Overview
This Privacy Policy explains how APILOT LTD collects, uses, stores, shares and protects personal data when you visit Apilot.co, create an account, subscribe to our services, contact us, or otherwise interact with Apilot.
This Privacy Policy is intended to be used together with our Terms of Service and Cookie Policy.
APILOT LTD is a company registered in England and Wales under company number 17156688, with registered office at 124 City Road, London, England, EC1V 2NX.
In this Privacy Policy:
- “Apilot”, “we”, “us” and “our” mean APILOT LTD;
- “Services” means Apilot.co and any related Apilot websites, applications, dashboards, reports, alerts, exports, APIs, documentation and support services;
- “Customer”, “you” and “your” mean the person, company, organisation or other legal entity using or interacting with the Services;
- “personal data” means information relating to an identified or identifiable individual.
For the purposes of UK data protection law, APILOT LTD is the controller of personal data described in this Privacy Policy, except where we process personal data on behalf of a customer under a separate data processing agreement.
1. Contact details
For privacy or data protection questions, or to exercise your data protection rights, contact:
APILOT LTD
Company number: 17156688
Registered in England and Wales
Registered office: 124 City Road, London, England, EC1V 2NX
Privacy email: [email protected]
For legal notices: [email protected]
For account, billing or technical support: [email protected]
We are not currently required to appoint a Data Protection Officer. If this changes, we will update this Privacy Policy.
2. Who this Privacy Policy applies to
This Privacy Policy applies to personal data we process about:
- visitors to Apilot.co;
- users of Apilot;
- account owners and workspace users;
- trial users and subscribers;
- people who contact us for support, sales or general enquiries;
- business contacts, prospects and customer representatives;
- people who receive service, account, billing or marketing communications from us;
- people whose information may appear in customer-submitted data, marketplace data or public-source business data processed by the Services.
The Services are primarily intended for business and professional use and are not intended for children or anyone under 18.
3. Personal data we collect
We may collect and process the following categories of personal data.
3.1 Account and identity data
This may include:
- name;
- business name;
- job title;
- email address;
- telephone number, if provided;
- username;
- password hash;
- authentication information;
- account status;
- workspace membership;
- user role and permissions;
- account preferences.
3.2 Billing and subscription data
This may include:
- billing name;
- billing email;
- billing address;
- company details;
- tax or VAT details, if applicable;
- selected plan;
- subscription status;
- invoice history;
- payment status;
- payment processor references.
We do not normally store full payment card numbers. Card payments are handled by our payment processor, such as Stripe, and are subject to that provider’s own terms and privacy notice.
3.3 Product usage data
This may include:
- login and logout activity;
- pages and dashboard areas used;
- features used;
- watchlists created;
- product identifiers tracked;
- seller identifiers tracked;
- marketplace URLs submitted;
- alert settings;
- export activity;
- report generation activity;
- API usage;
- error logs;
- account configuration;
- support and diagnostic information.
3.4 Technical and security data
This may include:
- IP address;
- browser type and version;
- device type;
- operating system;
- approximate location derived from IP address;
- session identifiers;
- login timestamps;
- security logs;
- server logs;
- request metadata;
- fraud prevention and abuse detection signals.
3.5 Communication and support data
This may include:
- emails and messages you send to us;
- support requests;
- technical issue reports;
- feedback;
- survey responses;
- meeting notes;
- call notes;
- marketing preferences;
- unsubscribe or opt-out records.
3.6 Customer Data
When you use the Services, you or your organisation may submit or configure data such as:
- marketplace URLs;
- product identifiers;
- seller identifiers;
- watchlists;
- notes;
- tags;
- alert rules;
- account settings;
- uploaded files;
- exports;
- API requests;
- other business data submitted to or generated through the Services.
Some Customer Data may contain personal data, especially where it relates to a sole trader, small business owner, seller, customer representative or named business contact.
3.7 Marketplace and public-source business data
The Services may process marketplace-related or publicly available business data, such as:
- seller names;
- store names;
- business names;
- public business addresses;
- public marketplace profiles;
- product listings;
- listing URLs;
- prices;
- availability;
- descriptions;
- ratings or public seller indicators;
- public business contact information, where lawfully available;
- changes to listings, sellers or marketplace pages.
Some public-source or marketplace business data may relate to individuals, sole traders or small business owners and may therefore be personal data.
3.8 Marketing and sales data
This may include:
- business contact details;
- lead source;
- campaign source;
- referral parameter, if used;
- email engagement data;
- marketing preferences;
- notes about business requirements;
- responses to outreach or campaigns.
4. How we collect personal data
We collect personal data from:
- you directly, when you create an account, subscribe, contact us or use the Services;
- your organisation, where it invites you to a workspace or manages your account;
- your use of the Services;
- payment processors;
- authentication and hosting providers;
- support, communication and email providers;
- public marketplace pages and other public sources;
- customer-submitted identifiers, watchlists and URLs;
- business contact sources, where lawfully used;
- cookies and similar technologies, as described in our Cookie Policy.
5. How we use personal data
We use personal data to:
- provide, operate and maintain the Services;
- create and manage accounts;
- authenticate users;
- manage workspaces, permissions and access;
- process subscriptions, invoices and payments;
- provide product tracking, seller tracking, watchlists, alerts, history, reports and exports;
- provide API access and integrations, where applicable;
- provide support and respond to enquiries;
- diagnose technical issues and fix bugs;
- secure the Services and prevent fraud, abuse, misuse and unauthorised access;
- monitor performance, reliability and service usage;
- improve the Services and user experience;
- develop new features;
- communicate service, security, billing and account updates;
- send marketing communications where permitted;
- manage trials, onboarding and customer success;
- manage referrals, campaign links or promotional URLs, where used;
- comply with legal, tax, accounting and regulatory obligations;
- enforce our Terms of Service;
- establish, exercise or defend legal claims.
6. Lawful bases under UK GDPR
Where UK GDPR applies, we rely on one or more of the following lawful bases.
| Purpose | Lawful basis |
| --- | --- |
| Creating and managing your account | Contract, legitimate interests |
| Providing the Services | Contract, legitimate interests |
| Managing workspace users and permissions | Contract, legitimate interests |
| Billing, invoicing and subscription administration | Contract, legal obligation, legitimate interests |
| Payment processing | Contract, legitimate interests |
| Customer support | Contract, legitimate interests |
| Security, fraud prevention and abuse detection | Legitimate interests, legal obligation |
| Product diagnostics, reliability and service improvement | Legitimate interests |
| Service, account, billing and security communications | Contract, legitimate interests |
| Marketing to business contacts | Consent or legitimate interests, depending on the context and applicable law |
| Cookie-based analytics or marketing, if used | Consent, where required |
| Processing public marketplace or business data | Legitimate interests |
| Legal, tax and accounting compliance | Legal obligation |
| Legal claims and enforcement | Legitimate interests |
Our legitimate interests include operating and improving a secure SaaS business, providing marketplace intelligence to business customers, preventing misuse, supporting customers, maintaining service reliability, understanding product performance, communicating with business users, protecting our rights and developing our business.
Where we rely on consent, you may withdraw consent at any time. Withdrawal does not affect processing that occurred before consent was withdrawn.
7. Cookies and similar technologies
Apilot.co may use cookies and similar technologies.
At present, Apilot uses a strictly necessary first-party cookie named apilot_session for login, session management, authentication, security and core service functionality. In production, this cookie can last up to 7 days and uses SameSite=Lax, Secure and HttpOnly protections.
This cookie is required for the Services to work properly. It is not used for advertising, retargeting or selling personal information.
If we introduce non-essential cookies or similar technologies in the future, such as analytics cookies, advertising cookies, retargeting pixels, heatmap tools or marketing attribution cookies, we will update our Cookie Policy and provide consent controls where required by law.
You can find more information in our Cookie Policy.
8. Marketing communications
We may send marketing communications to business contacts where permitted by law.
You can opt out of marketing emails at any time by using the unsubscribe link in the email or by contacting [email protected] or [email protected].
Even if you opt out of marketing, we may still send service, security, billing, legal and account-related messages.
If you receive an email from us in error or no longer want to hear from us, please let us know and we will update our records.
9. Referral links and campaign parameters
We may use referral parameters, promotional links or campaign URLs, including parameters such as ?ref=, to understand where visitors or customers came from.
Unless we introduce a formal affiliate, referral or partner programme under separate written terms, referral parameters are used only for internal attribution, diagnostics, campaign analysis or abuse prevention.
We do not use referral parameters to create automated legal rights to commission, payment, credit or revenue share.
10. Sharing personal data
We may share personal data with trusted third parties where necessary for the purposes described in this Privacy Policy.
These may include:
- hosting and cloud infrastructure providers;
- database and storage providers;
- payment processors, such as Stripe;
- authentication and security providers;
- email and communication providers;
- customer support or ticketing providers;
- analytics or diagnostics providers, if used;
- AI model or processing providers, if used for service features;
- professional advisers, including lawyers, accountants and auditors;
- regulators, courts, law enforcement or public authorities where required;
- potential buyers, investors, lenders, insurers or advisers in connection with a merger, acquisition, financing, restructuring or sale of assets;
- third parties where necessary to enforce our Terms, protect rights, prevent harm, investigate abuse or comply with law.
We require service providers to process personal data only for agreed purposes and to apply appropriate security measures.
We do not sell personal data for money.
11. International transfers
Apilot is based in the United Kingdom.
Some of our service providers may process personal data outside the United Kingdom or outside your country of residence, including in the United States or the European Economic Area.
Where required, we use appropriate safeguards for international transfers, such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, standard contractual clauses or other legally recognised transfer mechanisms.
12. Security
We use technical and organisational measures designed to protect personal data, including appropriate combinations of:
- access controls;
- authentication;
- password hashing;
- encryption where appropriate;
- logging and monitoring;
- backups;
- least-privilege access;
- supplier controls;
- secure development and deployment practices;
- security review processes.
No online service is completely secure. You are responsible for keeping your login credentials secure, controlling workspace access, protecting API keys and promptly notifying us of suspected unauthorised access.
13. Retention
We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, maintain security, support audits and preserve business records.
Indicative retention periods are:
| Data type | Typical retention |
| --- | --- |
| Account data | For the life of the account plus a reasonable closure period |
| Billing and tax records | Up to 7 years or as required by law |
| Support records | Up to 6 years after the last interaction, unless deleted earlier |
| Security and server logs | Usually between 30 days and 24 months, depending on risk and operational need |
| Marketing contacts | Until opt-out, deletion request or loss of business relevance |
| Cookie/session data | For the period required for login, session and security purposes |
| Customer Data | According to account status, plan limits, operational requirements and backup cycles |
| Backups | Deleted or overwritten according to backup cycles |
We may anonymise or aggregate data so that it no longer identifies an individual. We may use anonymised or aggregated data for analytics, benchmarking, product improvement and business purposes.
14. Your UK and EEA data protection rights
Depending on your location and the applicable law, you may have rights to:
- access your personal data;
- correct inaccurate personal data;
- request deletion of personal data;
- restrict processing;
- object to processing;
- receive a copy of your personal data in a portable format;
- withdraw consent, where processing is based on consent;
- complain to a supervisory authority.
To exercise your rights, contact [email protected].
We may need to verify your identity before responding. Some rights are subject to exemptions and limitations. For example, we may need to keep certain information for legal, security, tax, accounting, fraud prevention or dispute purposes.
If you are in the United Kingdom, you can complain to the Information Commissioner’s Office. We would appreciate the opportunity to resolve your concern first, so please contact us before making a complaint where possible.
15. EU users and customers
Apilot is established in the United Kingdom and operates from the United Kingdom.
If you are located in the European Union or European Economic Area, you may have rights under applicable EU data protection laws. We will respect applicable mandatory rights where they apply.
Where required by law, we may appoint an EU representative or take other steps to comply with EU data protection requirements. If this becomes necessary, we will update this Privacy Policy.
Nothing in this Privacy Policy is intended to remove mandatory privacy or data protection rights that cannot be excluded by law.
16. US privacy notice
US privacy laws vary by state. Depending on where you live and whether applicable thresholds are met, you may have rights to know, access, correct, delete or obtain a copy of personal information, and to opt out of certain processing.
Apilot does not sell personal information for money.
Apilot does not knowingly sell or share personal information of children.
Apilot does not intentionally collect personal information from children under 18.
If we introduce advertising cookies, retargeting pixels or cross-context behavioural advertising in the future, we will update this Privacy Policy and provide any required opt-out mechanisms.
16.1 Categories of personal information collected
In the last 12 months, we may have collected the following categories of personal information:
- identifiers, such as name, email address, IP address and account identifiers;
- commercial information, such as subscription, billing and invoice records;
- internet or electronic network activity, such as usage logs, device data and session data;
- approximate geolocation data derived from IP address;
- professional or employment-related information, such as company name and job title;
- inferences, such as product usage preferences or likely feature interests.
16.2 Sources
We collect personal information from you, your organisation, your use of the Services, service providers, payment processors, public sources, marketplaces and business contact sources.
16.3 Purposes
We use personal information for the purposes described in this Privacy Policy, including providing the Services, security, billing, support, product improvement, marketing, compliance and legal claims.
16.4 Disclosure
We may disclose personal information to service providers, contractors, professional advisers, legal authorities and business transaction parties as described in this Privacy Policy.
16.5 Sale or sharing
We do not sell personal information for money.
If we use advertising, retargeting or cross-context behavioural advertising cookies in the future, this may be considered “sharing” or “targeted advertising” under some US state laws. In that case, we will provide required notices and opt-out mechanisms.
16.6 Sensitive personal information
We do not intentionally collect or use sensitive personal information for the purpose of inferring characteristics.
16.7 California and similar state rights
Where applicable law gives you these rights, you may have the right to:
- know what personal information we collect, use, disclose, sell or share;
- access personal information;
- correct inaccurate personal information;
- delete personal information;
- obtain a copy of personal information;
- opt out of sale, sharing or targeted advertising where applicable;
- limit use and disclosure of sensitive personal information where applicable;
- not be discriminated against for exercising privacy rights.
To exercise rights, contact [email protected]. You may use an authorised agent where permitted by law. We may verify your identity before responding.
17. Children
The Services are not intended for children or anyone under 18.
We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact [email protected] and we will take appropriate steps.
18. Automated processing and AI-assisted features
The Services may use automation and AI-assisted features to generate alerts, summaries, classifications, explanations, recommendations or reports for business users.
We do not intend to make decisions based solely on automated processing that produce legal or similarly significant effects on individuals.
Customers are responsible for reviewing outputs before relying on them or taking action based on them.
19. Data processing on behalf of customers
Where a customer provides personal data for Apilot to process on the customer’s behalf, the customer is responsible for ensuring that it has a lawful basis, provides required notices, respects individual rights and complies with applicable law.
In that context, Apilot may act as a processor, service provider or contractor, and additional data processing terms may apply.
If you require a data processing agreement, contact [email protected].
20. Changes to this Privacy Policy
We may update this Privacy Policy from time to time.
The updated version will be posted on our website with a new effective date. If changes are material, we will use reasonable efforts to notify active customers.
Your continued use of the Services after the updated Privacy Policy takes effect means that you acknowledge the updated Privacy Policy.