Privacy and GDPR Policy

Last updated: 2 June 2026

1: Introduction

1.1 Who We Are
This Privacy Policy explains how Health & Safety Zone Limited, a private limited company incorporated in England and Wales under company number 17232584, with its registered office at Suite 1a, 34 West Street, Retford, Nottinghamshire, England, DN22 6ES (the "Company", "we", "us", or "our"), collects, uses, stores, and protects personal data when you use the Health & Safety Zone platform (the "Platform").

1.2 Scope of this Policy
This Policy applies to all User(s) of the Platform and forms part of, and should be read alongside, our Terms and Conditions. It is provided in accordance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

1.3 Controller and Processor Roles
For personal data relating to your account, billing, and your use of the Platform, the Company acts as a data controller. For any personal data that you input, upload, or include within the documents you create using the Platform (including, for example, the names, roles, or health information of your employees or third parties contained within risk assessments, COSHH assessments, policies, or signatures), you are the data controller and the Company acts as a data processor acting on your instructions. As the controller of that content, you are solely responsible for ensuring you have a lawful basis to provide it to us and for the accuracy and lawfulness of that data.

2: Personal Data We Collect

2.1 We may collect and process the following categories of personal data:

  • Account and registration data: name, email address, username, password (stored in encrypted form), job title, and contact details.
  • Organisation data: company or organisation name, business address, company logos, branding, and other business identifiers you provide for use within your documents.
  • Document content data: the information you enter into, upload to, or generate within the Platform, which may include the personal data of your employees, contractors, or third parties where you choose to include it.
  • Digital signature data: electronic signatures, including reviewer and approver e-signatures applied within risk assessments, COSHH assessments, and other documents, together with associated metadata such as the signatory name, date, and time.
  • Usage, log, and technical data: records of documents generated and saved, actions taken on the Platform, IP address, browser type, device information, and access logs.
  • Communications data: any correspondence you send to us, including support requests.
  • Payment-related data: limited transaction information such as subscription tier, amount, currency, and payment status. We do not collect or store your card or bank details — see Section 8.

3: How We Collect Your Data

3.1 We collect personal data: directly from you when you register, subscribe, configure your account, or create documents; automatically as you use the Platform (through logs and similar technologies); and from our payment processors in the form of limited transaction confirmations.

4: Legal Bases for Processing

4.1 We process personal data only where we have a lawful basis to do so under Article 6 of the UK GDPR, namely:

  • Performance of a contract: to provide the Platform, manage your account, and deliver the services you have subscribed to.
  • Legitimate interests: to operate, secure, maintain, and improve the Platform, prevent fraud and misuse, log activity, and communicate with you, provided such interests are not overridden by your rights.
  • Legal obligation: to comply with our legal, regulatory, accounting, and tax obligations.
  • Consent: where required, for example for certain marketing communications. You may withdraw consent at any time.

4.2 Where you include special category data (such as health information) within your documents, you, as the controller of that content, are responsible for identifying and satisfying the additional conditions for processing under Article 9 of the UK GDPR.

5: How We Use Your Data

5.1 We use personal data to: create and administer your account; provide, operate, and maintain the Platform and its document-generation features; store and make available the documents you save; process subscriptions and payments; provide customer support; ensure security and prevent fraud or misuse; comply with legal obligations; and maintain, develop, and improve our services.

6: Digital Signatures and Document Security

6.1 Encryption of Signatures
All electronic signatures captured on the Platform are secured using AES-256-GCM encryption. Risk assessments and COSHH assessments additionally support reviewer and approver e-signatures applied within the document itself, which are protected by the same encryption standard.

6.2 Integrity
AES-256-GCM is an authenticated encryption mode: it protects signature data against unauthorised access and detects any modification of the stored data, so a signature that decrypts successfully is the one that was originally captured. While we apply robust technical measures, no method of electronic storage or transmission is completely secure, and we cannot guarantee absolute security.
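As an added illustration, and not the Platform's own code or a description of how it is implemented, the following Go program shows what the AES-256-GCM protection described in 6.1 and 6.2 provides when a signature record is stored: the signature bytes are encrypted under a 256-bit key, and the signatory metadata (name, role, date and time) is bound to the ciphertext as associated data, so that altering either the stored ciphertext or the metadata causes decryption to fail. The key source, the metadata string format and the signature bytes are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SealedSignature is the record that would be persisted: a per-record nonce,
// the ciphertext (which ends with the 16-byte GCM authentication tag), and the
// metadata that was bound to it as associated data. The metadata stays in
// clear so it can be searched, but cannot be altered without detection.
type SealedSignature struct {
	Nonce      []byte
	Ciphertext []byte
	Metadata   string // assumed format: "signatory=...;role=...;signed_at=..."
}

// Seal encrypts raw signature bytes under a 32-byte (AES-256) key with AES-GCM,
// binding the metadata as additional authenticated data (AAD).
func Seal(key, signature []byte, metadata string) (*SealedSignature, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce for every record: reusing a nonce under the same
	// key breaks both the confidentiality and the integrity guarantees of GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, signature, []byte(metadata))
	return &SealedSignature{Nonce: nonce, Ciphertext: ct, Metadata: metadata}, nil
}

// Open decrypts and verifies a record. Any change to the ciphertext, the tag,
// the nonce or the bound metadata makes gcm.Open return an error, so a record
// that opens is both confidential and unmodified since it was sealed.
func Open(key []byte, s *SealedSignature) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(s.Metadata))
}

// NewKey returns a random 32-byte key. In a real deployment the key would come
// from a key-management service rather than be generated here (assumption).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample input: stands in for the captured signature image.
	sig := []byte("<constructed signature image bytes>")
	meta := "signatory=A. Reviewer;role=reviewer;signed_at=2026-06-02T10:15:00Z"

	sealed, err := Seal(key, sig, meta)
	if err != nil {
		panic(err)
	}
	if _, err := Open(key, sealed); err != nil {
		panic(err)
	}
	fmt.Println("untouched record opens cleanly")

	// Forge the role in the stored metadata: the bound AAD no longer matches.
	forged := *sealed
	forged.Metadata = "signatory=A. Reviewer;role=approver;signed_at=2026-06-02T10:15:00Z"
	_, err = Open(key, &forged)
	fmt.Println("metadata tampering detected:", err != nil)

	// Flip one byte of the ciphertext: the authentication tag no longer verifies.
	flipped := *sealed
	flipped.Ciphertext = append([]byte(nil), sealed.Ciphertext...)
	flipped.Ciphertext[0] ^= 0x01
	_, err = Open(key, &flipped)
	fmt.Println("ciphertext tampering detected:", err != nil)
}
```

Two points a practitioner would check against any implementation of this kind: the nonce must never repeat under the same key, and the error returned on verification failure must be treated as a hard failure rather than logged and ignored, otherwise the tamper detection that the policy relies on is not actually enforced.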

7: Document Storage, Logging, and Service Improvement

7.1 Storage
Documents you save, together with associated assets such as company names and logos, are stored on our systems so that they remain available to you within your account.

7.2 Logging
For security, auditing, troubleshooting, and service-improvement purposes, the Platform logs documents generated and key actions taken by User(s).

7.3 Service Improvement
We may use data relating to the use of the Platform and the documents generated, including in aggregated, de-identified, or anonymised form, to maintain, secure, analyse, develop, and improve our products, templates, and services. Where data is fully anonymised so that it no longer identifies any individual, it is no longer personal data and may be used without restriction. You should not include personal or special category data within documents beyond what is necessary for your purposes.

8: Payment Processing

8.1 Third-Party Processors
Payments are processed securely by our third-party payment providers, Stripe and PayPal. When you make a payment, your card and payment details are entered into and processed directly by Stripe or PayPal.

8.2 No Local Storage of Card Details
We do not collect, see, or store your full card numbers, bank details, or other sensitive payment credentials on our own systems. Such data is handled entirely by Stripe and PayPal under their own terms and privacy policies, which we encourage you to review. We receive only limited transaction information necessary to manage your subscription (such as confirmation of payment, amount, and status).

8.3 Stripe and PayPal act as independent controllers in respect of the payment data they process. Their handling of your data is governed by their respective privacy policies.

9: Special Category Data

9.1 Health and safety documents may, by their nature, contain special category data such as information about an individual’s health. Where you choose to include such data within your documents, you do so as the data controller and warrant that you have a valid lawful basis and an applicable Article 9 condition for doing so. We process such data only as a processor, on your instructions, for the purpose of providing the Platform to you. We recommend you minimise the inclusion of special category data wherever possible.

10: Sharing and Disclosure of Your Data

10.1 We do not sell your personal data. We may share personal data with:

  • Sub-processors and service providers who help us operate the Platform, including cloud hosting and infrastructure providers, email and communication providers, and analytics providers, all of whom are bound by appropriate contractual obligations.
  • Payment processors (Stripe and PayPal) to process transactions.
  • Professional advisers such as lawyers, accountants, and auditors where necessary.
  • Authorities or third parties where required to comply with a legal obligation, enforce our Terms, or protect our rights, property, or safety, or those of others.
  • A successor in the event of a merger, acquisition, or sale of the business or its assets.

11: International Transfers

11.1 Some of our service providers, including payment processors, may process personal data outside the United Kingdom. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as an adequacy decision, the International Data Transfer Agreement, or Standard Contractual Clauses, as required by law.

12: Data Retention

12.1 We retain personal data only for as long as necessary for the purposes for which it was collected, including to provide the Platform, comply with our legal, accounting, and reporting obligations, and resolve disputes. Account and document data is generally retained for the duration of your account and for a reasonable period thereafter, after which it may be deleted or anonymised, subject to any legal retention requirements. You are responsible for retaining your own copies of finalised documents as set out in our Terms and Conditions.

13: Data Security

13.1 We implement appropriate technical and organisational measures to protect personal data, including encryption of signatures using AES-256-GCM, encrypted storage of passwords, access controls, and secure infrastructure. However, no system is completely secure, and we cannot guarantee the absolute security of data transmitted to or stored on the Platform. You are responsible for keeping your account credentials confidential.

14: Your Rights

14.1 Subject to the conditions and exemptions in the UK GDPR, you have the right to: be informed about how your data is used; access your personal data; have inaccurate data rectified; have your data erased in certain circumstances; restrict or object to processing; data portability; and withdraw consent where processing is based on consent.

14.2 Where the Company acts as a processor in respect of personal data contained within your documents, requests from individuals relating to that data should be directed to you as the controller, and we will assist you in responding as required by law.

14.3 To exercise your rights, contact us using the details in Section 21. We may need to verify your identity before responding.

15: Cookies and Similar Technologies

15.1 Strictly Necessary Cookies
The Platform uses cookies and similar technologies that are strictly necessary for the provision of the service. These are an integral part of how the Platform operates and are used to maintain your session, secure your account and access, protect the integrity of your documents, and record the activity and tracking data required to operate the service (such as logging document generation, signatures, and approvals). These cookies are essential and are not used for third-party advertising.

15.2 Your Agreement
Because these cookies and tracking technologies are necessary to deliver the service you have subscribed to, they cannot be disabled while using the Platform. When you first access the Platform, a notification informs you of their use, and by continuing to use the site you acknowledge and agree to our use of cookies and tracking data as described in this Policy. If you do not wish to accept them, you should stop using the Platform, as it cannot function without them.

15.3 No Non-Essential Cookies
We do not use non-essential cookies. In particular, we do not use cookies or tracking for advertising, advert suggestions, behavioural profiling, or third-party marketing. All analytics and tracking we carry out are essential to the use, operation, security, and running of the site and services, and are used solely for those purposes.

15.4 Managing Cookies
You may block or delete cookies through your browser settings; however, doing so will prevent the Platform from working correctly, as the cookies we use are required for the service to operate.

16: Automated Processing and AI-Assisted Features

16.1 Certain features use automated or AI-assisted processing to help generate documents based on the information you provide. These features assist with document creation only and do not make decisions that produce legal or similarly significant effects on individuals without human involvement. All generated documents must be reviewed and approved by you in accordance with our Terms and Conditions.

17: Data Breaches

17.1 We maintain procedures to detect, report, and investigate personal data breaches. Where required by law, we will notify the Information Commissioner’s Office and affected individuals of a breach within the applicable timeframes. Where we act as a processor, we will notify you, as controller, without undue delay on becoming aware of a relevant breach.

18: Children’s Data

18.1 The Platform is intended for business and professional use and is not directed at children. We do not knowingly collect personal data relating to children.

19: Third-Party Links and Services

19.1 The Platform may contain links to or integrate with third-party websites and services, including Stripe and PayPal. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy policies.

20: Changes to this Policy

20.1 We may update this Privacy Policy from time to time to reflect changes in law or our practices. Material changes will be notified to you by email or via the Platform. The "Last updated" date at the top indicates when this Policy was last revised. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

21: How to Contact Us and Complaints

21.1 For any questions about this Policy or to exercise your rights, contact us at info@healthsafetyzone.com or by writing to Health & Safety Zone Limited, Suite 1a, 34 West Street, Retford, Nottinghamshire, England, DN22 6ES.

21.2 If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority, at ico.org.uk. We would, however, appreciate the opportunity to address your concerns before you approach the ICO.