R1SK

Privacy Policy

Last updated: 5 January 2026

1. Introduction

R1SK ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital risk assessment and risk management solution ("Service").

This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable UK data protection laws.

By using our Service, you consent to the data practices described in this policy. If you do not agree with the data practices described in this policy, you should not use our Service.

2. Data Controller

R1SK is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, please contact us using the details provided at the end of this policy.

3. Information We Collect

3.1 Personal Information

We may collect the following types of personal information:

  • Account Information: Name, email address, phone number, job title, and company name
  • Authentication Data: Username, password (stored in encrypted form), and authentication tokens
  • Risk Assessment Data: Information you provide when creating and managing risk assessments, including assessment details, risk ratings, and control measures
  • Usage Data: Information about how you use our Service, including pages visited, features used, and time spent on the platform
  • Technical Data: IP address, browser type and version, device information, operating system, and unique device identifiers
  • Communication Data: Records of correspondence when you contact us for support or enquiries
  • Payment Information: Billing address and payment card details (processed securely through third-party payment processors)

3.2 How We Collect Information

We collect information through:

  • Direct interactions when you register, create assessments, or contact us
  • Automated technologies such as cookies, server logs, and analytics tools
  • Third-party sources such as payment processors and authentication providers

4. Legal Basis for Processing

Under UK GDPR, we process your personal data based on the following legal grounds:

  • Contractual Necessity: To perform our contract with you and provide the Service
  • Legitimate Interests: To improve our Service, ensure security, and prevent fraud
  • Legal Obligation: To comply with applicable laws and regulations
  • Consent: Where you have given clear consent for specific processing activities

5. How We Use Your Information

We use your personal information for the following purposes:

  • To provide, maintain, and improve our Service
  • To process transactions and manage your account
  • To create and manage risk assessments and related documentation
  • To send you service-related communications, including updates and security alerts
  • To respond to your enquiries and provide customer support
  • To detect, prevent, and address technical issues and security threats
  • To comply with legal obligations and enforce our terms of service
  • To analyse usage patterns and improve user experience
  • To send marketing communications (only with your consent, which you can withdraw at any time)

6. Data Sharing and Disclosure

We may share your personal information in the following circumstances:

  • Service Providers: With trusted third-party service providers who assist us in operating our Service, such as cloud hosting providers, payment processors, and analytics services. These providers are contractually obligated to protect your data and use it only for specified purposes.
  • Business Transfers: In connection with any merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.
  • Legal Requirements: When required by law, court order, or government regulation, or to protect our rights, property, or safety, or that of our users or others.
  • With Your Consent: We may share your information with other parties when you have given explicit consent.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit and at rest
  • Multi-tenant architecture to ensure data isolation
  • Regular security assessments and updates
  • Access controls and authentication mechanisms
  • Employee training on data protection
  • Incident response procedures

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:

  • Account Data: Retained while your account is active and for a reasonable period thereafter to comply with legal obligations
  • Risk Assessment Data: Retained in accordance with your subscription plan and legal requirements for health and safety record-keeping
  • Transaction Records: Retained for 7 years as required by UK tax and accounting laws
  • Marketing Data: Retained until you withdraw consent or opt out

When we no longer need your personal data, we will securely delete or anonymise it.

9. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of Access: You can request a copy of the personal data we hold about you
  • Right to Rectification: You can request correction of inaccurate or incomplete data
  • Right to Erasure: You can request deletion of your personal data in certain circumstances
  • Right to Restrict Processing: You can request that we limit how we use your data
  • Right to Data Portability: You can request a copy of your data in a structured, machine-readable format
  • Right to Object: You can object to processing based on legitimate interests or for direct marketing
  • Rights Related to Automated Decision-Making: You have rights regarding automated processing and profiling
  • Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, please contact us using the details provided at the end of this policy. We will respond to your request within one month, though this may be extended in complex cases.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority, if you believe we have not handled your personal data in accordance with data protection laws.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Service and store certain information. Cookies are small data files stored on your device.

We use the following types of cookies:

  • Essential Cookies: Required for the Service to function properly
  • Analytics Cookies: Help us understand how users interact with our Service
  • Functional Cookies: Remember your preferences and settings

You can control cookies through your browser settings. However, disabling certain cookies may affect the functionality of our Service.

11. International Data Transfers

Your personal data may be transferred to and processed in countries outside the UK. When we transfer data internationally, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the UK government
  • Adequacy decisions recognising the recipient country's data protection laws
  • Other appropriate safeguards as required by UK GDPR

12. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us immediately.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

R1SK Data Protection Officer

Please use our contact form and include "Privacy Related Enquiry" in your message. This ensures your request is handled appropriately and efficiently.

We aim to respond to all privacy-related enquiries within 30 days.

You can also contact the Information Commissioner's Office (ICO) if you have concerns about how we handle your data:

Information Commissioner's Office

Website: ico.org.uk

Phone: 0303 123 1113