Privacy Policy
Last updated: 1 February 2026
1. Introduction
This Privacy Policy explains how Crocker Digital Ltd ("we", "us", "our"), a company registered in England and Wales (Company No. 17008789), collects, uses, stores, and protects your personal data when you use the AnswerVault platform ("Service").
We are the data controller for your personal data. We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Data We Collect
We collect the following categories of personal data:
Account information
- Name and email address (provided during registration)
- Organisation name
- Password (stored in hashed form only)
- User role within the organisation
Billing information
- Payment card details (processed and stored by Stripe; we do not store card numbers)
- Billing address
- Invoice history
Service usage data
- Facts, documents, and questionnaire responses you create within the Service
- Audit log entries (actions taken within the platform)
- Feature usage analytics (aggregated and anonymised)
Technical data
- IP address
- Browser type and version
- Pages visited and actions taken (collected via GoatCounter, which is cookieless and privacy-respecting)
3. Lawful Basis for Processing
We process your personal data on the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Providing the Service | Contract performance |
| Processing payments | Contract performance |
| Service improvement and analytics | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
| Customer support | Legitimate interest |
| Marketing communications | Consent (opt-in) |
| Legal compliance | Legal obligation |
4. Sub-processors and Third Parties
We use the following third-party services to operate the platform. Each has been selected for its strong data protection practices:
| Service | Purpose | Data Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (AWS eu-west-2) |
| Stripe | Payment processing | USA (with EU SCCs) |
| Resend | Transactional email delivery | USA (with EU SCCs) |
| Netlify | Website hosting and deployment | USA (with EU SCCs) |
| GoatCounter | Privacy-friendly website analytics (cookieless) | EU |
Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO.
5. Data Retention
We retain your personal data as follows:
- Active subscription: Your data is retained for as long as your subscription is active and you maintain an account with us.
- Post-cancellation: After you cancel your subscription, your account data (including all facts, documents, and questionnaire responses) is retained for 30 days to allow you to reactivate or export your data. After 30 days, it is permanently deleted.
- Billing records: Invoice and payment records are retained for 7 years in accordance with UK tax and accounting requirements.
- Audit logs: Audit log data is retained according to your subscription tier (90 days to 2 years) and deleted thereafter.
6. Your Rights (DSAR)
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: You can request a copy of the personal data we hold about you.
- Right to rectification: You can ask us to correct inaccurate or incomplete personal data.
- Right to erasure: You can ask us to delete your personal data in certain circumstances.
- Right to restrict processing: You can ask us to limit how we use your data in certain circumstances.
- Right to data portability: You can request your data in a structured, commonly used format.
- Right to object: You can object to processing based on legitimate interest.
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, please email us at privacy@answervault.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Cookies
AnswerVault uses a minimal approach to cookies:
- Session cookies: We use essential session cookies for authentication only. These are strictly necessary for the Service to function and expire when you close your browser or after your session ends.
- Analytics: We use GoatCounter for website analytics, which is a cookieless, privacy-respecting analytics tool. It does not set any cookies or track individual users.
- No third-party tracking: We do not use any third-party advertising or tracking cookies.
For more details, please see our Cookie Policy.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS) and at rest
- Row-level security policies in our database
- Regular security reviews and updates
- Access controls and principle of least privilege
- Secure password hashing (bcrypt via Supabase Auth)
9. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. The "Last updated" date at the top of this page indicates the most recent revision.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Crocker Digital Ltd
Company No. 17008789
Email: privacy@answervault.co.uk