Privacy Policy

Last updated: 7 May 2026

7 May 2026 — Dual-role framing added (controller for account data; processor for ESG content uploaded by Customers, governed by the DPA). Stripe contracting entity corrected to Stripe Payments Europe, Limited (Dublin, IE), with Stripe LLC (US) disclosed as importer under the UK Data Bridge. Microsoft 365 (Microsoft Ireland Operations Limited) added for the support-mailbox processing channel.

24 April 2026 — Sub-processors and international transfers updated for Cloudflare Turnstile and Upstash; feedback and cancellation-comment retention disclosed.

This policy explains how Crocker Digital Ltd (Company No. 17008789) ("we", "us", "our") collects, uses, and protects personal data through the AnswerVault service at answervault.co.uk.

You can reach us at support@answervault.co.uk.

The two capacities we act in

When you create an account and use AnswerVault, we act in two distinct roles depending on the data:

Controller — for your account data. We are the data controller for your name, email, billing details, and account preferences. We process this data to operate your account, deliver the Service, and meet our legal obligations. The rest of this Privacy Policy describes that processing.

Processor — for ESG content you upload. When you upload company facts, supplier data, employee diversity metrics, or other content containing personal data about your employees, suppliers, or other individuals, we process that data as your processor on your documented instructions. The Data Processing Agreement at /legal/dpa/ governs that processing. You remain the controller of that data and are responsible for the lawful basis on which you collect and share it.

Data we collect

Account information

  • What: Name, email address, organisation name, and hashed password.
  • Lawful basis: Contractual necessity — we need this to create and manage your account.
  • Retention: Retained while your account is active. Deleted 30 days after account closure.

ESG data you store

  • What: Facts, documents, questionnaire responses, evidence files, and related content you upload or create in AnswerVault.
  • Lawful basis: Contractual necessity — this is the core data the Service manages for you.
  • Retention: Retained while your account is active. Soft-deleted for 30 days after deletion, then permanently removed.

Billing information

  • What: Subscription tier, billing cycle, and payment status. Card details are held by Stripe and never stored on our servers.
  • Lawful basis: Contractual necessity — to manage your subscription.
  • Retention: Transaction records retained for 7 years as required by UK tax law.

Audit logs

  • What: Timestamped records of account actions (logins, data changes, exports) for security and accountability.
  • Lawful basis: Legitimate interest — security monitoring and compliance support.
  • Retention: Depends on your subscription tier: Starter 90 days, Professional 1 year, Business 2 years.

Anonymous analytics

  • What: Anonymous page views collected via GoatCounter, a privacy-focused, cookie-free analytics service. No personal data is collected. No tracking cookies are set.
  • Lawful basis: Legitimate interest — understanding how people use the website.
  • Retention: Aggregated indefinitely. No personal data is stored.

Transactional emails

  • What: Email address used to send password resets, billing notifications, and account alerts via Resend.
  • Lawful basis: Contractual necessity — service communications.

User feedback & cancellation comments

  • What: Cancellation reasons (category and free-text detail), NPS scores, in-app micro-feedback and any free-text comments you submit on the feedback or cancellation flows.
  • Lawful basis: Legitimate interest — product improvement and churn analytics. Linkable to your account via user and organisation identifiers; free-text content may identify the author.
  • Retention: 730 days (2 years) from submission. After expiry, rows are hard-deleted by the weekly scheduled purge.

How we use your data

  • Account information is used to provide and manage your AnswerVault subscription.
  • ESG data is used solely to provide the Service. It is never shared with third parties.
  • Billing data is processed by Stripe to manage payments.
  • Audit logs are used for security monitoring and to support your compliance needs.
  • Analytics data is aggregated and anonymous — we cannot identify individual visitors.
  • We will never sell your personal data or share it with third parties for marketing purposes.

Sub-processors

We use third-party services to provide AnswerVault. Each has a data processing agreement in place. For the full list — including service, purpose, data processed, processing location and the transfer mechanism where the processor operates outside the UK/EEA — see our Sub-processors page.

Cookies

This website uses only essential session cookies set by Supabase for authentication (maintaining your logged-in session). These are strictly necessary for the Service to function and do not require consent.

GoatCounter is a cookie-free analytics service. No tracking cookies, advertising cookies, or third-party cookies are set. No cookie consent banner is required.

For full details, see our Cookies Policy.

Your rights under UK GDPR

You have the right to:

  • Access your personal data — request a copy of the data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your data (subject to legal retention requirements).
  • Data portability — receive your data in a structured, commonly used format.
  • Restrict processing — request that we limit how we use your data.
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

How to exercise your rights

  • Self-service data export: Use the data export feature in your account settings at any time.
  • Account deletion: Request account deletion from your account settings. Data enters a 30-day recovery window, then is permanently deleted.
  • Other requests: Email support@answervault.co.uk. We will respond within 30 days.

Data security

We implement appropriate technical and organisational measures to protect your data, including:

  • Row-level security (RLS) on all database tables
  • Encryption in transit (TLS) and at rest
  • SHA-256 checksums for document integrity verification
  • Rate limiting on API endpoints
  • CSRF protection

For more details, see our Security Policy.

International transfers

Your data is primarily processed within the UK (Supabase, London — eu-west-2). Where sub-processors process personal data outside the UK or EU/EEA, the following safeguards apply per processor:

  • Stripe (EU contracting entity, with US importer for group support): Stripe Payments Europe, Limited (One Wilton Park, Wilton Place, Dublin 2, D02FX04, Ireland) is the contracting entity; adequacy applies. Where group support operations involve a transfer to Stripe, Inc. or Stripe LLC (US), Stripe relies on the UK Extension to the EU-US Data Privacy Framework (UK Data Bridge), with SCCs as a fall-back.
  • Resend (US): UK International Data Transfer Addendum (IDTA) to the EU SCCs. Contracting entity is Plus Five Five, Inc. (operating as Resend; San Francisco, USA).
  • Sentry: EU region (de.sentry.io) selected for the project, so processing takes place in the EU/EEA in ordinary operation. SCCs held as a fallback under Sentry's own DPA. Contracting entity is Functional Software, Inc. (US).
  • Netlify (US): UK IDTA to the EU SCCs.
  • GoatCounter (NL): EU/EEA — no third-country transfer.
  • Upstash (multi-region, primary EU): EU/EEA selected; UK IDTA where US fall-back applies.
  • Cloudflare Turnstile (US, global edge): UK IDTA to the EU SCCs. Processes IP, user agent and browser-fingerprint signals for bot-protection challenges on signup, login and password-reset forms only.
  • Microsoft 365 (Microsoft Ireland Operations Limited, IE): EU contracting entity; adequacy applies. Microsoft 365 hosts the support@answervault.co.uk mailbox we use for support correspondence and DSR-instruction handling. Microsoft's Online Services DPA governs the processing.

The full list of sub-processors and their roles is on the sub-processors page. We will update this list before adding a new sub-processor.

Children

AnswerVault is a business service. We do not knowingly collect data from anyone under 18.

Changes to this policy

We may update this policy as AnswerVault develops. Significant changes will be communicated via email to registered users at least 14 days before they take effect.

Complaints

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO):

Admin access

A small number of named operators at Crocker Digital Ltd hold administrative access to AnswerVault systems for support, billing reconciliation, and incident response. Admin access is logged in the audit log accessible to the affected organisation. Access is granted on a least-privilege basis and revoked when no longer needed.

Audit log contents

Our audit log records actions taken in your account (e.g. who exported a questionnaire, who invited a team member). It includes user identifiers, timestamps, action names, and operational metadata such as filenames and Stripe reference IDs. It does not include passwords, response text, or document contents. Lawful basis: Article 6(1)(f) legitimate interests (operating an audit-able compliance product is a stated purpose at signup and a foreseeable buyer expectation).

Contact

For privacy-related questions, contact us at support@answervault.co.uk.

Crocker Digital Ltd (Company No. 17008789), registered in England and Wales.

Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

ICO registration: ZC128626. The ICO data-protection fee is a statutory obligation under the Data Protection (Charges and Information) Regulations 2018.