GDPR Data Protection Policy

World Business Software Solutions
(A Division of Syhtek Software Solutions)

Last Updated: 01-01-2020

1. Introduction

This GDPR Data Protection Policy explains how World Business Software Solutions processes, protects and manages personal data in accordance with the General Data Protection Regulation (GDPR) for individuals located within the European Economic Area (EEA) and the United Kingdom.

This policy applies to all personal data processed in connection with:

  • Websites
  • Software systems
  • Ecommerce platforms
  • Wholesale systems
  • Recycling and buyback systems
  • Backend infrastructure
  • Hosting environments
  • APIs and integrations
  • Business automation platforms
  • Client-managed systems

World Business Software Solutions operates as a provider of advanced digital infrastructure for serious commercial businesses, including wholesalers, retailers, distributors, recycling companies and global trading organisations.

Due to the nature of our services, we may process personal data both directly and on behalf of our clients.

This policy is designed to clearly explain:

  • How GDPR applies to our operations
  • How personal data is handled
  • What rights individuals have
  • How responsibilities are divided between us and our clients

2. Scope of GDPR Application

This policy applies where:

  • Personal data relates to individuals located in the EEA or UK
  • Data is processed in connection with offering services to those individuals
  • Data is processed within systems accessible from Europe
  • Data is handled as part of international business operations involving European markets

GDPR applies regardless of where our systems or servers are physically located if the data relates to EU or UK individuals.

3. Data Controller and Data Processor Roles

Due to the nature of our services, we operate in two distinct roles.

3.1 When We Act as Data Controller

We act as a data controller when processing personal data for our own purposes, including:

  • Website enquiries
  • Client onboarding
  • Business communications
  • Account management
  • Support services
  • Billing and invoicing
  • Internal operations
  • Security monitoring

In these cases, we determine:

  • What data is collected
  • Why it is collected
  • How it is processed

3.2 When We Act as Data Processor

We act as a data processor when:

  • Hosting client platforms
  • Managing infrastructure
  • Supporting databases
  • Processing data within client systems
  • Providing technical services

In these situations:

  • The client is the data controller
  • We process data only on their instructions
  • We do not control how or why the data is collected

3.3 Client Responsibilities Under GDPR

Clients using our systems must ensure:

  • Lawful basis for data collection
  • Clear privacy notices to their users
  • Proper consent mechanisms where required
  • Handling of data subject rights
  • Compliance with GDPR and local laws

We are not responsible for how clients collect or use personal data within their own systems.

4. Categories of Personal Data

We may process the following categories of personal data:

4.1 Identification Data

  • Name
  • Company name
  • Job title

4.2 Contact Data

  • Email address
  • Phone number
  • Business address

4.3 Account Data

  • Login credentials
  • User roles
  • Access permissions

4.4 Transaction Data

  • Orders
  • Payments
  • Invoices

4.5 Technical Data

  • IP addresses
  • Browser information
  • Device data
  • Usage logs

4.6 Operational Data

  • Inventory records
  • Customer orders
  • Supplier data
  • Business activity records

4.7 Communication Data

  • Emails
  • Support tickets
  • Messages

5. Lawful Basis for Processing

Under GDPR, we process personal data only where there is a lawful basis.

5.1 Contractual Necessity

Processing required to deliver services, systems and support.

5.2 Legitimate Interests

Processing necessary for:

  • Business operations
  • Security
  • System improvement
  • Fraud prevention

5.3 Legal Obligation

Processing required for:

  • Tax compliance
  • Legal reporting
  • Regulatory requirements

5.4 Consent

Used where required, including:

  • Marketing communications
  • Certain cookies

6. Principles of Data Processing

We follow GDPR core principles:

6.1 Lawfulness, Fairness and Transparency

Data is processed lawfully and clearly.

6.2 Purpose Limitation

Data is used only for defined purposes.

6.3 Data Minimisation

Only necessary data is collected.

6.4 Accuracy

Data should be accurate and up to date.

6.5 Storage Limitation

Data is not kept longer than necessary.

6.6 Integrity and Confidentiality

Data is protected against unauthorised access.

7. Data Subject Rights

Individuals under GDPR have the following rights:

7.1 Right of Access

To request access to their personal data.

7.2 Right to Rectification

To correct inaccurate data.

7.3 Right to Erasure

To request deletion of data where applicable.

7.4 Right to Restrict Processing

To limit how data is used.

7.5 Right to Data Portability

To receive data in a usable format.

7.6 Right to Object

To object to certain types of processing.

7.7 Right to Withdraw Consent

To withdraw consent where consent is used as a legal basis.

7.8 Handling of Requests

We may:

  • Request identity verification
  • Limit requests where legally justified
  • Refer requests to the data controller (client) where applicable

8. Data Security and Protection Measures

We implement appropriate security measures, including:

  • Access controls
  • Authentication systems
  • Secure infrastructure
  • Monitoring and logging
  • Data handling procedures

However:

  • No system is completely secure
  • Clients must also maintain their own security practices

Responsibility for external systems such as hosting, domains, SSL, Cloudflare and third-party tools may remain with the client unless managed under agreement.

9. Data Retention

We retain personal data only as long as necessary for:

  • Service delivery
  • Legal obligations
  • Business records

After this:

  • Data may be deleted
  • Data may be anonymised

Clients are responsible for their own retention policies within their systems.

10. International Data Transfers

As a global service provider, we may transfer data internationally.

This may include:

  • Cloud infrastructure
  • Global clients
  • Cross-border operations

We take reasonable steps to ensure safeguards are in place.

11. Third-Party Processors

We may use third-party providers for:

  • Hosting
  • Payments
  • Communication
  • Analytics

These providers are expected to:

  • Maintain data protection standards
  • Process data securely
  • Follow contractual obligations

We are not responsible for failures of third-party services.

12. Data Breach Procedures

In the event of a data breach:

  • We may investigate immediately
  • We may notify affected parties where required
  • We may take corrective action

Clients must also secure their own systems and access.

13. Data Protection by Design and Default

We consider data protection in system design, including:

  • Access controls
  • Role-based permissions
  • Secure architecture
  • Data minimisation

However, final implementation and usage depend on the client’s setup and operation.

14. Cookies and Tracking (GDPR Context)

Where required under GDPR:

  • Consent may be obtained before using non-essential cookies
  • Users may manage preferences

Full details are provided in the Cookie Policy.

15. Accountability and Compliance

We take reasonable steps to:

  • Maintain compliance awareness
  • Apply data protection practices
  • Work with clients responsibly

However:

  • Clients remain responsible for their own compliance
  • We do not act as a legal authority

16. Limitations of Responsibility

We are not responsible for:

  • Client misuse of data
  • Failure to obtain consent
  • Incorrect data collection practices
  • External system failures
  • Third-party breaches

Our role is to provide systems, not control how businesses use them.

17. Updates to This Policy

We may update this policy to reflect:

  • Legal changes
  • System updates
  • Business operations

Continued use of services indicates acceptance.

18. Contact Information

For GDPR-related enquiries:

World Business Software Solutions
A Division of Syhtek Software Solutions

Contact via official company channels.

19. Final Statement

This GDPR Policy reflects our role as a provider of serious digital infrastructure for businesses operating at scale.

We are committed to:

  • Responsible data handling
  • Clear operational boundaries
  • Supporting compliant system use

However:

  • Clients remain responsible for their own data practices
  • Business systems must be properly managed
  • GDPR compliance is a shared responsibility
