Privacy Policy

 

Company

Pyro.Solutions Ltd. (“Pyro.Solutions”, “we”, “us”, “our”) is a private limited company registered in England and Wales with company number 12819642. Our registered office is:

85 Great Portland Street, First Floor,
London, W1W 7LT, United Kingdom.

Pyro.Solutions Ltd. is registered with the UK Information Commissioner’s Office (ICO) under registration name and number: Pyro.Solutions Ltd – ZB003213, renewed annually.

This Privacy Policy (“Privacy Policy”), together with our Service Agreements and any other documents referred to in it, sets out the basis on which any personally identifiable information (“Personal Data”) we collect, receive, or otherwise process will be handled by us.

Roles

Pyro.Solutions may act as both a data controller and a data processor, depending on the context in which we process personal data.

When we are a Data Controller

We act as a controller when we decide why and how personal data is processed for our own purposes, including:

  • managing user accounts and access to our services

  • sending necessary service communications and product updates

  • managing contracts, invoicing and account administration

  • carrying out business development and customer relationship management

  • securing and improving our services and infrastructure

  • complying with our legal and regulatory obligations

  • performing analytical processing using public-register and other public sources of information (e.g. for philanthropic capacity insight).

In relation to our use of publicly available corporate information, we are a data controller only at the point when we process this information because we determine the purposes and means of analysing public data to provide insights to our clients.

When we are a Data Processor

We act as a processor when we process personal data on behalf of our clients and only in line with their documented instructions, typically under a Service Agreement. This includes situations where:

  • clients upload or transfer their own data into Orbit, Nova, or other Pyro.Solutions tools

  • we host, store, process, or analyse that client-supplied data solely to deliver our contracted services.

In these cases, the client is the data controller, and Pyro.Solutions is the data processor.

Legal Basis for Processing

We are required by UK data protection law to identify a lawful basis for each category of processing we carry out.

As a Data Controller

We rely on the following lawful bases:

  • Contractual necessity (Article 6(1)(b) UK GDPR) – where processing is necessary to enter into or perform a contract with you or your organisation, for example:

    • creating and managing user accounts

    • providing access to our services

    • handling billing, invoicing, and account queries.

  • Legal obligation (Article 6(1)(c)) – where we must process personal data to comply with laws and regulations, including tax and accounting rules, and obligations under data protection law itself.

  • Legitimate interests (Article 6(1)(f)) – where processing is necessary for our legitimate interests or those of a third party, and those interests are not overridden by the rights and freedoms of individuals. Our legitimate interests include:

    • operating, maintaining and improving our services

    • safeguarding our systems, preventing fraud, misuse or security incidents

    • managing relationships with existing and potential clients

    • sending service-related updates, training information, and relevant product information to existing users

    • analysing publicly available data to provide philanthropic capacity insights and prospect analysis to our clients.

Legitimate Interests – Public Data Analysis

When we process publicly available corporate information (for example, data from Companies House and other market registers) to provide philanthropic capacity analysis, prospect identification, and strategic planning insights, we rely on legitimate interests as our lawful basis.

In particular:

  • the processing supports not only our legitimate business interests but also the charitable and public-benefit objectives of our clients (for example: education, health, poverty relief, international development, community projects);

  • we use only non-sensitive, publicly disclosed information, typically relating to corporate and financial roles, directorships, shareholdings, business activity, and other data made public under statutory regimes;

  • we do not use consumer credit histories, behavioural tracking, special category data, or criminal offence data for these purposes;

  • our outputs are advisory, not determinative – they are used by fundraising professionals as one input into human-led decision-making, and they do not themselves decide eligibility for any product or service.

We have carried out a Legitimate Interests Assessment to ensure that these interests are not overridden by the rights and freedoms of individuals whose information appears in public registers.

As a Data Processor

When acting as a processor on behalf of clients, we rely on the lawful basis determined by the client (the data controller). We process such data solely under their instructions, as set out in the relevant Service Agreement or Data Processing Agreement.

Information We May Hold

Information you give us

If you decide to use our services, you may be required to provide some or all of the following information (depending on the service and contract):

  • full name

  • work email address

  • job title or role

  • organisation / employer

  • contact details (such as phone number)

  • correspondence relating to the service, e.g. support requests.

This information is typically collected when:

  • you or your organisation sign up to or trial one of our services (such as Code-fi, Orbit, Nova)

  • you contact us with a question or support request

  • you enter into a contract with us on behalf of your organisation.

Service-Specific

  • Code-fi – we require user information such as name and email for logins. Code-fi can be used with publicly available information sourced by the user, or optional functionality that may involve personally identifiable information. Before service commences, we will issue a Service Agreement contract setting out roles and responsibilities.

  • Orbit – we require user information such as name and email for logins. The use of the service relies on the provision of client data, which may include personally identifiable information. Before service commences and any data is provided, we will issue a Service Agreement contract confirming that, in respect of client-supplied data, we act as a processor.

  • Nova – we require user information such as name and email for logins. The use of the service relies on the provision of client data, which may include personally identifiable information. Before service commences and any data is provided, we will issue a Service Agreement contract confirming the controller–processor relationship.

We will not request irrelevant or excessive information. We will never knowingly request or process special category data (such as data about health, religion, or political beliefs) in the provision of our services.

Where users input personal data into our services and software, Pyro.Solutions acts as a controller or processor in line with the contractual arrangements agreed with the client.

Information we use for service provision – Public and Corporate Sources

For provision of our analytical services, Pyro.Solutions uses publicly available information from reputable business and financial sources. These may include:

  • London Stock Exchange, New York Stock Exchange, NASDAQ, ASX, Euronext Paris, Deutsche Börse

  • Companies House (accessed under the Companies Act 2006, Small Business Enterprise & Employment Act 2015 and Open Government Licence v3.0)

  • The Securities and Exchange Commission (SEC) and other official market regulators

  • Established business and financial news outlets

  • Newspapers such as the Financial Times, The Telegraph, The Times and City AM

  • Company websites, investor relations pages, annual reports and press releases

  • Sector, recruitment and industry reports.

Source of Public Data (Article 14 Transparency)

All public-register data we use originates from statutory and official registers and similar corporate registries.

  • We do not collect this data directly from individuals.

  • The original collection, validation and publication of this data are the responsibility of the register operator.

  • We do not alter the underlying factual information; instead, we analyse and model them to generate derived insights.

When individuals submit information to such registers, they are informed through their Privacy Notice which we review to ensure adequate notification is provided on the relevant of use of such data.

Purpose and Use of Public Data

We process this publicly available information solely to:

  • identify potential prospects for philanthropy;

  • assess financial capacity and create indicative capacity bands or scores, such as philanthropic capacity;

  • support prioritisation of prospects by philanthropy teams;

  • help charities and non-profits understand capacity patterns and concentrations in their supporter or prospect base;

  • provide analytics and reports to assist with strategic planning.

We do not use this public data for unrelated purposes, nor do we sell raw public-register datasets to third parties.

Impact and Minimisation

The public-register data we use is:

  • non-sensitive (no special category data)

  • generally focused on corporate roles and business activities rather than private life

  • already lawfully in the public domain by statutory requirement

Our analysis is advisory in nature. The outcomes are used by our clients as one input in their broader prospect development and fundraising strategies. We do not make solely automated decisions that have legal or similarly significant effects on individuals (for example, we do not decide whether anyone may receive a product, be granted credit, or be refused a service solely on the basis of our processing).

Information we may collect about you

Website Information

Each time you visit our website or use our services, we may automatically collect information about your device and interaction with our platforms, such as:

  • IP address

  • browser type and version

  • operating system

  • pages or screens visited and time spent on them

  • date and time of access

  • referring URLs

  • basic diagnostic logs and error reports.

We use this information to:

  • operate and secure our services

  • understand how our platforms are used

  • detect and prevent fraud and abuse

  • improve performance and usability.

Some of this information may be collected using cookies or similar technologies. Our cookie usage is kept to what is necessary to operate and improve the service; where we use non-essential cookies for analytics or similar purposes, we will seek consent in line with applicable laws.

Information we may obtain from other sources (CRM and business development)

In the context of our own customer relationship management and business development, we may collect and use information about existing and potential clients and users from publicly available sources, such as:

  • professional social media (e.g. LinkedIn)

  • corporate websites and staff profiles

  • conference or event speaker lists and delegate lists (where lawfully made available)

  • business directories and sector publications.

The information we may research includes:

  • job title and role

  • business contact email address

  • employer organisation and sector

  • professional biography or profile.

We use this information to:

  • maintain and update our customer records

  • verify contract and billing information

  • understand our user base and markets

  • send relevant communications about training, product updates or services, where it is lawful to do so.

Disclosure of Your Information

We use the information we hold for the purposes set out above and may share it only in the circumstances below.

We may share personal data with:

  • Members of our corporate group, meaning our subsidiaries, our ultimate holding company and its subsidiaries (if any), as defined in section 1159 of the UK Companies Act 2006.

  • Service providers and sub-processors who supply infrastructure, hosting, storage, security, email, logging, analytics or similar services required for us to provide, secure and optimise our services.

  • Professional advisers, such as auditors, legal advisers, accountants or insurers, where necessary for legitimate business purposes.

  • Regulators, law enforcement, courts or other public authorities, where we are legally obliged to do so or where it is necessary to protect our rights, property or safety, or that of our clients or others.

  • Potential buyers or investors, in the event of a merger, acquisition, restructuring, or sale of our business or assets, in which case personal data may be disclosed under appropriate confidentiality terms.

We do not sell, rent or trade personal data to third parties for their own independent marketing purposes.

Where we engage a third party as a processor, we ensure that they are bound by a written contract that requires them to:

  • process personal data only on our documented instructions;

  • keep personal data secure;

  • assist us in meeting our obligations under data protection law.

International Transfers

Some of our service providers and sub-processors may be located outside the UK (and, where relevant, outside the European Economic Area). Where this is the case, and their processing involves the transfer of personal data internationally, we will ensure that such transfers are carried out in accordance with applicable data protection law, for example by:

  • relying on an adequacy decision; or

  • entering into appropriate standard contractual clauses or international data transfer agreements; and

  • assessing the level of protection in the destination country and applying additional safeguards where necessary.

Marketing Communications

Pyro.Solutions does not currently operate a general marketing newsletter. However, we may from time to time send you email communications in order to:

  • update you about new features of a product you use

  • provide information about training or support relevant to your existing service

  • inform you of changes to our terms, policies, or technical status.

We rely on legitimate interests or, where required, your prior consent, to send these communications. You may opt out of non-essential communications at any time by following the unsubscribe instructions in the email or by contacting us at team@pyro.solutions.

We do not use public-register data to send marketing communications directly to individuals whose details appear on those registers.

Security

Pyro.Solutions uses appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction or damage. These measures include, where appropriate:

  • encryption of data in transit and at rest

  • logical access controls and role-based access permissions

  • secure development and testing practices

  • regular patching and maintenance of infrastructure

  • logging and monitoring for security events

  • staff training and confidentiality obligations.

Where we have given you (or you have chosen) a password to access certain parts of our services, you are responsible for keeping this password confidential and not sharing it with anyone else.

For a more detailed description of our information security measures, please request our Security Policy.

Sub-Processor List

A sub-processor is a third-party technology provider engaged by Pyro.Solutions to assist with the delivery of our services (for example, cloud hosting, database, logging or email delivery).

Where we act as a data processor on behalf of a client, sub-processors may have access to client-provided personal data only to the extent necessary to provide their service. Pyro.Solutions ensures that sub-processors are contractually bound by equivalent data protection obligations.

A current list of sub-processors, including their roles and locations, is available upon request.

Data Retention

As a Data Controller

We retain personal data for as long as reasonably necessary for the purposes set out in this Privacy Policy, including to:

  • manage your account and provide services

  • respond to queries or complaints

  • maintain business and financial records

  • comply with legal and regulatory obligations

  • prevent fraud or misuse.

When your account is closed or you cease using the service, we may retain certain limited account, contract and transaction data where reasonably necessary to comply with our legal obligations, meet regulatory requirements, maintain security, prevent fraud and abuse, resolve disputes, enforce our agreements and manage informed customer relationship activity. If no such obligations apply, we aim to delete or anonymise personal data within 24 months of account closure.

As a Data Processor

When we process personal data on behalf of a client, we retain it only for as long as instructed by the client and will securely delete or return it on request or on termination of the relevant agreement, subject to any legal obligations that require a longer retention by the client.

Links to Other Websites & Services

Our website or services may contain links to third-party websites, services or resources (for example, partners, industry bodies, or media sources). These sites and services have their own privacy policies, and we do not accept responsibility or liability for their content or practices. We encourage you to review the privacy policies of any third-party sites you visit.

Automated Decision-Making & Profiling

We do not carry out automated decision-making that produces legal effects concerning individuals or similarly significantly affects them.

We do carry out profiling and scoring in the sense that we analyse public corporate and business data to generate indicative capacity assessments and segment prospects into groups. These profiles and scores are:

  • based on public, non-sensitive information

  • advisory only, to aid human judgement

  • used by our clients (charities and philanthropy teams) as one input to their prospect development and strategy

  • not do not make credit, employment, insurance, or other high-impact decisions.

Your Rights

Under UK data protection law, you have a number of rights in relation to your personal data. These may include (subject to certain conditions and exemptions):

  • Right of access – to obtain confirmation as to whether we process your personal data and, if so, to receive a copy.

  • Right to rectification – to have inaccurate or incomplete personal data corrected.

  • Right to erasure – to request deletion of certain personal data where there is no compelling reason for its continued processing. Please note that we do not control and therefore cannot erase information originating from public registers, however we can suppress processing your personal data from our services upon request.

  • Right to restriction – to request that we suspend processing of your personal data in certain circumstances (for example, while we verify its accuracy or consider an objection).

  • Right to object – to object to processing based on legitimate interests, including profiling; we will stop processing unless we can demonstrate compelling legitimate grounds which override your interests, rights and freedoms, or the processing is for legal claims.

  • Right to data portability – to receive certain personal data in a structured, commonly used and machine-readable format and/or request that we transmit it to another controller.

  • Right to withdraw consent – where we rely on consent, you have the right to withdraw it at any time. This will not affect the lawfulness of processing based on consent before withdrawal.

You can exercise your right to erasure or suppression by contacting team@pyro.solutions.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in law, regulation, or our services. We will post any updates on this page and, where appropriate, notify you via email or through the service.

This Privacy Policy was last reviewed in October 2025.

Contact Us

If you have any questions, comments or requests regarding this Privacy Policy or our handling of personal data, please contact us at:

  • Email: team@pyro.solutions

  • Office: Pyro.Solutions Ltd, 85 Great Portland Street, First Floor, London, W1W 7LT, United Kingdom.