Privacy Policy
Version 1.0 · Effective 21 March 2026
This policy applies to SafeGuard Workers UK ("we", "us", "our"), operated from Startup Stiwdio, University of South Wales Newport. We are the data controller for all personal data described here. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
Controller: SafeGuard Workers UK
Address: Startup Stiwdio, University of South Wales Newport
Privacy enquiries: privacy@safeguardworkers.co.uk
General support: support@safeguardworkers.com
We have not appointed a Data Protection Officer (DPO) as we do not meet the mandatory thresholds under UK GDPR Art. 37. All data protection enquiries are handled by our Privacy Contact at the address above.
2. What Personal Data We Collect
2.1 Account Registration
- Full name, email address, password (stored as bcrypt hash — never in plaintext)
- Phone number (optional)
- Job role and employer sector
- Immigration / visa status (optional — you may select "prefer not to say")
- Union membership and union name (optional)
- Consent timestamp and policy version
2.2 Incident Reports
- Workplace name, specific location, date and time of incident
- Free-text description of what happened
- Name and role of any person involved (manager, colleague, patient)
- Witness names and contact information (if provided)
- Injury details, medical attention sought, days off work
- Retaliation events, timeline, and description
- Police involvement and crime reference number
- Details of any immigration-related coercion by an employer
2.3 Evidence Files
- File contents (photos, PDFs, documents) stored in encrypted object storage
- File metadata: name, type, size, SHA-256 hash, upload timestamp
- EXIF metadata extracted automatically: GPS coordinates, device make/model, original capture timestamp — you are notified of this at upload
- Masked IP address and browser user-agent at upload time
2.4 Legal Claims
- Case type, status, notes, and linked incident report
- Legal representative contact details (name, firm, email, phone)
- Retaliation event log
- Schedule of loss: date of birth, employment start/end dates, pay figures, pension loss, injury-to-feelings damages
- Legal deadlines (tribunal filing dates, limitation dates)
2.5 Technical & Usage Data
- Masked IP address — the last octet of your IPv4 address (or the last four groups of your IPv6 address) is zeroed before storage. We never store your full IP.
- Browser user-agent string (for device compatibility diagnostics)
- Audit log entries: action type, resource accessed, timestamp (no report content)
- Session authentication cookies (HTTP-only, Secure, SameSite=Lax)
2.6 Anonymous Submissions
If you use our anonymous submission option, no account or email is required. We store: incident type, workplace sector, region (UK region, not precise location), retaliation flag, injury flag, and visa flag. We also generate a UUID token you can use to claim the report later. Keep this token private: it is the only link between you and the report, and anyone who holds it can claim the report.
Important: anonymous does not mean unidentifiable
The combination of fields you submit (sector + region + incident type + date) may be sufficient to identify you in a small workplace. We cannot guarantee anonymity. If you are at serious risk, consider using Tor Browser or a public computer.
3. Special Category Data (Article 9 UK GDPR)
We process special category data
The nature of workplace incident reporting means we handle sensitive information protected by Art. 9 UK GDPR. This data receives the highest level of protection we can provide.
| Special Category | Where It Appears | Art. 9 Basis |
|---|---|---|
| Health data | Injury description, medical attention, days off, schedule of loss (injury-to-feelings) | Art. 9(2)(c) vital interests; Art. 9(2)(f) legal claims |
| Racial or ethnic origin (proxy) | Visa status, nationality, immigration coercion by employer | Art. 9(2)(g) substantial public interest; Art. 9(2)(f) legal claims |
| Trade union membership | Union member flag, union name | Art. 9(2)(a) explicit consent |
| Data re criminal allegations | Crime reference number, police involvement, retaliation descriptions | Art. 9(2)(f) legal claims; Art. 9(2)(g) public interest |
4. Lawful Basis for Each Processing Activity
UK GDPR Article 6 requires a lawful basis for every processing activity. Article 9 requires an additional condition for special category data. The table below sets out our basis for each activity.
| Processing Activity | Art. 6 Basis | Art. 9 Basis |
|---|---|---|
| Account registration | (b) Contract + (a) Consent | (g) Substantial public interest |
| Incident report storage | (b) Contract + (a) Consent | (c) Vital interests + (f) Legal claims |
| Anonymous submissions | (f) Legitimate interests | Minimised — pseudonymous data |
| Evidence file storage | (b) Contract | (f) Legal claims |
| Legal claims management | (b) Contract | (f) Legal claims |
| Near-miss logging | (b) Contract + (f) LI | N/A |
| Organisation report sharing | (a) Consent (worker-initiated) | (a) Explicit consent |
| Transactional emails | (b) Contract | N/A (reference IDs only) |
| Billing | (b) Contract | N/A |
| Error monitoring (Sentry) | (f) Legitimate interests | N/A (body stripped) |
| Session replay (Sentry) | (a) Consent | N/A |
| Audit logging | (c) Legal obligation + (f) LI | N/A |
| Data subject rights responses | (c) Legal obligation | N/A |
| Police report assistance | (b) Contract | (f) Legal claims |
5. How We Use Your Data
- Providing the service — storing and displaying your reports, evidence, and legal cases
- Authentication — verifying your identity on each request
- Communications — confirmation emails, legal deadline reminders, organisation invites
- AI incident classification — automatically categorising your report to assist you in understanding its urgency and type. This runs entirely on our platform; no data is sent to external AI APIs without your knowledge.
- Evidence integrity — computing SHA-256 hashes and optional blockchain timestamps to create tamper-evident records for legal proceedings
- Security and fraud prevention — rate limiting, audit logging, and abuse detection
- Platform stability — error monitoring via Sentry (body stripped; see §10)
- Legal compliance — responding to lawful requests from courts or regulators
We do not sell, rent, or broker your data to any third party.
We do not use your data for advertising, profiling, or automated decision-making that produces legal or significant effects.
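The evidence-integrity step described above (and the file metadata listed in §2.3: name, type, size, SHA-256 hash, upload timestamp) can be illustrated with the following Python. This is an added example, not the platform's own code: the record field names, the chunk size and the sample bytes are assumptions, and the optional blockchain timestamping is not shown. It hashes a file in chunks at upload time, builds the metadata record, and later re-hashes the stored file to detect any modification.

```python
import hashlib
import hmac
import io
from datetime import datetime, timezone

CHUNK_SIZE = 64 * 1024  # assumed chunk size; keeps memory flat for large files


def hash_and_size(stream) -> tuple:
    """Return (sha256 hex digest, byte length) of a file-like object, read in chunks."""
    digest = hashlib.sha256()
    size = 0
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(chunk)
        size += len(chunk)
    return digest.hexdigest(), size


def sha256_of_bytes(data: bytes) -> str:
    """Convenience wrapper for in-memory data (same digest as hash_and_size)."""
    return hashlib.sha256(data).hexdigest()


def make_evidence_record(name: str, content_type: str, stream, uploaded_at=None) -> dict:
    """Build the metadata record kept for an uploaded evidence file.

    The field names are assumptions for this example; the policy only lists
    which items are stored (name, type, size, SHA-256 hash, upload timestamp).
    """
    digest, size = hash_and_size(stream)
    when = uploaded_at or datetime.now(timezone.utc)
    return {
        "name": name,
        "content_type": content_type,
        "size": size,
        "sha256": digest,
        "uploaded_at": when.isoformat(),
    }


def verify_evidence(record: dict, stream) -> bool:
    """Re-hash the stored file and compare with the digest recorded at upload.

    A mismatch means the file no longer matches what was uploaded. The digest
    alone only proves integrity relative to the record, which is why the policy
    pairs it with an optional external timestamp.
    """
    digest, size = hash_and_size(stream)
    return size == record["size"] and hmac.compare_digest(digest, record["sha256"])


def verify_bytes(record: dict, data: bytes) -> bool:
    """Same check for in-memory data."""
    return verify_evidence(record, io.BytesIO(data))


# Constructed sample input: stands in for an uploaded photo and a tampered copy.
SAMPLE_EVIDENCE = b"\xff\xd8\xff\xe0" + b"incident photo bytes " * 5000 + b"\xff\xd9"
TAMPERED_EVIDENCE = SAMPLE_EVIDENCE[:100] + bytes([SAMPLE_EVIDENCE[100] ^ 0x01]) + SAMPLE_EVIDENCE[101:]

if __name__ == "__main__":
    record = make_evidence_record("photo.jpg", "image/jpeg", io.BytesIO(SAMPLE_EVIDENCE))
    print(record)
    print("original verifies:", verify_bytes(record, SAMPLE_EVIDENCE))
    print("tampered verifies:", verify_bytes(record, TAMPERED_EVIDENCE))
```

The comparison uses `hmac.compare_digest` so that the check does not leak timing information about the stored digest; the size check is cheap and catches truncation before any hashing is done.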
7. Data Residency & International Transfers
Primary data residency: EU
We configure Supabase to store your data in EU data centres by default. If you require a specific UK-only residency guarantee (for NHS or public sector compliance), please contact us at privacy@safeguardworkers.co.uk.
Three sub-processors (Resend, Stripe, Sentry) are based in the United States. All international transfers to the US are governed by Standard Contractual Clauses (SCCs) approved by the UK ICO as an appropriate transfer mechanism under UK GDPR Chapter V. Copies of the SCCs are available on request.
Vercel may process request metadata (not personal data content) in US and EU edge locations as part of content delivery. This is governed by Vercel's DPA and SCCs.
8. Data Retention Periods
We keep data only as long as necessary for the purpose it was collected, or as required by law. The table below sets out our retention periods.
| Data Category | Retention Period | Reason |
|---|---|---|
| User profile (active account) | Account life + 30 days | Contract |
| User profile (after deletion request) | 30 days (anonymised), then hard-deleted | Art. 17 Right to Erasure |
| Incident reports | 7 years from submission | Limitation Act 1980; ERA 1996 s.111A |
| Witness records | Deleted immediately on account deletion request | Art. 17 — third-party PII |
| Evidence files (no legal hold) | 7 years | Legal claims |
| Evidence files (under legal hold) | Until hold released, then 7 years | Legal obligation |
| Legal case data | 7 years after case closure | Limitation Act 1980 |
| Near-miss logs | 7 years | RIDDOR / HSE guidance |
| Audit logs | 2 years | Legitimate interests (security) |
| API token usage logs | 90 days | Legitimate interests (security) |
| Anonymous submissions | 3 years | Legitimate interests |
| Organisation billing records | 7 years | HMRC financial records requirement |
| Organisation member records | Active membership + 2 years | Contract |
| Sentry error logs | 90 days (Sentry-managed) | Legitimate interests |
Hard-deletion after account closure
When you request account deletion, your profile is immediately pseudonymised (name replaced with "Deleted User"; contact fields nulled; visa/union data cleared). All incident report PII fields (descriptions, names, locations, medical details) are anonymised within the same request. Witness records are hard-deleted immediately. The remaining structural data is permanently deleted within 30 days.
9. Security Measures
Encryption in transit
All data is transmitted over TLS 1.3; plain HTTP requests are rejected.
Encryption at rest
All database rows and file storage encrypted at rest by Supabase.
Row Level Security
Database RLS policies enforce data isolation — you can only access your own records.
IP address masking
We zero the last octet of an IPv4 address (or the last four groups of an IPv6 address) before any storage. Full IPs are never persisted.
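The masking rule stated here and in §2.5 (IPv4: last octet zeroed; IPv6: last four groups zeroed) is shown below in Python. This is an added example, not the platform's code. It uses the standard-library `ipaddress` module; the `X-Forwarded-For` handling assumes the application sits behind a trusted proxy that appends the real client address as the last entry, which the policy does not state.

```python
import ipaddress
from typing import Optional

# Prefix lengths that implement the policy's rule:
# IPv4 keeps 24 bits (last octet zeroed); IPv6 keeps 64 bits (last four groups zeroed).
IPV4_PREFIX = 24
IPV6_PREFIX = 64


def mask_ip(raw: str) -> str:
    """Return the masked form of a client IP, as it should be stored.

    Raises ValueError for anything that is not a single valid IP literal,
    so a malformed value can never reach storage unmasked.
    """
    addr = ipaddress.ip_address(raw.strip())
    # An IPv4-mapped IPv6 literal (::ffff:203.0.113.77) is really an IPv4
    # client; unwrap it so the IPv4 rule applies instead of zeroing all of it.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def client_ip_for_storage(forwarded_for: Optional[str], remote_addr: str) -> str:
    """Pick the client address from a request and mask it before it is logged.

    Assumption (not from the policy): a trusted proxy appends the address it
    observed as the LAST entry of X-Forwarded-For. Earlier entries are
    client-controlled and must not be trusted for rate limiting or audit logs.
    """
    candidate = remote_addr
    if forwarded_for:
        candidate = forwarded_for.split(",")[-1]
    try:
        return mask_ip(candidate)
    except ValueError:
        # Never persist an unparseable value verbatim; record that it was invalid.
        return "invalid"


# Constructed sample requests (documentation address ranges, not real clients).
SAMPLE_REQUESTS = [
    (None, "203.0.113.77"),
    (None, "2001:db8:85a3:8d3:1319:8a2e:370:7348"),
    (None, "::ffff:203.0.113.77"),
    ("198.51.100.9, 203.0.113.77", "10.0.0.1"),
    ("not-an-ip", "10.0.0.1"),
]

if __name__ == "__main__":
    for xff, remote in SAMPLE_REQUESTS:
        print(f"{xff!r:40} {remote:40} -> {client_ip_for_storage(xff, remote)}")
```

Note the privacy limit of this rule: a zeroed last octet still identifies a block of 256 addresses, so a masked IP combined with a timestamp and user agent can still narrow down a small office or home network. That is why the policy treats it as personal data and retains it only as long as the audit purpose requires.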
Input sanitisation
All user inputs are sanitised before storage to prevent XSS and injection.
Rate limiting
All API endpoints are rate limited per user or IP using persistent Supabase counters.
Despite these measures, no system is completely secure. If you discover a security vulnerability, please report it responsibly to privacy@safeguardworkers.co.uk.
11. Your Rights Under UK GDPR
You have the following rights. Most can be exercised directly in your Account Settings. We will respond without undue delay and in any event within one month (UK GDPR Art. 12(3)).
Right of Access (Art. 15)
Request a copy of all personal data we hold about you.
How: Account Settings → Download my data
Right to Data Portability (Art. 20)
Receive your data in a structured, machine-readable JSON format.
How: Account Settings → Download my data
Right to Rectification (Art. 16)
Correct inaccurate personal data. You can update your profile directly.
How: Account Settings → Personal Details, or email us
Right to Erasure (Art. 17)
Request deletion of your data. Profile PII and report PII are anonymised immediately; full deletion within 30 days. Some data may be retained where a legal hold applies or where we have a legal obligation.
How: Account Settings → Delete account
Right to Restrict Processing (Art. 18)
Pause all non-essential processing of your data while a dispute is resolved.
How: Account Settings → Your GDPR Rights → Restrict processing
Right to Object (Art. 21)
Object to processing based on legitimate interests. We will cease non-essential processing immediately.
How: Account Settings → Your GDPR Rights → Object to processing
Right to Withdraw Consent (Art. 7(3))
Withdraw the consent you gave at registration. Some features may become unavailable if consent is withdrawn.
How: Account Settings → Your GDPR Rights → Withdraw consent
To exercise a right that is not available in Account Settings, or for a complex request (for example, erasure where a legal hold applies), email privacy@safeguardworkers.co.uk with "GDPR Rights Request" in the subject line. We may ask you to verify your identity before acting on the request.
12. Children
Our service is intended for workers aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you believe we have done so, please contact us immediately at privacy@safeguardworkers.co.uk and we will delete the data without delay.
13. Changes to This Privacy Policy
We will update this policy when our processing activities change. For material changes (new special category processing, new sub-processors, changes to retention) we will notify registered users by email and require re-consent where the lawful basis is consent. Minor clarifications will be noted in the version history.
The current version is 1.0, effective 21 March 2026. Older versions are available on request.
14. Contact & Complaints
Privacy enquiries: privacy@safeguardworkers.co.uk
General support: support@safeguardworkers.com
Address: Startup Stiwdio, University of South Wales Newport
Right to complain to the ICO
If you are not satisfied with how we handle your personal data or respond to your rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority:
Website: https://ico.org.uk
Helpline: 0303 123 1113
Report a concern: ico.org.uk/make-a-complaint
We ask that you contact us first — we will do our best to resolve your concern within 30 days.