Privacy Policy
The website equarisk.com is owned and operated by the company Equarisk Limited, registered with Companies House in the UK (company number 16177922).
Throughout this privacy policy, references to the EU GDPR should be understood to include the UK GDPR, where applicable. Although the UK has adopted the GDPR independently post-Brexit, the principles and obligations remain closely aligned. Therefore, any mention of the EU GDPR in this document should also be interpreted as referencing the UK GDPR where appropriate.
Introduction
At Equarisk, we take the protection of your personal data very seriously and always process your personal data in accordance with the statutory data protection regulations. This privacy notice tells you what to expect us to do with your personal information. Your relationship to our organisation mainly determines which data in particular are processed or used by us. For this reason, some parts of this privacy notice may not apply to you.
We regularly review and update our privacy policy. Significant changes will be communicated through our website and, when appropriate, via direct notifications. We encourage you to review this policy periodically to stay informed about how we protect your data.
Contact details
For any inquiries regarding data protection and privacy practices, please contact our Data Protection Officer (DPO):
- Email: enquiries@equarisk.com
Information we collect and why
We process personal data that we receive from you when you contact us or use our website, in particular when you show interest in our software, consulting and training business.
We collect or use the following information to provide and improve products and services for clients:
- Personal Identification and Contact Details – including title, name, address, date of birth, email address, telephone number
- Payment Details – including card or bank information for transfers and direct debits
- Transaction Data – including details about payments to and from you, and details of products and services purchased
- Usage Data (no cookies) – including server-side access logs such as IP address, date and time of request, requested resource, HTTP status code, referrer (if provided), and user-agent. We do not use cookies or similar tracking technologies on our website.
- Contractual Data – including data arising from the fulfilment of our contractual obligations (e.g. risk and safety management consulting, recruiting contract staff, delivering training services, inspecting industrial plant)
- Advertising and Sales Data – including information on consents granted or objections lodged (e.g. email marketing opt-in/opt-out)
- Technical and Diagnostic Data – including error logs, system performance metrics, browser and device specifications where relevant to supporting our services
- User Preference and Configuration Data – customisation settings and feature usage patterns within our software (if applicable)
- Support Communication Data – including records of support tickets, survey responses, product review data
- Authentication and Security Data – including two-factor authentication details, login attempts, session identifiers, security tokens (for software users)
- Compliments and Complaints – including information relating to compliments or complaints
- Records of Meetings and Decisions – including documentation of key business interactions
- Account Access Information – including data related to how your account is accessed (for software users)
Lawful bases and data protection rights
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. You can find out more about lawful bases on the ICO’s website.
Which lawful basis we rely on may affect your data protection rights, which are set out in brief below:
- Your Right of Access – request copies of your personal information, and details of sources and disclosures.
- Your Right to Rectification – request correction of inaccurate or incomplete information.
- Your Right to Erasure – ask us to delete your personal information.
- Your Right to Restrict Processing – request that we limit how we use your information.
- Your Right to Object – object to processing, including direct marketing.
- Your Right to Data Portability – request transfer of the information you provided to another organisation or to you.
- Your Right to Withdraw Consent – where processing is based on consent, you may withdraw it at any time.
We will respond without undue delay and in any event within one month. To exercise your rights, please contact us using the details above.
Our lawful bases for the collection and use of your data
Contract (Article 6(1)(b) UK GDPR) – to take steps at your request prior to entering into a contract and to perform a contract with you. Examples include:
- Producing project proposals and statements of work
- Delivering software products, consultancy services and training
- Communicating with you and your colleagues during projects
- Dispatching invoices and processing payments
Legitimate Interests (Article 6(1)(f) UK GDPR) – for the effective operation and development of our business, provided your interests and rights do not override ours. Examples include:
- Building and maintaining client and supplier relationships
- Managing risks, records, and business operations
- Improving and supporting our services and software (including diagnostics)
- Asserting legal claims and defending legal disputes
- Ensuring IT security and operations
- Limited B2B direct marketing about our services (you can opt out at any time)
Consent (Article 6(1)(a) UK GDPR) – where you have explicitly agreed, for example:
- Subscribing an email address to our newsletter or updates
You may withdraw consent at any time using the unsubscribe link in emails or by contacting us.
Legal Obligation (Article 6(1)(c) UK GDPR) – to comply with laws and regulations, for example:
- Tax and accounting record-keeping
- Health and safety reporting
- Employment and right-to-work checks (where applicable)
The relationship between our main operational processes and lawful bases is as follows:
- Project management – Contract; Legitimate Interests
- Software operations and maintenance – Contract; Legitimate Interests
- User support and technical assistance – Contract; Legitimate Interests
- Business development – Legitimate Interests (with opt-out for marketing); Contract where pre-contract steps are requested
- Contact management – Contract; Legal Obligation; Legitimate Interests
- Resourcing services – Contract; Legal Obligation; Legitimate Interests
- Travel management – Contract; Legitimate Interests
- Office administration – Contract; Legitimate Interests
- Company legal administration – Legal Obligation; Legitimate Interests
- External auditing – Legitimate Interests; Legal Obligation where applicable
- Corporate archiving – Legal Obligation; Legitimate Interests
- Training services – Contract; Legitimate Interests
- Financial management – Contract; Legal Obligation; Legitimate Interests
- Accident reporting – Vital Interests where applicable; Legal Obligation; Legitimate Interests
- IT change management – Contract; Legitimate Interests
- Employee HR management – Contract; Legal Obligation; Legitimate Interests
Recipients of personal data
Within our organisation, departments with access to your data are those which require them to fulfil their duties and our contractual or legal obligations.
We may share data with trusted service providers acting as processors, including:
- IT, cloud, and hosting providers (including Google Cloud / Firebase)
- Email delivery platforms and CRM tools (for email addresses only, where subscribed)
- Professional advisers (auditors, lawyers, insurers, accountants)
- Banks and payment processors
- Auditors and certification bodies (where relevant)
- Other suppliers necessary to deliver our services
In certain circumstances, personal data may also be provided to public bodies (e.g. tax authorities), judicial and law-enforcement authorities, and dispute-resolution bodies, where required by law.
We require all processors to implement appropriate security measures and to process personal data only on our documented instructions.
Where we get personal information from
- Directly from you – when you contact us, request proposals, contract with us, seek support, or subscribe to our emails.
- Publicly available sources – professional directories, company websites, social media, or public records.
- Suppliers and service providers – who support our operations (e.g. payment processing, secure hosting), sharing only information necessary for the service.
- Market research or marketing list providers – used occasionally for B2B outreach, in compliance with data protection and e-privacy rules.
How long we keep information
We keep personal data only as long as necessary for the purposes collected, including satisfying legal, accounting, and reporting requirements.
- Client project records (which may include limited personal data) – retained for up to 10 years after the end of the project to maintain a defensible record of previous work.
- Email marketing (email address only) – retained until you unsubscribe or we identify inactivity, at which point we will remove your details.
- Payment and invoicing records – retained for the statutory accounting period (typically 6–7 years), or longer where required by law.
- Server access logs – retained for operational security and troubleshooting, typically up to 12 months unless required longer for incident investigation.
All personal data is subject to periodic review and will be securely deleted or anonymised when no longer required.
Your data protection rights
In line with statutory provisions, you hold the following rights:
- The right of access (Article 15)
- The right to rectification (Article 16)
- The right to erasure (Article 17)
- The right to restrict processing (Article 18)
- The right to data portability (Article 20)
- The right to object (Article 21), including to direct marketing
To exercise your rights, please contact us using the details above.
How to complain
If you have any concerns about our use of your personal data, you can make a complaint using the contact details at the top of this privacy notice.
If you remain unhappy after raising a complaint with us, you can contact the ICO:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow, Cheshire
SK9 5AF
Helpline: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
International data transfers
We use Google Cloud / Firebase to host and process certain data. This may involve transferring personal data outside the UK. Where international transfers occur, we ensure appropriate safeguards are in place, such as:
- An adequacy regulation for the destination country, or
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with risk assessments and supplementary measures where appropriate.
Further details of these safeguards can be provided on request.
Security measures
To ensure the security of your personal data, we employ a range of measures, including:
- Encryption in transit and at rest
- Access controls and least-privilege principles
- Regular audits and risk assessments
- Secure storage and backups
- Multi-factor authentication (MFA) for sensitive systems
- Vulnerability management and patching
- Network-level protections (e.g. firewalls, intrusion detection)
- Penetration testing where appropriate
- Incident response and breach procedures
- Employee security training and awareness
Collection of personal data during visits to our website
(1) When you visit our website purely for information, we collect only the personal data your browser transmits to our server and that are technically necessary to display our website and to ensure stability and security (legal basis: Article 6(1)(f) UK GDPR). This includes your IP address, date and time of request, time zone difference to GMT, content of the request (page), HTTP status code, volume of data transferred, referrer URL (if provided), browser, operating system, and user-agent string.
(2) We do not use cookies or similar tracking technologies on our website.
(3) We do not embed third-party analytics, social media plug-ins, or advertising pixels on our website. If this changes in future, we will update this notice and, where required, seek your consent.
Further functions and offers of our website
(1) Besides the purely informational use of our website, we also offer services that you can use if you are interested (for example, contacting us for proposals or subscribing to email updates). For this you may need to provide additional personal data which we will use to provide the service, in accordance with the principles set out in this policy.
(2) We may use carefully selected external service providers to process your data on our behalf. They are bound by contract to follow our instructions and to implement appropriate security measures.
(3) Where services involve providers outside the UK, the international transfer safeguards described above will apply.
Email updates and newsletters
If you subscribe to our updates, we will process your email address only for this purpose on the basis of your consent. You can withdraw your consent at any time by using the unsubscribe link in our emails or by contacting us. We do not use tracking pixels in our emails.