This policy explains how Traction Automotive Ltd collects, uses, and protects your personal data when you use our product, Momentum Reach. We are committed to handling your data responsibly and in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Traction Automotive Ltd is the data controller for Momentum Reach. We are a private limited company registered in England and Wales (Companies House number: 16963413), trading as Momentum Business Support. Our registered address is available at Companies House.
We have not appointed a Data Protection Officer, as one is not required given the nature and scale of our processing. If you have any questions about how we handle your data, or wish to exercise any of your rights under the UK GDPR, please contact us at:
Email: privacy@momentum-reach.com
Website: momentum-businesssupport.com
2. Our product
Momentum Reach is a marketing advisor application designed for UK small businesses. It helps users create social media content, schedule Facebook posts, manage email campaigns via Mailchimp, monitor competitor activity, and track marketing performance. The app uses AI to provide consultation and content generation features personalised to each business.
3. What data we collect
The personal data we collect is limited to information provided by the user of the Service and relates to the user themselves and their business. Specifically, we may collect and store:
- Your name, email address, and phone number, used to create and manage your account
- Business information you provide during onboarding, such as your business name, location, sector, website, the products or services you offer, and your target customer profile. We do not collect or store personal data about your individual customers
- Content you create within the app, including social media posts, campaign copy, and marketing assets
- Facebook page connection details, including your page name, page ID, and access tokens required to publish content on your behalf
- Performance data related to your Facebook posts, such as reach, impressions, and engagement metrics retrieved via the Facebook Graph API
- App usage data, including session timestamps and activity logs
We do not process special category data as defined under Article 9 of the UK GDPR, including data concerning health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, sex life, or sexual orientation.
Momentum Reach is not a data processor for your customers' personal data. Where you use integrated services such as Mailchimp to contact your customers, you input that data directly into the third-party service and those providers act as the data processor for that data under their own terms.
4. How we use your data
We use your data only to provide and improve the Service. The table below sets out each purpose and the lawful basis on which we rely under Article 6 of the UK GDPR.
| Purpose | Lawful basis |
|---|---|
| Creating and managing your account and delivering the Service | Performance of a contract (Article 6(1)(b)) |
| Sending service-related communications, such as welcome emails and password resets | Performance of a contract (Article 6(1)(b)) |
| Connecting to your Facebook page, publishing content you have approved, and retrieving post performance data | Consent (Article 6(1)(a)), which you may withdraw at any time |
| Improving the Service, monitoring usage, and maintaining security | Our legitimate interests in operating and developing the Service (Article 6(1)(f)) |
| Complying with legal, tax, and accounting obligations | Legal obligation (Article 6(1)(c)) |
We do not sell your data. We do not use your data for advertising purposes. We do not share your data with third parties except as described in section 5.
5. Third-party services we use
The Service is built on a small number of trusted third-party platforms. Where these providers process personal data on our behalf, they act as our data processors under contractual terms that require them to protect your data in line with UK GDPR.
- Google Firebase, used to store your account data, app content, and uploaded files securely in the cloud. Firebase is operated by Google LLC. Google acts as our data processor for this data.
- Google Gemini API, the AI model that powers the assistant features in the app. Content you create within the Service, including your business profile and the copy and images you submit for AI-assisted generation, may be processed by Gemini to produce responses. We use the paid tier of the Gemini API via our Google Cloud billing account. Under Google's paid-tier terms, Google does not use your prompts or Gemini's responses to train or improve its AI models. Google acts as our data processor for this data.
- Meta (Facebook), used to connect your Facebook page, publish posts, and retrieve performance data. When you connect your Facebook account, Meta's own privacy policy and platform terms also apply. Meta acts as an independent data controller for data processed within its own platform.
- Mailchimp (Intuit), used to send email campaigns where you have chosen to set up this integration. Any recipient data you upload to Mailchimp is managed by you directly under Mailchimp's terms. Mailchimp acts as the data processor for that data under its agreement with you.
6. International data transfers
Several of our third-party providers, including Google, Meta, and Mailchimp, are based in the United States or store data in data centres outside the United Kingdom. Where your personal data is transferred outside the UK, we rely on one or more of the following safeguards:
- The UK Extension to the EU-US Data Privacy Framework, where the receiving organisation is certified under that framework
- UK International Data Transfer Agreements or Standard Contractual Clauses approved by the Information Commissioner's Office, as incorporated into our contracts with these providers
- UK adequacy decisions, where they apply to the receiving country
If you would like more information about the specific safeguards in place for a particular provider, please contact us at privacy@momentum-reach.com.
7. Facebook data and permissions
When you connect your Facebook page to Momentum Reach, we request limited permissions via the Facebook Graph API. These permissions are used only to provide core functionality within the Service and only after you have authorised access. The lawful basis for this processing is your consent, which you may withdraw at any time by disconnecting your Facebook page from within the app.
- pages_show_list, to allow you to select and connect the Facebook Pages you manage
- pages_read_engagement, to retrieve basic performance data such as reach and engagement for posts published via the Service
- pages_manage_posts, to publish content to your Facebook Page only after you have created and approved the post within the Service
We store your Facebook page access token securely in Firebase. We use it only to publish content you have chosen to create or schedule, and to retrieve performance data for posts published through the Service. We do not access your personal Facebook profile, your friends list, or any data beyond what is needed to operate the Service.
You can disconnect your Facebook page at any time from within the app. Doing so will remove your stored access token immediately and stop any scheduled content from publishing. If your account is deleted without you manually disconnecting, your access token and Facebook performance data will be deleted within 30 days as part of the account data deletion process described in section 9.
If you would like us to delete any Facebook-related data associated with your account, you can request this at any time by emailing privacy@momentum-reach.com. We will process all data deletion requests within 30 days.
8. Data security
We take reasonable and appropriate technical and organisational measures to protect your data. Specifically:
- All data is stored in Google Firebase, which is protected by Google's enterprise-grade security infrastructure
- Data is encrypted at rest by Google Cloud by default, and in transit over HTTPS
- Authentication is handled by Firebase Authentication
- Administrative access to your data within Traction Automotive Ltd is restricted to personnel who require it to operate and support the Service
- Sensitive credentials such as API secrets are stored in Google Cloud Secret Manager and are never exposed in the application code or to the browser
In the event of a personal data breach, we will notify the Information Commissioner's Office within 72 hours of becoming aware of it, where required under Article 33 of the UK GDPR. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in line with Article 34.
9. How long we keep your data
We keep your data for as long as your account is active. If you request deletion of your account, we will delete your account data from our production systems within 30 days of your request.
Some data may be retained for a short period in Google's backup systems after deletion from production. Our backup retention window is not expected to exceed 90 days from the point of deletion.
Certain limited data may be retained beyond these periods where we are required to do so by law, for example accounting records which we are required to keep for six years under UK tax law.
10. Your rights under UK GDPR
As a UK-based user, you have the following rights regarding your personal data:
- The right to access the data we hold about you
- The right to correct inaccurate or incomplete data
- The right to request deletion of your data (the "right to be forgotten")
- The right to restrict or object to how we process your data
- The right to data portability
- The right to withdraw consent at any time, where consent is the lawful basis for processing (for example, Facebook integration)
- The right not to be subject to a decision based solely on automated processing which produces legal or similarly significant effects. We do not engage in solely automated decision-making of this kind
To exercise any of these rights, contact us at privacy@momentum-reach.com. Exercising these rights is free of charge, except in limited circumstances permitted by law. We may ask you to verify your identity before processing a request. We will respond within one month of receiving a valid request.
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
11. Cookies
Momentum Reach uses a small number of cookies that are strictly necessary for the app to function. These include cookies set by Firebase Authentication to manage your login session. They do not track you for advertising purposes.
The Facebook SDK, which is loaded when you connect your Facebook page, may also set cookies in line with Meta's own cookie policy. These cookies are governed by Meta's own platform.
We do not currently use analytics or advertising cookies. If this changes in the future, we will update this policy and, where required under the Privacy and Electronic Communications Regulations 2003, we will obtain your consent before setting such cookies.
12. Children's data
The Service is intended for use by businesses and their authorised representatives only. It is not directed at individuals under the age of 18, and we do not knowingly collect personal data from individuals under 18. If you believe that a child has provided us with personal data, please contact us at privacy@momentum-reach.com and we will take steps to remove it.
13. Changes to this policy
We may update this policy from time to time as our product develops. Where we make material changes, we will notify you by email to the address associated with your account at least 14 days before the changes take effect. For non-material changes, we will update the effective date at the top of this page. We recommend reviewing this policy periodically.