How Cerrax handles personal data, in plain terms.
Cerrax Ltd ("Cerrax", "we") provides a pricing engine for the removals industry. This policy explains what personal data we handle, why, and your rights. Questions: hello@cerrax.io.
Our role under UK data protection law depends on whose data it is:
From firms using Cerrax: account and contact details (name, company, email, phone), and the job inputs you enter to produce a price. Within job data: addresses/postcodes and job details, which may be personal data of your customers — processed only to produce and explain a price and record the outcome you tell us. From website visitors: what you submit in a demo or contact form. We do not record your browsing sessions or track behaviour for advertising.
We use only the cookies needed to make the site and service work (for example, keeping you signed in). We don't use advertising or cross-site tracking cookies. [If any analytics or non-essential cookies are added, a cookie banner and consent under PECR will be required — confirm current cookie use.]
Cerrax produces a price automatically from the inputs and settings provided. This is a tool for the firm: the firm decides what to charge its customer (see our Terms). The automated price is not a decision Cerrax makes about a customer that produces a legal or similarly significant effect on them within the meaning of UK GDPR Article 22. [Confirm with counsel given the model.]
Cerrax gets more accurate as it sees real outcomes. To do that we retain de-identified pricing and outcome data — the shape of a job and what it cost, stripped of the people involved. We erase the person and keep the anonymised job. Aggregated, anonymised insight may inform regional benchmarks; we never expose an individual firm's prices or any customer's identity. [Counsel to confirm the anonymisation standard and that, once de-identified, this falls outside personal-data processing.]
We don't sell personal data. We use a small set of service providers (sub-processors) under contract, currently including: cloud hosting and database (Google Cloud, UK/EU region) and geocoding (Google Maps, for distance from postcodes). Where the optional spreadsheet-import feature is used, those inputs are processed by an AI provider (Anthropic). [Maintain an accurate, current sub-processor list, reflect only services actually in use, and confirm what data each receives.]
We host data in the UK/EU. Some providers may process data outside the UK (for example, AI processing in the United States); where that happens we rely on appropriate safeguards such as the UK International Data Transfer Agreement / SCCs. [Confirm each provider's region and transfer mechanism, and that this matches the "UK-hosted" statement elsewhere on the site — and keep customers' personal data in the UK/EU unless a valid transfer mechanism is in place.]
Account and customer personal data: for as long as your account is active and a reasonable period after, unless we must keep it longer by law [specify periods]. De-identified outcome data: retained for the learning corpus. You can ask us to erase personal data (§12); committed pricing records are never silently altered, but personal identifiers within them can be redacted.
We'll send you service messages needed to run your account. If you ask for a demo or sign up, we may contact you about Cerrax; you can opt out of marketing at any time via the unsubscribe link or by emailing us. We follow PECR for any electronic marketing.
Under UK GDPR you can request access, correction, erasure, restriction, portability, and object to certain processing. For your customers' data (where we are processor), direct requests to the firm as controller; we assist them. To exercise a right, contact hello@cerrax.io.
Cerrax is a tool for businesses and is not directed at children. We don't knowingly collect data from children.
If you're unhappy with how we handle your data, tell us at hello@cerrax.io — we will acknowledge your complaint within 30 days and work to resolve it. You can also complain to the Information Commissioner's Office (ico.org.uk).
We protect data with access controls, encryption in transit and at rest via our cloud provider, and audited administrative actions. No system is perfectly secure, but we take reasonable measures appropriate to the data.
If a personal data breach occurs, we act promptly: where we are the controller we notify the ICO, and affected individuals where required; where we are a processor we notify the affected firm without undue delay so they can meet their own obligations.
We may update this policy; we'll post the new version here with a revised effective date.
Cerrax Ltd, [registered office address]. hello@cerrax.io.