This Privacy Policy explains how Citrus (operated by Software Citrus Ltd, "we", "us", "our") collects, uses, and protects your personal data when you use our website, book a free audit, or sign up to one of our service plans.
We follow UK GDPR (the UK General Data Protection Regulation) and the Data Protection Act 2018. If anything below isn't clear, email us at [email protected] and we'll explain in plain English.
1. Who we are
Citrus is a trading name of Software Citrus Ltd, a company registered in England and Wales. We provide done-for-you growth systems for UK service businesses across multiple industries.
For the purposes of UK GDPR, we are the data controller for any personal data we collect directly from visitors to our website, prospects who book an audit, and customers who sign up to a Citrus plan.
When we deliver our services to paying customers, we act as a data processor on behalf of those customers (who are the data controllers of their own end-customer data). A separate Data Processing Agreement governs that relationship.
2. What data we collect
Information you give us
- Booking and contact details when you book a free audit or fill in a form on our site — typically your name, email address, phone number, business name, website, and brief details about your business.
- Account details if you sign up to a Citrus plan — including billing address, payment information (processed by our payment provider), and any access credentials you choose to share with us so we can set up your system.
- Communications — emails, support messages, call recordings (with notice and consent), and notes from any calls or video meetings we have with you.
Information we collect automatically
- Website usage data — IP address, browser type, device type, pages visited, time on site, and referring URL. Collected via cookies and similar technologies (see our Cookie Policy).
- Cookies — small files placed on your device to make the site work and (with consent) to measure performance and effectiveness.
3. How we use your data
We use your personal data for the following purposes:
- To respond to enquiries — booking your audit, sending confirmations, following up on questions.
- To deliver our services — setting up your Citrus system, integrating with your existing tools, ongoing support and account management.
- To process payments and manage your account — billing, invoicing, payment collection.
- To communicate with you — service updates, important notices about your account, occasional product news (you can opt out of marketing emails at any time).
- To improve our service — analysing how people use our website and which features customers value most.
- To comply with legal obligations — keeping records for tax, anti-money laundering, and other regulatory requirements.
4. Legal basis for processing
Under UK GDPR we rely on the following legal bases:
- Contract — when we process data to deliver services you've requested or signed up for.
- Legitimate interests — when we process data to run our business effectively (e.g., responding to enquiries, improving our website, preventing fraud) where this doesn't override your rights.
- Consent — for non-essential cookies and any marketing communications where consent is required. You can withdraw consent at any time.
- Legal obligation — when we need to retain or process data to comply with UK law (e.g., HMRC records, AML checks).
5. Who we share your data with
We only share your data where necessary and with trusted partners. These include:
- HighLevel (LeadConnector) — our underlying CRM and automation platform, used to host customer-facing booking calendars, messaging inboxes, and workflows.
- Stripe — for payment processing. Payment card details are handled directly by Stripe and never stored on our systems.
- Google Workspace — for email and document hosting.
- Email and SMS delivery providers — for sending transactional and (with consent) marketing communications.
- Professional advisers — accountants, lawyers, or auditors where required.
- Regulatory and government bodies — where required by law.
We do not sell your personal data to third parties.
6. International transfers
Some of our service providers are based outside the UK or European Economic Area (notably HighLevel, which is based in the United States). Where we transfer your data outside the UK, we ensure appropriate safeguards are in place — typically the UK International Data Transfer Agreement or the EU Standard Contractual Clauses with a UK addendum.
7. How long we keep your data
- Enquiry data — we keep enquiry records for up to 24 months from the date of last contact, unless you ask us to delete it sooner.
- Customer account data — kept for the duration of your subscription, then for 6 years after the end of the relationship to comply with UK tax and accounting requirements.
- Marketing consents — kept until you withdraw consent or for 24 months of inactivity, whichever comes first.
8. Your rights
Under UK GDPR you have the following rights:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate data.
- Right to erasure — ask us to delete your data ("right to be forgotten"), subject to legal exceptions.
- Right to restrict processing — ask us to pause processing of your data in certain circumstances.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests, or to direct marketing at any time.
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time.
To exercise any of these rights, email [email protected]. We'll respond within one calendar month.
If you believe we've mishandled your data, you also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9. How we protect your data
We use industry-standard technical and organisational measures to protect personal data, including encryption in transit (TLS), encryption at rest, access controls, regular backups, and staff training. No system is 100% secure, but we take this seriously and continually review our practices.
10. Cookies and tracking
For full details on the cookies and tracking technologies we use, please see our Cookie Policy. By default, we only fire essential cookies until you give consent for analytics or marketing cookies via the cookie banner.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last Updated" date at the top of the page shows when it was last revised. Material changes will be flagged on the homepage or by email to active customers.