Privacy Policy

Last updated 5 July 2026

KnoxGuard Limited ("KnoxGuard", "we", "us") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose and safeguard personal data when you use the KnoxGuard platform (the "Service") in accordance with the UK GDPR and the Data Protection Act 2018.

1. Who we are

KnoxGuard Limited (in formation), a company incorporated in England & Wales, is the "controller" of personal data collected about visitors to our website and account holders. Where we process customer content on behalf of an organisation using the Service, that organisation is the controller and we act as "processor" — see our Data Processing Addendum.

2. What we collect

  • Account data: name, work email, hashed password, organisation, role.
  • Usage data: pages viewed, actions taken, device and browser metadata, IP address.
  • Customer content: evidence items, submissions, incidents and training records you upload.
  • Support data: messages you send us and any diagnostic information.

We do not knowingly collect data from anyone under 16.

3. Lawful bases

  • Contract (Art. 6(1)(b)): to provide the Service you subscribe to.
  • Legitimate interests (Art. 6(1)(f)): to secure, improve and support the Service.
  • Consent (Art. 6(1)(a)): for optional analytics cookies and marketing emails.
  • Legal obligation (Art. 6(1)(c)): to comply with tax, accounting and regulatory duties.

4. Special category data

The Service is designed so that customers do not need to upload identifiable patient data. Where evidence artefacts contain incidental special category data, we process it only on the documented instructions of the controller organisation and under Article 9(2)(g) & (h).

5. How we share data

We use vetted sub-processors listed in our DPA (e.g. cloud infrastructure, email delivery, error monitoring). We never sell personal data. We may disclose data where legally required by a UK regulator, court or law enforcement agency.

6. International transfers

Customer content is stored in the United Kingdom / European Economic Area. Where any sub-processor is located outside the UK/EEA, we rely on the UK International Data Transfer Addendum or Standard Contractual Clauses and complete a transfer risk assessment.

7. Retention

Account data and customer content are retained for the term of your subscription plus 30 days, after which they are deleted or anonymised. Backups are rotated on a 30-day cycle. Statutory records (invoices, tax) are retained for 6 years.

8. Your rights

Under UK GDPR you have the right to access, rectify, erase, restrict, port or object to processing of your personal data, and to withdraw consent. To exercise a right, email privacy@knoxguard.co.uk. You may also lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).

9. Security

We implement organisational and technical controls aligned to ISO/IEC 27001:2022, including encryption in transit and at rest, role-based access control, audit logging, least-privilege service accounts and 24-hour incident triage.

10. Contact

Data Protection contact: privacy@knoxguard.co.uk. Postal: KnoxGuard Limited, Data Protection Officer, United Kingdom.