1. Introduction
AssurePath Ltd ("we", "our", "us", or "AssurePath") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website, use our services, or interact with us.
This policy applies to all personal data we process as a data controller under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the UK Data Protection Act 2018.
By using our website or services, you acknowledge that you have read and understand this Privacy Policy and agree to the collection and use of information in accordance with this policy.
3. Information We Collect
3.1 Information You Provide Directly
- Contact Information: Name, email address, phone number, company name, job title
- Account Information: Username, password, security questions and answers
- Service Information: Details about your IT infrastructure, systems, and service requirements
- Communication Records: Records of communications between you and AssurePath
- Payment Information: Billing address, payment method details (processed by third-party providers)
- Support Tickets: Technical issues, system information, logs, and troubleshooting data
3.2 Information We Collect Automatically
- Website Usage Data: IP address, browser type, device information, pages visited, time spent
- System Monitoring Data: System performance metrics, security logs, network traffic data (when providing services)
- Cookies and Tracking: Information collected through cookies and similar technologies
3.3 Information from Third Parties
- Technology Partners: Data from integrated systems and platforms we manage
- Security Vendors: Threat intelligence and security monitoring data
- Public Sources: Publicly available business information for verification purposes
3.4 MSP Service Data Collection
When providing managed IT services, we may collect and process:
- System Performance Data: Server metrics, network performance, resource utilization, and uptime monitoring
- Security Monitoring Data: Security event logs, threat detection alerts, vulnerability scans, and incident response data
- Administrative Access Data: System access credentials, administrative activity logs, and configuration change records
- User Activity Logs: Login records, system usage patterns, and security-related user activities
- Infrastructure Data: Network topology, system configurations, software inventories, and asset management information
- Backup and Recovery Data: System backups, disaster recovery configurations, and business continuity data
- Compliance and Audit Data: Regulatory compliance monitoring, audit trails, and certification-related information
4. How We Use Your Information
We use your personal information for the following purposes:
4.1 Service Delivery
- Providing IT outsourcing, consulting, and support services
- Monitoring and maintaining your IT infrastructure
- Responding to support requests and troubleshooting issues
- Managing user accounts and access permissions
- Implementing security measures and threat detection
4.2 Business Operations
- Processing payments and managing billing
- Communicating about services, updates, and changes
- Conducting quality assurance and service improvement
- Compliance with legal and regulatory requirements
- Managing vendor relationships and partnerships
4.3 Marketing and Communications
- Sending service-related notifications and updates
- Providing information about new services or features
- Conducting market research and customer surveys
- Personalizing website content and user experience
4.4 Legal and Security
- Protecting against fraud, security threats, and abuse
- Investigating and preventing criminal activity
- Complying with court orders, legal processes, and law enforcement requests
- Enforcing our terms of service and other agreements
5. Legal Basis for Processing
Under the UK GDPR and EU GDPR, we process your personal data on the following legal bases:
- Contract Performance: Processing necessary to perform our service contracts with you
- Legitimate Interests: For our business operations, security, and service improvement
- Legal Obligation: To comply with legal and regulatory requirements
- Consent: Where you have provided explicit consent for specific processing activities
- Vital Interests: To protect the vital interests of individuals in emergency situations
6. Information Sharing and Disclosure
We may share your personal information in the following circumstances:
6.1 Service Providers and Technology Partners
We may share information with the following categories of service providers:
- Cloud Infrastructure Providers: AWS, Microsoft Azure, Google Cloud Platform for hosting and infrastructure
- Remote Monitoring & Management (RMM): ConnectWise Automate, Kaseya, Datto RMM, or similar platforms
- Professional Services Automation (PSA): ConnectWise Manage, Autotask, ServiceNow, or similar ticketing systems
- Security and SIEM Tools: Security monitoring platforms, vulnerability scanners, and threat intelligence services
- Backup and Recovery Services: Backup solution providers and disaster recovery platforms
- Payment Processors: Billing systems and payment processing platforms
- Communication Platforms: Email, phone systems, and collaboration tools
- Professional Services: Legal, accounting, and business consulting providers
- Compliance and Audit Tools: Security compliance platforms and audit management systems
6.2 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the new entity.
6.3 Legal Requirements
- To comply with legal obligations or court orders
- To respond to law enforcement requests
- To protect our rights, property, or safety
- To prevent fraud or criminal activity
6.4 With Your Consent
We may share information with third parties when you have given us explicit consent to do so.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption: Data encryption in transit and at rest using industry-standard protocols
- Access Controls: Role-based access controls and multi-factor authentication
- Network Security: Firewalls, intrusion detection, and network monitoring
- Physical Security: Secure data centers with restricted access
- Regular Audits: Security assessments and compliance audits
- Employee Training: Regular security awareness training for all staff
- Incident Response: Documented procedures for security incident response
Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to notifying the relevant supervisory authority (for UK data, the ICO, within 72 hours of becoming aware of a notifiable breach) and affected individuals of any personal data breach where and when the law requires it.
8. Data Retention
We retain personal data for as long as necessary to fulfill the purposes outlined in this policy:
8.1 Business Operations Data
- Active Customer Records: For the duration of the service contract plus 7 years for business records
- Former Customer Records: Up to 7 years after contract termination for legal and compliance purposes
- Financial Records: 7 years as required by UK tax and company law
- Marketing Data: Until consent is withdrawn or the data is no longer relevant
- Website Visitors: As specified in our Cookie Policy
8.2 MSP Service Data Retention
- System Monitoring Data: Duration of active service plus 90 days for transition support
- Security Event Logs: 2 years or as required by applicable security regulations
- Administrative Access Logs: 1 year for audit and compliance purposes
- Configuration Backups: As specified in client service agreements (typically 30-90 days post-termination)
- Incident Response Data: 3 years or as required for regulatory compliance and forensic purposes
- Performance Analytics: 12 months for service improvement and trend analysis
- User Activity Logs: 6-12 months depending on security requirements and client agreements
Client Data Processing: When acting as a data processor, we retain client data only as instructed by the client and as specified in the relevant Data Processing Agreement (DPA).
Data may be retained longer if required for legal proceedings, regulatory investigations, or active security incidents.
9. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of Access: Request a copy of your personal data we hold
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data (subject to legal requirements)
- Right to Restrict Processing: Request limitation of how we process your data
- Right to Data Portability: Request transfer of your data to another controller
- Right to Object: Object to processing based on legitimate interests or for marketing
- Right to Withdraw Consent: Withdraw consent where processing is based on consent
- Right to Lodge a Complaint: File a complaint with the Information Commissioner's Office (ICO)
To exercise any of these rights, contact us at privacy@assurepath.co.uk. We will respond within one month of receiving your request; where a request is complex or we receive several from you, the UK GDPR and EU GDPR allow us to extend this by up to two further months, and we will tell you within the first month if that is the case.
10. International Data Transfers
We may transfer your personal data outside the UK and EEA to provide our services. When we do so, we ensure adequate protection through:
- Adequacy Decisions: Transfers to countries deemed adequate by the UK or EU
- Standard Contractual Clauses: EU Standard Contractual Clauses for EU data, and the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses for UK data
- Certification Schemes: Appropriate certification under recognized schemes
- Binding Corporate Rules: Where applicable for multinational service providers
Our primary data processing occurs within the UK and EU. Any transfers outside these regions are subject to appropriate safeguards and documented transfer impact assessments.
11. Cookies and Tracking Technologies
Our website uses cookies and similar technologies. For detailed information about our cookie practices, please see our separate Cookie Policy.
You can manage your cookie preferences through your browser settings or our cookie consent banner.
12. Children's Privacy
Our services are not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal data, please contact us immediately, and we will take steps to remove such information.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will:
- Post the updated policy on our website with a new "Last updated" date
- Notify existing customers of material changes via email or through our service platform
- Provide appropriate notice as required by applicable law
Your continued use of our services after any changes constitutes acceptance of the updated policy.