Privacy Policy

How Phytoventures Ltd collects, uses, and protects your personal data.

Last updated: 30 March 2026 Phytoventures Ltd (Company No. 16388003)

1. Introduction

Phytoventures Ltd ("we", "us", "our") is committed to protecting your privacy and handling your personal data transparently and lawfully. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit or interact with our website at phytoventures.net (the "Website"), use our Client Portal, or engage with any of our services.

Phytoventures Ltd (Company Number: 16388003), registered at Belmont Suite, Chorley New Road, Horwich, Bolton, BL6 6HG, is the data controller for the purposes of applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Our Data Protection Officer (DPO) can be contacted at [email protected].

This policy covers all personal data processed by Phytoventures Ltd across all of our services, including the Client Portal, CannConnect events, Ask Patients surveys, the intelligence service, the free website programme, and all professional services we provide.

2. Information We Collect

2.1 Account Information

When you register for a Client Portal account or engage our services, we may collect:

  • Full name
  • Email address
  • Phone number
  • Business name
  • Business address
  • VAT number
  • Company registration number
  • Industry sector

2.2 Authentication Data

To secure your account, we process:

  • Magic link tokens (stored in hashed form only)
  • Two-factor authentication (2FA) secrets (stored in encrypted form)
  • Session data (session identifiers and expiry timestamps)

2.3 Financial Data

In connection with our billing and payment services, we may collect and process:

  • Invoice records and payment history
  • Bank details (for Accounts Payable purposes)
  • GoCardless Direct Debit mandate references
  • Revolut payment references
  • Credit facility records and credit limit information

2.4 Usage Data

When you use the Website or Client Portal, we automatically collect:

  • Login timestamps
  • IP addresses
  • User agent strings (browser type, version, operating system)
  • Pages visited and actions taken
  • Audit log entries (recording significant account actions for security purposes)

2.5 Communications

We collect data from your interactions with us, including:

  • Support tickets and correspondence
  • Comments and feedback
  • Survey responses (where we act as data processor — see Section 6)
  • Project files and deliverables shared through the Client Portal

2.6 Event Data

When you book or attend CannConnect events, we may collect:

  • Event bookings and attendance records
  • Sponsorship details and contracts
  • Electronic signatures

2.7 Third-Party Data

We may receive data from third-party services we use to process payments and deliver communications:

  • GoCardless: mandate status, payment status, and confirmation data
  • Revolut: payment confirmation data
  • Resend: email delivery status (delivered, bounced, opened)

3. How We Use Your Information

We use the personal data we collect for the following purposes:

  • Provide and manage our services — delivering web development, branding, platform development, AI and automation, compliance support, consulting, and other professional services.
  • Process payments and manage billing — issuing invoices, processing payments via GoCardless and Revolut, managing credit facilities, and generating financial statements.
  • Send transactional emails — invoices, magic link authentication emails, payment confirmations, status updates, and other service-related communications.
  • Manage your Client Portal account — account creation, authentication, session management, and account settings.
  • Process event bookings and sponsorships — managing CannConnect event registrations, sponsorship agreements, and related communications.
  • Distribute surveys — processing and distributing Ask Patients surveys on behalf of data controllers (clients).
  • Generate statements and financial reports — producing account statements, payment summaries, and financial reports for clients.
  • Provide customer support — responding to support tickets, resolving issues, and managing client communications.
  • Ensure security — audit logging, rate limiting, fraud prevention, and protecting against unauthorised access.
  • Comply with legal obligations — meeting our regulatory, tax, and legal requirements, including responding to law enforcement requests.
  • Improve our services — analysing usage patterns to enhance the Website, Client Portal, and our service delivery.

4. Legal Basis for Processing

We process your personal data on the following legal bases under the UK GDPR:

  • Contract performance (Article 6(1)(b)) — processing necessary to perform our contractual obligations to you, including delivering services, managing your Client Portal account, and processing payments.
  • Legitimate interests (Article 6(1)(f)) — processing necessary for our legitimate business interests, including operating and improving our Website and services, ensuring security, preventing fraud, and maintaining audit logs. We ensure these interests do not override your fundamental rights and freedoms.
  • Legal obligation (Article 6(1)(c)) — processing required to comply with our legal obligations, including tax record-keeping (HMRC requirements), anti-money laundering regulations, and responding to law enforcement requests.
  • Consent (Article 6(1)(a)) — where we process data based on your consent, such as for marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5. Data Sharing

We share your personal data only with the following categories of recipients, and only to the extent necessary:

  • GoCardless — payment processing service. We share mandate and payment data to process Direct Debit payments. See GoCardless Privacy Policy.
  • Revolut — payment processing service. We share payment references to process and reconcile payments. See Revolut Privacy Policy.
  • Resend — email delivery service. We share email addresses for the purpose of sending transactional emails only (invoices, magic links, status updates). See Resend Privacy Policy.
  • Cloudflare — content delivery and DDoS protection. Cloudflare may process IP addresses and request headers to protect our Website from malicious traffic. See Cloudflare Privacy Policy.
  • Debtist — debt collection service. Where an invoice remains unpaid for 30 days past its due date, we may share your name, company name, email address, phone number, postal address, and details of the outstanding debt (invoice number, amount, and due date) with Debtist GmbH for the purpose of debt recovery. This processing is carried out on the basis of our legitimate interest in recovering monies owed under Article 6(1)(f) UK GDPR. See Debtist Privacy Policy.
  • Law enforcement — we will only share personal data with law enforcement agencies when we are legally compelled to do so, such as in response to a valid court order or statutory obligation. For more information, see our Law Enforcement & Data Disclosure Policy.

We do NOT sell your personal data. We do NOT share your personal data with third parties for their marketing purposes.

6. Ask Patients — Data Processor Role

When clients create and distribute surveys through our Ask Patients service, the following data protection arrangements apply:

  • The client is the data controller for all survey respondent data. The client determines the purposes and means of processing survey respondent personal data.
  • Phytoventures Ltd is the data processor, processing survey respondent data solely on behalf of and in accordance with the instructions of the client.
  • Survey respondents consent to the client's privacy policy, not ours. It is the client's responsibility to provide respondents with a clear and lawful privacy notice.
  • We do not use survey response data for our own purposes. We do not access, analyse, or share survey response data except as necessary to provide the Ask Patients service to the client or as required by law.
  • A Data Processing Agreement (DPA) is included as part of the Ask Patients contract with each client.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:

  • Account data: retained while your account is active, plus 6 years after account closure (to meet legal and tax obligations).
  • Financial records: 6 years from the date of the transaction (as required by HMRC).
  • Audit logs: 2 years from the date of the log entry.
  • Magic link tokens: deleted immediately after use or upon expiry (15 minutes), whichever occurs first.
  • Session data: automatically expires after 8 hours of inactivity.
  • Support tickets: retained while your account is active. Deleted upon account closure, subject to any legal retention requirements.
  • Survey responses (Ask Patients): retained until the data controller (client) requests deletion. As data processor, we delete survey data in accordance with the client's instructions.

8. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
  • Right to restrict processing — request that we limit how we use your data in certain circumstances.
  • Right to data portability — request your data in a structured, commonly used, machine-readable format.
  • Right to object — object to our processing of your personal data where we rely on legitimate interests as the legal basis.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to complain — lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated.

How to exercise your rights: You may submit a request by emailing [email protected], or by using our Subject Access Request page. We will respond to your request within one month. In complex cases, we may extend this by a further two months, and we will inform you if this is necessary.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include:

  • HTTPS everywhere — all data transmitted between your browser and our servers is encrypted using TLS.
  • Helmet security headers — HTTP security headers to protect against common web vulnerabilities.
  • Bcrypt password hashing — where passwords are used, they are hashed using bcrypt with appropriate salt rounds.
  • Encrypted sessions — session data is encrypted and stored securely.
  • Rate limiting — protection against brute-force attacks and abuse on all authentication endpoints and forms.
  • Two-factor authentication (2FA) — available for all Client Portal accounts for enhanced security.
  • Regular security audits — periodic reviews of our security practices and infrastructure.
  • Access controls — strict role-based access controls to limit who can access personal data within our organisation.
  • Data minimisation — we only collect and process personal data that is necessary for the stated purpose.

10. Cookies

Our Website uses only essential session cookies required for the site and Client Portal to function correctly:

  • connect.sid — a session cookie used for authentication in the Client Portal. This cookie is essential for maintaining your logged-in state and expires when your session ends or after 8 hours of inactivity.

We do not use analytics cookies, advertising cookies, or tracking cookies.

Cloudflare, which provides content delivery and security for our Website, may set its own security cookies (such as __cf_bm) to distinguish between humans and bots. These are strictly necessary cookies and do not track you for advertising purposes.

11. International Transfers

Your personal data is primarily stored on servers located in the United Kingdom and the European Union.

Some of our third-party service providers may process data in the United States or other countries outside the UK. Where international transfers occur, we ensure appropriate safeguards are in place:

  • GoCardless — may process data in the EU/UK under their own GDPR compliance framework.
  • Resend — may process data in the United States under Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner.
  • Cloudflare — operates a global network and may process data in various jurisdictions under Standard Contractual Clauses and their own data processing addendum.
  • Debtist — based in Germany (EU). Data transfers are covered by the UK-EU adequacy decision and Debtist's own GDPR compliance framework.

12. Children

Our Website and services are not directed at anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe that we have inadvertently collected personal data from a person under 18, please contact us immediately at [email protected] and we will take steps to delete the data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. Any changes will be published on this page with an updated "Last updated" date.

Where we make material changes that significantly affect how we process your personal data, we will notify you via email or through a notification in the Client Portal, in addition to updating this page.

14. Contact

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your personal data, please contact us:

  • Company: Phytoventures Ltd
  • Address: Belmont Suite, Chorley New Road, Horwich, Bolton, BL6 6HG
  • Privacy enquiries: [email protected]
  • Data Protection Officer: [email protected]
  • Company Number: 16388003
  • Registered in: England and Wales

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):