Privacy Policy
Last updated: [DATE]
1. Introduction
This Privacy Policy explains how Praeviso ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website (praeviso.app), our project risk management workstation ("the Service"), and related services.
Praeviso is operated by [COMPANY NAME], a company registered in England and Wales with registered address at [REGISTERED ADDRESS]. Company number: [COMPANY NUMBER].
We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have any questions about this Privacy Policy, please contact us at support@praeviso.app.
2. Data Controller
The data controller responsible for your personal data is:
[COMPANY NAME]
[REGISTERED ADDRESS]
Email: support@praeviso.app
3. What Personal Data We Collect
We collect and process the following categories of personal data:
3.1 Account and Registration Data
When you sign up for a trial or subscribe to Praeviso, we collect:
- Company name
- Email address
- Name (if provided)
- Password (stored as a cryptographic hash — we never store your actual password)
- Selected subscription tier
3.2 Usage Data
When you use the Service, we collect:
- Risk register data and project information you enter into the workstation
- Actions performed within the workstation (for audit trail and change history purposes)
- Login timestamps and session information
3.3 Billing Data
When you subscribe to a paid plan, payment is processed by Stripe. We store:
- Stripe customer ID and subscription ID
- Subscription status and billing cycle
- Selected tier and plan
We do not store your credit card number, bank details, or full payment card information. This data is held solely by Stripe, our payment processor. Stripe's privacy policy is available at https://stripe.com/privacy.
3.4 Communication Data
When you contact us via the contact form or email, we collect:
- Your name and email address
- The content of your message
3.5 Technical Data
When you visit our website, we may collect:
- IP address
- Browser type and version
- Device type
- Pages visited and time spent
We use essential cookies only (see our Cookie Policy for details). We do not use analytics tracking or marketing cookies.
3.6 Authentication Data
If you use "Sign in with Microsoft", we receive from Microsoft:
- Your Microsoft email address
- Your display name
We do not receive or store your Microsoft password.
If you enable multi-factor authentication (MFA), we store:
- An encrypted TOTP secret (for authenticator app verification)
- Hashed backup recovery codes
- Passkey public keys (if you register a passkey)
We never store biometric data. Passkey biometric verification happens on your device — only a cryptographic key is sent to our servers.
4. How We Use Your Data
We use your personal data for the following purposes:
4.1 To Provide the Service
- Creating and managing your account
- Providing access to the Praeviso workstation
- Processing your subscription and billing
- Generating and managing licence keys
- Sending verification emails for trial signups
Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR)
4.2 To Communicate With You
- Responding to your enquiries via the contact form or email
- Sending trial expiry notifications (30 days before, 14 days before, and on the day of expiry)
- Sending service-related notices (e.g. planned maintenance, security updates)
Legal basis: Performance of a contract and legitimate interests (Article 6(1)(b) and 6(1)(f) UK GDPR)
4.3 To Maintain Security
- Authenticating your identity at login
- Enforcing multi-factor authentication policies
- Monitoring for unauthorised access
- Maintaining audit logs of system activity
Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR)
4.4 To Comply With Legal Obligations
- Maintaining records required by law
- Responding to lawful requests from authorities
Legal basis: Legal obligation (Article 6(1)(c) UK GDPR)
5. Data Sharing
We share your personal data only with the following categories of recipients, and only to the extent necessary to provide the Service:
5.1 Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Railway | Hosting (admin platform, marketing site) | United States |
| Hetzner | Hosting (customer workstation instances) | Germany |
| Stripe | Payment processing | United States |
| Resend | Transactional email delivery | United States |
| Microsoft (Entra ID) | Authentication (SSO), only if your organisation enables "Sign in with Microsoft" | United States |
5.2 International Transfers
Some of our sub-processors are based outside the UK. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
- The sub-processor's compliance with applicable data protection frameworks
5.3 We Do Not
- Sell your personal data to third parties
- Share your data with advertisers
- Use your data for profiling or automated decision-making
- Share your risk register data with other customers (each customer has an isolated database)
6. Data Retention
We retain your personal data for the following periods:
| Data type | Retention period |
|---|---|
| Account and registration data | Duration of your subscription + 90 days |
| Risk register and workstation data | Duration of your subscription + 90 days |
| Change history (risk audit trail) | 6 months (rolling) |
| Billing records | 7 years (UK legal requirement for financial records) |
| Contact form messages | 12 months |
| Trial signup attempts (rate limiting) | 24 hours |
| Audit logs (system activity) | 12 months |
After cancellation of your subscription, your workstation data (including your risk register) is retained for 90 days in case you wish to resubscribe. After 90 days, your data is permanently deleted. This includes dropping your isolated customer database.
If you are on a free trial that expires without conversion, the same 90-day retention period applies from the date of trial expiry.
7. Data Security
We take the security of your data seriously. Measures we implement include:
- Encryption in transit: All data is transmitted over TLS 1.3
- Encryption at rest: Databases are encrypted at rest. Hetzner VPS instances use LUKS full-disk encryption
- Database isolation: Each customer organisation has its own separate database. Your data is never co-mingled with other customers' data
- Authentication: Passwords are hashed using bcrypt. MFA secrets are encrypted using AES-256. We support TOTP, passkeys, and Microsoft SSO
- Access control: Role-based access within each organisation. The Praeviso admin platform is protected by MFA
- Security headers: HSTS, Content Security Policy, X-Frame-Options, and other security headers are enforced
- Infrastructure hardening: Firewalls, SSH key-only authentication, automatic security updates, and intrusion detection on all servers
8. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: You can request a copy of the personal data we hold about you
- Right to rectification: You can request correction of inaccurate or incomplete data
- Right to erasure: You can request deletion of your personal data (subject to legal retention requirements)
- Right to restrict processing: You can request that we limit how we use your data
- Right to data portability: You can request your data in a structured, machine-readable format
- Right to object: You can object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time
To exercise any of these rights, contact us at support@praeviso.app. We will respond within one month of receiving your request.
If your organisation uses database-per-tenant isolation (all SaaS customers do), exercising your right to erasure is straightforward — we can delete your entire isolated database.
9. Data Processing on Behalf of Customers
When you use the Praeviso workstation, you may enter personal data belonging to third parties (e.g. names of risk owners, team members). In this case:
- You are the data controller for that data
- We are the data processor, processing it on your behalf to provide the Service
We offer a Data Processing Agreement (DPA) to all customers. To request a copy, contact support@praeviso.app.
10. Children's Data
Praeviso is a business-to-business service intended for professional use. We do not knowingly collect personal data from anyone under the age of 16. If you believe we have inadvertently collected data from a person under 16, please contact us immediately at support@praeviso.app.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For significant changes, we will notify you by email or via a notice on our website.
12. Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Telephone: 0303 123 1113
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us at support@praeviso.app in the first instance.
13. Contact
For any questions about this Privacy Policy or our data practices:
Email: support@praeviso.app
[COMPANY NAME]
[REGISTERED ADDRESS]