN/proxy/risk, device and network details are deleted for everyone. If your account is, or has been, subject to a ban or restriction, we also keep the IP address and its link to your account for as long as necessary to prevent evasion; otherwise that link is not kept beyond 12 months | Security, fraud and ban-evasion prevention (legitimate interests) |
| API request logs | 90 days, then deleted | Operating and securing the APIs (legitimate interests) |
| Billing records and invoices | 6 years | Legal obligation — UK tax law requires records for 6 years (HMRC) |
| Proof of marketing consent | About 2 years after consent is withdrawn, then deleted | Demonstrating consent was validly obtained |
A removed VA's data is kept for a restore window of up to 60 days before it may be deleted or anonymised (see Virtual Airline Owner Terms §4, "What happens when a subscription ends").
How account deletion works. When you ask to delete your User account, we first set it inactive so the request can be reversed by signing in within the 60-day window; after that, if your account is not, and has not been, subject to a ban or restriction, we anonymise your account and identity data — irreversibly, and without keeping anything that could later match a future sign-up back to you. If your account is or has been subject to a ban or restriction, we do not anonymise or delete it — we keep it intact for as long as necessary to enforce that restriction (see §11). Removing a Pilot (your membership of a VA) is reversible too: a VA can restore a removed pilot for up to 12 months, after which — if the removal was not a ban or permanent removal — the pilot record is removed and that pilot's flight activity is transferred to our "vAMSYS Robot" system account and de-identified, so the VA's statistics stay intact without the data remaining linked to you. If you were permanently removed or banned from a VA, that pilot record is instead kept intact, in the same way as a banned User account, for as long as necessary. You can also exercise your erasure right at any time under §12, subject to the exception for accounts under a ban, restriction or legal hold. We keep only what the law requires (such as billing records, §9 above) and the enforcement records described in §11.
Backups. Our database backups on Cloudflare R2 are encrypted and kept on a 2-week rolling cycle, then overwritten. When data is deleted from the live Services, any copy in a backup persists only until that backup cycle rotates, after which it is gone.
After the relevant period, we anonymise personal data, delete it, or — where an account is or has been subject to a ban or restriction, or is otherwise under a legal hold — keep it intact for as long as necessary for that purpose (see §11).
§10 How we protect your data
Encryption in transit. Connections to the Services are encrypted (HTTPS).
Encryption at rest. Sensitive data is protected at rest, passwords are stored only as secure hashes, and our database backups on Cloudflare R2 are encrypted.
Access controls. Access to personal data is limited to those who need it to run, support and secure the Services, and is logged.
Two-factor authentication. You can enable 2FA on your account for extra protection, and we encourage it.
Team vAMSYS support accounts. So that we can provide support and carry out moderation across VAs, Team vAMSYS hold Pilot accounts on every VA, with the elevated access this needs. Like all accounts, their sign-ins are recorded in our access logs, and a VA cannot remove or ban a Team vAMSYS account. We disclose this openly (see Terms of Service §3.6, "Pilot usernames", and §11.8, "International transfers, sub-processors and Team vAMSYS").
No service can promise that data will never be lost or accessed without authorisation, but we take reasonable measures to protect it, and we handle breaches as set out in §15.
§11 Enforcement and automated decision-making
We use a mix of people and automated systems to keep the platform safe and fair. Under the Data (Use and Access) Act 2025 and the UK GDPR Articles 22A–22C, you have the right to know about automated decision-making that produces legal or similarly significant effects on you. Here is how we handle it, and your safeguards.
Decisions are made by people. Any decision to restrict, suspend or remove a User, Pilot, VA Staff member, Owner or VA is made by a real Team vAMSYS person, on review. Our automated systems do not decide, on their own, to restrict someone who is not already subject to a decision.
What automated systems do. Automated systems give effect to a human decision and protect it — principally, to stop a restricted person from evading a restriction and to detect multiple or fake accounts. Where we detect that a restricted person is accessing the Services or creating a new account, or that an attempt matches the signals of a restricted person (such as a shared IP address), our systems may apply the restriction to that access, account or new registration — including a person's linked accounts, and including a new or otherwise unlinked sign-up that matches those signals — to carry out the decision a person has already made. To do this we process IP addresses and the related access-log and security information described in §4 and §5.
Your safeguards. On any restriction, we will tell you that you are restricted, the general category of reason for it (for example, "suspected ban evasion" or "multiple accounts"), and how to ask for a human to review it. You have the right to that human review — contact help@vamsys.co.uk (see Terms of Service §8.3, "Notice, and your right to human review").
Records we keep after enforcement. Where your User account is or has been subject to a ban or restriction, we do not anonymise or delete it — we keep the account, including your identifying data, for as long as necessary to prevent evasion and to support review of the decision (for example, on appeal, or to match it against other accounts). Where a Pilot record (your membership of a VA) reaches the end of its 12-month restore window under §9 and the removal was not a ban or permanent removal, it is transferred and de-identified as described there. Where the removal was a ban or permanent removal, the pilot record is instead kept intact — not transferred or de-identified — so the restriction and its context remain available if a rejoin is attempted or the decision is reviewed. The lawful basis is our legitimate interest in protecting the Services and our users from evasion and repeat abuse (see §5 and Terms of Service §8.9, "Records we keep after enforcement").
§12 Your rights, and how to exercise them
Under UK data-protection law you have the right to:
access the personal data we hold about you;
have inaccurate data corrected (rectification);
have your data deleted (erasure), where the law allows;
restrict how we use your data in certain circumstances;
receive your data in a portable form (portability);
object to processing we carry out on the basis of legitimate interests; and
withdraw consent at any time, where we rely on consent (such as marketing or account integrations); and
complain to the Information Commissioner's Office (ICO) — the UK's independent data-protection supervisory authority.
How to exercise a right. Contact help@vamsys.co.uk. As a User, you can request a copy of your own personal data, and you can use the self-service controls in the platform — for example, to update your details, manage your notification and privacy settings, withdraw marketing consent, unlink an external account, enable 2FA, or request account deletion.
A note on objecting to security processing. Your right to object applies to processing we carry out for our legitimate interests. Where that processing protects the Services and other users — in particular security, fraud prevention and ban-evasion (see §5 and §11) — we may continue it where we have compelling legitimate grounds, or where we need it to establish, exercise or defend legal claims. This does not affect your other rights, including your right to human review of an enforcement decision (§11).
A note on erasure for banned or restricted accounts. Where your account is or has been subject to a ban or restriction, or is otherwise the subject of an active legal claim, dispute or investigation, we may need to pause the erasure and anonymisation timelines described in §9 for as long as that ground applies, consistent with Article 17(3) UK GDPR. This does not remove your other rights under this section.
Where a VA holds your data. For your data on the platform, vAMSYS is the controller and will action your request directly. A VA only controls data it holds in its own systems — data it received through the Pilot API (with your consent) or by export. Where your request concerns that, the VA is the controller of its copy; we will point you to the VA and assist as far as we reasonably can (see §3).
Complaints about your data. If you are unhappy with how we have handled your personal data, you can make a data-protection complaint at any time — email help@vamsys.co.uk and mark it as a data-protection complaint. We will acknowledge it within 30 days and respond without undue delay. You can also complain to the Information Commissioner's Office (ICO) at ico.org.uk at any time, though we'd appreciate the chance to put things right first.
Your right to complain. If you are unhappy with how we have handled your personal data, please tell us first so we can put it right. You also have the right to complain to the Information Commissioner's Office (ICO) — the UK's data-protection supervisory authority — at ico.org.uk.
§13 Children and minimum age
The Services are for adults. You must be at least 18 years old to use them, and by using them you confirm that you are 18 or over.
We do not collect dates of birth and we do not run hard age verification — we rely on your self-declaration at sign-up, and we remove any under-18 account we identify. We recognise that, despite the 18+ rule, some under-18s may access the Services, so we protect everyone by design — minimal data, no profiling, no targeted advertising, and a clean content standard (Acceptable Use Policy §3) — and we keep our approach under review. The detail is in our age-assurance assessment and our DPIA (see Terms of Service §2, "Eligibility and age", and §11.10, "Age and age-assurance").
§14 Cookies
In the platform (the product) we use strictly-necessary cookies only — for example, to keep you signed in, protect forms, apply rate limits, and for anti-bot protection. On our corporate website we also use Google Analytics, but only if you opt in through our cookie banner (analytics is off by default, and IP addresses are anonymised). We do not use advertising cookies. The detail — including how to change or withdraw your analytics consent — is in our separate Cookie Policy.
§15 Data breaches
If a personal-data breach occurs, we act on it promptly. As the controller of the personal data on the platform, where a breach is likely to result in a high risk to your rights we will notify the affected people and the ICO as and where the law requires. Where a breach on our side affects data a VA has received from us, we will also tell that VA without undue delay (our target is within 72 hours) so it can meet its own obligations as controller of its copy (see Terms of Service §11.3, "Personal-data breaches").
§16 Changes to this policy
We may update this Privacy Policy from time to time. Because it forms part of the Terms of Service, changes follow the same process: where a change materially and adversely affects you, we follow the change process in the Terms of Service §13.1, "Changes to these Terms"; other changes take effect when we update the 'Last updated' date at the top of this policy.
§17 How to contact us
For anything to do with this policy, your data, or your rights, contact us at:
vAMSYS LTD 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom Email: help@vamsys.co.uk (Company number 09982167.)
You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk (see §12).