Privacy Policy

LAST UPDATED: 16 JUN 2026 · VERSION 0.1

This is a draft template provided for review. It is not legal advice and should be reviewed by your Data Protection Officer and legal counsel before publication. Bracketed items need confirmation.

1. Who we are

Simpriva ("we", "us", "our") provides a web-based UK GDPR governance and compliance workflow platform. For personal data described in this policy, the data controller is [Simpriva Ltd, registered in England & Wales, company no. 00000000, registered office address]. You can reach our privacy team at [email protected].

2. Controller and processor roles

When you visit our website or contact us, we act as a controller of your personal data. When a customer organisation uses the Simpriva platform, that organisation is the controller of the personal data it processes within the service, and Simpriva acts as a processor on its behalf under a Data Processing Agreement. This policy covers our controller activities; processor terms are set out in the DPA.

3. What we collect

Contact & enquiry data
Name, work email, organisation, sector and any message you send when you request a demo or contact us.
Account data
For platform users: identity, role assignments and authentication metadata managed through Microsoft Entra ID.
Usage & technical data
Application telemetry, device and browser information, and security logs, used to operate and protect the service.

4. Lawful bases

We rely on legitimate interests to respond to enquiries and operate, secure and improve the service; contract to provide the platform to customers; and legal obligation where we must retain certain records. Where required, we rely on consent — which you may withdraw at any time.

5. Where your data is held

All personal data — including backups and telemetry — is hosted in the United Kingdom in Microsoft Azure UK South, with paired UK West for resilience. We do not transfer your data outside the UK. If that ever changes, we will update this policy and put appropriate safeguards in place first.

6. How long we keep it

We keep enquiry data for [24 months] from your last contact, and account data for the life of the customer relationship plus any retention period required for audit and legal purposes. Customer-controlled data within the platform is retained, exported and deleted in line with the customer's instructions and the DPA.

7. Your rights

Under UK GDPR you have the right to access, rectify, erase, restrict and object to processing of your personal data, and to data portability. To exercise these rights, contact [email protected]. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk, though we'd welcome the chance to resolve any concern first.

8. Sharing & sub-processors

We do not sell your personal data. We share it only with vetted sub-processors who help us run the service — including Microsoft Azure (hosting) and our email and analytics providers — under contracts that require UK-appropriate protection. A current list of sub-processors is available on request.

9. Cookies

Our website uses essential cookies to function and, with your consent, limited analytics cookies to understand usage. You can control non-essential cookies through your browser or our cookie banner.

10. Changes to this policy

We may update this policy from time to time. Material changes will be notified through the service or by email, and the version and date at the top of this page will be updated.

Questions about this policy? Email [email protected] or get in touch.