Privacy Policy

Last updated: 1 May 2026

This Privacy Policy explains how TrusTrak Solutions Ltd (“RiskGuard”, “we”, “us”) collects, uses, and protects your personal data when you use our platform or visit our website. We are committed to handling your data transparently and in accordance with UK GDPR and the Data Protection Act 2018.

1. Who we are

RiskGuard is operated by TrusTrak Solutions Ltd, a private limited company registered in England and Wales. Our registered office is in London, UK. In this policy "we", "us", and "our" refer to TrusTrak Solutions Ltd.

If you have any questions about this policy, contact us at privacy@riskguardhq.com.

2. What data we collect

We collect the following categories of personal data:

Account data — your name, email address, company name, and password (stored as a hashed value, never in plain text) when you register for an account.

Usage data — information about how you interact with the platform, including pages visited, features used, and timestamps. This helps us improve the product.

Compliance data — documents, risk entries, control records, and evidence files you upload to the platform as part of your GRC workflow. You own this data entirely.

Communications — emails you send to us, support requests, and feedback.

Technical data — IP address, browser type, device information, and cookies (see Section 8).

3. Legal basis for processing

We process your personal data under the following lawful bases under UK GDPR:

Contract — to provide the RiskGuard service you have signed up for.

Legitimate interests — to improve our platform, prevent fraud, and ensure the security of our systems.

Legal obligation — where we are required by law to process or retain data.

Consent — for marketing communications, where you have opted in. You can withdraw consent at any time.

4. How we use your data

We use your data to:

  • Create and manage your account
  • Deliver and improve the RiskGuard platform
  • Respond to support requests
  • Send transactional emails (account confirmations, password resets)
  • Send product updates and marketing, if you have opted in
  • Detect and prevent fraud or security incidents
  • Meet our legal obligations

5. Data sharing

We do not sell your personal data. We share it only with:

Service providers — third-party processors who help us operate the platform (hosting, email delivery, analytics). These are bound by data processing agreements and may not use your data for their own purposes.

Law enforcement or regulators — where we are required by law or court order.

Auditors — where you have granted an external auditor access via a time-limited token. You control what they can see.

We will never share your compliance data with any third party without your explicit instruction.

6. Data storage and transfers

Your data is stored on servers located in the United Kingdom and the European Economic Area (EEA). We do not transfer personal data outside the UK/EEA without appropriate safeguards in place.

Compliance data (risk registers, evidence files, control records) is stored with AES-256 encryption at rest. All data in transit is protected by TLS 1.2 or higher.

7. Data retention

We retain your personal data for as long as your account is active. If you close your account, we will delete or anonymise your personal data within 90 days, unless we are required by law to retain it longer.

Compliance data uploaded by you is deleted within 30 days of account closure, unless you request earlier deletion.

8. Cookies

We use a small number of strictly necessary cookies to keep you logged in and maintain session state. We do not use tracking cookies or advertising cookies.

You can disable cookies in your browser settings, but this may prevent you from logging in to the platform.

9. Your rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your data ("right to be forgotten")
  • Restriction — ask us to stop processing your data in certain circumstances
  • Portability — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — for any processing based on consent

To exercise any of these rights, email privacy@riskguardhq.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or by displaying a prominent notice in the platform. The "Last updated" date at the top of this page reflects the most recent revision.

Continuing to use RiskGuard after a policy update constitutes acceptance of the revised terms.

Questions? Email us at . This policy is governed by the laws of England and Wales.