This Privacy Policy explains how AEO-Rex Ltd ("we", "us", "our"), the operator of Rex Commerce® (rex.aeo-rex.com), collects, uses, stores, and protects your personal data when you visit the site, join the waitlist, or otherwise interact with our services. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Data controller: AEO-Rex Ltd (Companies House #17018571), registered in England & Wales, operating from Birmingham, West Midlands, United Kingdom.
Contact for privacy enquiries: shanazbegum@aeo-rex.com
If you would like to exercise any of your rights under UK GDPR (set out in section 7 below), please write to the address above.
2. What personal data we collect
We collect the minimum data needed to operate the waitlist, deliver the AI Visibility Check, and respond to enquiries. Specifically:
| Category | Examples | Source |
|---|---|---|
| Identity & contact data | Email address | Provided by you via the waitlist form |
| Signup context | Source of your visit (e.g. ?source=newsletter) and the date you joined the waitlist | Captured automatically from the URL when you submit |
| Technical data | IP address, browser type, device type, referrer, request timestamps | Captured automatically by our hosting provider's server logs |
| Communications | The contents of emails or messages you send us | Provided by you when you contact us |
We do not collect special category data (race, health, religion, biometrics) and we do not knowingly collect data from anyone under the age of 18.
3. How we use your data
We process your personal data for the following purposes:
- Waitlist administration — adding you to the Q3 / Q4 2026 cohort waitlist and notifying you of cohort decisions.
- AI Visibility Check delivery — preparing and emailing your free audit.
- Service communications — replying to your enquiries and sending onboarding instructions if you proceed.
- Marketing emails about Rex Commerce® — only if you give explicit consent and only until you unsubscribe.
- Site security and abuse prevention — analysing server logs to detect spam, fraud, and unauthorised access.
- Aggregate analytics — measuring waitlist signups and traffic sources in aggregate, never tied to individual identities.
4. Lawful basis for processing
We rely on the following lawful bases under Article 6 of the UK GDPR:
- Consent (Art. 6(1)(a)) — for marketing emails and waitlist communications. You can withdraw consent at any time using the one-click unsubscribe link in every email.
- Legitimate interests (Art. 6(1)(f)) — for site security, fraud prevention, server-log analysis, and responding to direct enquiries. Our legitimate interest is operating a secure, working website. We have assessed that this interest is not overridden by your rights.
- Contract (Art. 6(1)(b)) — once you become a paying client, for delivering the service and meeting our contractual obligations to you.
5. Sub-processors and third parties
We share your data only with the third parties listed below, and only to the extent needed for them to perform their service. Each is bound by a written data-processing agreement that meets UK GDPR Article 28 standards.
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| MailerLite | Email delivery for waitlist + transactional messages | Email, signup source, signup date, custom fields | EU (Lithuania) with US-region failover |
| Netlify | Static site hosting, serverless functions, CDN | IP address, request logs, form payloads | United States (with EU edge caching) |
| Google Fonts | Web font delivery (Bricolage Grotesque, Manrope, JetBrains Mono) | IP address (transient, for font request) | Global CDN |
We do not sell your personal data. We do not share it with advertising networks. We do not use third-party tracking pixels or analytics that profile individual users.
6. International data transfers
Where your data is transferred outside the United Kingdom (e.g. to Netlify in the United States), we rely on the UK Government's adequacy decisions where available, or on Standard Contractual Clauses (SCCs) supplemented by the UK International Data Transfer Addendum. You can request a copy of the relevant transfer mechanism by emailing us.
7. Your rights under UK GDPR
You have the following rights regarding your personal data. We will respond to any request within one calendar month.
- Right of access — you can ask for a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — you can ask us to delete your data, subject to limited legal exceptions.
- Right to restrict processing — you can ask us to pause processing while we investigate a query.
- Right to data portability — you can ask for your data in a machine-readable format to transfer to another service.
- Right to object — you can object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent — you can withdraw marketing consent at any time without affecting prior lawful processing.
- Right to lodge a complaint — with the Information Commissioner's Office (ico.org.uk, 0303 123 1113) if you believe we have mishandled your data.
To exercise any of these rights, email shanazbegum@aeo-rex.com. We may need to verify your identity before acting on a request.
8. Data retention
We retain personal data only as long as is necessary for the purposes set out above:
- Waitlist email addresses — until you unsubscribe, after which we retain only a suppression record (a hash of your email address) so we don't accidentally re-add you.
- Client records — for the duration of the engagement plus 6 years thereafter, to meet UK tax and accounting obligations.
- Server logs — 30 days, then deleted automatically.
- Email correspondence — 24 months, unless retention is required to defend a legal claim.
9. Cookies and similar technologies
This website does not set advertising or analytics cookies. The only data automatically captured is the standard server log data described in section 2. We do not use Google Analytics, Meta Pixel, or similar third-party trackers.
Your browser may receive transient cookies from Google Fonts as part of font delivery — these are first-party to fonts.googleapis.com and not under our control. If you disable third-party fonts in your browser settings, the site will fall back to system fonts.
10. Security
We protect your data with industry-standard measures: TLS 1.3 encryption in transit, HSTS-enforced HTTPS, Content-Security-Policy headers, and access control on our sub-processor accounts (multi-factor authentication required). Our hosting infrastructure (Netlify) and email infrastructure (MailerLite) both hold ISO 27001 certifications.
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware, and we will notify affected individuals without undue delay where the risk is high.
11. Children's privacy
Rex Commerce® is a B2B service intended for UK-registered businesses. We do not knowingly process personal data from anyone under 18. If you believe we hold data about a child, contact us and we will delete it.
12. Changes to this policy
We may update this Privacy Policy to reflect changes in the law or our practices. We will post any changes on this page and update the "Last updated" date at the top. For material changes, we will notify waitlist subscribers by email at least 30 days before the change takes effect.
13. Contact us
If you have any questions about this Privacy Policy or your personal data, please contact:
AEO-Rex Ltd
Privacy Enquiries
Birmingham, West Midlands, United Kingdom
Companies House #17018571
Email: shanazbegum@aeo-rex.com