Privacy Policy
Last updated: 15 March 2026
This policy explains how ClearSafe collects, uses, stores, and protects your personal data in compliance with UK GDPR and the Data Protection Act 2018.
DRAFT — Pending legal review before publication. This document will be reviewed by a qualified solicitor before ClearSafe launches publicly.
1. Introduction and Data Controller
The data controller for ClearSafe is:
ClearSafe Ltd
Company number: 17093354
66 Paul Street, London, England, EC2A 4NA
Email: hello@clearsafe.io
Website: clearsafe.io
Information Commissioner's Office (ICO) registration number: ZC107875
We are committed to protecting your personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations 2003 (PECR).
If you have any questions about how we handle your personal data, contact us at hello@clearsafe.io.
2. Data We Collect
2.1 Account Data
When you create an account (via Clerk), we collect:
- Full name
- Email address
- Profile picture (if using Google sign-in)
- Authentication identifiers (Clerk user ID)
2.2 Company and Workplace Data
During onboarding and settings configuration, you provide:
- Company name
- Industry
- Number of workers
- Site/premises name(s) and address(es)
- Phone number (optional)
- Founded year (optional)
2.3 Compliance Records
When you use the platform, we store:
- Risk assessments (including hazard descriptions, control measures, review dates)
- Fire risk assessments (including premises details, fire safety systems, escape routes)
- Incident and near-miss reports (including descriptions, injury details, RIDDOR outcomes)
- Safety asset records (including equipment details, inspection dates, test logs)
- Health and safety policies
- Method statements (RAMS)
- Compliance scores and calendar events
Important: Incident records may contain special category data (health data) about injured workers or members of the public, including details of injuries, medical treatment, and absence periods. See Section 5 for how we handle this data.
2.4 AI Interaction Data
When you use Felix (our AI advisor) or generate AI content, the queries and prompts you submit are sent to Anthropic for processing. We store:
- The messages you send to Felix
- The AI-generated responses
- Usage counts for plan limit tracking
Anthropic processes your queries under their data processing agreement. Anthropic does not use data submitted via the API for model training. See Section 7 for details.
2.5 Payment Data
Payment processing is handled entirely by Stripe. We store:
- Stripe customer ID
- Subscription plan and status
- Billing period dates
We never store your card number, CVC, or full payment details. These are held securely by Stripe in accordance with PCI DSS Level 1 compliance.
2.6 Usage Data
We automatically collect:
- Feature usage counts (for plan limit enforcement)
- Login timestamps
- Pages visited within the platform
2.7 Communications Data
If you contact us via email or submit a complaint, we retain your correspondence to provide support and resolve issues.
3. Legal Basis for Processing
Under UK GDPR Article 6, we process your personal data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service (account, assessments, reports) | Contract performance (Art. 6(1)(b)) |
| Processing payments | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (invitations, receipts, reminders) | Legitimate interest (Art. 6(1)(f)) |
| Enforcing plan limits and usage tracking | Legitimate interest (Art. 6(1)(f)) |
| Retaining compliance records (risk assessments, incidents) | Legal obligation (Art. 6(1)(c)) — UK H&S legislation |
| Responding to support requests and complaints | Legitimate interest (Art. 6(1)(f)) |
| Product improvement and security | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications (if you opt in) | Consent (Art. 6(1)(a)) |
4. Legitimate Interests
Where we rely on legitimate interests, we have conducted a Legitimate Interest Assessment (LIA) and concluded that our processing does not override your rights and freedoms. Our legitimate interests include:
- Providing and improving the Service
- Preventing fraud and maintaining security
- Sending service-related communications
- Enforcing subscription plan limits
You have the right to object to processing based on legitimate interests. See Section 10.
5. Special Category Data (Health Data)
ClearSafe's incident reporting feature may involve the processing of special category data under UK GDPR Article 9, specifically health data about individuals involved in workplace incidents (injuries, illnesses, medical treatment, absence periods).
5.1 Our Role
You are the data controller for health data about your employees, contractors, and visitors that you input into ClearSafe. ClearSafe acts as your data processor for this data.
5.2 Legal Basis for Processing
We process special category data under the following Article 9 conditions:
- Article 9(2)(b) — Processing is necessary for the purposes of carrying out obligations in the field of employment law, specifically health and safety record-keeping under the HSWA 1974, MHSWR 1999, RIDDOR 2013, and the Social Security (Claims and Payments) Regulations 1979.
- Article 9(2)(f) — Processing is necessary for the establishment, exercise, or defence of legal claims.
5.3 Your Responsibilities
As the data controller for health data, you are responsible for:
- Ensuring you have a lawful basis to record health data about individuals.
- Informing affected individuals that their data is being recorded.
- Restricting access to incident records to authorised personnel only.
- Responding to data subject access requests (DSARs) relating to this data.
6. How We Use Your Data
We use your personal data to:
- Create and manage your account.
- Provide the Service, including generating AI content, storing compliance records, and managing team access.
- Process subscription payments via Stripe.
- Send transactional emails (account verification, team invitations, asset inspection reminders, billing receipts).
- Enforce plan-based usage limits.
- Respond to support requests, complaints, and feedback.
- Maintain security, detect fraud, and prevent misuse.
- Comply with UK legal obligations (e.g., retaining compliance records).
- Improve the Service based on anonymised usage patterns.
We do not use your personal data for profiling, automated decision-making with legal effects, or selling to third parties.
7. Data Processors (Sub-Processors)
We use the following third-party services to operate ClearSafe. Each processes personal data on our behalf under a data processing agreement (DPA):
| Processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Clerk | Authentication and user management | United States | SCCs |
| Supabase | Database (PostgreSQL) hosting | AWS EU-West-2 (London) | EU/UK hosted |
| Stripe | Payment processing and billing | United States | SCCs |
| Anthropic | AI processing (Felix advisor, content generation) | United States | SCCs |
| Resend | Transactional email delivery | United States | SCCs |
| Vercel | Application hosting and CDN | United States | SCCs |
Note on Anthropic: When you use Felix or generate AI content, your prompts and queries are transmitted to Anthropic's API for processing. Anthropic does not use data submitted via the API to train its models. Anthropic's data usage policy is available at anthropic.com/privacy.
8. International Data Transfers
Your core compliance data (risk assessments, incidents, assets) is stored in the UK/EU on Supabase's AWS EU-West-2 (London) infrastructure.
Some personal data is transferred to the United States for processing by Clerk, Stripe, Anthropic, Resend, and Vercel. These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the ICO, in accordance with UK GDPR Article 46(2)(c).
We regularly review our sub-processors' data protection practices and will notify you of any material changes.
9. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this policy, or as required by law.
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data | Duration of subscription + 90 days | Contract |
| Compliance records (risk assessments, fire risk, policies) | 7 years from creation | UK H&S legal requirements |
| Incident records (including health data) | 3 years from date of incident (or 7 years if litigation risk) | RIDDOR 2013, Limitation Act 1980 |
| Payment records | 7 years from transaction | Financial regulations (HMRC) |
| AI interaction logs | 12 months | Service improvement |
| Support and complaint correspondence | 2 years from resolution | Legitimate interest |
| Usage tracking data | 13 months (rolling) | Plan enforcement |
Deletion requests: You may request deletion of your personal data at any time (see Section 10). We will process deletion requests within 30 days, except where retention is required by law (e.g., compliance records retained for H&S obligations).
10. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
- Right of Access (Article 15) — You can request a copy of the personal data we hold about you. We will respond within 30 days.
- Right to Rectification (Article 16) — You can ask us to correct inaccurate or incomplete personal data. You can also update your data directly in the dashboard settings.
- Right to Erasure (Article 17) — You can ask us to delete your personal data. We will comply unless we have a legal obligation to retain it (e.g., compliance records required under H&S legislation).
- Right to Restriction (Article 18) — You can ask us to restrict processing of your data in certain circumstances (e.g., while we verify the accuracy of data you have contested).
- Right to Data Portability (Article 20) — You can request your data in a structured, commonly used, machine-readable format. ClearSafe's audit pack export (PDF + CSV) provides this functionality.
- Right to Object (Article 21) — You can object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds.
- Rights Related to Automated Decision-Making (Article 22) — ClearSafe does not make automated decisions with legal or similarly significant effects on you. Our Compliance Score and RIDDOR checks are advisory tools, not automated decisions.
10.1 How to Exercise Your Rights
To exercise any of the above rights, contact us at:
- Email: hello@clearsafe.io (subject line: “Data Rights Request”)
We will respond within 30 days. If the request is complex, we may extend this by a further 60 days and will inform you of the reason for the extension. We may ask you to verify your identity before processing a request.
10.2 Right to Complain to the ICO
If you are not satisfied with how we have handled your data or your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
11. Security Measures
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit — All data is transmitted over HTTPS (TLS 1.2+).
- Encryption at rest — Database data is encrypted at rest using AES-256 (via Supabase/AWS).
- Authentication security — Managed by Clerk with support for multi-factor authentication (MFA).
- Row-Level Security (RLS) — Database policies ensure users can only access their own organisation's data.
- Payment security — PCI DSS Level 1 compliance via Stripe. We never see or store card details.
- Access controls — Role-based access (Admin, Manager, Viewer, Auditor) within team management.
- Regular security reviews — We regularly review our security practices and sub-processor arrangements.
12. Children
ClearSafe is a business-to-business platform and is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will delete it promptly.
Note: While ClearSafe's risk assessment tools allow users to identify children/pupils as “vulnerable persons” for the purposes of a workplace risk assessment, this does not involve collecting personal data about individual children.
13. Cookies
ClearSafe uses a minimal number of essential cookies for authentication and platform functionality. We do not use advertising or tracking cookies.
For full details, see our Cookie Policy.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before they take effect. The “Last updated” date at the top of this page will be revised accordingly.
15. Governing Law
This Privacy Policy is governed by the laws of England and Wales and the UK GDPR. Users in Scotland and Northern Ireland retain any additional rights afforded to them under their local jurisdiction.
16. Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data:
ClearSafe Ltd
Company number: 17093354
66 Paul Street, London, England, EC2A 4NA
Data protection enquiries: hello@clearsafe.io
Support: support@clearsafe.io
Complaints: complaints@clearsafe.io
Website: clearsafe.io
Information Commissioner's Office (ICO):
Website: ico.org.uk · Helpline: 0303 123 1113
See also: Terms of Service · Refund & Cancellation Policy · Cookie Policy · Complaints Policy