Privacy Policy

ComplicEdge Ltd is a company registered in England and Wales (company number XXXXXXXX) with its registered address in London, England. For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, ComplicEdge Ltd is the data controller in respect of the personal data we collect about our business customers, prospective customers, and visitors to our website.

Where we process personal data of workers and other individuals on behalf of our customer organisations (tenants), we act as a data processor. In that context, the tenant organisation is the data controller and determines the purposes and means of processing. Please refer to Section 4 below for further detail on our role as a data processor.

We collect and process the following categories of personal data: (a) Account and identity data — names, email addresses, job titles, and organisational roles of individuals who administer or use the platform on behalf of a tenant organisation. (b) Workforce compliance data — worker names, email addresses, certification records, training histories, qualification expiry dates, and related employment compliance information, submitted by or on behalf of tenant organisations. (c) Audit and security data — platform activity logs, authentication records, IP addresses, browser and device information, and tamper-evident audit trail entries. (d) Communications data — enquiries submitted through our contact form, support correspondence, and related metadata.

We do not collect special category data (e.g. health data, trade union membership, or biometric data) unless explicitly required by a tenant’s compliance workflow and processed strictly under the tenant’s instructions as data controller.

We process personal data under the following lawful bases as set out in Article 6(1) of the UK GDPR: (a) Contract performance — processing is necessary for the performance of our contract with tenant organisations, including provisioning accounts, delivering the compliance management service, and providing support. (b) Legitimate interests — processing is necessary for our legitimate interests in operating, securing, and improving the platform, detecting and preventing fraud or misuse, and maintaining the integrity of our audit trail. We have conducted a balancing assessment and are satisfied that these interests are not overridden by the rights of data subjects. (c) Legal obligation — processing is necessary to comply with legal obligations to which we are subject, including record-keeping and data retention requirements under applicable UK legislation. (d) Consent — where we send marketing communications to prospective customers, we rely on consent, which may be withdrawn at any time.

ComplicEdge provides a multi-tenant software platform through which tenant organisations manage workforce compliance records. When processing the personal data of workers and other individuals on behalf of a tenant, we act as a data processor within the meaning of Article 28 UK GDPR. The tenant organisation is the data controller and is responsible for ensuring a lawful basis for such processing.

We process worker personal data only on the documented instructions of the relevant tenant controller, as set out in our Data Processing Agreement. We do not use worker personal data for our own purposes, and we do not sell personal data to any third party. Each tenant’s data is logically isolated through our multi-tenant architecture, and access is governed by role-based access controls configured by the tenant.

If you are a worker whose data is held on the platform, your employer or contracting organisation is the data controller. We recommend contacting them in the first instance regarding any data protection queries. You may also exercise your rights directly through the platform’s built-in subject access request feature.

Retention periods for workforce compliance data are configurable per tenant in accordance with the tenant’s own regulatory and contractual obligations. Tenants may set and adjust retention policies through the platform’s administration interface.

Audit trail entries are retained for the lifetime of the tenant account. Because our audit log uses a cryptographic hash chain (where each entry’s integrity depends on the preceding entry), individual audit records cannot be selectively deleted without breaking the chain. This design is necessary to provide a tamper-evident record that satisfies regulatory inspection requirements.

Upon account closure or contract termination, all tenant data — including worker records, certificates, uploaded files, and encryption keys — is securely and irreversibly deleted within 90 days. A certificate of destruction is available upon request. Anonymised and aggregated statistical data that cannot identify any individual may be retained for service improvement purposes.

Under the UK GDPR, you have the following rights in relation to your personal data: (a) Right of access — the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data. (b) Right to rectification — the right to have inaccurate personal data corrected or incomplete data completed. (c) Right to erasure — the right to request deletion of your personal data where there is no compelling reason for its continued processing, subject to our legal retention obligations and the integrity of our audit chain. (d) Right to restrict processing — the right to request that we limit the processing of your data in certain circumstances. (e) Right to data portability — the right to receive your personal data in a structured, commonly used, and machine-readable format. (f) Right to object — the right to object to processing based on legitimate interests, including profiling. (g) Rights related to automated decision-making — the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. ComplicEdge does not currently engage in solely automated decision-making.

If you are a user of the platform, you may submit a subject access request directly through the platform’s built-in SAR feature, which is available from your account dashboard. Requests submitted through the platform are tracked and responded to within the statutory one-month period.

You may also exercise any of the rights listed above by contacting us at privacy@complicedge.co.uk. We will verify your identity before processing any request and will respond within one calendar month. In exceptional circumstances, where a request is particularly complex, we may extend this period by a further two months, in which case we will inform you within the initial one-month period.

If you are a worker whose data is processed by a tenant organisation using our platform, we recommend directing your request to your employer or contracting organisation in the first instance, as they are the data controller. We will assist the tenant in fulfilling such requests in accordance with our data processing obligations.

We implement robust technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include: (a) Encryption at rest — sensitive data fields are encrypted using AES-256-GCM with a two-tier key architecture (Data Encryption Keys wrapped by Key Encryption Keys). Each tenant has its own encryption key, and key versions are tracked to support rotation. (b) Encryption in transit — all data transmitted between your browser and our servers is protected by TLS 1.2 or higher. (c) Role-based access control (RBAC) — access to personal data within the platform is governed by configurable role-based permissions, ensuring users can only access data appropriate to their role. (d) Tamper-evident audit trail — all access to and modifications of personal data are recorded in a SHA-256 hash-chained audit log, providing a cryptographically verifiable record of data processing activities. (e) Tenant isolation — each tenant’s data is logically isolated within our multi-tenant architecture, with enforced tenancy context on every database operation.

We regularly review and update our security practices. Access to production systems is restricted to authorised personnel, and all administrative access is logged.

Personal data processed through our platform is stored on servers located within the United Kingdom and the European Economic Area (EEA). We do not transfer personal data to countries outside the UK or EEA unless adequate safeguards are in place, such as the UK International Data Transfer Agreement, standard contractual clauses approved by the Information Commissioner’s Office (ICO), or a relevant adequacy decision.

Where any sub-processor is located outside the UK or EEA, we ensure that appropriate transfer mechanisms are in place before any personal data is disclosed.

We use a limited number of third-party sub-processors to assist in providing our services, including infrastructure hosting, email delivery, and error monitoring. Each sub-processor is subject to a written agreement that imposes data protection obligations no less protective than those set out in our Data Processing Agreement with tenants.

A current list of sub-processors is available on request by contacting privacy@complicedge.co.uk. We will notify tenant organisations of any intended changes to sub-processors, providing them with the opportunity to object in accordance with the terms of our Data Processing Agreement.

Our platform uses only strictly necessary functional cookies required for session management and authentication. These cookies are essential for the platform to operate and do not require consent under the Privacy and Electronic Communications Regulations 2003.

We do not use advertising cookies, social media tracking pixels, or third-party analytics cookies. We do not engage in cross-site tracking or behavioural profiling.

Our services are designed for use by businesses and their workforce and are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected such data, we will take steps to delete it promptly.

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. Where changes are material, we will notify tenant administrators through the platform and, where appropriate, by email. The “Last updated” date at the top of this page indicates when the policy was most recently revised.

We encourage you to review this policy periodically. Continued use of the platform after changes take effect constitutes acceptance of the revised policy.

If you are dissatisfied with how we have handled your personal data or responded to a request, we encourage you to contact us first at privacy@complicedge.co.uk so that we can attempt to resolve the matter.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection. The ICO can be contacted at ico.org.uk or by telephone on 0303 123 1113.

For any questions about this privacy policy or our data protection practices, please contact our Data Protection Officer at privacy@complicedge.co.uk.

ComplicEdge Ltd, registered in England and Wales (company number XXXXXXXX). Registered address: London, England.