Last updated: 31 October 2025

Who we are (Data Controller)

Rosi Systems Limited (“we”, “us”, “our”) is the data controller for personal information collected via https://rosisystems.com and in connection with our services (e.g., background music and audio streaming, digital signage, and video‑on‑demand). Our registered office is The Old Lemonade Factory, Falmouth, UK, TR11 3EX. Company number: 7104967. 

Contact for privacy matters: info@rosisystems.com

Scope of this notice

This policy explains what personal data we collect, how we use it, the lawful bases for processing, how long we keep it, who we share it with, international transfers, your rights, and how to contact us. It applies to visitors to our websites and apps, prospective customers, customers and users, and others who interact with us.

Personal data we collect

We collect and process the following categories of data:

  • Identity and contact data – name, job title, company, email address, phone number, billing and service addresses.
  • Account and service data – user IDs, authentication data, organisation/station/zone relationships, configuration preferences, playlists/schedules, support tickets, and audit logs.
  • Usage and technical data – IP address, device identifiers, browser/app version, operating system, pages viewed, buttons clicked, session data, crash logs, diagnostic and performance metrics related to our players and signage.
  • Marketing preferences – opt‑in/opt‑out status, suppression lists.
  • Payment and invoicing data – transaction references, invoice details, payment method tokens from our payment processors (we do not store full card details on our systems).
  • Communications – emails, messages, call recordings (where applicable), and notes from our interactions.

We collect data directly from you, from your organisation (if you are an authorised user), automatically via our sites/apps (cookies and similar technologies), and from third‑party providers (e.g., payment, analytics, or identity services) as part of providing our services.

Why we use your data and our lawful bases

We use personal data for the purposes and lawful bases below:

  • Providing and supporting our services (setting up accounts, delivering background music/signage, maintaining uptime, technical support) – *Performance of a contract* and *Legitimate interests*.
  • Billing and account management (invoicing, payments, fraud prevention, debt collection) – *Performance of a contract* and *Legal obligation*.
  • Service improvement and analytics (diagnostics, quality, capacity planning, feature usage) – *Legitimate interests*.
  • Security (detecting/preventing abuse, intrusion, or misuse; incident response) – *Legitimate interests* and *Legal obligation*.
  • Customer communications (operational emails, product updates, support) – *Performance of a contract* and *Legitimate interests*.
  • Marketing (B2B marketing to corporate subscribers, events, newsletters, case studies) – *Legitimate interests* under UK GDPR and PECR; **we will obtain consent where required** and include an unsubscribe link in every message.
  • Compliance (tax/audit records, legal claims, regulatory requests) – *Legal obligation* and *Legitimate interests*.

We do not carry out solely automated decision‑making that produces legal or similarly significant effects.

Cookies and similar technologies

We use first‑party and (where configured) third‑party cookies and SDKs to operate the site, remember your preferences, measure performance, and (optionally) support advertising/conversion measurement. Categories include:

  • Strictly necessary – required for login, load balancing, and security.
  • Functional – remember settings such as language or region.
  • Performance/analytics – understand how our services are used so we can improve them.
  • Advertising/measurement (optional) – measure campaign performance and prevent ad fraud.

You can manage non‑essential cookies via our **Cookie Settings** tool at any time. Most browsers also let you block or delete cookies. Blocking some cookies may affect site functionality.

Sharing your data

We do not sell personal data. We share data, under agreements and appropriate safeguards, with:

  • Hosting and infrastructure providers (e.g., cloud hosting, CDNs, backup and monitoring).
  • Payment processors and billing platforms (to take payments and manage subscriptions).
  • Communications providers (email, SMS/WhatsApp, customer support tools).
  • Analytics and product tools (to understand usage and improve quality).
  • Professional advisers (accountants, auditors, legal counsel) and authorities where required by law.

Where we use processors outside the UK/EEA, we rely on approved transfer mechanisms (UK IDTA, EU SCCs plus UK Addendum, or an adequacy decision) and implement technical and organisational safeguards.

International transfers

If we transfer your personal data outside the UK/EEA, we will ensure an adequate level of protection by using one or more of: an adequacy regulation, the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses with the UK Addendum, and additional measures where appropriate.

Data retention

We keep personal data only for as long as necessary for the purposes described above and to meet legal, accounting, or reporting requirements. Typical retention periods are:

  • Enquiries and sales leads: up to 24 months after last activity (or sooner if you object).
  • Customer account and service records: for the duration of the contract and 7 years thereafter for tax/audit.
  • Support tickets and logs: typically 24 months, unless needed longer for security or legal reasons.
  • Marketing preferences/suppression lists: kept indefinitely to honour your opt‑out.

When data is no longer needed, we securely delete or irreversibly anonymise it.

Security

We apply industry‑standard technical and organisational measures, including encryption in transit and at rest where appropriate, access controls and least‑privilege permissions, multi‑factor authentication for administrative access, network segmentation, vulnerability management, logging/monitoring, and regular backups and restore testing.

Your rights (UK GDPR)

You have the right to access, rectify, erase, restrict or object to processing, and to data portability. Where we rely on consent, you can withdraw it at any time. To exercise your rights, contact info@rosisystems.com. We will respond within statutory timeframes.

You also have the right to complain to the ICO: ico.org.uk or 0303 123 1113. We would appreciate the chance to address your concerns first.

Children’s data

Our services are intended for business use and are not directed to children. We do not knowingly collect personal data about children. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.

Third‑party links

Our websites/apps may link to third‑party sites or services. Those sites have their own privacy policies. We are not responsible for their content or practices.

Changes to this policy

We may update this policy from time to time. We will post the new version here and update the “Last updated” date. If changes are material, we may notify you by email or within the service.

How to contact us

If you have questions about this policy or how we handle your data, please contact: info@rosisystems.com