Privacy Policy
Last updated: 9 February 2026
Summary
We collect personal information you provide when using our security risk management platform. We use this data to provide our services, improve your experience, and comply with legal obligations. You have rights to access, correct, and delete your data under UK GDPR.
Key points: We don't sell your data • You control your information • We're registered with the ICO • Contact us at privacy@crossrisk.io with any questions
Introduction
This Privacy Policy explains how crossrisk ("we", "us", or "our") collects, uses, discloses, and safeguards your information when you use our security risk management platform. We are committed to protecting your privacy and complying with UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the platform.
Data Controller
For the purposes of UK data protection law, crossrisk is the data controller of your personal information. We are registered with the Information Commissioner's Office (ICO).
Information We Collect
Personal Information
We may collect personal information that you voluntarily provide to us when you:
- Register for an account
- Complete a security risk assessment questionnaire
- Contact us for support or enquiries
- Subscribe to our communications
This information may include:
- Name and email address
- Organisation name and details
- Job title and role
- Responses to security assessment questions
- Technical information about your organisation's security posture
Automatically Collected Information
When you access our platform, we may automatically collect certain information, including:
- Log data (IP address, browser type, pages visited)
- Device information
- Usage data and analytics
- Cookies and similar tracking technologies
How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain our platform
- Process your security risk assessments and generate reports
- Improve and personalise your experience
- Communicate with you about your account and assessments
- Send administrative information, updates, and security alerts
- Respond to your enquiries and provide customer support
- Monitor and analyse usage patterns and trends
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations
Legal Basis for Processing (GDPR)
If you are from the European Economic Area (EEA) or the United Kingdom, our legal basis for collecting and using your personal information depends on the data concerned and the context in which we collect it:
- Contract performance: Processing is necessary to provide the services you requested
- Legitimate interests: We have a legitimate interest in operating our platform and communicating with you
- Consent: You have given us explicit consent to process your information for specific purposes
- Legal obligation: We need to comply with legal requirements
Sharing Your Information
We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:
- Service providers: With trusted third-party service providers who assist us in operating our platform (e.g., hosting, analytics, email services)
- Organisation members: Within your organisation, with designated administrators and members who have appropriate access permissions
- Legal requirements: When required by law, regulation, legal process, or governmental request
- Business transfers: In connection with a merger, acquisition, or sale of assets (with notice to you)
- Protection of rights: To protect our rights, privacy, safety, or property, and that of our users
Sharing Your Information with Third-Party Processors
We work with trusted third-party service providers to operate our platform. These processors only access your data to perform specific tasks on our behalf and are obligated to protect your information. Our key service providers include:
- Infrastructure & Hosting: Supabase (database and authentication services)
- Cloud Services: Vercel (application hosting and content delivery)
- Email Services: For transactional emails and notifications
- Analytics: For monitoring platform performance and usage patterns
All our processors are required to comply with UK GDPR and have appropriate data processing agreements in place.
Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes outlined in this Privacy Policy. Our specific retention periods are:
- Account information: For the duration of your account plus 30 days after account closure or deletion request
- Assessment reports and risk data: For 7 years after completion to comply with information security documentation standards and regulatory requirements
- Communication records: For 3 years from last contact for customer service purposes
- Analytics data: Aggregated and anonymised after 24 months
- Marketing data: Until consent is withdrawn or 2 years of inactivity
- Log data and security records: For 12 months for security and troubleshooting purposes
After these periods, we will securely delete or anonymise your personal information. Some information may be retained longer if required by law or to establish, exercise, or defend legal claims.
Your Data Protection Rights Under UK GDPR
Under UK data protection law, you have the following rights:
- Right of access: Request copies of your personal information (commonly known as a "subject access request")
- Right to rectification: Request correction of inaccurate or incomplete information
- Right to erasure: Request deletion of your personal information in certain circumstances
- Right to restriction of processing: Request that we limit how we use your information
- Right to object: Object to our processing of your information where we rely on legitimate interests
- Right to data portability: Request transfer of your information to another organisation or directly to you in a structured, commonly used format
- Right to withdraw consent: Withdraw consent at any time where we relied on your consent to process your information
- Rights related to automated decision making: Request human review of automated decisions that significantly affect you
How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@crossrisk.io with:
- Your full name and email address associated with your account
- A description of which right you wish to exercise
- Any relevant details or documentation
We will respond to your request within one month. In some cases, where requests are complex or numerous, we may extend this by a further two months, in which case we will inform you and explain the reason for the delay.
You will not usually have to pay a fee to exercise your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to Complain to the ICO
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
Cookies and Tracking Technologies
We use cookies and similar tracking technologies to collect and track information about your use of our platform in accordance with the Privacy and Electronic Communications Regulations (PECR). A cookie is a small text file that is placed on your device to help the website function and provide analytics.
Types of Cookies We Use
Essential Cookies (Required):
These cookies are necessary for the platform to function and cannot be switched off. They include:
- Authentication and session management
- Security and fraud prevention
- Load balancing
Functional Cookies (Optional):
These cookies enable enhanced functionality and personalisation:
- Remembering your preferences and settings
- Customising your user interface
Analytics Cookies (Optional):
These cookies help us understand how visitors interact with our platform:
- Page visit statistics and usage patterns
- Performance monitoring
- Error tracking for improvements
Managing Cookies
You can control and/or delete cookies as you wish. You can delete all cookies that are already on your device and you can set most browsers to prevent them from being placed. However, if you do this, you may have to manually adjust some preferences every time you visit our platform, and some features may not work.
For more information about cookies, including how to see what cookies have been set and how to manage and delete them, visit allaboutcookies.org.
Data Security
We implement appropriate technical and organisational security measures to protect your personal information against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:
- Encryption of data in transit and at rest
- Regular security assessments and penetration testing
- Access controls and authentication mechanisms
- Regular backups and disaster recovery procedures
- Staff training on data protection and security
For detailed information about our security practices, please see our Data Security page.
Data Breach Notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, providing information about the nature of the breach and the measures we are taking to address it.
International Data Transfers
Your information is primarily processed and stored within the United Kingdom and the European Economic Area (EEA). However, some of our service providers may process data outside the UK/EEA. Where we transfer your personal information outside the UK, we ensure appropriate safeguards are in place, including:
- Using service providers in countries that the UK government has determined provide an adequate level of data protection
- Implementing International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses approved by the ICO
- Ensuring our service providers are certified under appropriate international frameworks
You can obtain more information about the safeguards we use for international transfers by contacting us at privacy@crossrisk.io.
Children's Privacy
Our platform is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. Our services are designed for business and professional use.
If you become aware that a child under 18 has provided us with personal information, please contact us immediately at privacy@crossrisk.io. If we discover that we have collected personal information from a child under 18, we will take steps to delete that information as quickly as possible.
Marketing Communications
We may send you marketing communications about our services, features, and updates where:
- You have explicitly consented to receive such communications, or
- We have a legitimate interest in marketing to you (such as when you are an existing customer and we are marketing similar services)
You can opt out of receiving marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email
- Contacting us at privacy@crossrisk.io
- Updating your communication preferences in your account settings
Please note that even if you opt out of marketing communications, we will still send you essential service-related communications (such as password resets, security alerts, or changes to our terms).
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:
- Update the "Last updated" date at the top of this policy
- Notify you via email if the changes are significant
- In some cases, display a notice on our platform
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our platform after any changes indicates your acceptance of the updated Privacy Policy.
Contact Us
If you have any questions about this Privacy Policy, our data practices, or wish to exercise your data protection rights, please contact us:
- Email: privacy@crossrisk.io
- Data Protection Enquiries: For urgent data protection matters
- Response Time: We aim to respond to all privacy enquiries within 5 business days
This Privacy Policy is governed by the laws of England and Wales. Any disputes relating to this policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.