Privacy Policy

1. Introduction & Data Controller

SafeSentry is a trading name of Apex Civil Engineering Consultants LTD ("we", "our", "us"), a company registered in England and Wales. We are the data controller for the personal data processed through the SafeSentry platform at safesentry.co.uk.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR) 2003.

By using SafeSentry, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Personal Data We Collect

2.1 Account & Registration Data

• Full name, email address, phone number
• Company name, job title, and role within your organisation
• Password (stored using bcrypt one-way hashing — we cannot read your password)
• Account preferences and notification settings

2.2 Document & Project Data

• RAMS documents uploaded for analysis (PDF, DOCX, DOC)
• AI-generated evaluation results, scores, and improvement suggestions
• Project details: name, location, coordinates, client information, project numbers
• Risk assessments (PoWRA): hazard data, checklists, assessor names, digital signatures
• Daily site reports, toolbox briefings, snagging lists, delivery logs
• Equipment registers, permit records, project milestones
• Near-miss reports and safety observations
• AI-generated RAMS documents created through our RAMS Generator
• Chat messages sent to our AI Safety Assistant ("Ask Your RAMS" and chatbot features)

2.3 Site Induction Data

• Operative name, company, trade/role, email, phone number
• Emergency contact details
• CSCS card number, type, and photograph
• Induction question responses and digital signature

2.4 Site Attendance / Register Data

• Worker name, position/trade, and company
• Sign-in and sign-out times, duration on site
• This data is collected via public QR code pages without requiring a login. Workers provide their name voluntarily when scanning the site QR code.

2.5 Photographs & Media

• Site photographs uploaded to projects (including EXIF metadata such as date, time, location)
• CSCS card photographs submitted during inductions

2.6 Certification & Training Data

• Professional certifications (name, issuer, expiry date, certificate numbers)
• Training module progress and quiz results
• Training matrix assignments

2.7 Technical & Usage Data

• IP address, browser type and version, device type
• Pages visited, features used, time spent on the platform
• Authentication tokens and session data
• Error logs and system performance data

3. Lawful Basis for Processing

Under UK GDPR Article 6, we process your personal data on the following legal bases:

Legitimate Interest Assessments: Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override the rights and freedoms of data subjects. Records of these assessments are available on request.

4. How We Use Your Data

• Service delivery: Providing RAMS analysis, project management, attendance tracking, inductions, and all platform features
• AI processing: Sending document content to AI models for analysis, scoring, and generating recommendations (see Section 5)
• Communications: Sending email verification, password resets, service notifications, and certification expiry alerts
• Safety compliance: Maintaining induction records, attendance logs, near-miss reports, and risk assessments as required for health and safety record-keeping
• Service improvement: Analysing usage patterns, debugging errors, and improving platform features
• Security: Preventing unauthorised access, detecting fraud, and protecting user data

5. AI Processing & Automated Decision-Making

6. Data Sharing & Third-Party Processors

6.1 We Do Not Sell Your Data

We will never sell, rent, or trade your personal data or documents to third parties for marketing or any other purpose.

6.2 Sub-Processors

We share data with the following categories of processors, all bound by data processing agreements:

• Cloud hosting & infrastructure: Servers, databases, and file storage (data encrypted at rest and in transit)
• AI service provider: For document analysis, scoring, and AI-powered features
• Email service: For transactional emails (verification, password resets, notifications)
• Content delivery network: For serving static assets efficiently

6.3 Legal Disclosures

We may disclose your data if required to:

• Comply with a legal obligation, court order, or regulatory request (e.g. HSE investigation)
• Protect the rights, property, or safety of our users, employees, or the public
• Enforce our Terms and Conditions
• In connection with a merger, acquisition, or sale of assets (users will be notified in advance)

7. International Data Transfers

Some of our sub-processors may process data outside the United Kingdom. Where this occurs, we ensure adequate safeguards are in place through:

• UK adequacy regulations (for countries deemed adequate by the UK Government)
• International Data Transfer Agreements (IDTAs) or the UK Addendum to Standard Contractual Clauses
• Supplementary measures where necessary (encryption, pseudonymisation)

Details of the specific safeguards applied to international transfers are available on request by contacting [email protected].

8. Data Retention

Health and safety records are retained for 6 years after project completion in line with the Limitation Act 1980 and CDM Regulations 2015 guidance. This ensures records are available in the event of a regulatory investigation, claim, or prosecution.

9. Data Security

While we implement industry-standard security measures, no system is 100% secure. We encourage users to choose strong passwords, keep credentials confidential, and report any suspected security issues promptly.

10. Your Rights Under UK GDPR

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

• Right of Access (Art. 15): Request a copy of the personal data we hold about you (Subject Access Request)
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements
• Right to Restrict Processing (Art. 18): Request that we limit how we use your data while a complaint is resolved
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling
• Rights Related to Automated Decision-Making (Art. 22): Right not to be subject to decisions based solely on automated processing with legal or significant effects
• Right to Withdraw Consent: Where we process based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, email [email protected]. We will respond within one calendar month as required by law. We may need to verify your identity before fulfilling your request.

11. Cookies & Tracking Technologies

We use strictly necessary cookies to operate the platform. For full details, please see our Cookie Policy.

In summary:

• Essential cookies: Authentication session, CSRF protection, user preferences — required for the Service to function
• No third-party advertising or tracking cookies
• No social media tracking pixels

12. Children's Privacy

SafeSentry is designed for use by construction industry professionals and is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided personal data, we will take steps to delete it promptly.

13. Data Breach Procedures

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34)
• Document all breaches in our internal breach register, including facts, effects, and remedial actions taken

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will:

• Update the "Last updated" date at the top of this page
• Notify registered users of material changes via email or in-platform notification
• Where required, seek fresh consent before applying significant changes to how we process your data

15. Complaints & Supervisory Authority

If you are unhappy with how we handle your personal data, please contact us first at [email protected] so we can try to resolve the issue.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

16. Contact Us