Effective Date: 15, August 2025

1. Introduction

This Privacy Policy sets out the basis upon which DsReplay (“we”, “us”, or “our”) processes your personal data when you access or use our website, platform, and associated services, including but not limited to replay simulations, trading analytics, session management tools, and related customer support services (collectively, the “Services”). We are firmly committed to protecting and respecting your privacy and safeguarding your personal data in accordance with the obligations set out in the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and where applicable, the EU GDPR and other relevant laws concerning privacy and data protection.

1.1 Who We Are

DsReplay is a digital analytics and trading simulation platform designed for individuals and organisations who wish to backtest and replay trading scenarios using synthetic financial instruments. Our services are delivered entirely through a secure online platform and are accessible globally. DsReplay is operated by DsLabs Ventures. In providing our Services, we collect and process personal data from users, which may include individuals acting in their personal capacity (i.e., retail users), as well as representatives of corporate entities (e.g., traders, analysts, financial professionals, or researchers using DsReplay for institutional purposes).

1.2 Our Commitment to Privacy

We understand that the nature of our business involves handling sensitive data, including user behaviour, trading patterns, strategy configurations, and account information. Our commitment to privacy is not merely legalistic but intrinsic to the trust our users place in us. As such, we implement best-practice data governance procedures to ensure the confidentiality, integrity, and availability of your personal information. We treat your data with the highest level of care, apply strict access controls, use industry-standard encryption, and conduct periodic risk assessments to prevent data breaches, unauthorised access, or misuse.

1.3 Who This Policy Applies To

This Privacy Policy applies to you if:
  • You visit or browse the DsReplay website or application;
  • You create a DsReplay account or otherwise register with us;
  • You interact with any of our Services, whether as a paid subscriber or free trial user;
  • You communicate with us via email, chat, or support channels;
  • You are a prospective customer, business partner, or vendor;
  • You provide us with personal data in any context, whether commercial or otherwise.
This Policy is intended to provide transparency about our data processing activities and your legal rights. By using our Services, you acknowledge and agree to the terms of this Privacy Policy.

1.4 Scope and Limitations

This Privacy Policy does not extend to third-party websites, platforms, APIs, or services that may be linked to or embedded within DsReplay, including but not limited to payment providers, external data feeds, or trading integration partners. We are not responsible for the privacy practices of such third parties and encourage you to review their privacy policies before disclosing any personal data to them. Similarly, if you are using DsReplay through a corporate account or as a sub-user under an enterprise agreement, your employer or principal organisation may act as a separate data controller. In such cases, please consult your organisation’s own data protection policy to understand how they process your data.

1.5 Lawful Basis for Processing

All personal data we collect is processed on a lawful basis as defined by applicable legislation. These bases include:
  • Consent – where you have explicitly agreed to the processing of your data for a specific purpose (e.g., newsletter subscription).
  • Contractual necessity – where the processing is necessary to perform our contractual obligations to you (e.g., account provisioning, subscription billing).
  • Legal obligation – where we are required to process data to comply with legal or regulatory mandates (e.g., anti-fraud, record-keeping).
  • Legitimate interests – where processing is necessary for our legitimate business interests and those interests are not overridden by your data protection rights (e.g., analytics, platform performance monitoring, fraud detection).
We conduct routine assessments of these lawful bases to ensure continued compliance and will update this policy if our processing purposes change.

1.6 Updates to This Policy

We may revise this Privacy Policy from time to time to reflect changes in legal requirements, best practices, or updates to our Services. All changes will be published on our website with a clearly marked revision date. In the event of material changes (e.g., new processing purposes, international data transfers, third-party integrations), we will take reasonable steps to notify you directly. Your continued use of the Services following the publication of updates will constitute your acknowledgment and agreement to the revised policy. You are encouraged to review this policy regularly to remain informed about how we protect your information.

2. Data Controller Contact Information

For the purposes of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection and privacy legislation, the entity responsible for determining the purposes and means of processing your personal data—referred to as the Data Controller—is: DsReplay Operated by: DsLabs Ventures You may contact us at any time for matters relating to this Privacy Policy, your data protection rights, or how we handle your personal data.

2.1 General Enquiries and Data Protection Requests

If you have any questions about this Privacy Policy, our data practices, or if you wish to exercise any of your rights under data protection law (including subject access requests), please contact us using the details below: Email: [dslabs@dsreplay.com] We aim to respond to all legitimate requests within one calendar month. In cases of complex or voluminous requests, this period may be extended in accordance with Article 12(3) of the UK GDPR, and we shall notify you accordingly.

2.2 Data Protection Officer (DPO)

Although not legally required for all data controllers under Article 37 of the UK GDPR, DsReplay has appointed a designated individual responsible for overseeing compliance with data protection obligations. This individual acts in an advisory and supervisory capacity within our organisation and serves as a point of escalation for any privacy-related concerns. Data Protection Officer (DPO) Email: dslabs@dsreplay.com You may contact our DPO in confidence regarding any matter relating to the processing of your personal data, including complaints, security incidents, or whistleblowing concerns.

2.3 Representative in the European Union (if applicable)

If we offer services to individuals within the European Union or monitor the behaviour of individuals located within the EU, we may be required to appoint a representative in the European Economic Area (EEA) pursuant to Article 27 of the EU GDPR. As of the date of this policy, DsReplay [has/has not] appointed an EU representative. If appointed, their details will be updated here and made publicly accessible.

3. Types of Data We Collect

To provide, maintain, secure, and improve the DsReplay platform and services, we may collect and process a wide range of personal data. This section outlines the categories of information we may collect directly from you, indirectly through your use of our services, or via third-party partners and integrations. The data we collect depends on the context of your interactions with us and the features you use. Not all categories listed below will necessarily apply to every individual.

3.1 Identity and Contact Information

We collect personal identifiers and contact details to create, manage, and secure your account, and to fulfil any contractual or legal obligations:
  • Full name
  • Username or display name
  • Date of birth (for age verification, if applicable)
  • Country of residence
  • Email address
  • Phone number (optional or if used for multi-factor authentication)
  • Communication preferences

3.2 Account Profile and User Settings

To personalise your experience and deliver core platform functionality, we collect and store information related to your user profile:
  • Account registration date
  • User role or access tier (e.g., free, premium)
  • Saved preferences (e.g., UI themes, timezones)
  • Replay session history
  • Watchlists, layouts, or strategy templates (where applicable)
  • Notification settings and consent status

3.3 Technical and Device Information

We automatically collect certain technical data whenever you interact with DsReplay to ensure system stability, prevent fraud, and understand user behaviour:
  • Internet Protocol (IP) address
  • Browser type and version
  • Operating system and platform
  • Device identifiers (e.g., UUID, MAC address, device model)
  • Connection status and timestamps
  • Language preferences
  • Referring URL and destination links
  • Screen resolution and session duration
This data may be collected through server logs, cookies, tracking pixels, or other similar technologies (see Section 10 for more on cookies).

3.4 Usage Data and Activity Logs

To analyse trends, improve services, and troubleshoot issues, we maintain logs and telemetry relating to how you use the platform, including:
  • Features accessed (e.g., replay start, strategy selection)
  • Timestamps of key events
  • Pages viewed and navigation flow
  • Clickstream and scroll depth data
  • Keyboard/mouse interaction data (for UX optimisation)
  • Crash reports and error logs
  • Replay configuration data and usage metrics
Note: While we analyse behavioural patterns, DsReplay does not profile users in an automated manner that produces legal or similarly significant effects unless explicitly disclosed and consented to.

3.5 Payment and Financial Information

When you subscribe to paid services or conduct transactions through the platform, we may collect:
  • Subscription tier and billing history
  • Transaction references and payment status
  • Billing address (where required by law or provider)
  • Last four digits of payment card (for reference)
  • Payment method (e.g., Stripe, PayPal)
  • VAT number (for business clients)
All direct payment data is processed securely by third-party payment processors. DsReplay does not store full credit or debit card numbers or CVV codes on its servers.

3.6 Communication and Support Records

We maintain a record of your interactions with our support and communication channels, including:
  • Emails and messages sent to our team
  • Chat logs from in-app support
  • Feedback submissions, surveys, and reviews
  • Dispute or complaint correspondence
  • Verification materials (if identity checks are required)
These records help us provide responsive support, investigate issues, and comply with regulatory obligations.

3.7 Marketing and Analytics Data

If you opt into marketing communications or use features that involve external integrations, we may collect:
  • Marketing preferences and opt-in status
  • Email open rates and click-through data
  • Referral source or affiliate tracking data
  • Interaction with promotional offers or campaigns
  • Anonymous aggregated analytics data from cookies or SDKs
You may update your marketing preferences or opt out at any time via your account settings or by contacting dslabs@dsreplay.com.

3.8 Optional or Special Case Data

In rare cases, we may collect additional data under specific circumstances, such as:
  • Identity verification documents (e.g., passport, driving licence) where required by law or in case of fraud
  • Responses to legal notices or law enforcement enquiries
  • Biographical or occupational data (e.g., if you apply for a role or partner with us)
We do not intentionally collect special category data under Article 9 of the UK GDPR (e.g., health data, ethnicity, political opinions), and request that users refrain from submitting such data unless explicitly requested and justified.

4. How We Collect Your Data

DsReplay collects personal data through various methods to deliver and support our services. Data may be collected directly from you, automatically via your use of the platform, or indirectly through third-party providers and integrations. This section outlines each method and the rationale for its use.

4.1 Direct Collection

We collect personal data directly from you when you voluntarily submit it to us. This includes, but is not limited to:
  • Account registration: When you sign up for an account on DsReplay, you provide personal identifiers such as your name, email address, and password.
  • Platform usage: When you manually configure settings, start replay sessions, or input trading strategies and parameters.
  • Payment and billing: When you subscribe to paid plans and input payment details or billing address (processed via third-party processors).
  • Customer support: When you contact us via email, chat, or ticketing systems for assistance or to report issues.
  • Feedback and forms: When you participate in surveys, beta testing, early access programs, or submit feedback through our feedback mechanisms.
In all such instances, you will typically know what data is being collected because you are the one submitting it.

4.2 Automated Collection (Passive Collection)

Certain types of data are collected automatically when you interact with DsReplay. This helps us maintain platform security, optimise performance, and better understand user behaviour. These include:
  • Cookies and local storage: Used to maintain session state, remember preferences, and enable analytics. For details, see Section 10 (Cookies & Tracking Technologies).
  • Server logs: Capture IP address, time of access, URL requests, browser version, and user agent string.
  • Usage analytics: Using tools like Google Analytics, Sentry, or self-hosted trackers (if applicable) to understand aggregate usage behaviour and UI interactions.
  • Replay telemetry: In the context of simulations or backtesting sessions, we may automatically log which features are used, replay parameters selected, and the frequency of certain operations.

4.3 Third-Party Data Sources

We may obtain personal data about you from third-party sources where lawful and necessary to provide our services. This includes:
  • Payment processors (e.g., Stripe, Polar): Confirmation of payment status, subscription plan, and transaction references.
  • Authentication or identity providers (e.g., Discord, Twitter, Google Sign-In): Where single sign-on or federated login methods are enabled, we may receive basic profile data subject to your consent and the provider’s terms.
  • Marketing platforms: If you arrived at DsReplay via an affiliate or referral link, certain attribution data may be shared with us for performance tracking and compliance.
  • Business tools: If you interact with us via integrations (e.g., Notion), those platforms may share communication metadata with us.
In all such cases, we ensure that the third parties involved are themselves compliant with applicable privacy laws, and we do not request more data than is strictly necessary.

4.4 Combined and Derived Data

We may combine data collected through the methods above to create derived insights for internal use, such as:
  • Usage intensity or frequency scoring
  • Feature adoption metrics
  • Subscription lifecycle analytics
  • Strategy simulation patterns
Where these derived datasets are pseudonymised or anonymised, they fall outside the scope of personal data regulation. Where identifiable, they are handled in accordance with this Privacy Policy.

4.5 Data Provided on Behalf of Others

If you are an administrator of an organisation account, or if you invite other users to collaborate in a workspace or simulation, you may provide data relating to those individuals. You represent and warrant that you have obtained any necessary consents and that you are authorised to share such information with us. We act as a processor of such data and will treat it in accordance with our obligations under applicable law and any service-level agreements in place.

5. Purposes of Data Processing

DsReplay processes personal data in accordance with the principles of lawfulness, fairness, and transparency. This section explains why we collect and use personal data, and the legal basis we rely on for each purpose, as required by the UK GDPR and the Data Protection Act 2018. Each purpose is linked to a specific lawful basis under Article 6 of the UK GDPR.

5.1 To Provide and Operate the DsReplay Platform

We process your data to deliver the core functionalities of our platform, including account creation, replay session configuration, feature access control, and technical performance.
  • Personal Data Used: Identity data, contact details, session configurations, user preferences, platform usage data.
  • Legal Basis:
    • Contractual necessity – processing is required to fulfil our service contract with you.
    • Legitimate interests – ensuring platform functionality and responding to user behaviour.

5.2 To Manage Your Account and Subscription

This includes maintaining account credentials, managing login security, upgrading or downgrading subscriptions, billing, payment tracking, and compliance with financial regulations.
  • Personal Data Used: Name, email, login history, plan details, billing data, payment confirmations.
  • Legal Basis:
    • Contractual necessity – required to manage your subscription and access to paid services.
    • Legal obligation – where processing is required to meet tax or anti-fraud obligations.
    • Legitimate interests – securing accounts and managing user lifecycles.

5.3 To Communicate with You

We use your data to communicate important updates, respond to enquiries, deliver service announcements, and send transactional or system-related messages (e.g. verification emails, alerts, service degradation notices).
  • Personal Data Used: Name, email, phone number (if applicable), communication history.
  • Legal Basis:
    • Contractual necessity – required for effective service operation.
    • Legitimate interests – keeping users informed of platform changes.
    • Consent – where communications are promotional or not strictly service-related.

5.4 To Provide Technical and Customer Support

This includes diagnosing problems, responding to support requests, and resolving issues related to platform use, account access, or service errors.
  • Personal Data Used: Login data, platform activity logs, support chat history, contact information, technical logs.
  • Legal Basis:
    • Legitimate interests – ensuring timely support and user satisfaction.
    • Contractual necessity – where support is essential to fulfil your service contract.

5.5 To Monitor Platform Security and Prevent Fraud

We monitor activity for suspicious behaviour, unauthorised access, and other threats to the integrity of the platform, accounts, or infrastructure. This may include the use of automated systems for detection and risk scoring.
  • Personal Data Used: IP address, login history, behavioural data, device identifiers.
  • Legal Basis:
    • Legitimate interests – protecting the platform and users from cybercrime and data loss.
    • Legal obligation – complying with applicable cybersecurity or data protection requirements.

5.6 To Improve Our Services

We analyse platform usage to optimise features, prioritise development, and refine user experience. We may aggregate and anonymise usage data for this purpose.
  • Personal Data Used: Interaction data, device information, telemetry, strategy use patterns.
  • Legal Basis:
    • Legitimate interests – to develop a responsive, user-friendly platform and assess performance.
    • Consent – where optional cookies or feedback tools are used.

5.7 To Process Payments and Comply with Financial Laws

We use payment-related data to process transactions, issue invoices, reconcile disputes, and comply with recordkeeping and regulatory requirements related to taxation, anti-money laundering (AML), and account auditing.
  • Personal Data Used: Billing address, email, transaction history, VAT number, payment references.
  • Legal Basis:
    • Contractual necessity – enabling transaction processing.
    • Legal obligation – compliance with financial, tax, and AML regulations.

5.8 To Send Marketing and Promotional Materials

Where you have given explicit consent, we may send newsletters, product announcements, offers, and invitations to participate in events, surveys, or beta programmes.
  • Personal Data Used: Name, email, marketing preferences, campaign engagement metrics.
  • Legal Basis:
    • Consent – you may withdraw your consent at any time via the unsubscribe link or settings panel.
We may use your data to enforce our terms of use, investigate breaches, comply with legal demands, and respond to court orders or regulatory authorities.
  • Personal Data Used: Any relevant data required for the specific issue.
  • Legal Basis:
    • Legal obligation – where processing is necessary to comply with law.
    • Legitimate interests – protecting our legal and commercial interests.

5.10 To Facilitate Mergers, Acquisitions or Business Reorganisation

In the event of a merger, acquisition, sale of assets, or business restructuring, we may disclose your personal data to third parties involved in the transaction under strict confidentiality terms.
  • Personal Data Used: All categories relevant to the transaction.
  • Legal Basis:
    • Legitimate interests – to support corporate activity with minimal disruption.
    • Legal obligation – if required by law or regulatory frameworks.

6. Lawful Bases for Processing

Under the UK General Data Protection Regulation (UK GDPR), we must ensure that every instance of processing personal data is supported by at least one of the lawful bases set out in Article 6 of the Regulation. The lawful basis we rely upon depends on the specific context and purpose of the processing activity. This section details the legal grounds DsReplay relies on, along with real-world examples of their application in our operations.

6.1 Contractual Necessity (Article 6(1)(b))

We process your data when it is necessary to enter into or perform a contract with you. Without this data, we would not be able to provide you with access to or fulfil the functionality of the DsReplay platform. Examples:
  • Creating and managing your user account.
  • Providing access to replay tools and analytical features.
  • Processing your subscription payments.
  • Responding to your support tickets as part of service delivery.
Important Note: If you do not provide the data necessary for us to perform our contract, we may be unable to provide you with access to our services.

6.2 Consent (Article 6(1)(a))

In some cases, we will seek your clear and informed consent before processing your personal data. You have the right to withdraw consent at any time, and this will not affect the lawfulness of processing carried out prior to the withdrawal. Examples:
  • Sending you marketing or promotional emails.
  • Collecting optional analytics through non-essential cookies.
  • Participating in surveys or feedback programmes.
How we obtain consent:
  • Through clearly worded prompts during registration, or when configuring preferences.
  • Via opt-in checkboxes or toggles (never pre-ticked).
  • Through cookie banners for online tracking tools.

6.3 Legal Obligation (Article 6(1)(c))

We process data when we are legally required to do so, for example under UK tax law, accounting rules, or other regulatory obligations. Examples:
  • Maintaining accurate financial and tax records.
  • Responding to lawful requests from regulators, courts, or police.
  • Screening payments for potential fraud or sanctions compliance.
Data Retention: Where this basis applies, data may be retained for longer periods as required by law (e.g., up to 6 years for tax documentation under HMRC rules).

6.4 Legitimate Interests (Article 6(1)(f))

We may process your data when it is necessary for our legitimate interests, provided that such interests are not overridden by your fundamental rights and freedoms. Where we rely on this basis, we conduct a Legitimate Interests Assessment (LIA) to ensure a balanced approach. Examples:
  • Monitoring platform usage to optimise user experience.
  • Preventing fraud or system abuse.
  • Communicating service updates or changes to terms.
  • Analysing anonymised or pseudonymised data to improve performance.
Your Rights: You have the right to object to processing based on legitimate interests. If you do so, we will reassess and, in most cases, cease such processing unless we can demonstrate compelling overriding grounds.

6.5 Vital Interests (Article 6(1)(d))

Although rare in the context of DsReplay, we may process your data if it is necessary to protect someone’s life or physical safety. Example (hypothetical):
  • If we are alerted to a credible risk of harm involving one of our users and must share information with emergency services.

6.6 Public Task (Article 6(1)(e))

This basis applies to data processing carried out in the public interest or under official authority. DsReplay does not typically rely on this basis, as we are a private-sector service provider.

Children’s Data and Age Restrictions

DsReplay is not intended for children under the age of 18. We do not knowingly collect or process data from individuals below this age. If we learn that we have inadvertently collected such data, we will take prompt steps to delete it.

Special Category Data (Article 9)

We do not intentionally collect or process any special category data, such as health information, religious beliefs, political opinions, or biometric identifiers. If you voluntarily submit such information, it will be deleted unless we have a lawful and explicit basis to retain it.

7. How We Share Your Data

At DsReplay, we treat your personal data with strict confidentiality. We do not sell or rent your information under any circumstances. However, in order to operate effectively, meet regulatory obligations, and deliver a high-quality experience, we may need to share your data with specific third parties. This section explains who those parties are, under what circumstances data may be shared, and the safeguards we employ.

7.1 Data Processors and Service Providers

We may share personal data with trusted third-party service providers who act as data processors on our behalf. These providers are only permitted to process your data under our explicit instructions and are contractually bound to maintain appropriate confidentiality, security, and data protection standards. Categories of service providers include:
  • Cloud hosting providers (e.g., Amazon Web Services, DigitalOcean, Vercel): For secure storage, platform deployment, and scalability.
  • Analytics and telemetry tools (e.g., Plausible, PostHog, Sentry): To monitor system performance and usage trends.
  • Payment processors (e.g., Stripe, Polar): To handle subscription payments and financial reconciliation.
  • Email and notification systems (e.g., Mailgun): For transactional messages, alerts, and communication.
  • Customer support platforms (e.g., Chatwoot): For handling support requests and user queries.
  • CRM or billing providers: To manage customer relationships and invoicing where applicable.
All processors are required to:
  • Process data only under our instructions.
  • Implement robust technical and organisational measures.
  • Never use the data for their own purposes.

7.2 Group Companies and Corporate Affiliates

Where DsReplay is operated as part of a group of companies, or if we establish legally affiliated entities, personal data may be shared internally within that group. This is done solely for internal administrative purposes, technical support, or business continuity. All such transfers will:
  • Be covered by appropriate inter-company agreements.
  • Comply with relevant data protection legislation.
  • Be subject to safeguards equivalent to those described in this Policy.
We may disclose personal data when required to comply with applicable laws, regulations, legal processes, or enforceable government requests. Examples of such disclosures include:
  • Responding to court orders, subpoenas, or regulatory inquiries.
  • Complying with UK tax, financial, or anti-money laundering laws.
  • Cooperating with law enforcement in cases involving fraud, misuse, or harm.
We will always assess the legality and proportionality of any request and will, where permitted, notify you unless prohibited by law.

7.4 Business Transfers and Transactions

In the event that DsReplay is involved in a business transition—such as a merger, acquisition, reorganisation, sale of assets, or insolvency—your personal data may be transferred as part of the transaction, subject to confidentiality protections. We will ensure that:
  • The recipient entity is contractually bound to this Privacy Policy (or a materially equivalent policy).
  • You are notified of any changes to the ownership or data control status.
  • Your rights remain unaffected and enforceable.

7.5 Third-Party Integrations and APIs

Where you choose to connect your DsReplay account with third-party platforms (e.g., through OAuth integrations such as Deriv), we may share or receive limited personal data necessary to authenticate and operate those connections. Important:
  • You control whether these integrations are enabled.
  • Any data shared with or by such third parties is subject to their respective privacy policies.
  • DsReplay disclaims responsibility for the privacy practices of such third-party services outside the scope of our integration.

7.6 Public or Community Forums (If Applicable)

If DsReplay provides community features such as public profiles, leaderboards, or forums:
  • Information you choose to publish voluntarily (e.g., username, strategies, messages) may become visible to others.
  • You should take care not to share personal or sensitive information in such areas.
  • We provide controls to manage visibility and anonymisation where applicable.
In all other cases not covered above, we will not share your data with third parties unless you provide clear, informed, and explicit consent. Example:
  • Participating in a case study or user testimonial programme.
  • Opting into promotional partnerships or referral programmes.
You may withdraw consent at any time, and we will cease such processing or sharing unless there is another lawful basis.

7.8 Data Protection Agreements and Safeguards

Wherever data is shared with external parties, we:
  • Use Data Processing Agreements (DPAs) with processors.
  • Ensure compliance with UK GDPR Chapter V for international transfers.
  • Require standard contractual clauses (SCCs) or UK Addenda where applicable.
  • Conduct due diligence on each partner’s security, data handling, and privacy reputation.

8. International Data Transfers

DsReplay is committed to ensuring that your personal data is treated securely and in accordance with UK data protection legislation, regardless of where it is processed. Where your personal data is transferred outside the United Kingdom (UK) or the European Economic Area (EEA), we ensure an adequate level of protection consistent with Chapter V of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This section sets out how we approach international data transfers, including to countries without an adequacy decision from the UK Government.

8.1 Where Transfers May Occur

As a digital platform, DsReplay may store, process, or transfer personal data outside the UK and EEA in the following circumstances:
  • Use of third-party service providers whose servers are located in countries such as the United States, Canada, or Singapore.
  • Intra-group transfers where DsReplay is part of a corporate structure with international offices or affiliates.
  • Cross-border access by support, engineering, or legal teams for operational or compliance purposes.
  • Execution of global partnerships or integrations where the service provider operates internationally.

8.2 Adequacy Decisions

The UK Government may designate certain countries as providing an adequate level of data protection, meaning your data can be transferred to those jurisdictions without further safeguards. As of the date of this Policy, adequacy regulations exist for jurisdictions such as:
  • European Union and EEA Member States
  • Switzerland
  • Canada (commercial organisations)
  • Japan
  • New Zealand
  • South Korea
Where applicable, we rely on such adequacy decisions under UK GDPR Article 45 to legitimise transfers.

8.3 Standard Contractual Clauses (SCCs) and the UK Addendum

For transfers to countries not covered by an adequacy decision, we implement Standard Contractual Clauses (SCCs) adopted by the European Commission and recognised by the UK Government, together with the UK Addendum, to ensure appropriate contractual safeguards. These clauses:
  • Bind the recipient to strict data protection principles;
  • Prohibit onward transfer without equivalent safeguards;
  • Provide enforceable rights and remedies for data subjects.
Where relevant, we conduct Transfer Risk Assessments (TRAs) and may implement additional security measures (such as encryption or pseudonymisation) to supplement the SCCs.

8.4 Binding Corporate Rules (BCRs)

If DsReplay becomes part of a corporate group operating under Binding Corporate Rules, these may be used to legitimise internal transfers between group companies. At present, DsReplay does not rely on BCRs but reserves the right to adopt them in future subject to UK Information Commissioner’s Office (ICO) approval.

8.5 Specific Exceptions (Derogations)

In exceptional cases, we may rely on specific derogations under UK GDPR Article 49 where no other transfer mechanism is available. These include:
  • Your explicit consent, with full transparency of risks;
  • Transfers necessary for the performance of a contract, e.g., delivering services to an international user;
  • Legal claims or defences, or
  • Public interest grounds recognised in UK law.
These are used sparingly and only where no safer mechanism applies.

8.6 Security Measures During Transfer

Regardless of the transfer mechanism, DsReplay ensures that:
  • All transfers are encrypted during transmission (e.g., via TLS).
  • Data minimisation principles are applied.
  • Access is limited to authorised personnel with strict role-based controls.
  • Audit logs are maintained to monitor international access or replication.

8.7 User Rights and Remedies

You retain all your UK GDPR rights even when your data is transferred internationally, including:
  • The right to be informed of such transfers;
  • The right to access and request a copy of your transferred data;
  • The right to object to certain transfers or withdraw consent where applicable;
  • The right to lodge a complaint with the UK Information Commissioner’s Office (ICO).

8.8 Contact for International Transfer Queries

If you have any questions about how your data is transferred or would like further details of specific safeguards, you may contact our Data Protection Officer (DPO) at: 📧 Email: dslabs@dsreplay.com ✍️ Subject: International Data Transfers

9. Data Retention and Storage

At DsReplay, we are committed to retaining your personal data only for as long as necessary to fulfil the purposes for which it was collected, or to comply with legal, regulatory, or contractual obligations. We implement clear retention schedules and secure storage practices to ensure your data’s integrity, confidentiality, and availability.

9.1 Retention Principles

  • Purpose Limitation: Data is retained solely to achieve the original purposes specified in this Privacy Policy.
  • Minimal Retention: We do not keep personal data longer than necessary.
  • Compliance: Retention periods reflect statutory or regulatory requirements (e.g., financial records retention).
  • User Rights: You may request deletion or access at any time, subject to exceptions detailed below.

9.2 Retention Periods by Data Category

Data CategoryRetention PeriodRationale
Account and Profile DataDuration of active account + 2 years after account closureTo provide ongoing service and support, plus dispute resolution
Transactional Data (payments, subscriptions)Minimum 6 yearsTo comply with UK tax and accounting regulations
Support and Communication Records2 years from last contactTo resolve issues and improve service
Marketing Consents and PreferencesUntil consent withdrawal or opt-outTo respect your marketing preferences
Analytics and Usage Data (aggregated and pseudonymised)Up to 3 yearsFor product improvement and trend analysis
Cookies and Tracking DataAs per cookie policySubject to user consent and browser settings
Legal and Compliance RecordsAs required by law (variable; typically up to 6 years)For regulatory compliance and legal defence

9.3 Data Deletion and Anonymisation

  • Upon expiry of retention periods or upon your valid deletion request, we will:
    • Permanently delete personal data from all active systems and backups, unless further retention is justified by law.
    • Anonymise or pseudonymise data when complete deletion is impractical but personal identifiers are removed.
  • Deletion requests will be handled in accordance with Section 11 (Your Rights) of this Policy.
  • Where legal obligations prevent deletion (e.g., financial records), data will be securely archived and access strictly controlled.

9.4 Data Storage and Security

  • Data is stored in secure cloud environments using providers with high-level certifications (e.g., ISO 27001, SOC 2).
  • Encryption is applied both at rest and in transit using industry standards.
  • Access controls enforce strict role-based permissions and multi-factor authentication.
  • Regular audits, penetration tests, and vulnerability scans are conducted.
  • Backup and disaster recovery processes ensure data resilience and availability.

9.5 Special Considerations for Backup Data

  • Backup copies may exist for a limited time beyond deletion requests to allow system restoration.
  • Backup data is encrypted and stored securely, with access restricted to authorised personnel.
  • Once backup retention periods expire, data is securely destroyed.

9.6 Data Retention Review

We periodically review retention policies and data holdings to ensure compliance, relevance, and minimisation.

10. Data Security and Breach Notification

At DsReplay, safeguarding your personal data is a core priority. We employ robust security measures to protect your data against unauthorised access, loss, alteration, or disclosure. In the unlikely event of a data breach, we have strict protocols to respond swiftly and transparently in accordance with UK data protection laws.

10.1 Security Measures

To ensure the confidentiality, integrity, and availability of your data, we implement the following:
  • Technical Controls:
    • Use of strong encryption standards (AES-256) for data at rest.
    • Secure Transmission via TLS 1.2 or higher for all data in transit.
    • Regular patching and updating of software and infrastructure.
    • Network security through firewalls, intrusion detection/prevention systems.
    • Multi-factor authentication (MFA) for all system access.
    • Role-based access control (RBAC) limiting data access to authorised personnel only.
    • Automated monitoring and alerting for suspicious activity.
    • Secure API design and vulnerability testing.
  • Organisational Controls:
    • Comprehensive information security policies and employee training.
    • Strict confidentiality agreements with staff and contractors.
    • Data Protection Officer (DPO) oversight for compliance.
    • Vendor management processes to ensure third-party security.
  • Physical Security:
    • Use of certified data centres with physical access controls.
    • Environmental controls to protect against fire, flood, and power loss.

10.2 Data Breach Response Procedure

In the event of an actual or suspected data breach involving your personal data, DsReplay will:
  1. Identification and Containment:
    • Quickly assess the nature and scope of the breach.
    • Contain the breach to prevent further data loss.
  2. Assessment of Risk:
    • Evaluate the potential impact on affected individuals’ rights and freedoms.
    • Determine the severity and likelihood of harm.
  3. Notification to Authorities:
    • Notify the UK Information Commissioner’s Office (ICO) within 72 hours if the breach poses a risk to individuals’ rights and freedoms.
    • Provide detailed information about the breach, affected data, and mitigation steps.
  4. Communication to Affected Individuals:
    • Where there is a high risk to individuals (e.g., identity theft, financial loss), promptly inform affected users.
    • Provide guidance on protective measures users can take.
  5. Remediation and Prevention:
    • Implement corrective actions to address vulnerabilities.
    • Review and update security measures to prevent recurrence.
  6. Documentation:
    • Maintain detailed records of all breaches, decisions, and communications as required by law.

10.3 User Responsibilities

To help protect your data, we recommend:
  • Using strong, unique passwords for your DsReplay account.
  • Enabling multi-factor authentication where available.
  • Reporting any suspicious account activity immediately.
  • Keeping your devices and software up to date.

10.4 Contact for Security Concerns

If you suspect a security breach or wish to report a vulnerability, please contact our security team immediately at: 📧 dslabs@dsreplay.com Your reports help us maintain a secure platform for all users.

11. Your Rights

DsReplay is committed to empowering you with control over your personal data. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have a number of important rights regarding your personal information. This section outlines those rights and how you can exercise them.

11.1 Right to Be Informed

You have the right to be informed about how your personal data is collected, used, stored, and shared. This Privacy Policy is part of fulfilling that obligation. We strive to provide clear, transparent, and accessible information at all times.

11.2 Right of Access (Subject Access Request)

You have the right to request access to the personal data DsReplay holds about you. This includes:
  • Confirmation whether we are processing your data.
  • A copy of the personal data.
  • Details about the purposes, recipients, and retention of your data.
To make a subject access request (SAR), please contact us at dslabs@dsreplay.com. We will respond within one calendar month.

11.3 Right to Rectification

If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request correction or completion without undue delay.

11.4 Right to Erasure (“Right to be Forgotten”)

You may request that we delete your personal data when:
  • It is no longer necessary for the purposes it was collected.
  • You withdraw consent and no other legal basis applies.
  • You object to processing and there are no overriding legitimate grounds.
  • The data has been unlawfully processed.
  • The data must be erased to comply with a legal obligation.
Please note that certain data may be retained to comply with legal, regulatory, or contractual requirements.

11.5 Right to Restrict Processing

You may request that we restrict the processing of your personal data in situations such as:
  • While the accuracy of the data is contested.
  • Processing is unlawful but you oppose erasure.
  • We no longer need the data but you require it for legal claims.
  • You have objected to processing pending verification of legitimate grounds.

11.6 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can also request that we transmit this data directly to another controller where technically feasible.

11.7 Right to Object

You can object to our processing of your personal data on grounds relating to your particular situation, including for direct marketing purposes or where processing is based on legitimate interests. DsReplay does not currently engage in automated decision-making or profiling that produces legal or similarly significant effects. Should this change, we will provide you with meaningful information and the right to challenge such decisions.

11.9 How to Exercise Your Rights

  • Submit requests to dslabs@dsreplay.com with clear details of your request.
  • Provide sufficient information to verify your identity to protect your data.
  • We will respond within one calendar month. In complex cases, this period may be extended by two further months, but you will be informed.

12. Children’s Privacy

DsReplay takes the privacy and protection of children’s personal data seriously. We recognise the special considerations required when processing data of individuals under the age of 18, in line with the UK Data Protection Act 2018 and the Age Appropriate Design Code (Children’s Code).

12.1 Age Restrictions

  • Our services are not intended for use by children under 18 years of age.
  • We do not knowingly collect or solicit personal data from children under 18 without parental or guardian consent.
Where we become aware that we have collected personal data from a child under the age of 18 without appropriate consent, we will take immediate steps to:
  • Delete the data promptly;
  • Verify parental or guardian consent where possible before continuing to process the data.

12.3 Information Provided to Children

We endeavour to provide privacy information in clear, plain language accessible to young users where appropriate. This includes:
  • Explanation of what data is collected;
  • How it is used;
  • Who it is shared with;
  • Rights regarding their data.

12.4 Rights of Children and Parents

Children and their parents or legal guardians have the right to:
  • Access their personal data;
  • Request correction or deletion of data;
  • Withdraw consent where applicable;
  • Object to processing.
Requests can be made by the child or the parent/guardian by contacting dslabs@dsreplay.com.

12.5 Additional Safeguards

In line with the Children’s Code, DsReplay:
  • Limits data collection to what is necessary for the service;
  • Applies strict data security measures;
  • Avoids profiling or marketing directly targeted at children;
  • Provides options to opt-out of data collection mechanisms.

12.6 Reporting Concerns

If you believe that DsReplay has collected personal data from a child under 18 without appropriate consent or if you have concerns about children’s data privacy, please contact us immediately at: 📧 dslabs@dsreplay.com

13. Cookies and Tracking Technologies

DsReplay uses cookies and similar tracking technologies to enhance your experience, analyse usage, and deliver personalised content. This section explains what cookies are, how we use them, and how you can control their use.

13.1 What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They allow the website to recognise your device, remember preferences, and collect information about your interaction with the site. Similar technologies include:
  • Local storage
  • Web beacons
  • Pixel tags
  • Fingerprinting techniques

13.2 Types of Cookies We Use

CategoryPurposeExample
Strictly NecessaryEssential for the operation of DsReplay servicesSession ID, authentication tokens
PerformanceCollect anonymous data to understand site usageGoogle Analytics, aggregate stats
FunctionalityRemember preferences and personalise user experienceLanguage settings, UI customisations
Targeting/AdvertisingDeliver relevant ads and measure effectivenessThird-party ad networks, retargeting
  • We only use non-essential cookies (performance, functionality, targeting) after obtaining your informed consent, as required by law.
  • Upon your first visit, a cookie banner will appear to explain cookie use and allow you to accept or customise preferences.
  • You may withdraw or modify your consent at any time via the cookie settings link on the website.
  • You can also control or delete cookies via your browser settings. Note that disabling certain cookies may affect site functionality.

13.4 Third-Party Cookies

DsReplay may allow third-party service providers (e.g., analytics, advertising partners) to place cookies on your device. These providers are subject to their own privacy policies and controls.

13.5 More Information

For detailed information about the cookies we use and how to manage them, please refer to our Cookies Policy.

13.6 Contact

If you have any questions or concerns about our use of cookies and tracking technologies, please contact: 📧 dslabs@dsreplay.com

14. Changes to This Privacy Policy

DsReplay is committed to maintaining transparency about how we collect, use, and protect your personal data. As our services evolve, and as legal or regulatory requirements change, we may need to update this Privacy Policy. This section explains how we manage and communicate such changes.

14.1 Reasons for Changes

We may update this Privacy Policy to:
  • Reflect changes in legal, regulatory, or compliance obligations.
  • Incorporate new features or services offered by DsReplay.
  • Improve clarity, transparency, or user experience.
  • Address security or operational enhancements.

14.2 How We Notify You

  • Material Changes: For significant changes that affect your rights or how your data is processed, we will notify you in advance by:
    • Email (if you have registered with us).
    • Prominent notices on our website or within the DsReplay platform.
  • Minor Changes: For minor updates (e.g., editorial clarifications, contact details), we may update the policy without direct notice but will update the “Last Updated” date.

14.3 Your Continued Use

By continuing to use DsReplay services after changes take effect, you accept the revised Privacy Policy. If you do not agree with any material changes, you should stop using our services and may request deletion of your data as per Section 11 (Your Rights).

14.4 Version Control

This Privacy Policy includes a “Last Updated” date at the top of the document. Please review it regularly to stay informed of any changes.

14.5 How to Contact Us About Policy Changes

If you have questions or concerns regarding changes to this Privacy Policy, please contact us at: 📧 dslabs@dsreplay.com

15. Contact Information and Data Protection Officer (DPO)

DsReplay is committed to ensuring that your personal data is handled responsibly and transparently. To assist with this, we have appointed a Data Protection Officer (DPO) who oversees our compliance with data protection laws and is your point of contact for privacy-related matters.

15.1 Data Protection Officer

Our DPO is responsible for:
  • Monitoring compliance with the UK GDPR and Data Protection Act 2018.
  • Providing advice and guidance on data protection obligations.
  • Acting as a liaison with the Information Commissioner’s Office (ICO).
  • Handling data subject requests, complaints, and enquiries.

15.2 How to Contact the DPO

You may contact our Data Protection Officer regarding any questions, requests, or concerns about your personal data or this Privacy Policy: Email: 📧 dslabs@dsreplay.com

15.3 General Contact for Privacy Matters

For general privacy inquiries or to exercise your data rights, you can also reach out to our privacy team at: Email: 📧 dslabs@dsreplay.com

15.4 Complaint Resolution

If you have concerns about how DsReplay processes your personal data, we encourage you to contact us first so we can address your concerns promptly. Alternatively, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) as described in Section 11.