Privacy Policy
Last updated: 21 April 2026
This notice explains how ResilienceChain Ltd (“ResilienceChain”, “we”, “us”) collects and uses personal data when you use our platform, website, or contact us. We are committed to handling your data in line with the UK GDPR and the Data Protection Act 2018.
Who we are
ResilienceChain Ltd is the data controller for the personal data we collect about account holders, prospective customers, and visitors to our website. Full company details will be published here once our incorporation is finalised. In the interim, you can reach us at hello@resiliencechain.co.uk. For privacy-specific enquiries use privacy@resiliencechain.co.uk.
What we collect
- Account data. Name, work email address, password hash, organisation name, and the roles you hold.
- Workspace content. The cyber-asset inventories, compliance orders, action items, and evidence records your team creates in the platform. This is your organisation's data — we process it on your behalf.
- Operational metadata. Audit logs of who did what and when, immutable by design, so you can prove who acted.
- Technical data. Request logs, IP address, user agent, and error traces — retained briefly for security and debugging.
- Analytics. On our public pages (landing, signup, login) we use Plausible Analytics, a cookie-less, privacy-friendly tool that does not track individuals or build user profiles. We do not run analytics or tracking cookies inside the authenticated app.
Why we collect it & lawful basis
- To provide the service you have signed up for — contract.
- To keep the service secure and prove an immutable audit trail of actions on incidents — legitimate interests, and, for regulated customers, compliance with a legal obligation (NIS2, NCSC CAF, DORA).
- To send transactional emails (verification, password resets, invites) — contract.
- To improve the product via anonymous landing-page metrics — legitimate interests.
Retention
Workspace content is retained for as long as your account is active. If your workspace is deleted from the Settings → Data & Privacy screen, it enters a 30-day grace period during which you can reinstate it. After 30 days, all personal data is permanently destroyed. Audit logs inside the platform are immutable and retained for the life of the workspace; they are also destroyed when the tenant is purged. Marketing contacts we hold outside the platform (cold outreach) are retained no longer than 24 months from last interaction.
Your rights
Under UK GDPR you have the right to: (a) access the personal data we hold about you; (b) have inaccurate data corrected; (c) have your data erased; (d) restrict or object to processing; (e) data portability. Account admins can export a full ZIP of workspace data at any time from Settings → Data & Privacy. For all other rights requests, email privacy@resiliencechain.co.uk and we will respond within one calendar month.
You can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk if you believe your rights have been violated. We'd prefer you raise it with us first so we can resolve it.
International transfers
Our production infrastructure runs in Google Cloud's europe-west2 (London) region. Transactional email routes through SendGrid (Twilio); we rely on the UK Extension to the EU Standard Contractual Clauses for the onward transfer of transactional email metadata to the US. We do not export workspace content outside the UK/EEA in the normal course of business.
Subprocessors
- Google Cloud Platform (hosting, storage, databases — UK)
- SendGrid / Twilio (transactional email — US)
- Plausible Analytics (cookie-less landing-page analytics — EU)
A full up-to-date list is available on request.
Cookies
We use a session cookie inside the authenticated app to keep you signed in. We do not use any marketing, advertising, or behavioural-tracking cookies. The Plausible script we run on public pages does not set cookies or use local storage, so there is no cookie banner required.
Contact
Questions or rights requests: privacy@resiliencechain.co.uk.