Privacy Policy
Last updated: May 11, 2025
Ruraq ("we", "us", or "our") is a receivables management company that assists B2B businesses in recovering overdue invoices. In the course of providing this service, we process personal data relating to our clients, their contacts, and the individuals and businesses associated with the invoices we manage.
This Privacy Policy explains what personal data we collect, on what legal basis we process it, how long we retain it, and what rights you have under the General Data Protection Regulation (GDPR) and applicable national data protection law.
If you have been contacted by Ruraq in connection with an outstanding invoice, it means a company to which you owe a payment has engaged us to assist in recovering that amount. Your contact information was provided to us by that company under the terms of their client agreement with us.
1. Who We Are (Controller)
Ruraq is the data controller for personal data we collect directly from clients and visitors to our website. For personal data relating to debtors (the individuals or companies against whom invoices are outstanding), Ruraq acts as a data processor on behalf of the client company, who is the controller.
Contact: info@ruraq.eu
2. What Personal Data We Collect
From clients (companies that engage our services)
- Business contact details: name, job title, work email address, phone number
- Company information: registered name, company number, address, VAT number
- Invoice data: invoice numbers, amounts, due dates, payment history
- Bank or payment details where relevant to fee collection
- Communications records relating to the engagement
From debtors (parties against whom invoices are outstanding)
This data is provided to us by the client company. It may include:
- Business contact details: name, job title, work email address, phone number
- Company information: registered name, address, and any related identifiers
- Invoice and payment history data provided by the client
- Communication records from our recovery interactions
From website visitors
- Contact form submissions (name, company, email, and qualifying information you provide)
- Anonymous usage analytics via Google Analytics (pages viewed, session duration, referral source)
3. Legal Basis for Processing
Clients
- Performance of a contract (Article 6(1)(b) GDPR): Processing is necessary to deliver our receivables recovery service under the terms agreed with each client.
- Legitimate interests (Article 6(1)(f) GDPR): We process data for billing, record-keeping, and the prevention of fraud.
- Legal obligation (Article 6(1)(c) GDPR): Where applicable tax, accounting, or regulatory obligations require retention of records.
Debtors
- Legitimate interests (Article 6(1)(f) GDPR): The recovery of a legitimate, undisputed commercial debt is a recognised legitimate interest under GDPR. We balance this against your rights and interests and limit processing to what is strictly necessary for recovery purposes.
Website visitors
- Legitimate interests: Responding to enquiries and improving our website.
- Consent: Where analytics cookies are used, we rely on your consent.
4. How We Use Personal Data
- To contact the relevant parties regarding outstanding invoices on behalf of our clients
- To manage the recovery process, including negotiating payment terms and recording communications
- To invoice clients for our success fee upon recovery
- To respond to enquiries submitted via our website
- To maintain accurate records of our activities for legal and regulatory purposes
- To improve our services and our website
We do not use personal data for any form of automated decision-making or profiling that produces legal or similarly significant effects.
5. Data Sharing
We do not sell personal data. We may share data with:
- Our client: Progress updates and communications records relating to their invoices are shared with the client who engaged us.
- Service providers: We use third-party providers for CRM, email, and analytics tools. These providers act as processors under appropriate data processing agreements and are not permitted to use data for their own purposes.
- Legal or regulatory authorities: Where required by law, court order, or regulatory obligation.
6. International Transfers
We are based in the European Union and primarily process data within the EU/EEA. Where any service provider is located outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
7. Data Retention
- Client and engagement records: Retained for 7 years from the end of the engagement to comply with accounting and tax obligations, and in case of disputes.
- Debtor communication records: Retained for the duration of the recovery engagement and for 2 years thereafter.
- Website enquiry data: Retained for 12 months from the date of submission unless a client relationship follows, in which case the client retention period applies.
- Analytics data: Anonymised and retained for up to 26 months in line with Google Analytics default settings.
8. Your Rights Under GDPR
Depending on your relationship with us and the legal basis for processing, you may have the following rights:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may ask us to correct inaccurate data.
- Right to erasure: You may ask us to delete your data where there is no overriding legal basis for retention.
- Right to restrict processing: You may ask us to limit how we use your data in certain circumstances.
- Right to object: Where we rely on legitimate interests, you have the right to object. Note that in the context of lawful debt recovery, this right may be outweighed by our legitimate interest and that of the creditor.
- Right to data portability: Where applicable, you may request your data in a structured, commonly used format.
To exercise any of these rights, contact us at info@ruraq.eu. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
9. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include:
- HTTPS encryption for all data in transit
- Access controls limiting data access to authorised personnel only
- Regular review of our data handling practices
10. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated to active clients directly.
11. Contact
For any questions, requests, or complaints relating to your personal data, please contact us at:
Email: info@ruraq.eu