How we protect your data

Privacy Policy Statement
Updated April 2023



In providing you, the user, with access to ‘the Site’ – meaning either the Safe-Assure website or the Safetyframe web application, Safe-Assure understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who visits the Site and we will only collect and use personal data through the application in the limited ways that are described here, and in a way that is consistent with Our obligations and your rights under the law.

Please read this Privacy Statement carefully and ensure that you understand it. It sets out Our policy for how we collect and process the personal data of users of our sites.  In the case of the Safetyframe web application, your use of the site may have been mandated by your employer or the organisation you work for in another capacity (e.g. as a contractor). You should therefore speak to them about any issues you have regarding personal data.


1.  Information About Us

The Site is owned and operated by Safe-Assure, a Limited Liability Partnership registered in Scotland. (We, Us, Our). Enquiries about privacy matters should be addressed to the Data Processing Manager using the contact details given in Part 13. We are a Processor of your personal data if you are a user of the Safetyframe web application, and may use sub-processors to carry out some functions on our behalf. The organisation giving you access to it is the Controller of the data.  We are the Controller of any data submitted through the Safe-Assure website.

2.  What Does This Privacy Statement Cover?

This Privacy Statement explains how We use your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.

Our Privacy Policy applies only to your use of the Site. The Site may contain links to other websites. Please note that We have no control over how your data is collected, stored, or used by other websites and We advise you to check the privacy policies of any such websites before providing any data to them.


3.  What is Personal Data?

Personal data is defined by the UK General Data Protection Regulation (UK GDPR), supplemented and tailored by the Data Protection Act 2018 as amended, (collectively, “the Data Protection Legislation”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

In simpler terms, this is any information about you that enables you to be identified either directly, or in association with other data which may be available about you. Personal data covers obvious information such as your name and contact details, but it can also include other information such as identification numbers, electronic location data, and other online identifiers.


4.  What Are My Rights?

Under the GDPR, you have the following rights, which We will always work to uphold:

  1. The right to be informed about Our collection and use of your personal data. This Privacy Statement should tell you everything you need to know, but you can always contact Us to find out more, to ask any questions, or to make a request relating to your data, using the contact details in Part 13.
  2. The right to access the personal data We hold about you. Part 11 will tell you how to request this.
  3. The right to have your personal data rectified if any of your personal data held by Us is inaccurate or incomplete.
  4. The right to be forgotten, i.e. the right to ask Us to erase or otherwise dispose of any of your personal data that We hold.
  5. The right to restrict (i.e. prevent aspects of) the processing of your personal data.
  6. The right to data portability. You have the right to receive your personal data from Us in a way that is accessible and machine-readable, for example as a csv file. You also have the right to ask Us to transfer your data to another organisation. We must do this if the transfer is technically feasible.
  7. The right to object to Us using your personal data for a particular purpose or purposes.
  8. Rights relating to automated decision-making and profiling. (We do not use your personal data in this way.)

For more information about Our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 13.

Further information about your rights can also be obtained from the Information Commissioner’s Office (ICO) or your local Citizens Advice Bureau.

If you have any cause for complaint about Our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office. We would welcome the opportunity to resolve your concerns ourselves, however, so please contact Us first, using the details in Part 13.

5.  What Personal Data Do You Collect, How, and For What Purpose?

6.  How Do You Use My Personal Data?

Under the GDPR, Wemust always have a lawful basis for using personal data. This may be a) for Our performance of a contract with the organisation which provides you access to Safetyframe, or b) because you have consented to Our processing of your personal data on a site webform, or c) because it is in Our legitimate business interests to use it. Your personal data will be used for one of the purposes and in accord with the associated lawful basis given in the table above.

7.  How Long Will You Keep My Personal Data?

Your personal data will be retained for as long as necessary for the performance of a contract with Our clients, or for as long as we may need to prove you gave Us permission to process it. Personal data collected by third party cookies (if applicable) may be retained on the Site for the current session only, or for the period set by the provider (usually 1-2 years). You may opt not to allow cookies, but your use of the Site may be affected.

8.  How and Where Do You Store or Transfer My Personal Data?

We will normally only store or transfer your personal data within the UK and the European Economic Area (the “EEA”). The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein. This means that your personal data will be fully protected under the Data Protection Legislation, and/or to equivalent standards by law.

Where it becomes necessary to transfer personal data to third parties (e.g. to a subcontractor) not in the EEA We will use specific contracts containing Standard Contractual Clauses (SCCs) that are approved by the Information Commissioner’s Office (ICO) for the transfer of personal data to third countries.These contracts require the same levels of personal data protection as would be required for European transfers. Since the demise of the EU-US Privacy Shield, and until satisfactory replacement legislative provision is in place, we will treat the USA in the same way as a third country.

Except for what Cookies on the site may do, We will not further share any of your personal data with any third parties for any purposes, subject to two important exceptions.

In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.

We also reserve the right to transfer information (including your personal data) to a third party in the event of a sale, merger, liquidation, receivership or transfer which includes the ownership of Safetyframe, provided that the third party agrees to adhere to equivalent privacy terms and provided that the third party only uses your personal data for the purposes for which you provided it to us. You will be notified in the event of any such transfer and you will be afforded an opportunity to opt-out.

Data input by our Safetyframe clients’ administrators or other users of the Safetyframe application, is stored in separate databases assigned only to the particular client. We have no access to this data unless specifically approved by the client for diagnostic or technical etc. purposes for their assistance. Client databases are held on a secure server, and all (external) files uploaded by clients’ users are encrypted in transit and at rest on the server using 256bit AES encryption for additional security in case these contain personal data.

Because encryption can impact on performance, in the case of documents created within the Safetyframe system, only essential fields which may contain personal data are encrypted. These fields are distinguished on the Safetyframe user interface by a light green background so that the user is made aware of the areas in which data will be further protected. These include such areas as name, email, phone, job title and department fields.

9.  How Can I Control My Personal Data?

You may restrict Our use of cookies using the cookie consent banner, but this might affect the functioning of the Site.

If you have been a Safetyframe administrator for one of Our clients, and have left your employed position, you may request that your personal data is deleted from the application database. You may do this either through the client organisation, who will contact Us, or directly with Ourselves using the contact information given at Part 13. This will enable you to be ‘forgotten’ by Us and by Safetyframe.

If you have been provided with access to Safetyframe as a user by one of Our clients, please apply to your providing organisation for erasure from their system.

10. Can I Withhold Information?

You may restrict Our use of cookies using the cookie consent banner, but this might affect the functioning of the Site.

11. How Can I Access My Personal Data?

If you want to know what personal data We have about you, you can ask Us for a copy of it. This is known as a “subject access request”. All subject access requests should be made in writing and sent to the email or postal address shown in Part 13.

There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover Our administrative costs in responding.

We will respond to your subject access request within one month of receiving it. Normally, We aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date We receive your request. You will be kept fully informed of Our progress.

12. How Do You Use Cookies?

You can view the list of Cookies used by Our site in the Cookie Statement below.

All Cookies used by and on Our site are used in accordance with current Cookie Law. Certain features of Our site may depend on Cookies to function. Cookie Law deems these Cookies to be “strictly necessary”.

Before Cookies are placed on your computer or device, you will be shown a pop-up requesting your consent to set those Cookies. By giving your consent to the placing of Cookies you are enabling us to provide the best possible experience and service to you. You may, if you wish, deny consent to the placing of Cookies; however certain features of Our site may not then function fully or as intended.

In addition to the controls that We provide, you can choose to enable or disable Cookies in your internet browser. Most internet browsers also enable you to choose whether you wish to disable all Cookies or only third-party Cookies. By default, most internet browsers accept Cookies, but this can be changed. For further details, please consult the help menu in your internet browser and the documentation for your operating system.

You can choose to delete Cookies on your computer or device at any time, however you may lose any information that enables you to access Our Site more quickly and efficiently including, but not limited to, login and personalisation settings.

It is recommended that you keep your internet browser and operating system up-to-date and that you consult the help and guidance provided by relevant software providers if you are unsure about adjusting your privacy settings.

13. How Do I Contact You?

To talk to us about anything to do with your personal data and data protection, including to make a subject access request, or to request correction or erasure of the data, please contact The Data Processing Manager using the following details:

Email address:                 Postal Address:  Foothills, Perth Road, Abernethy, Perth, PH2 9LW.

14. Changes to this Privacy Policy Statement

We may change this Privacy Statement and the accompanying Cookie Statement from time to time. This may be necessary, for example, if the law changes, or if We change Our business in a way that affects personal data protection.

Any revised version will be posted on the Site and will apply immediately. We recommend that you check the Privacy Policy page regularly to keep up-to-date.

Cookie Statement