Privacy Policy

Last updated: 26 March 2026

This policy explains how Crocker Digital Ltd (Company No. 17008789) ("we", "us", "our") collects, uses, and protects personal data through the AnswerVault service at answervault.co.uk.

We are the data controller for personal data processed through the Service. You can reach us at support@answervault.co.uk.

Data we collect

Account information

  • What: Name, email address, organisation name, and hashed password.
  • Lawful basis: Contractual necessity — we need this to create and manage your account.
  • Retention: Retained while your account is active. Deleted 30 days after account closure.

ESG data you store

  • What: Facts, documents, questionnaire responses, evidence files, and related content you upload or create in AnswerVault.
  • Lawful basis: Contractual necessity — this is the core data the Service manages for you.
  • Retention: Retained while your account is active. Soft-deleted for 30 days after deletion, then permanently removed.

Billing information

  • What: Subscription tier, billing cycle, and payment status. Card details are held by Stripe and never stored on our servers.
  • Lawful basis: Contractual necessity — to manage your subscription.
  • Retention: Transaction records retained for 7 years as required by UK tax law.

Audit logs

  • What: Timestamped records of account actions (logins, data changes, exports) for security and accountability.
  • Lawful basis: Legitimate interest — security monitoring and compliance support.
  • Retention: Depends on your subscription tier: Starter 90 days, Professional 1 year, Business 2 years.

Anonymous analytics

  • What: Anonymous page views collected via GoatCounter, a privacy-focused, cookie-free analytics service. No personal data is collected. No tracking cookies are set.
  • Lawful basis: Legitimate interest — understanding how people use the website.
  • Retention: Aggregated indefinitely. No personal data is stored.

Transactional emails

  • What: Email address used to send password resets, billing notifications, and account alerts via Resend.
  • Lawful basis: Contractual necessity — service communications.

How we use your data

  • Account information is used to provide and manage your AnswerVault subscription.
  • ESG data is used solely to provide the Service. It is never shared with third parties.
  • Billing data is processed by Stripe to manage payments.
  • Audit logs are used for security monitoring and to support your compliance needs.
  • Analytics data is aggregated and anonymous — we cannot identify individual visitors.
  • We will never sell your personal data or share it with third parties for marketing purposes.

Sub-processors

We use the following third-party services to provide AnswerVault. Each has a data processing agreement in place. For the full list, see our Sub-processors page.

Service      Purpose                                 Data processed
Supabase     Database, authentication, file storage  Account data, ESG data, documents
Stripe       Payment processing                      Billing and payment data
Resend       Transactional email                     Email address, message content
GoatCounter  Website analytics                       Anonymous page views (no personal data)
Netlify      Website hosting                         Server logs (IP addresses, request data)
Sentry       Error monitoring                        Error reports (may include anonymised usage context)

Cookies

This website uses only essential session cookies set by Supabase for authentication (maintaining your logged-in session). These are strictly necessary for the Service to function and do not require consent.

GoatCounter is a cookie-free analytics service. No tracking cookies, advertising cookies, or third-party cookies are set. No cookie consent banner is required.

For full details, see our Cookies Policy.

Your rights under UK GDPR

You have the right to:

  • Access your personal data — request a copy of the data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your data (subject to legal retention requirements).
  • Data portability — receive your data in a structured, commonly used format.
  • Restrict processing — request that we limit how we use your data.
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

How to exercise your rights

  • Self-service data export: Use the data export feature in your account settings at any time.
  • Account deletion: Request account deletion from your account settings. Data enters a 30-day recovery window, then is permanently deleted.
  • Other requests: Email support@answervault.co.uk. We will respond within 30 days.

Data security

We implement appropriate technical and organisational measures to protect your data, including:

  • Row-level security (RLS) on all database tables
  • Encryption in transit (TLS) and at rest
  • SHA-256 checksums for document integrity verification
  • Rate limiting on API endpoints
  • CSRF protection

For more details, see our Security Policy.

International transfers

Your data is primarily processed within the EU/EEA (Supabase EU region). Where sub-processors process data outside the UK or EU/EEA, appropriate safeguards are in place (Standard Contractual Clauses or equivalent).

Children

AnswerVault is a business service. We do not knowingly collect data from anyone under 18.

Changes to this policy

We may update this policy as AnswerVault develops. Significant changes will be communicated via email to registered users at least 14 days before they take effect.

Complaints

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO):

Contact

For privacy-related questions, contact us at support@answervault.co.uk.

Crocker Digital Ltd (Company No. 17008789), registered in England and Wales.