Privacy policy

Version 1.0 · Last updated 11 May 2026 · Effective 11 May 2026

This policy explains how Safe and Sorted Ltd handles your personal data when you use the Safe and Sorted app and website. It is written for UK builders and UK GDPR compliance. Plain English wherever we can manage it — definitions where we can’t.

1. Who we are

We are the data controller for the personal data of our customers (account holders, affiliate applicants, people who contact us). We are a data processor for the data customer organisations enter into the Service about their employees, sub-contractors and site visitors — see Section 9.

  • Company name: Safe and Sorted Ltd
  • Registered office: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ
  • Companies House number: 17214001
  • ICO Data Protection registration: pending — will be obtained once the Companies House number is issued
  • Data Protection Officer: we are a small organisation and are not legally required to appoint a DPO. Privacy queries are handled by the company directors.
  • Contact for data protection: privacy@safeandsorted.com

2. Personal data we collect

A. About you (the account holder, authorised user, or applicant)

  • Account information — full name, email, business phone, your role, the trades and activities you select during onboarding
  • Authentication data — encrypted password (we never see it), password-reset tokens, sign-in timestamps, device/browser fingerprint used to enforce concurrent-session limits
  • Billing information — billing address, business name, VAT number where applicable. Card details are held by Stripe — we never see or store them.
  • Usage data — the actions you take in the Service (sign-ins, RAMS issued, permits closed, documents created, accident reports filed), timestamps, your IP address at login
  • Device data — browser type, operating system, approximate device location for the optional geofence sign-in feature (you consent at first use)
  • Affiliate / partner application data — name, email, business name, expected referral volume, payout details
  • Correspondence — messages, screenshots or recordings you send us via email or in-app support

B. About people in your organisation, your sub-contractors, and your site visitors

You enter this data into the Service to run your business. We process it on your behalf:

  • Employees — names, mobiles, training records, card expiry dates, signatures
  • Sub-contractors — company name, contact name, mobile, addresses, insurance expiry dates, signatures
  • Site visitors — names, companies, mobiles, vehicle regs, sign-in / sign-out times, GPS coordinates at sign-in (subject to consent and your organisation’s geofence settings), digital signatures
  • Photographic evidence — site photos uploaded as part of accident reports, tick-list issues, sub-contractor inductions
  • Accident, near-miss and RIDDOR records — names of injured persons, witnesses, descriptions of incidents, action taken

For this data, your organisation is the data controller and we are the processor. See Section 9.

Digital signatures captured in the Service are personal data but are not biometric data within the meaning of UK GDPR Article 9 — they are images of a handwritten signature, not measurements of physiological characteristics.

C. Source of data

Most personal data we hold is provided directly by the data subject. Some data is provided about a data subject by a third party (e.g. when a site foreman records a visitor’s vehicle reg, or a customer adds an employee to the team). Where we are the controller for such data, we will notify the affected data subject of this Privacy Policy at the point they first interact with the Service.

3. How we collect it

  • Directly from you when you fill in forms, type, upload photos, sign on the screen, or speak via the in-app dictation feature
  • From your devices — geolocation (with your permission) and basic device/browser metadata
  • Via cookies and similar technologies for session authentication. We do not run third-party advertising trackers and we are not running any third-party analytics at launch.

4. Why we collect it (lawful basis under UK GDPR)

We do not use personal data for advertising and we do not sell personal data to anyone.

5. Who we share it with

We share personal data only with:

  • Other authorised users in your organisation — under your control via the Service’s role and permission settings
  • Sub-processors that operate the Service on our behalf:
    • Supabase (database, authentication, file storage) — Europe (Frankfurt) region
    • Stripe (payment processing) — UK / EU
    • Resend (transactional and marketing emails) — EU / US (SCCs in place for US transfers)
    • Rewardful (affiliate-programme attribution, when activated) — US (SCCs in place)
    • Netlify (web hosting) — global edge with EU-region origin
    • Apple App Store and Google Play (when you download the native app — they receive minimal account information that you control)
  • Regulators or law enforcement where legally required (HMRC, ICO, HSE, police on valid order)
  • Professional advisors (accountants, lawyers) bound by confidentiality

This list is kept current on this page. Material changes are notified by email at least 14 days in advance.

International transfers. Personal data is stored primarily within the UK and EEA. Where a sub-processor is based outside the UK/EEA (currently Resend and, when activated, Rewardful), transfers rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses or an applicable UK adequacy decision.

6. How long we keep it

You can request earlier deletion of your personal data — see Section 8.

7. Where we store it

Personal data is stored on UK and European servers operated by Supabase (Frankfurt region). Backups are held in the same region. We do not transfer personal data outside the UK / EEA except via the sub-processors named in Section 5, under the safeguards described there.

8. Your rights

Under UK GDPR you have the following rights. To exercise any of them, email privacy@safeandsorted.com with proof of identity.

  • Access — receive a copy of the personal data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — request deletion (“right to be forgotten”), subject to legal retention requirements (HMRC, RIDDOR)
  • Restriction — limit how we process your data
  • Portability — receive your data in a structured, machine-readable format (CSV / JSON)
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — for any processing based on consent (e.g. marketing emails), at any time
  • Automated decision-making — we do not make decisions about you using solely automated processing

We respond to verified requests within 30 calendar days. Complex requests may extend by a further 60 days; we will tell you within the first 30 days if so.

If you are not satisfied with our response, you can complain to the Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint · 0303 123 1113 · Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

9. Data Processing Terms (for customer organisations)

When you use the Service to record data about your employees, sub-contractors, and visitors, you are the data controller and we are the processor. These terms form part of your subscription agreement.

  • Subject: processing of personal data described in Section 2(B). Duration: for the term of your subscription, plus the retention periods in Section 6.
  • Nature and purpose: hosting and operating the Service to enable you to record and manage construction H&S compliance data.
  • Categories of data subjects: your employees, sub-contractors and their staff, site visitors, accident-affected persons, witnesses.
  • Our obligations as processor:
    • Process personal data only on your documented instructions (the Service’s UI and your written requests)
    • Ensure persons authorised to process the data are bound by confidentiality
    • Implement appropriate technical and organisational security measures (Section 11)
    • Engage sub-processors only with your prior consent (Section 5 is your initial consent; 14 days’ notice of material changes)
    • Assist you in responding to data-subject requests
    • Notify you of any personal-data breach without undue delay, and within 72 hours where the breach poses a risk to data subjects. For high-risk breaches we will also assist you in notifying the affected data subjects directly
    • Delete or return all personal data at the end of the contract, at your choice
  • International transfers: primarily UK / EEA. Where a sub-processor outside the UK/EEA is engaged (currently Resend and, when activated, Rewardful), transfers are protected by SCCs with the UK International Data Transfer Addendum.
  • Audits: you may audit our compliance with these terms once per calendar year on 30 days’ written notice. We respond to written security questionnaires (e.g. SIG Lite) without notice.

10. Cookies and similar technologies

  • Authentication — keeping you signed in (session cookies, expire when you close the browser, plus an optional 30-day “remember me” cookie)
  • Preferences — your active site, dismissed nudges, your offline outbox (localStorage / IndexedDB; never sent to third parties)
  • Service operation — the service worker that powers offline support stores a cache of pages and recent data on your device. Technical, not analytics, and essential to the Service.

We do not run cross-site tracking, fingerprinting, advertising cookies, or third-party analytics at launch. If we add a privacy-preserving analytics provider in the future, this policy will be updated before any analytics cookies are set, and you will be asked for consent where the law requires.

11. Security

Our controls include:

  • Encryption in transit (TLS 1.2+) and at rest
  • Strict role-based access control with least privilege
  • Multi-factor authentication for all our staff with access to production systems
  • Daily encrypted backups with a 90-day retention
  • Audit logs for sensitive actions (sign-ins, deletions, permission changes)
  • Penetration testing and dependency-vulnerability scanning before launch and at least annually thereafter
  • Concurrent-session limits and device fingerprinting to detect account sharing

If you suspect your account has been compromised, contact us immediately at privacy@safeandsorted.com.

12. Marketing communications

If you have an active account we may send you operational emails (password resets, expiry alerts, invoice receipts, security notices) — these are part of the Service and are not optional while your account is active.

We will send you marketing emails only with your consent. Every marketing email contains a one-click unsubscribe link. Unsubscribing from marketing does not affect operational emails.

13. Children

The Service is for use by adults in a workplace setting. We do not knowingly collect personal data from anyone under 16. Site sign-ins of apprentices under 18 may be recorded for site-safety record-keeping; no marketing or analytics is applied to those records.

14. Changes to this policy

We will update this policy when our practices change. Significant changes (new data categories, new sub-processors outside the named region, new lawful bases) are announced by email at least 14 days before they take effect. Historical versions are available on request.

15. Contact

  • Email: privacy@safeandsorted.com
  • Post: Data Protection, Safe and Sorted Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ
  • Phone: pending — a UK business number is being arranged and will be added here