1. Introduction
PICMS ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our compliance management platform.
Our Commitment: We are fully compliant with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Your data is stored exclusively in UK/EU data centres.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, job title, company name, and contact details when you register
- Organisation Data: Company information, compliance documents, audit records, incident reports, and training records you upload
- Communication Data: Information you provide when contacting our support team
- Payment Information: Billing details processed securely through Stripe (we do not store card details)
2.2 Information Collected Automatically
- Usage Data: Pages visited, features used, time spent on the platform
- Device Information: Browser type, operating system, IP address
- Cookies: As described in our Cookie Policy
3. How We Use Your Information
We use your information for the following purposes:
- Providing and maintaining our compliance management services
- Processing your subscription and payments
- Sending important service updates and notifications
- Providing customer support
- Improving our platform and developing new features
- Ensuring security and preventing fraud
- Complying with legal obligations
4. Legal Basis for Processing
We process your personal data based on:
- Contract Performance: To provide our services as agreed in our Terms of Service
- Legitimate Interests: To improve our services, ensure security, and communicate with you
- Legal Compliance: To meet regulatory requirements
- Consent: Where you have given explicit consent for specific processing activities
5. Data Sharing and Disclosure
We do not sell your personal data. We may share your information with:
- Service Providers: Cloud hosting (AWS EU-West-2, London), payment processing (Stripe), email services
- Legal Requirements: When required by law or to protect our rights
- Business Transfers: In connection with any merger or acquisition (with prior notice)
6. Data Retention
We retain your data for as long as your account is active or as needed to provide services. After account closure:
- Account data is deleted within 30 days
- Compliance records may be retained for up to 7 years as required by regulations
- Backup data is purged within 90 days
7. Your Rights
Under UK GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a portable format
- Restriction: Limit how we process your data
- Objection: Object to certain processing activities
- Withdraw Consent: Where processing is based on consent
To exercise these rights, contact us at privacy@picms.com.
8. Data Security
We implement robust security measures including:
- 256-bit SSL/TLS encryption for data in transit
- AES-256 encryption for data at rest
- Multi-factor authentication options
- Regular security audits and penetration testing
- ISO 27001 aligned security practices
- UK-based data centres with SOC 2 compliance
9. International Transfers
Your data is primarily stored in AWS EU-West-2 (London). If data needs to be transferred outside the UK/EEA, we ensure appropriate safeguards such as Standard Contractual Clauses are in place.
10. Children's Privacy
PICMS is a business service not intended for children under 16. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or platform notification at least 30 days before changes take effect.