Version 2.0 | Effective 27 May 2026
Last reviewed: May 2026 | Next review date: May 2027
Privacy at a glance
This summary explains the main ways Sevron Ltd uses personal data. The full Privacy Policy below gives more detail, including our lawful bases, retention periods, data sharing, international transfers, and your rights. If this summary and the full Policy appear to differ, the full Policy takes precedence.
Who we are
Sevron Ltd is a UK company based in Newcastle upon Tyne. We provide Safety365, a health and safety compliance platform, alongside related services.
When we are controller and when we are processor
Sevron is usually the controller for personal data we collect directly from website visitors, customers, users, prospects, suppliers, and business contacts. This means we decide why and how that data is used.
Where a customer organisation uploads or creates personal data in Safety365 about its own staff, contractors, visitors, or other people, that customer is usually the controller and Sevron acts as its processor. This means we handle that data on the customer's instructions so we can provide Safety365.
What we collect
- Account details, such as name, work email, employer, role, username, password credentials, and Microsoft single sign-on details where used.
- Billing details when you subscribe to Safety365. Card payments are handled by Stripe; Sevron does not receive or store your full card number.
- Content uploaded or created in Safety365, such as risk assessments, safety data sheets, employee names, job roles, signatures, and incident logs where relevant.
- Technical and usage data when you visit our website or use Safety365.
- Marketing preferences and cookie choices. More detail is in our Cookie Policy.
Why we use it
- To provide, support, secure, and improve Safety365 and related services.
- To manage accounts, authentication, customer support, billing, and legal obligations.
- To send relevant product updates and marketing where the law allows, with an opt-out in marketing emails.
- To provide optional AI-assisted features, where enabled, to help users draft or review risk assessment content. AI outputs must be reviewed by a human before being added to documents or files.
- To comply with the law and respond to data protection requests or complaints.
Who we share it with
We share personal data with trusted providers who help us run our business and services, including providers of hosting, payment, accounting, customer support, marketing, authentication, and AI inference. We do not sell personal data. The full list, including locations and roles, is in Annex A at the end of this Policy.
Your rights
You can ask us for a copy of your data, ask us to correct or delete it, object to certain uses, restrict processing, withdraw consent, or complain. Email privacy@sevron.co.uk to use these rights. If your data was uploaded to Safety365 by your employer or another customer organisation, you should contact that organisation first; we will support them where required.
If something is wrong
Please tell us first. We operate an internal data protection complaints procedure under section 103 of the Data (Use and Access) Act 2025: we will acknowledge complaints within 30 days and aim to acknowledge sooner where practicable. You can also complain to the UK Information Commissioner's Office (ICO) at any time.
1. Introduction
Sevron Ltd ("Sevron", "we", "us", "our") is committed to protecting personal data. This Privacy Policy explains what personal data we collect, why we use it, how we share it, how long we keep it, and the rights people have in relation to it.
This Policy applies to:
- visitors to www.sevron.co.uk and any subdomain we operate;
- users and customer administrators of Safety365 and related services, where Sevron acts as controller;
- prospective customers, suppliers, partners, and other business contacts;
- people who contact us through Intercom, email, forms, events, or other communication channels; and
- applicants for employment with Sevron.
Where we process personal data on behalf of a customer organisation that uses Safety365, the customer is the controller and Sevron is the processor. In those cases, the customer's own privacy notice should explain why the data is used. We will support our customer in meeting its data protection obligations.
2. Who we are and how to contact us
| Controller | Sevron Ltd |
| Company number | 06053767 |
| ICO registration | ZB465119 |
| Registered address | Room 2, Floor 3, Maybrook House, 27–35 Grainger Street, Newcastle upon Tyne, NE1 5JE, United Kingdom |
| Privacy contact | privacy@sevron.co.uk |
| Telephone | +44 (0)28 4378 0470 |
| Policy owner | Dave Toole (contactable via privacy@sevron.co.uk) |
| Privacy Lead | Caim Hermoso, Operations Manager |
3. Controller and processor roles
A controller decides why and how personal data is used. A processor handles personal data on behalf of a controller and follows the controller's instructions. Sevron may be either a controller or a processor depending on the context.
| Context | Likely role | Examples |
|---|---|---|
| Website, enquiries, marketing, sales, billing, support, security, and job applications | Sevron is usually controller | Website visits, cookie choices, enquiry forms, sales emails, GoHighLevel marketing records, Intercom conversations, Stripe/Xero billing records, job application emails, account administration, security logs. |
| Customer account and user administration for Safety365 | Sevron is usually controller for its own account administration and security purposes | User account creation, authentication, usernames and passwords, Microsoft single sign-on, role permissions, audit and security logs, service communications. |
| Customer-created or customer-uploaded Safety365 records about people | The customer is usually controller; Sevron is usually processor | Employee names, job roles, signatures, risk assessment content, incident logs, and other records entered by the customer into Safety365. |
| AI-assisted Safety365 features | Depends on the data and purpose: Sevron is usually processor where AI is used on customer-controlled Safety365 content, and may be controller for service security, logging, configuration, billing, and aggregated operational metrics | AI suggestions while a user drafts a risk assessment, SDS processing, SPOT AI, and the Safety365 chatbot. |
If you are unsure whether Sevron or one of our customers is responsible for your data, contact us at privacy@sevron.co.uk. If your data was entered into Safety365 by your employer or another organisation, we may direct you to that organisation and support them in responding to your request.
3.1 Customer processing terms
Where Sevron acts as processor on behalf of a customer organisation, the relationship is governed by Sevron's Data Processing Addendum (the "DPA"). The DPA is incorporated into the Sevron Standard Terms and Conditions and applies automatically to customer processing under that contract. The DPA sets out the processor instructions, security measures, subprocessor arrangements, international transfer safeguards, audit position, return and deletion obligations, and support for data subject requests and breach response.
4. Personal data we collect
The exact data we collect depends on how you interact with us.
4.1 Information you give us
- Account and identity data: name, job title, employer, username, password credentials, security credentials, and Microsoft single sign-on information where enabled.
- Contact data: business email address, postal address, and telephone number.
- Billing data: billing contact, billing address, VAT number, purchase history, invoice details, and payment status.
- Customer content: information entered into or uploaded to Safety365, such as risk assessments, safety data sheets, employee names, job roles, signatures, and incident logs where relevant.
- Support and correspondence data: enquiry messages, Intercom conversations, support tickets, attachments, feedback, and emails.
- Marketing preferences: your choices about receiving communications from us.
- Job application data: CVs, covering emails, correspondence, interview notes, and related recruitment information submitted to us by email or processed in our internal recruitment system.
4.2 Information we collect automatically
- Technical data: IP address, device identifiers, browser type and version, operating system, time-zone setting, and language.
- Usage data: pages and features viewed, links clicked, dates and times of access, session duration, referring URLs, error logs, and audit logs.
- Approximate location: derived from IP address. Sevron does not collect precise GPS location data through Safety365.
- Cookies and similar technologies: as explained in our Cookie Policy.
4.3 Information from third parties
- Information from the customer organisation that registers or authorises you to use Safety365.
- Identity and contact information from business sources, events, referrals, publicly available sources, and lead-generation tools.
- Technical, marketing, and engagement data from analytics, CRM, marketing, and communication providers we use.
4.4 Special category data
Safety365 supports workplace health and safety compliance. Some records may include or relate to health, safety, incident, exposure, or vulnerability information. If that information identifies a person, or could reasonably identify a person when combined with other information, it may be personal data and may sometimes be special category data under UK GDPR.
Where a customer uploads or creates this data in Safety365, Sevron usually processes it as processor for that customer. The customer is responsible for identifying the appropriate Article 6 lawful basis and, where needed, the Article 9 condition for special category data. Sevron does not use customer-controlled special category data for its own marketing purposes.
5. Why we process personal data and our lawful bases
The table below sets out our main purposes and lawful bases where Sevron acts as controller.
| Purpose | Examples of data | Lawful basis |
|---|---|---|
| Creating and administering accounts | Account, identity, contact, authentication, single sign-on, and role data | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in administering secure business accounts |
| Providing, supporting, and improving Safety365 and related services, including hosting and operating the underlying infrastructure | Account data, customer communications, technical data, usage data, support data, and data hosted and stored on our cloud infrastructure | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in operating and improving our products |
| Processing payments and managing billing | Billing contact details, invoice records, payment status, purchase history | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for tax and accounting records |
| Customer support and enquiry handling | Contact data, Intercom conversations, support tickets, attachments, enquiry messages | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in responding to customers and maintaining service quality |
| Security, fraud prevention, abuse monitoring, and audit logging | Technical data, usage data, account data, logs, device and access records | Legitimate interests (Art. 6(1)(f)) in protecting our services, customers, and network; legal obligation (Art. 6(1)(c)) where applicable |
| Direct marketing to existing customers and business contacts | Business contact details, marketing preferences, engagement records | Legitimate interests (Art. 6(1)(f)), subject to PECR and a clear opt-out |
| Marketing where consent is required | Contact details and marketing preferences | Consent (Art. 6(1)(a)) |
| Cookies and similar technologies | Technical and usage data | Consent (Art. 6(1)(a)) for non-essential cookies, except where cookies are strictly necessary or a DUAA-amended PECR exemption applies; see our Cookie Policy |
| AI-assisted Safety365 features | Risk assessment inputs and outputs, technical logs, settings, usage data | Where Sevron acts as controller: performance of a contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) in providing optional AI-assisted features. Where the customer controls the underlying content, Sevron usually acts as processor. |
| Recruitment | CVs, covering emails, interview notes, correspondence | Steps before entering into a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in recruitment; legal obligation (Art. 6(1)(c)) where applicable |
| Complying with law and handling rights requests or complaints | Any relevant category | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) in managing legal and regulatory issues |
| Establishing, exercising, or defending legal claims | Any relevant category | Legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, we balance our interests against your rights and freedoms via a documented Legitimate Interests Assessment (LIA). You can request a summary of the relevant LIA by contacting us using the details in section 2.
5.1 Recognised legitimate interests (DUAA)
From 5 February 2026, the UK GDPR includes a new lawful basis of "recognised legitimate interests" under Article 6(1)(ea), introduced by the Data (Use and Access) Act 2025. This applies to a defined and narrow list of public-interest purposes set out in Annex 1 of the UK GDPR. We will rely on this basis only where one of those specific conditions applies, and we will identify it in writing when we do. We do not currently use it as a routine basis for our commercial activities.
6. Marketing
We send marketing communications about Sevron's products, services, events, and resources where UK GDPR and PECR allow us to do so.
- For existing customers and similar products or services, we may rely on the PECR soft opt-in, with an unsubscribe link in every marketing email.
- For business contacts at corporate email addresses, we may rely on legitimate interests where the message is relevant to the person's role and we provide a clear opt-out.
- Where consent is required, we will ask for consent before sending marketing.
We use GoHighLevel for marketing activities. You can opt out at any time by using the unsubscribe link in a marketing email or by contacting privacy@sevron.co.uk. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
Where we rely on consent, we record the date, scope, and method by which consent was given, in line with Article 7(1) UK GDPR. You can ask us for a copy of your consent record by contacting privacy@sevron.co.uk.
7. Cookies and similar technologies
We use cookies and similar technologies on our website. Full details are set out in our Cookie Policy, including cookie categories, purposes, retention periods, and how to change your choices. Our website uses an active cookie banner to record and manage cookie choices.
From 5 February 2026, the DUAA amended PECR to introduce limited exemptions from the requirement to obtain prior consent for low-risk cookies (for example, certain analytics, functional, and security cookies). Where Sevron relies on these exemptions, we will continue to provide clear information about the cookies in question and a prominent opt-out, as required by the amended regulations.
8. AI-assisted features
Safety365 may include optional AI-assisted features. For example, while a user is creating a risk assessment, AI may suggest additional information, controls, wording, or next steps based on the answers and content the user has provided.
AI-assisted features are designed to support human users. They do not replace professional judgement, and they do not make solely automated decisions that produce legal or similarly significant effects within the meaning of Article 22 UK GDPR. A human user must review and approve AI-generated suggestions before they are added to any document, record, or file. AI features can be disabled by the customer or user; when a feature is disabled, customer-controlled content is not sent to AI providers for that feature.
We currently use API-based AI providers for production AI features: the OpenAI API and Google AI Studio / Gemini API. The provider used depends on the feature. Under our agreements with both providers, customer content is not used to train or improve the providers' models, and Sevron does not use customer content to train AI models. Sevron maintains a dated internal AI provider privacy profile and will update this Policy if providers, features, retention settings, or data locations materially change.
8.1 Current AI provider summary
The summary below is based on Sevron's internal AI Sub-Processor Privacy Profile.
We use third-party AI service providers to power certain features of Safety365, including Safety Data Sheet (SDS) processing, SPOT AI, and the Safety365 chatbot. These providers process the prompts, files, and other inputs involved in those features, along with the resulting outputs, on our behalf and under our instructions.
OpenAI. We use OpenAI to help provide our SDS processing, SPOT AI, and Safety365 chatbot features. OpenAI processes this data on our behalf and does not use it to train its models. Inputs, outputs, and related metadata may be retained for a limited period — up to 30 days — for abuse monitoring and security purposes, unless a longer period is required by law. Uploaded files may be retained until they are deleted or expire in the normal course.
Google (Gemini). We use Google's Gemini AI services to help provide our SDS processing and SPOT AI features. Google processes this data on our behalf and does not use it to improve Google's products. Some content may be retained for a limited period for abuse monitoring and security purposes. Uploaded files are retained for a short period — by default around 48 hours — unless deleted or extended.
8.2 AI feature controls and confirmations
Most AI features can be disabled. Where an AI feature is turned off, customer-controlled Safety365 content is not sent to AI providers for that feature. AI suggestions are always subject to human review before they are added to any document, record, or file — the AI does not make decisions on its own.
SDS processing. Our SDS processing feature works only with manufacturer-published safety data sheets held in our own libraries, which customers can draw on for their own documents. It does not process customer personal data.
Automated decision-making. Our AI features support, but do not replace, human judgement, and we do not currently use them to make solely automated decisions that produce legal or similarly significant effects. If we introduce any such feature, we will update this Policy and provide the information and safeguards required under UK GDPR before using it, including the right to obtain human intervention, to express your point of view, and to contest the decision.
9. Payment and billing information
We use third-party providers to manage payments and billing:
- Stripe: card payments are collected and processed through Stripe. Sevron does not receive or store full payment card details, which are transmitted directly to Stripe. Stripe is certified as a PCI-DSS Level 1 Service Provider. Stripe's privacy notice is available at https://stripe.com/privacy.
- Xero: we use Xero to generate invoices, record payments, manage accounts receivable, and meet statutory accounting and tax obligations. Xero's privacy notice is available at https://www.xero.com/uk/legal/privacy/.
Sevron remains controller of its billing records. Stripe and Xero act as processors for billing activities carried out on our behalf, and as independent controllers for certain activities described in their own notices, such as fraud prevention, regulatory compliance, and service improvement. We maintain written terms meeting the requirements of Article 28 UK GDPR with both providers; these are incorporated into our subscription agreements and apply automatically, without a separately signed agreement. Full subprocessor information is set out in Annex A.
10. Who we share personal data with
We share personal data only where there is a lawful basis and an appropriate reason to do so.
Recipient categories include:
- hosting and infrastructure providers;
- payment and accounting providers;
- customer communication and support providers;
- marketing and CRM providers;
- authentication and identity providers;
- analytics and performance-monitoring providers used on our website, governed by our Cookie Policy and, where required, your consent;
- search and in-product monitoring providers used within Safety365 to deliver, secure, and maintain the service;
- AI API providers that support optional AI-assisted Safety365 features, acting as Sevron's subprocessors and not using content for their own purposes;
- professional advisers, such as lawyers, accountants, auditors, and insurers;
- regulators, public authorities, law enforcement, or courts where required by law; and
- buyers, successors, or restructuring parties if Sevron is involved in a merger, sale, reorganisation, or similar transaction.
We name our current providers, with their locations and roles, in Annex A to this Policy, which we keep up to date. We update Annex A when we add, replace, or remove a vendor. We do not sell personal data and we do not share it with third parties for their own independent marketing purposes.
11. International transfers
Some of our service providers are located outside the United Kingdom. The location for each subprocessor is identified in Annex A.
When personal data is transferred outside the UK, we put in place safeguards required by Chapter V of the UK GDPR (as amended by the DUAA), including:
- reliance on UK adequacy regulations or a UK "data bridge", where one is in force for the destination (for example, the UK Extension to the EU–US Data Privacy Framework for certified US recipients);
- the International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses together with the UK Addendum;
- a transfer risk assessment confirming that the safeguards in the destination country are not materially lower than those in the UK, as required by the data protection test introduced by the DUAA.
For our AI providers specifically: OpenAI's data processing terms identify OpenAI OpCo, LLC as the contracting entity for personal data subject to UK GDPR, and OpenAI Ireland Ltd. for personal data subject to EU GDPR; in both cases the EU Standard Contractual Clauses (with the UK Addendum where relevant) apply to transfers outside the EEA/UK. Google AI Studio processing occurs in EU-hosted facilities where possible but is not guaranteed to a single region; the Google Cloud Data Processing Addendum applies and SCCs cover transfers outside the EEA. Each provider retains content for a limited period for abuse-monitoring purposes; neither provider operates Zero Data Retention on Sevron's current account configuration.
You can contact us to request more information about the transfer safeguards we rely on.
12. How long we keep personal data
We keep personal data only for as long as needed for the purposes described in this Policy, or for as long as the law requires. Retention periods are aligned with our internal processes and our Data Retention Policy. Where data is held for more than one purpose, the longest applicable period applies.
| Category | Retention period |
|---|---|
| Account data for active customers and users | For the duration of the customer relationship, then retained only as needed for legal, contractual, security, or audit purposes. Standard contract/account records may be retained for up to 6 years after the relationship ends, to satisfy the Limitation Act 1980 and tax record requirements. |
| Billing and accounting records | 6 years from the end of the relevant financial year (Companies Act 2006, HMRC requirements), or longer if required by law or an active dispute. |
| Customer-controlled Safety365 content | Handled in accordance with the customer contract, customer instructions, product settings, and applicable deletion/return processes. |
| Support tickets and Intercom communications | 3 years from closure of the ticket. Where a ticket forms part of a complaint, it is retained with the complaint record (see below). |
| Customer complaints and resolution records | 6 years from resolution. |
| Marketing contact data (consent) | Until consent is withdrawn or 24 months of inactivity, whichever is earlier. |
| Marketing contact data (legitimate interests or PECR soft opt-in) | Until opt-out, or 24 months of no engagement, whichever is earlier. |
| Marketing suppression / opt-out records | Retained long-term on a suppression list so that opt-out preferences are honoured and contacts are not re-added. |
| Cookie and analytics data | As set out in the Cookie Policy — typically up to 26 months. |
| Job applicant data (unsuccessful) | 12 months from the end of the recruitment process, unless the candidate agrees we may keep it for future opportunities. |
| Records of data subject requests and complaints | 3 years from completion, for accountability purposes. |
| Backups and security logs | Retained in line with our retention schedule: system monitoring logs 12 months; security incident logs 2 years; access control logs 12 months; backups per backup cycle. See our Data Retention Policy for the full schedule. |
13. How we protect personal data
Sevron operates an Information Security Management System certified to ISO/IEC 27001 and a Quality Management System certified to ISO 9001. Our technical and organisational measures include:
- encryption of personal data in transit (TLS) and at rest where appropriate;
- role-based access controls, multi-factor authentication for administrative access, and least-privilege access;
- logging, monitoring, vulnerability management, penetration testing, and patch management;
- supplier due diligence and written data processing terms where required;
- staff training, confidentiality obligations, and internal policies;
- a documented incident response plan.
Where a personal data breach meets the legal threshold for notification, we will notify the ICO within 72 hours of becoming aware of it where required by Article 33 UK GDPR. Where a breach is likely to result in a high risk to affected individuals, we will notify them without undue delay where required by Article 34 UK GDPR.
Where Sevron acts as processor for a customer, and Sevron becomes aware of a personal data breach affecting that customer's personal data, Sevron will notify the customer without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will, to the extent then known, include: (a) the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned; (b) the name and contact details of the Sevron contact from whom further information can be obtained; (c) the likely consequences of the breach; and (d) the measures taken or proposed by Sevron to address the breach and mitigate its possible adverse effects. Sevron will provide further information to the customer in stages where it is not possible to provide all required information at the same time, and will cooperate with the customer in fulfilling the customer's own obligations under Articles 33 and 34 UK GDPR.
14. Your rights
Depending on the circumstances, you may have the following rights under UK GDPR:
- Access — to receive a copy of personal data held about you, together with information about how we process it.
- Rectification — to correct inaccurate or incomplete personal data.
- Erasure ("right to be forgotten") — to have personal data deleted in certain circumstances.
- Restriction — to limit how personal data is used in certain circumstances.
- Portability — to receive certain data in a structured, commonly used, machine-readable format and to have it transmitted to another controller.
- Objection — to object to processing based on legitimate interests, and an absolute right to object to direct marketing.
- Withdrawal of consent — where processing is based on consent.
- Rights relating to automated decision-making — where applicable; see section 8.
14.1 How to exercise your rights
To exercise any of these rights, email privacy@sevron.co.uk. We aim to respond within one calendar month of receiving your request. We may extend this by up to two further months for complex or numerous requests, in which case we will tell you within the first month and explain why.
Where we reasonably need further information to confirm your identity or to locate the data you are asking about, we will tell you. As permitted by the Data (Use and Access) Act 2025, the response clock is paused ("stopped") until we receive the clarification we have asked for. Our searches in response to subject access requests will be reasonable and proportionate.
If your request relates to data uploaded to Safety365 by your employer or another customer organisation, that organisation may be responsible for responding. We will help them where required.
15. How to complain
If you are unhappy with how we have handled your personal data or with our response to a request, please tell us first. We operate an internal complaints procedure in line with section 103 of the Data (Use and Access) Act 2025, which comes into force on 19 June 2026.
15.1 Submitting a complaint to Sevron
You can submit a data protection complaint by:
- emailing privacy@sevron.co.uk with "Data protection complaint" in the subject line; or
- writing to us at the registered address in section 2, marked for the attention of the Operations Manager.
15.2 What we will do
- Acknowledge your complaint within 30 days of receipt, as required by section 103 of the DUAA, and sooner where practicable.
- Investigate the issue, which may include speaking to the relevant team, reviewing logs and records, and seeking legal advice.
- Provide a substantive response without undue delay, setting out our findings and any action we will take.
- Keep a record of the complaint and the outcome for accountability purposes.
Sevron's Customer Happiness team will triage data protection complaints and coordinate responses with the Operations Manager and relevant teams.
15.3 Complaining to the ICO
If you are not satisfied with our response — or at any time — you have the right to complain to the UK Information Commissioner's Office (ICO):
| Information Commissioner's Office | Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF |
| Helpline | 0303 123 1113 |
| Website | https://ico.org.uk/make-a-complaint/ |
16. Children's data
Safety365 is intended for use by businesses and authorised personnel, not by children. We do not knowingly collect personal data from anyone under the age of 18. If you believe that a child has provided personal data to us, please contact privacy@sevron.co.uk and we will delete it.
17. Changes to this Policy
We review this Policy at least annually and update it when our processing activities, the law, or regulatory guidance change. The "Version" and "Last reviewed" dates at the top of this Policy show the current version. Material changes will be communicated by email, in-product notice, or a prominent website notice where appropriate.
18. Definitions
- "UK GDPR" means the UK General Data Protection Regulation as it forms part of UK law, read with the Data Protection Act 2018 and as amended by the Data (Use and Access) Act 2025.
- "PECR" means the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended.
- "DUAA" means the Data (Use and Access) Act 2025.
- "Customer content" means information uploaded to or created in Safety365 by or on behalf of a customer organisation.
- "Controller", "processor", "personal data", "processing", "special category data" have the meanings given in UK data protection law.
- "Customer" means the organisation that enters into a contract with Sevron for the use of Safety365 and related services. The Sevron Standard Terms and Conditions use the term "Customer" for the same concept.
- "Data subject" means an identified or identifiable natural person to whom personal data relates.
- "Subprocessor" means a third party engaged by Sevron to process personal data on Sevron's behalf in connection with the Services, as listed in Annex A.
- "Personal data breach" has the meaning given in Article 4(12) UK GDPR, namely a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- "International transfer" means a transfer of personal data to a country or international organisation outside the United Kingdom, as contemplated by Chapter V of the UK GDPR (as amended by the DUAA).
- "Services" means Safety365 and any related services provided by Sevron, as described in the customer contract or Terms & Conditions.
- "SCCs" means the EU Standard Contractual Clauses approved by the European Commission for the transfer of personal data to third countries, as supplemented by the UK Addendum issued by the Information Commissioner where applicable.
- "IDTA" means the International Data Transfer Agreement issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
Capitalised terms used but not defined in this Policy have the meaning given in Sevron's Terms & Conditions or the customer's applicable contract with Sevron. Where there is a conflict between this Policy and the Terms & Conditions on a defined term, the Terms & Conditions take precedence.
Annex A — Subprocessors and key vendors
This Annex lists the third-party providers Sevron uses to deliver the Services and to operate its business. It is updated when subprocessors are added, replaced, or removed.
Table 1A — Subprocessors used to deliver Safety365
These providers process personal data of customers and end-users as part of operating the Safety365 service. Each is bound by a written data processing agreement under Article 28 UK GDPR.
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Platform hosting and infrastructure, and transactional email delivery via Amazon SES. | EU (eu-west-1, Ireland) |
| FusionAuth | Authentication and identity management for Safety365 users. | EU – Ireland |
| Microsoft (Entra ID / SSO) | Single sign-on identity provider for Safety365 customer flows that use Microsoft authentication. | EU |
| Algolia | Search indexing (substances, SDS, customer portal). | EU – France |
| New Relic | Application performance monitoring and security-event logging, used to detect and investigate suspicious access attempts. | EU |
| Intercom | In-app messaging and customer support. | US |
| PostHog | Product analytics and feature flags. Loaded subject to website cookie consent under PECR; see our Cookie Policy for details. | EU Cloud |
| OpenAI | AI inference for the landing-site chatbot, SDS scraping, SPOTAI, and the Risk Assessment audit tool. Under the OpenAI Data Processing Addendum effective 1 January 2026, API content is not used to train OpenAI's models. | United States. OpenAI's data processing terms identify OpenAI OpCo, LLC as the contracting entity for personal data subject to UK GDPR and OpenAI Ireland Ltd. for personal data subject to EU GDPR; in both cases the EU Standard Contractual Clauses (with the UK Addendum where relevant) apply to transfers outside the EEA/UK. |
| Google (AI Studio / Gemini API) | AI inference for SDS scraping and SPOTAI. Under the Gemini API Additional Terms of Service, paid-tier content is not used to improve Google's products. | Globally, with EU-hosted processing where possible. Google Ireland Ltd. is the EEA/UK contracting entity under the Google Cloud Data Processing Addendum, which incorporates the EU SCCs and UK Addendum for transfers outside the EEA/UK. |
Table 1B — Subprocessors used for commercial and business operations
These providers process personal data of customers, prospects, or commercial counterparties in a commercial or relationship capacity — for example, marketing, contracting, billing, or contract signing — rather than as part of the Safety365 service itself. Each is bound by a written data processing agreement under Article 28 UK GDPR.
| Provider | Purpose | Location |
|---|---|---|
| Monday.com | CRM and contract/billing tracking used by the internal team. Holds customer and prospect contact data, contract details, and billing contacts. | US |
| GoHighLevel | Marketing and CRM platform. Holds prospect and customer contact data captured through the Sevron website and marketing funnels. | US |
| Stripe | Card payment processing via Stripe Checkout. Processes customer billing contact data. Sevron does not store full card details. Stripe is certified as a PCI-DSS Level 1 Service Provider. | EU – Ireland |
| Xero | Cloud accounting and invoicing. Processes customer billing contact data for invoice generation and statutory accounting purposes. | EU – Ireland |
| Docusign | Electronic signature for Sevron's commercial contracts (sales agreements, NDAs and similar documents signed by named individuals at customer and counterparty organisations), as well as internal documents. | US |
Table 2 — Internal operational vendors
These providers support Sevron's internal operations. Their primary function is not to process customer or user data, but in the course of normal use they may incidentally process personal data where customers or counterparties are referenced in internal records. They are bound by data processing agreements and recorded in Sevron's internal record of processing activities.
| Provider | Purpose | Location |
|---|---|---|
| Atlassian (Jira, Confluence, Bitbucket) | Internal issue tracking, documentation, and source control. | EU (Sevron tenant on Atlassian Cloud) |
| Microsoft (Teams, OneDrive, Microsoft 365) | Internal collaboration, email, and file storage. | EU |
Changes to this Annex
Sevron will update this Annex when a subprocessor is added, replaced, or removed. Customers who wish to be notified of changes can subscribe by contacting privacy@sevron.co.uk.