Privacy Policy

Last updated: February 2026

Table of Contents

  • 1. Introduction
  • 2. Data Controller Information
  • 3. Information We Collect
  • 4. How We Use Your Information
  • 5. Legal Basis for Processing
  • 6. Information Sharing and Disclosure
  • 7. Data Security
  • 8. Data Retention
  • 9. Your Rights Under GDPR
  • 10. International Data Transfers
  • 11. Cookies and Tracking Technologies
  • 12. Children's Privacy
  • 13. Changes to This Policy
  • 14. Vern (Contract Triage Platform) - Privacy Addendum
  • 15. Contact Information

1. Introduction

AssurePath Ltd ("we", "our", "us", or "AssurePath") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website, use our services, or interact with us.

This policy applies to all personal data we process as a data controller under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the UK Data Protection Act 2018.

By using our website or services, you acknowledge that you have read and understand this Privacy Policy and agree to the collection and use of information in accordance with this policy.

2. Data Controller Information

Company: AssurePath Ltd

Company Registration Number: 16741039

Registered Office: 80 Ashton Road, Denton, Manchester, England, M34 3JF

Email: privacy@assurepath.co.uk

Data Protection Officer: dpo@assurepath.co.uk

ICO Registration: To be completed

2.1 Data Controller vs Data Processor Roles

AssurePath operates in dual capacities depending on the nature of data processing:

  • Data Controller: For our business operations, customer relationship management, marketing communications, billing, and service delivery coordination
  • Data Processor: When providing managed IT services and processing data on behalf of clients under their instruction and control
  • Separate Agreements: Data Processing Agreements (DPAs) govern our activities when acting as a data processor for client IT systems

3. Information We Collect

3.1 Information You Provide Directly

  • Contact Information: Name, email address, phone number, company name, job title
  • Account Information: Username, password, security questions and answers
  • Service Information: Details about your IT infrastructure, systems, and service requirements
  • Communication Records: Records of communications between you and AssurePath
  • Payment Information: Billing address, payment method details (processed by third-party providers)
  • Support Tickets: Technical issues, system information, logs, and troubleshooting data

3.2 Information We Collect Automatically

  • Website Usage Data: IP address, browser type, device information, pages visited, time spent
  • System Monitoring Data: System performance metrics, security logs, network traffic data (when providing services)
  • Cookies and Tracking: Information collected through cookies and similar technologies

3.3 Information from Third Parties

  • Technology Partners: Data from integrated systems and platforms we manage
  • Security Vendors: Threat intelligence and security monitoring data
  • Public Sources: Publicly available business information for verification purposes

3.4 MSP Service Data Collection

When providing managed IT services, we may collect and process:

  • System Performance Data: Server metrics, network performance, resource utilization, and uptime monitoring
  • Security Monitoring Data: Security event logs, threat detection alerts, vulnerability scans, and incident response data
  • Administrative Access Data: System access credentials, administrative activity logs, and configuration change records
  • User Activity Logs: Login records, system usage patterns, and security-related user activities
  • Infrastructure Data: Network topology, system configurations, software inventories, and asset management information
  • Backup and Recovery Data: System backups, disaster recovery configurations, and business continuity data
  • Compliance and Audit Data: Regulatory compliance monitoring, audit trails, and certification-related information

4. How We Use Your Information

We use your personal information for the following purposes:

4.1 Service Delivery

  • Providing IT outsourcing, consulting, and support services
  • Monitoring and maintaining your IT infrastructure
  • Responding to support requests and troubleshooting issues
  • Managing user accounts and access permissions
  • Implementing security measures and threat detection

4.2 Business Operations

  • Processing payments and managing billing
  • Communicating about services, updates, and changes
  • Conducting quality assurance and service improvement
  • Compliance with legal and regulatory requirements
  • Managing vendor relationships and partnerships

4.3 Marketing and Communications

  • Sending service-related notifications and updates
  • Providing information about new services or features
  • Conducting market research and customer surveys
  • Personalizing website content and user experience

4.4 Legal and Security

  • Protecting against fraud, security threats, and abuse
  • Investigating and preventing criminal activity
  • Complying with court orders, legal processes, and law enforcement requests
  • Enforcing our terms of service and other agreements

5. Legal Basis for Processing

Under GDPR, we process your personal data on the following legal bases:

  • Contract Performance: Processing necessary to perform our service contracts with you
  • Legitimate Interests: For our business operations, security, and service improvement
  • Legal Obligation: To comply with legal and regulatory requirements
  • Consent: Where you have provided explicit consent for specific processing activities
  • Vital Interests: To protect the vital interests of individuals in emergency situations

6. Information Sharing and Disclosure

We may share your personal information in the following circumstances:

6.1 Service Providers and Technology Partners

We may share information with the following categories of service providers:

  • Cloud Infrastructure Providers: AWS, Microsoft Azure, Google Cloud Platform for hosting and infrastructure
  • Remote Monitoring & Management (RMM): ConnectWise Automate, Kaseya, Datto RMM, or similar platforms
  • Professional Services Automation (PSA): ConnectWise Manage, Autotask, ServiceNow, or similar ticketing systems
  • Security and SIEM Tools: Security monitoring platforms, vulnerability scanners, and threat intelligence services
  • Backup and Recovery Services: Backup solution providers and disaster recovery platforms
  • Payment Processors: Billing systems and payment processing platforms
  • Communication Platforms: Email, phone systems, and collaboration tools
  • Professional Services: Legal, accounting, and business consulting providers
  • Compliance and Audit Tools: Security compliance platforms and audit management systems

6.2 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the new entity.

6.3 Legal Requirements

  • To comply with legal obligations or court orders
  • To respond to law enforcement requests
  • To protect our rights, property, or safety
  • To prevent fraud or criminal activity

6.4 With Your Consent

We may share information with third parties when you have given us explicit consent to do so.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: Data encryption in transit and at rest using industry-standard protocols
  • Access Controls: Role-based access controls and multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and network monitoring
  • Physical Security: Secure data centers with restricted access
  • Regular Audits: Security assessments and compliance audits
  • Employee Training: Regular security awareness training for all staff
  • Incident Response: Documented procedures for security incident response

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying relevant authorities and affected individuals of any data breaches as required by law.

8. Data Retention

We retain personal data for as long as necessary to fulfill the purposes outlined in this policy:

8.1 Business Operations Data

  • Active Customer Records: For the duration of the service contract plus 7 years for business records
  • Former Customer Records: Up to 7 years after contract termination for legal and compliance purposes
  • Financial Records: 7 years as required by UK tax and company law
  • Marketing Data: Until consent is withdrawn or the data is no longer relevant
  • Website Visitors: As specified in our Cookie Policy

8.2 MSP Service Data Retention

  • System Monitoring Data: Duration of active service plus 90 days for transition support
  • Security Event Logs: 2 years or as required by applicable security regulations
  • Administrative Access Logs: 1 year for audit and compliance purposes
  • Configuration Backups: As specified in client service agreements (typically 30-90 days post-termination)
  • Incident Response Data: 3 years or as required for regulatory compliance and forensic purposes
  • Performance Analytics: 12 months for service improvement and trend analysis
  • User Activity Logs: 6-12 months depending on security requirements and client agreements

Client Data Processing: When acting as a data processor, we retain client data only as instructed by the client and as specified in the relevant Data Processing Agreement (DPA).

Data may be retained longer if required for legal proceedings, regulatory investigations, or active security incidents.

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of Access: Request a copy of your personal data we hold
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data (subject to legal requirements)
  • Right to Restrict Processing: Request limitation of how we process your data
  • Right to Data Portability: Request transfer of your data to another controller
  • Right to Object: Object to processing based on legitimate interests or for marketing
  • Right to Withdraw Consent: Withdraw consent where processing is based on consent
  • Right to Lodge a Complaint: File a complaint with the Information Commissioner's Office (ICO)

To exercise any of these rights, contact us at privacy@assurepath.co.uk. We will respond within one month of receiving your request.

10. International Data Transfers

We may transfer your personal data outside the UK and EEA to provide our services. When we do so, we ensure adequate protection through:

  • Adequacy Decisions: Transfers to countries deemed adequate by the UK or EU
  • Standard Contractual Clauses: EU/UK approved contractual safeguards
  • Certification Schemes: Appropriate certification under recognized schemes
  • Binding Corporate Rules: Where applicable for multinational service providers

Our primary data processing occurs within the UK and EU. Any transfers outside these regions are subject to appropriate safeguards and documented transfer impact assessments.

11. Cookies and Tracking Technologies

Our website uses cookies and similar technologies. For detailed information about our cookie practices, please see our separate Cookie Policy.

You can manage your cookie preferences through your browser settings or our cookie consent banner.

12. Children's Privacy

Our services are not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal data, please contact us immediately, and we will take steps to remove such information.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will:

  • Post the updated policy on our website with a new "Last updated" date
  • Notify existing customers of material changes via email or through our service platform
  • Provide appropriate notice as required by applicable law

Your continued use of our services after any changes constitutes acceptance of the updated policy.

14. Vern (Contract Triage Platform) - Privacy Addendum

This section applies specifically to personal data and document data processed through Vern ("Verify Every Risk Now"), our AI-powered contract risk triage platform. Vern is a separate SaaS product operated by AssurePath Ltd. Where this section is silent on a topic, the general provisions of this Privacy Policy apply. In the event of any conflict between this section and the general provisions above, this section shall prevail for data processed through Vern.

14.1 About Vern

Vern is an AI-powered contract risk triage tool built for UK recruitment agencies. Users upload recruitment contracts (Terms of Business, contractor agreements, IR35 compliance documents, NDAs and candidate contracts) for automated clause-by-clause analysis against a configurable risk playbook. Vern delivers traffic light risk ratings (red, amber, green), clause-by-clause breakdowns, executive summaries and downloadable PDF reports. Vern also offers email triage functionality and multi-tenant workspaces with team management.

Vern is a risk triage tool and does not provide legal advice. Users are encouraged to consult a qualified solicitor for any legal decisions relating to their contracts.

14.2 Data We Collect Through Vern

14.2.1 Account Data

  • Full name, email address and password (stored in hashed form)
  • Organisation name, job title and role within workspace
  • Workspace membership and role assignments (administrator or member)
  • Account preferences and notification settings
  • Authentication tokens and session data

14.2.2 Uploaded Contract Documents

  • Contract files uploaded by users in PDF or DOCX format
  • Document metadata (file name, file size, upload timestamp, file type)
  • Contracts forwarded via the email triage feature

14.2.3 AI Triage Outputs

  • Clause-by-clause risk analysis results and classifications (red, amber, green)
  • Executive summaries and risk narratives generated by AI
  • Generated PDF triage reports
  • Risk playbook configurations and custom rules set by the user
  • Audit trail records of triage requests, playbook changes and team actions

14.2.4 Usage and Technical Data

  • IP address, browser type, device information, operating system
  • Feature usage patterns (e.g., number of triages, playbook edits, report downloads)
  • Session duration and access timestamps
  • Error logs and performance metrics

14.2.5 Payment Data

  • Billing information for paid subscriptions (processed by Stripe)
  • Subscription tier, billing cycle and transaction identifiers
  • AssurePath does not store full payment card details; these are handled entirely by Stripe

14.3 Legal Basis for Processing Vern Data

Under GDPR Article 6, we process Vern data on the following legal bases:

  • Contract Performance (Art 6(1)(b)): Processing uploaded contracts to deliver triage results, managing user accounts and workspaces, providing email triage functionality, generating reports, and processing subscription billing. This processing is necessary to perform the service you have signed up for.
  • Legitimate Interests (Art 6(1)(f)): Aggregate anonymised analytics for service improvement, system performance monitoring, fraud prevention, and platform security. Our legitimate interest is maintaining and improving a secure, reliable service. We have assessed that these interests are not overridden by your rights and freedoms.
  • Legal Obligation (Art 6(1)(c)): Retaining payment records as required by UK tax and company law, responding to law enforcement requests, and maintaining records for regulatory compliance.
  • Consent (Art 6(1)(a)): Marketing communications and optional analytics cookies. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

14.4 How We Use Vern Data

14.4.1 Service Delivery

  • Processing uploaded contracts through AI analysis to deliver triage results
  • Generating risk reports, clause breakdowns and executive summaries
  • Applying the user's configured risk playbook to each analysis
  • Providing email triage functionality (parsing forwarded contracts and returning results)
  • Managing workspaces, team memberships and role-based access

14.4.2 Service Improvement

  • Analysing aggregate, anonymised usage patterns to improve platform performance and features
  • Monitoring system performance and reliability
  • Identifying and resolving technical issues

14.4.3 Account Management

  • User authentication and account security
  • Subscription management and billing
  • Sending service-related notifications (e.g., triage completion, account alerts, subscription changes)

14.4.4 Legal and Compliance

  • Maintaining audit trails as required by users and for regulatory compliance
  • Responding to data subject requests under GDPR
  • Meeting legal obligations under UK law

14.5 AI Processing and Model Training

This subsection addresses how Vern handles your contract data in relation to AI processing:

  • Contract data is never used for AI model training. Uploaded contracts and triage outputs are processed solely for the purpose of fulfilling your triage request.
  • Document content is transmitted to our AI processing providers (OpenAI and Anthropic) exclusively to perform the contracted analysis. It is not retained by these providers for model improvement, fine-tuning or any other purpose. Both providers operate under API Data Processing Addendums that contractually prohibit the use of customer data for model training.
  • AI analysis results are generated in real-time for each request and stored only within your Vern workspace.
  • AssurePath does not aggregate contract content across different customer workspaces.
  • Your data does not influence, train or modify any AI models in any way.
  • AI processing occurs within EU data centres. See Section 14.8 for international transfer details.

14.6 Data Processors and Sub-Processors

In accordance with GDPR Article 28, we disclose the following sub-processors who process data in connection with the Vern service. All sub-processors operate under Data Processing Agreements (DPAs) with AssurePath.

AI Processing Providers

  • OpenAI - AI contract analysis and risk classification. Processes uploaded contract text content. Processing location: EU. Operates under an API Data Processing Addendum prohibiting use of data for model training.
  • Anthropic - AI contract analysis and risk classification. Processes uploaded contract text content. Processing location: EU. Operates under an API Data Processing Addendum prohibiting use of data for model training.
  • LlamaIndex - Document parsing, indexing and AI orchestration. Processes uploaded contract text content and document metadata. Processing location: EU.

Infrastructure and Platform Providers

  • Railway - Application hosting and data storage. Processes all Vern application data. Processing location: EU.
  • Clerk - User authentication and account management. Processes account credentials, session tokens and email addresses. Processing location: EU.

Payment and Communication Providers

  • Stripe - Subscription payment processing. Processes billing data and transaction records. Full payment card numbers are handled entirely by Stripe and are not stored by AssurePath. Processing location: UK/EU.
  • Resend - Transactional email delivery. Processes email addresses and notification content. Processing location: EU.

Sub-Processor Change Notifications

  • AssurePath will notify Vern users of material changes to sub-processors via email with at least 30 days' notice before the change takes effect.
  • Users who object to a new sub-processor may terminate their account in accordance with the Vern service terms.
  • Full DPA details are available on request by contacting privacy@assurepath.co.uk.
  • AssurePath may use one or both AI providers (OpenAI, Anthropic) for contract analysis depending on the specific analysis task and service requirements.

14.7 Data Security for Vern

We implement the following technical and organisational measures to protect data processed through Vern:

  • Encryption at rest: All stored data (uploaded contracts, triage results, account data) is encrypted at rest using industry-standard AES-256 encryption.
  • Encryption in transit: All data transmitted between users' browsers and Vern, and between Vern and its sub-processors, is encrypted using TLS 1.2 or higher.
  • SOC 2 Type 2 infrastructure: Vern is hosted on infrastructure that has completed SOC 2 Type 2 auditing.
  • EU data centres: All Vern data is stored and processed in data centres located in the European Union.
  • Access controls: Role-based access controls with multi-factor authentication options. Workspace isolation ensures one tenant cannot access another tenant's data.
  • Audit logging: All significant actions (triage requests, playbook changes, team membership changes, data exports) are logged with timestamps and user attribution.
  • Disaster recovery: Defined backup and disaster recovery procedures are in place to protect against data loss.
  • Vulnerability assessments: Regular security assessments of the Vern platform.

14.8 International Data Transfers

Vern data is processed and stored as follows:

  • Vern application data is hosted by Railway in EU data centres.
  • Contract content is transmitted to OpenAI and Anthropic's EU infrastructure for AI analysis.
  • The UK-to-EU data transfer is covered by the UK's adequacy decision for the EU, maintained under the UK GDPR framework. This means that EU data protection standards are recognised as providing adequate protection for UK personal data.
  • All international transfers are additionally governed by Data Processing Agreements containing Standard Contractual Clauses (SCCs) as a supplementary safeguard.
  • AssurePath has conducted a Transfer Impact Assessment (TIA) confirming that transfers to the EU do not materially increase risk to data subjects' rights and freedoms.
  • No Vern data is transferred outside the UK and EU.

14.9 Data Retention for Vern

  • Active account data: Retained for the duration of the active subscription.
  • Uploaded contracts and triage results: Retained in the user's workspace for the duration of the active subscription. Users may delete individual contracts and triage results at any time from within the application.
  • Playbook configurations: Retained for the duration of the active subscription.
  • Audit trail data: Retained for the duration of the active subscription plus 12 months after account closure for compliance purposes.
  • Account data after closure: Upon account deletion or subscription cancellation, all user data including uploaded contracts, triage results, playbook configurations and workspace data will be permanently deleted within 30 days, except where retention is required by law or for legitimate compliance purposes.
  • Payment records: Retained for 7 years as required by UK tax and company law.
  • Anonymised usage analytics: May be retained indefinitely in aggregate, anonymised form for service improvement purposes. This data cannot be linked back to individual users.

14.10 Data Protection Impact Assessment

In accordance with GDPR Article 35, AssurePath has conducted a Data Protection Impact Assessment (DPIA) for the Vern platform, recognising that AI-powered automated processing of contract documents at scale requires careful assessment of risks to data subjects' rights and freedoms.

  • The DPIA covers all aspects of Vern's data processing including AI analysis of contract documents, automated risk classification, data sharing with sub-processors, and international data transfers.
  • The DPIA is reviewed and updated at least annually, or whenever material changes are made to Vern's data processing activities.
  • A summary of the DPIA findings is available on request by contacting dpo@assurepath.co.uk.

14.11 Automated Decision-Making

Vern uses AI to perform automated analysis of uploaded contracts and generate risk classifications (red, amber, green traffic light ratings). In relation to GDPR Article 22 (automated individual decision-making):

  • Vern's automated outputs are informational triage indicators intended to assist human decision-making. They do not constitute automated decisions that produce legal effects or similarly significantly affect individuals within the meaning of GDPR Article 22.
  • No automated decisions are made by Vern that restrict, deny or alter users' access to services or legal rights.
  • Users always retain full control over how they act on triage results and are encouraged to seek qualified legal advice before making contractual decisions.
  • If you believe an automated output has been applied in a way that significantly affects you, you have the right to request human review by contacting privacy@assurepath.co.uk.

14.12 Data Breach Notification

In the event of a personal data breach affecting Vern user data, AssurePath will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms, as required by GDPR Article 33.
  • Notify affected Vern users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34.
  • Provide clear information about the nature of the breach, the data affected, the likely consequences, and the measures taken to address and mitigate the breach.
  • Maintain an internal breach register documenting all incidents, including those that do not meet the notification threshold.

AssurePath's sub-processors are contractually required to notify AssurePath of any data breach without undue delay.

14.13 Your Rights Regarding Vern Data

In addition to the general GDPR rights described in Section 9 of this Privacy Policy, Vern users have the following specific controls:

  • Data export: You may export your triage results and reports from within the Vern application at any time.
  • Data deletion: You may delete individual contracts, triage results and your entire account from within the Vern application. Account deletion triggers permanent removal of all associated data within 30 days.
  • Playbook portability: Your playbook configuration is available for export from within the application.
  • Right to human review: You may request human review of automated outputs as described in Section 14.11.
  • Access requests: You may request a full copy of all personal data held in connection with your Vern account by contacting privacy@assurepath.co.uk.
  • Sub-processor information: You may request full details of current sub-processors and Data Processing Agreements by contacting privacy@assurepath.co.uk.

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Officer:
Email: privacy@assurepath.co.uk
Subject Line: "Privacy Policy Inquiry"

Data Protection Officer:
Email: dpo@assurepath.co.uk

General Contact:
AssurePath Ltd
United Kingdom
Email: hello@assurepath.co.uk

Supervisory Authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113

Phone: 0333 050 0729

Registered Office:
80 Ashton Road, Denton
Manchester, M34 3JF

© 2025 AssurePath Ltd. UK Company No. 16741039. All rights reserved.
