Privacy Policy

Last Updated: April 9, 2026

This Privacy Policy describes how Best App ("we," "us," or "our") collects, uses, stores, and shares your personal data when you use the TallyUp application ("Service"), a Shopify embedded app for inventory management, demand forecasting, and purchase order automation.

By installing or using TallyUp, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

If you have questions or concerns, contact us at contact@tallyup.cc.

Summary of Key Points

We act as Data Controller for merchant account data and as Data Processor for Shopify store data on your behalf.
We do not store your customers' personal information (names, emails, addresses, or payment details).
We do not sell your personal data to third parties.
Your data is stored on servers in Germany (EU) and email is processed in Ireland (EU).
Sensitive data (contact information) is encrypted at rest using AES-256-GCM.
All billing is handled by Shopify — we never collect or store payment card information.
You have rights under GDPR, CCPA, and other applicable laws to access, correct, and delete your data.

Definitions
Data Controller and Processor Roles
Information We Collect
How We Use Your Information
Legal Bases for Processing
Cookies and Tracking Technologies
Data Sharing and Third-Party Processors
International Data Transfers
Data Retention
Data Security
Your Privacy Rights
US State Privacy Laws
Shopify App Data
Children's Privacy
Marketing Communications
Changes to This Policy
Contact Us

1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
Processing: Any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
Data Controller: The entity that determines the purposes and means of Processing Personal Data.
Data Processor: The entity that processes Personal Data on behalf of the Data Controller.
Merchant: A Shopify store owner or authorized staff member who installs and uses TallyUp.
End Customer: A customer of the Merchant's Shopify store. TallyUp does not collect or store End Customer personal information.
Service: The TallyUp application, including all features, APIs, and related services.
Sub-Processor: A third-party service provider engaged by us to process Personal Data on our behalf.

2. Data Controller and Processor Roles

TallyUp operates in a dual capacity depending on the type of data being processed:

When We Act as Data Controller

We are the Data Controller under Article 4(7) of the GDPR for data where we determine the purposes and means of processing. This includes:

Merchant account information (shop domain, company details, contact information)
Supplier contact information that Merchants enter into TallyUp
Billing and subscription data
Usage analytics and product improvement data
Email template configurations and alert preferences

As Controller, we are responsible for ensuring that this data is processed lawfully, fairly, and transparently in accordance with this Privacy Policy.

When We Act as Data Processor

We act as a Data Processor under Article 4(8) of the GDPR for data that we process on behalf of Merchants. The Merchant is the Data Controller for this data. This includes:

Shopify product catalog data (titles, SKUs, prices, images)
Shopify order data (order IDs, line items, quantities, totals)
Inventory levels and historical inventory snapshots
Shopify location and warehouse data

We process this data solely to provide the Service to the Merchant and in accordance with the Merchant's instructions. We do not use Merchant store data for our own purposes beyond delivering the Service.

Important: If you are an End Customer of a Merchant using TallyUp and have questions about how your data is handled, please contact the Merchant directly. TallyUp does not store End Customer personal information (names, email addresses, shipping addresses, or payment details).

3. Information We Collect

3.1 Information You Provide Directly

When you use TallyUp, you may provide the following information:

Data	Purpose
Company name	Displayed on purchase order PDFs and communications
Company email address	Reply-to address for purchase order emails, alert notifications
Company phone number	Displayed on purchase order PDFs
Company physical address	Displayed on purchase order PDFs
Company logo URL	Displayed on purchase order PDF headers
Supplier names	Purchase order management and supplier directory
Supplier email addresses	Sending purchase orders to suppliers
Supplier phone numbers	Supplier contact management
Supplier physical addresses	Displayed on purchase order PDFs
Supplier notes and lead times	Internal supplier management
Email template content	Customizing purchase order and alert email templates
Alert preferences	Configuring inventory alert frequency and recipients
Application settings	Timezone, currency, locale preferences

3.2 Information Collected from Shopify

When you install TallyUp and grant the requested permissions, we access and sync the following data from your Shopify store:

Data	Shopify Permission	Purpose
Products (titles, handles, types, vendors, status, images)	`read_products`	Displaying your product catalog in the inventory dashboard
Variants (titles, SKUs, barcodes, prices, images)	`read_products`	Variant-level inventory tracking and identification
Inventory levels (quantities per location)	`read_inventory`	Real-time stock monitoring, reorder alerts, historical snapshots
Orders (order IDs, order numbers, line items, quantities, prices, statuses, timestamps)	`read_all_orders`	Demand forecasting, sales velocity calculation, ABC analysis
Locations (names, IDs)	`read_locations`	Multi-location inventory management
OAuth session data (access tokens, user identifiers)	OAuth flow	Authenticating API requests to Shopify

Data we do NOT collect from Shopify:

Customer names, email addresses, or phone numbers
Customer shipping or billing addresses
Customer payment information or credit card details
Customer browsing or purchasing behavior
Customer account credentials

3.3 Information Generated by the Service

TallyUp generates derived data based on your store data to provide its core features:

Data	Purpose
Inventory metrics (days of cover, stock health, ABC classification)	Inventory intelligence and reorder recommendations
Demand forecasts (predicted daily demand, safety stock, reorder points)	Automated demand forecasting
Forecast accuracy metrics (WAPE, MASE, drift detection)	Forecast quality monitoring
Suggested order quantities	Purchase order recommendations
Revenue analysis (90-day revenue per variant)	ABC classification

This derived data is calculated from your Shopify store data and does not contain any End Customer personal information.

3.4 Information Collected Automatically

Data	Purpose
Shopify shop domain (myshopify.com)	Account identification and session management
Feature usage events (feature impressions, upgrade clicks, dismissals)	Internal product improvement and understanding feature adoption
Sync operation logs (timestamps, entity counts, status)	Service reliability, debugging, and operational monitoring
Analytics data via self-hosted PostHog (page views, feature interactions, device type, browser)	Product improvement and understanding how Merchants use TallyUp

Our PostHog analytics instance is self-hosted on our own server in Germany. No analytics data is sent to PostHog Inc. or any other third party. Analytics data collection requires your consent via our cookie banner (see Section 6).

4. How We Use Your Information

We use the information we collect for the following purposes:

Providing the Service

Synchronizing your Shopify product, order, and inventory data
Calculating inventory metrics, demand forecasts, and reorder suggestions
Managing suppliers and generating purchase orders
Sending purchase order emails to your suppliers
Sending inventory alert digest emails to you
Processing billing through Shopify's payment system

Improving the Service

Analyzing feature usage patterns to prioritize product development
Monitoring service reliability and performance
Identifying and resolving technical issues

Ensuring Security and Compliance

Validating authentication sessions
Verifying webhook authenticity
Monitoring for free tier abuse (rate limiting)
Responding to data subject access requests
Processing Shopify GDPR webhooks (data requests, redactions)

Legal and Regulatory

Retaining billing records as required by tax legislation
Complying with applicable data protection laws
Responding to lawful requests from public authorities

5. Legal Bases for Processing

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases for processing your Personal Data:

Contract Performance (Article 6(1)(b))

Processing necessary for the performance of our contract with you (the Shopify app subscription):

Providing inventory management, forecasting, and purchase order services
Syncing product, order, and inventory data from your Shopify store
Generating and sending purchase orders to your suppliers
Processing your subscription through Shopify's billing system
Sending transactional emails (purchase orders, inventory alerts)

Legitimate Interest (Article 6(1)(f))

Processing necessary for our legitimate interests, balanced against your rights:

Internal product analytics to improve the Service (interest: product improvement; safeguard: aggregated data, no profiling)
Service reliability monitoring and error tracking (interest: service quality; safeguard: minimal data, automated logs)
Free tier abuse detection (interest: fair usage enforcement; safeguard: threshold-based, no individual profiling)
Security measures including session validation and webhook verification (interest: security; safeguard: automated, minimal data)

Legal Obligation (Article 6(1)(c))

Processing necessary to comply with legal obligations:

Responding to GDPR data subject access, rectification, and erasure requests
Processing Shopify mandatory GDPR webhooks (customer data requests, customer redaction, shop redaction)
Retaining billing and tax records as required by Polish and EU tax law

Consent (Article 6(1)(a))

Processing based on your freely given, specific, informed, and unambiguous consent:

Analytics cookies (PostHog) — consent collected via cookie banner
Marketing communications (when introduced) — explicit opt-in required

You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent for analytics, adjust your cookie preferences. To withdraw consent for marketing, use the unsubscribe link in any marketing email or contact us at contact@tallyup.cc.

6. Cookies and Tracking Technologies

Shopify App Bridge Cookies

TallyUp is an embedded Shopify application that runs within the Shopify Admin interface. Shopify App Bridge manages authentication and session cookies necessary for the embedded app to function. These cookies are set and controlled by Shopify and are governed by Shopify's Privacy Policy. TallyUp does not set, read, or control these cookies.

PostHog Analytics Cookies (Self-Hosted)

We use PostHog, an open-source analytics platform, to understand how Merchants interact with TallyUp. Our PostHog instance is self-hosted on our own server in Germany. This means:

All analytics data is stored on our own infrastructure within the European Economic Area (EEA)
No analytics data is transmitted to PostHog Inc. or any third party
We have full control over all analytics data

PostHog uses the following cookies:

Cookie	Purpose	Duration	Type
`ph_phc_*_posthog`	Identifies unique visitors across sessions	1 year	Analytics
`ph_*_posthog`	Stores session information for analytics	Session	Analytics

These cookies are only set with your explicit consent, collected via our cookie consent banner displayed when you first use the Service.

Without consent: Only essential Shopify App Bridge cookies are active. No PostHog tracking occurs. The Service remains fully functional.

Managing your preferences: You can change your cookie preferences at any time through the cookie settings accessible within the application. You can also clear cookies through your browser settings.

No Other Tracking

We do not use:

Third-party advertising cookies or pixels
Social media tracking widgets
Browser fingerprinting
Cross-site tracking technologies
Google Analytics, Facebook Pixel, or similar third-party analytics services

We engage the following third-party service providers (Sub-Processors) to help us deliver the Service:

Sub-Processor	Purpose	Data Processed	Server Location	Legal Basis for Transfer
Shopify Inc.	E-commerce platform, OAuth authentication, app billing	Shop domain, API requests, subscription status	Canada, USA	EU adequacy decision (Canada), Standard Contractual Clauses
Resend Inc.	Transactional email delivery (purchase orders, alerts)	Recipient email address, email content, PDF attachments	Ireland	Within EEA — no transfer mechanism required
Hetzner Online GmbH	Server infrastructure hosting	All application data (database, files, logs)	Germany	Within EEA — no transfer mechanism required
GitHub Inc.	CI/CD pipeline, container image registry	Application source code, Docker images (no personal data)	USA	Standard Contractual Clauses (GitHub DPA)

PostHog is not a Sub-Processor. PostHog software runs as a self-hosted instance on our own Hetzner server in Germany. No data is shared with PostHog Inc.

What We Do NOT Do

We do not sell your Personal Data to any third party, for any purpose, under any circumstance.
We do not share your data for cross-context behavioral advertising.
We do not provide your data to data brokers.
We do not use your data for AI or machine learning model training outside of the Service's forecasting features, which operate solely on your own store data.

When We May Disclose Data

We may disclose your Personal Data only in the following limited circumstances:

Legal requirements: When required by law, regulation, legal process, or governmental request.
Rights protection: To protect the rights, property, or safety of Best App, our Merchants, or others.
Business transfer: In connection with a merger, acquisition, or sale of assets. In such case, we will notify you before your Personal Data is transferred and becomes subject to a different privacy policy.
With your consent: When you have given us explicit permission to share specific data.

8. International Data Transfers

Your data is primarily stored and processed within the European Economic Area (EEA):

Data	Location	Transfer Required?
Application database (all merchant and store data)	Germany	No — within EEA
Transactional emails	Ireland (Resend)	No — within EEA
Analytics data	Germany	No — within EEA
Shopify API communications	Canada / USA (Shopify)	Yes
CI/CD pipeline	USA (GitHub)	Yes (no personal data)

For transfers to countries outside the EEA that do not benefit from an EU adequacy decision, we rely on:

Standard Contractual Clauses (SCCs): Approved by the European Commission under Article 46(2)(c) of the GDPR. We have SCCs in place with Shopify and GitHub.
EU Adequacy Decisions: Canada has been granted an adequacy decision by the European Commission for transfers to organizations subject to PIPEDA (which includes Shopify).

We conduct transfer impact assessments where required and implement supplementary measures as needed to ensure an adequate level of data protection.

9. Data Retention

We retain your data only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law.

Data Category	Retention Period	Reason
Merchant account data	Duration of subscription + 30 days after app uninstall	Service delivery + grace period for reinstallation
OAuth sessions	Managed by Shopify SDK (automatically revoked on uninstall)	Technical necessity
Supplier information	Until you delete it or uninstall the app	Service delivery
Synced products and variants	Duration of subscription	Inventory management
Synced order history	Duration of subscription	Demand forecasting
Inventory snapshots	Duration of subscription	Historical stock analysis
Forecast data	Recalculated periodically; deleted on uninstall	Demand forecasting
Purchase orders	Duration of subscription	Order management
Email templates	Duration of subscription	Email customization
Billing records (subscription ID, plan, dates)	As required by applicable tax law (up to 10 years under Polish tax regulations)	Legal obligation
Usage analytics	Duration of subscription	Product improvement
PostHog analytics	Duration of subscription	Product improvement
Sync and operational logs	Duration of subscription	Service reliability

When You Uninstall TallyUp

When you uninstall TallyUp from your Shopify store, Shopify sends a shop/redact webhook. Upon receiving this webhook, we:

1. Delete all of the following within 48 hours:

OAuth sessions
Synced products, variants, orders, and line items
Inventory snapshots and current inventory records
Inventory metrics and forecast data
Purchase orders and purchase order items
Supplier records and supplier-variant associations
Email templates and alert configurations
Usage analytics (upgrade events)
Sync event logs
Import records

2. Nullify personally identifiable fields on your account record:

Company name, email, phone, address, and logo URL
Locale, sync counters, and forecast settings

3. Preserve minimal billing data as required by law:

Subscription plan history and trial dates (for tax record-keeping)
Redaction timestamp (for compliance audit trail)

Customer Data Requests and Redaction

When Shopify sends GDPR customer data request or customer redaction webhooks:

Customer data request: We compile and log all order data associated with the specified customer for the Merchant to provide to their customer.
Customer redaction: We permanently delete all synced orders and associated line items for the specified customer. Inventory metrics are automatically recalculated to reflect the data removal. No backup copies are retained.

10. Data Security

We implement appropriate technical and organizational measures to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction.

Encryption at Rest

Data	Encryption Method
Merchant company email, phone, and address	AES-256-GCM
Supplier email, phone, address, and notes	AES-256-GCM
Alert recipient email address	AES-256-GCM
Email template subject and body content	AES-256-GCM
Supplier email search index	HMAC-SHA256 blind index (enables search without decryption)

Company logo URL is stored as plaintext (URLs are non-sensitive resource identifiers).

Encryption keys are stored as environment variables on the server and are never committed to source code or version control.

Encryption in Transit

All API communications use HTTPS with TLS 1.2 or higher
Shopify API calls are authenticated via OAuth 2.0
Database connections use SSL/TLS in production
Email delivery to Resend uses HTTPS API

Access Controls

Authentication managed by Shopify OAuth (we do not implement our own credential system)
No shared credentials or default passwords

Payment Security

We do not collect, process, or store any payment card information. All billing is handled entirely by Shopify through their PCI-DSS compliant payment infrastructure. TallyUp uses Shopify's appSubscriptionCreate API to initiate billing, which redirects Merchants to Shopify's own billing confirmation page.

Incident Response

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority (UODO) within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR
Notify affected Merchants without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR
Document the breach, its effects, and the remedial actions taken

Limitations

No method of electronic transmission or storage is 100% secure. While we strive to use commercially reasonable measures to protect your Personal Data, we cannot guarantee absolute security. We encourage you to protect your Shopify account credentials and to contact us immediately if you suspect unauthorized access to your data.

11. Your Privacy Rights

For Residents of the European Economic Area, United Kingdom, and Switzerland

Under the General Data Protection Regulation (GDPR) and equivalent laws, you have the following rights regarding your Personal Data:

Right	Description	GDPR Article
Access	Request a copy of the Personal Data we hold about you	Article 15
Rectification	Request correction of inaccurate or incomplete Personal Data	Article 16
Erasure	Request deletion of your Personal Data ("right to be forgotten")	Article 17
Restriction	Request that we limit the processing of your Personal Data	Article 18
Data Portability	Receive your Personal Data in a structured, commonly used, machine-readable format	Article 20
Objection	Object to processing based on legitimate interest or for direct marketing	Article 21
Automated Decisions	Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects	Article 22
Withdraw Consent	Withdraw consent at any time where processing is based on consent	Article 7(3)

Note on automated decision-making: TallyUp generates automated inventory forecasts and reorder suggestions based on your store data. These are advisory recommendations to assist your business decisions — they do not produce legal effects or similarly significant effects on any individual. You retain full control over all purchasing and inventory decisions.

Supervisory authority: You have the right to lodge a complaint with your local data protection supervisory authority. For Poland, this is UODO (Urząd Ochrony Danych Osobowych).

For All Users

To exercise any of these rights, contact us at contact@tallyup.cc. We will respond to your request within:

30 days for requests under GDPR (extendable by an additional 60 days for complex requests, with notification)
45 days for requests under US state privacy laws (extendable by an additional 45 days, with notification)

We may need to verify your identity before processing your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive. If we cannot fulfill your request, we will explain why.

12. US State Privacy Laws

This section provides additional disclosures required under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and other applicable US state privacy laws.

Categories of Personal Information Collected

The following table describes the categories of personal information we have collected in the preceding twelve (12) months, using the categories established by the CCPA:

Category	Examples	Collected
A. Identifiers	Name, email address, phone number, physical address	Yes
B. Personal Information (Cal. Civ. Code § 1798.80)	Name, address, telephone number	Yes
C. Protected Classifications	Race, gender, religion, sexual orientation	No
D. Commercial Information	Products, purchasing history (Shopify store data as Processor)	Yes
E. Biometric Information	Fingerprints, voice recordings	No
F. Internet or Network Activity	Feature usage, page views (PostHog, with consent)	Yes
G. Geolocation Data	Precise device location	No
H. Sensory Information	Audio, video, or similar recordings	No
I. Professional/Employment Information	Job title, employer	No
J. Education Information	Student records	No
K. Inferences	Inventory forecasts, demand patterns, ABC classifications	Yes
L. Sensitive Personal Information	Account credentials (Shopify OAuth tokens)	Yes

Your Rights Under US State Privacy Laws

Depending on your state of residence, you may have the following rights:

Right to Know: Request information about the categories and specific pieces of Personal Information we have collected about you.
Right to Delete: Request deletion of your Personal Information.
Right to Correct: Request correction of inaccurate Personal Information.
Right to Opt-Out of Sale/Sharing: We do not sell your Personal Information or share it for cross-context behavioral advertising. No opt-out is necessary.
Right to Limit Sensitive PI Use: We use sensitive Personal Information (OAuth tokens) solely for providing the Service.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Disclosure

We do not sell Personal Information.
We do not share Personal Information for cross-context behavioral advertising.
We have not sold or shared Personal Information in the preceding twelve (12) months.

To exercise your rights, contact us at contact@tallyup.cc. You may designate an authorized agent to submit a request on your behalf. We may require verification of both your identity and the agent's authority to act on your behalf.

13. Shopify App Data

TallyUp is a Shopify embedded application that operates within the Shopify Admin interface. This section explains how we handle data accessed through the Shopify platform.

API Permissions (Scopes)

We request only the permissions necessary to provide the Service:

Permission	Why We Need It
`read_products`	Display your product catalog in the inventory dashboard
`write_products`	Update product metadata when needed
`read_inventory`	Monitor stock levels across all locations
`write_inventory`	Adjust inventory quantities when receiving purchase orders
`read_orders`	Access recent order data for demand analysis
`read_all_orders`	Access complete order history for accurate demand forecasting and seasonal pattern detection (historical data is essential for forecast accuracy)
`read_locations`	Display and manage inventory across multiple warehouse locations

Data Minimization

We sync only the data fields necessary for inventory management and forecasting.
We do not access or store End Customer personal information from orders. We sync only order identifiers, line item details (variant, quantity, price), financial totals, and timestamps.
We do not access customer accounts, customer addresses, payment information, or fulfillment tracking details.

GDPR Webhook Compliance

We have implemented all three mandatory Shopify GDPR webhooks:

Webhook	Our Response
`customers/data_request`	Compile all order data associated with the specified customer and log it for the Merchant
`customers/redact`	Permanently delete all synced orders and line items for the specified customer; recalculate affected metrics
`shop/redact`	Comprehensively delete all merchant data within 48 hours (see Section 9 for details)

Compliance

We comply with the Shopify Partner Program Agreement and the Shopify API License and Terms of Use. Our use of Shopify APIs and handling of Shopify data is in accordance with these agreements.

14. Children's Privacy

TallyUp is a business-to-business (B2B) service designed for Shopify store owners and their authorized staff. The Service is not directed at, and is not intended for use by, children under the age of 16 (as defined by the GDPR) or under the age of 13 (as defined by the US Children's Online Privacy Protection Act, COPPA).

We do not knowingly collect Personal Data from children. If we become aware that we have inadvertently collected Personal Data from a child, we will take prompt steps to delete such data. If you believe a child has provided us with Personal Data, please contact us at contact@tallyup.cc.

15. Marketing Communications

Current State

TallyUp currently sends only transactional emails that are necessary for the operation of the Service:

Purchase order emails to suppliers (initiated by Merchants)
Inventory alert digest emails to Merchants (based on their configured alert preferences)

We do not currently send marketing, promotional, or newsletter emails.

Future Marketing Communications

If we introduce marketing communications in the future, we will:

Obtain your explicit opt-in consent before sending any marketing emails
Provide a clear and easy unsubscribe mechanism in every marketing email
Honor unsubscribe requests promptly
Update this Privacy Policy to reflect the change
Never send marketing emails to supplier email addresses

Transactional emails related to the operation of the Service (purchase orders, inventory alerts, account notifications) are not considered marketing and do not require separate opt-in consent.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make changes:

We will update the "Last Updated" date at the top of this Privacy Policy.
For material changes (changes to data collection categories, new Sub-Processors, changes to legal bases, or changes to your rights), we will notify you via email to the address associated with your account or through a prominent notice within the Service, at least 14 days before the changes take effect.
For minor changes (clarifications, formatting, updated contact information), we will update this page without separate notification.

Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you may uninstall TallyUp at any time.

Previous versions of this Privacy Policy are available upon request by contacting us at contact@tallyup.cc.

17. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how we handle your data, please contact us:

Best App
ul. Palacowa 125
08-110 Stok Lacki
Poland

Email: contact@tallyup.cc

Supervisory Authority

If you are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with a data protection supervisory authority.

For residents of Poland and the European Economic Area, the lead supervisory authority is:

Urząd Ochrony Danych Osobowych (UODO)
ul. Stanisława Moniuszki 1A
00-014 Warszawa, Poland
Website: https://uodo.gov.pl

For residents of the United Kingdom, you may contact the Information Commissioner's Office (ICO) at https://ico.org.uk.

For residents of other jurisdictions, please contact your local data protection authority.