Privacy Policy
Last updated: 12 May 2026
This policy explains how ClearSafe Ltd collects, uses, stores, and protects your personal data in compliance with UK GDPR and the Data Protection Act 2018.
1. Introduction and Data Controller
The data controller for GetClearSafe is:
ClearSafe Ltd
Company number: 17093354
66 Paul Street, London, England, EC2A 4NA
Phone: +44 (0)330 133 0620
Email: hello@getclearsafe.com
Website: getclearsafe.com
Information Commissioner's Office (ICO) registration number: ZC107875
We are committed to protecting your personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations 2003 (PECR).
This Privacy Policy applies to both UK data subjects under UK GDPR and EU data subjects under EU GDPR (Regulation (EU) 2016/679). For EU data subjects, the relevant supervisory authority is the Data Protection Commission of Ireland (where Anthropic's EU operations are based) or the supervisory authority in the EU member state where the data subject resides.
If you have any questions about how we handle your personal data, contact us at support@getclearsafe.com.
2. Data We Collect
2.1 Account Data
When you create an account (via Clerk), we collect:
- Full name
- Email address
- Profile picture (if using Google sign-in)
- Authentication identifiers (Clerk user ID)
2.2 Company and Workplace Data
During onboarding and settings configuration, you provide:
- Company name
- Industry
- Number of workers
- Site/premises name(s) and address(es)
- Phone number (optional)
- Founded year (optional)
2.3 Compliance Records
When you use the platform, we store:
- Risk assessments (including hazard descriptions, control measures, review dates)
- Fire risk assessments (including premises details, fire safety systems, escape routes)
- Incident and near-miss reports (including descriptions, injury details, RIDDOR outcomes)
- Safety asset records (including equipment details, inspection dates, test logs)
- Health and safety policies
- Method statements (RAMS)
- Compliance scores and calendar events
Important: Incident records may contain special category data (health data) about injured workers or members of the public, including details of injuries, medical treatment, and absence periods. See Section 5 for how we handle this data.
2.4 AI Interaction Data
When you use Felix (our AI advisor) or generate AI content, the queries and prompts you submit are sent to Anthropic for processing. We store:
- The messages you send to Felix
- The AI-generated responses
- Usage counts for plan limit tracking
Anthropic processes your queries under their data processing agreement. Anthropic does not use data submitted via the API for model training. See Section 7 for details.
2.5 Payment Data
Payment processing is handled entirely by Stripe. We store:
- Stripe customer ID
- Subscription plan and status
- Billing period dates
We never store your card number, CVC, or full payment details. These are held securely by Stripe in accordance with PCI DSS Level 1 compliance.
2.6 Usage Data
We automatically collect:
- Feature usage counts (for plan limit enforcement)
- Login timestamps
- Pages visited within the platform
2.7 Communications Data
If you contact us via email or submit a complaint, we retain your correspondence to provide support and resolve issues.
3. Legal Basis for Processing
Under UK GDPR Article 6, we process your personal data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service (account, assessments, reports) | Contract performance (Art. 6(1)(b)) |
| Processing payments | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (invitations, receipts, reminders) | Legitimate interest (Art. 6(1)(f)) |
| Enforcing plan limits and usage tracking | Legitimate interest (Art. 6(1)(f)) |
| Responding to support requests and complaints | Legitimate interest (Art. 6(1)(f)) |
| Product improvement and security | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications (if you opt in) | Consent (Art. 6(1)(a)) |
| AI processing of user inputs to generate compliance documentation | Contract performance (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)) |
4. Legitimate Interests
Where we rely on legitimate interests, we have conducted a Legitimate Interest Assessment (LIA) and concluded that our processing does not override your rights and freedoms. Our legitimate interests include:
- Providing and improving the Service
- Preventing fraud and maintaining security
- Sending service-related communications
- Enforcing subscription plan limits
You have the right to object to processing based on legitimate interests. See Section 10.
5. Special Category Data (Health Data)
ClearSafe Ltd's incident reporting feature may involve the processing of special category data under UK GDPR Article 9, specifically health data about individuals involved in workplace incidents (injuries, illnesses, medical treatment, absence periods).
5.1 Our Role
You are the data controller for health data about your employees, contractors, and visitors that you input into GetClearSafe. ClearSafe Ltd acts as your data processor for this data.
5.2 Legal Basis for Processing
We process special category data under the following Article 9 conditions:
- Article 9(2)(b) — Processing is necessary for the purposes of carrying out obligations in the field of employment law, specifically health and safety record-keeping under the HSWA 1974, MHSWR 1999, RIDDOR 2013, and the Social Security (Claims and Payments) Regulations 1979.
- Article 9(2)(f) — Processing is necessary for the establishment, exercise, or defence of legal claims.
5.3 Your Responsibilities
As the data controller for health data, you are responsible for:
- Ensuring you have a lawful basis to record health data about individuals.
- Informing affected individuals that their data is being recorded.
- Restricting access to incident records to authorised personnel only.
- Responding to data subject access requests (DSARs) relating to this data.
6. How We Use Your Data
We use your personal data to:
- Create and manage your account.
- Provide the Service, including generating AI content, storing compliance records, and managing team access.
- Process subscription payments via Stripe.
- Send transactional emails (account verification, team invitations, asset inspection reminders, billing receipts).
- Enforce plan-based usage limits.
- Respond to support requests, complaints, and feedback.
- Maintain security, detect fraud, and prevent misuse.
- Comply with UK legal obligations (e.g., retaining compliance records).
- Improve the Service based on anonymised usage patterns.
We do not use your personal data for profiling, automated decision-making with legal effects, or selling to third parties.
7. Data Processors (Sub-Processors)
We use the following third-party services to operate GetClearSafe. Each processes personal data on our behalf under a data processing agreement (DPA):
| Processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Clerk | Authentication and user management | United States | SCCs (Module 2) |
| Supabase | Database (PostgreSQL) hosting | AWS EU-West-2 (London) | UK hosted |
| Stripe | Payment processing and billing | United States | SCCs (Module 2) |
| Anthropic PBC | AI language model provider — processes prompts and generates compliance documentation content via the Claude API | United States | SCCs (Module 2) + UK Addendum |
| Resend | Transactional email delivery | United States | SCCs (Module 2) |
| Ideal Postcodes | Address lookup and postcode validation during onboarding | United Kingdom | UK hosted |
| Vercel | Application hosting and CDN | United States | SCCs (Module 2) |
| Sentry (Functional Software, Inc.) | Application error tracking and performance monitoring — receives anonymised error events and stack traces. PII is stripped before transmission and personal data is not deliberately sent. | United States | SCCs (Module 2) + DPA |
Note on Anthropic PBC: When you use Felix or generate AI content, your prompts and queries are transmitted to Anthropic's API for processing. Anthropic does not use data submitted via the API to train its models. Personal data included in prompts is processed under Anthropic's Data Processing Addendum (incorporated into their Commercial Terms of Service) with Standard Contractual Clauses and UK Addendum for UK-US data transfers. Anthropic's data usage policy is available at anthropic.com/privacy.
Each sub-processor may itself use infrastructure sub-processors (e.g., cloud hosting providers). For details of each provider's own sub-processor arrangements, please refer to their respective documentation: Clerk, Supabase, Stripe, Anthropic, Resend, Vercel, Ideal Postcodes, Sentry.
8. International Data Transfers
Your core compliance data (risk assessments, incidents, assets) is stored in the UK on Supabase's AWS EU-West-2 (London) infrastructure.
Some personal data is transferred to the United States for processing by Clerk, Stripe, Anthropic, Resend, Vercel, and Sentry (anonymised error events only). These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the ICO, in accordance with UK GDPR Article 46(2)(c).
We regularly review our sub-processors' data protection practices and will notify you of any material changes.
8A. Artificial Intelligence and Automated Processing
The platform uses AI (Anthropic Claude API) to process user inputs and generate compliance documentation.
ClearSafe Ltd does not make automated decisions that produce legal effects concerning users. The platform generates AI-assisted compliance documentation which users review, modify, and sign off at their own discretion. All legal responsibility for adopted documents rests with the user as signatory. ClearSafe Ltd does not make any determination about a user's compliance status — this assessment is always made by the user themselves.
All AI outputs require human review and sign-off before being used as compliance documents. Users retain full control over all AI outputs and are not bound by them until they choose to sign off.
The lawful bases for AI processing are legitimate interests (providing the contracted service) and contractual necessity.
Users who require professional H&S consultancy support beyond the platform's AI-assisted tools may contact enterprise@getclearsafe.com to enquire about consultancy services.
AI interaction logs are retained for 12 months for service improvement purposes, in accordance with the retention schedule in Section 9 below.
8B. AI Incident Analysis — Sub-Processor Disclosure
When you use AI-powered incident analysis features (severity suggestions, RIDDOR checks, dangerous-occurrence checks, likelihood suggestions), we process incident text using Anthropic's Claude API.
8B.1 What data is sent to Anthropic
- Incident description text
- Injury type (if applicable)
- Hazard type (for near-misses)
- Severity (for RIDDOR checks)
8B.2 What is NOT sent to Anthropic
- Names from dedicated fields (persons involved, witnesses)
- Photos or attachments
- Dates, times, or specific locations
- Any fields beyond those listed in 8B.1
We also remind you in the incident report form to describe events without including names, referring to people by role instead (e.g., "a warehouse operative" rather than "John Smith").
8B.3 Legal basis
Processing is necessary for compliance with health & safety employment law obligations under UK GDPR Article 9(2)(b) (employment, social security and social protection law).
8B.4 Data retention at Anthropic
- Anthropic retains API inputs for up to 30 days for abuse prevention and operational integrity
- After 30 days, Anthropic deletes the data
- API data is not used to train Anthropic's models
8B.5 International transfer
Anthropic PBC is a US-based processor. Transfers are protected by Standard Contractual Clauses (SCCs) with the UK Addendum, as approved by the ICO under UK GDPR Article 46(2)(c).
8B.6 Your rights
You can opt out of AI suggestions by not using these features. Manual incident reporting (without AI severity, RIDDOR, or likelihood suggestions) remains fully available.
For more information, see Anthropic's Privacy Policy.
9. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this policy, or as required by law.
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data and all H&S records (risk assessments, fire risk assessments, incidents, method statements, assets, policies, compliance scores) | Duration of subscription + 90 days after cancellation | Contract (Art. 6(1)(b)) |
| Payment records | 7 years from transaction | Financial regulations (HMRC) |
| Felix conversations (chat messages with our AI assistant) | Not stored | We process Felix chats in real-time only. Documents Felix helps you create are stored as account data above. |
| Support and complaint correspondence | 2 years from resolution | Legitimate interest |
| Usage tracking data | 13 months (rolling) | Plan enforcement |
Important: you are the data controller for your H&S records. Upon account deletion (either by user request or after the 90-day grace period following subscription cancellation), all your data is permanently removed from our systems. As the data controller for your Health & Safety records, you are responsible for retaining them in accordance with applicable UK law — including RIDDOR 2013, COSHH 2002, the Health and Safety at Work etc. Act 1974, and the Limitation Act 1980. The platform provides per-document export functionality (PDF download buttons next to each record) throughout your subscription to enable this retention. Please save copies of any records you need to keep before initiating deletion.
Deletion requests: You may delete your account at any time from Settings → Account → Delete Account, which begins permanent deletion immediately after you confirm. Cancelling your subscription (without deleting the account) starts the 90-day grace period after which all data is automatically deleted.
10. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
- Right of Access (Article 15) — You can request a copy of the personal data we hold about you. We will respond within one calendar month.
- Right to Rectification (Article 16) — You can ask us to correct inaccurate or incomplete personal data. You can also update your data directly in the dashboard settings.
- Right to Erasure (Article 17) — You can delete your account directly from Settings → Account → Delete Account. Before confirming, you’ll be asked to acknowledge that you are the data controller for your H&S records and that you have downloaded any records you need to retain under UK law. On confirmation, all your data is permanently removed from our systems. We cannot recover deleted data.
- Right to Restriction (Article 18) — You can ask us to restrict processing of your data in certain circumstances (e.g., while we verify the accuracy of data you have contested).
- Right to Data Portability (Article 20) — You can export your data at any time in a structured, machine-readable JSON format from Settings → Security → Export Your Data. This self-serve export is available on every plan and covers every record we hold for your organisation. Professional and Business plans additionally include a formatted audit pack (PDF) for compliance inspections.
- Right to Object (Article 21) — You can object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds.
- Rights Related to Automated Decision-Making (Article 22) — ClearSafe Ltd does not make automated decisions with legal or similarly significant effects on you. Our Compliance Score and RIDDOR checks are advisory tools, not automated decisions.
10.1 How to Exercise Your Rights
To exercise any of the above rights, contact us at:
- Phone: +44 (0)330 133 0620
- Email: support@getclearsafe.com (subject line: “Data Rights Request”)
We will respond within one calendar month. If the request is complex, we may extend this by a further 60 days and will inform you of the reason for the extension. We may ask you to verify your identity before processing a request.
10.2 Right to Complain to the ICO
If you are not satisfied with how we have handled your data or your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
11. Security Measures
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit — All data is transmitted over HTTPS (TLS 1.2+).
- Encryption at rest — Database data is encrypted at rest using AES-256 (via Supabase/AWS).
- Authentication security — Managed by Clerk with support for multi-factor authentication (MFA).
- Row-Level Security (RLS) — Database policies ensure users can only access their own organisation's data.
- Payment security — PCI DSS Level 1 compliance via Stripe. We never see or store card details.
- Access controls — Role-based access (Admin, Manager, Viewer, Auditor) within team management.
- Regular security reviews — We regularly review our security practices and sub-processor arrangements.
11A. Data Breach Notification
In the event of a personal data breach, ClearSafe Ltd will notify affected controller-customers without undue delay and in any event within 48 hours of becoming aware of the breach.
This enables controller-customers to meet their own 72-hour notification obligation to the ICO under UK GDPR Article 33.
Where ClearSafe Ltd is acting as a controller of its own user data, ClearSafe Ltd will notify the ICO directly where required under UK GDPR Article 33.
12. Children
GetClearSafe is a business-to-business platform and is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will delete it promptly.
Note: While ClearSafe Ltd's risk assessment tools allow users to identify children/pupils as “vulnerable persons” for the purposes of a workplace risk assessment, this does not involve collecting personal data about individual children.
13. Cookies
ClearSafe Ltd uses a minimal number of essential cookies for authentication and platform functionality. We do not use advertising or tracking cookies.
For full details, see our Cookie Policy.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before they take effect. The “Last updated” date at the top of this page will be revised accordingly.
15. Governing Law
This Privacy Policy is governed by the laws of England and Wales and the UK GDPR. Users in Scotland and Northern Ireland retain any additional rights afforded to them under their local jurisdiction.
16. Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data:
ClearSafe Ltd
Company number: 17093354
66 Paul Street, London, England, EC2A 4NA
Phone: +44 (0)330 133 0620
Data protection enquiries: hello@getclearsafe.com
Support: support@getclearsafe.com
Complaints: complaints@getclearsafe.com
Website: getclearsafe.com
For all data protection queries and subject access requests, contact hello@getclearsafe.com with the subject line “Data Protection Request”.
A formal Data Processing Agreement (DPA) is available on request for business customers — see our DPA page.
Information Commissioner's Office (ICO):
Website: ico.org.uk · Helpline: 0303 123 1113