DRAFT — Subject to solicitor review before publication

Privacy Policy

Last updated: 1 April 2026

1. Who We Are

Licet (pending Ltd formation) is a construction compliance SaaS platform founded by Josh O’Keeffe. We help construction companies manage site compliance, competency records, inspections, and safety documentation digitally.

  • Domain: licet.co.uk
  • Email: privacy@licet.co.uk
  • Post: Licet, Wirral, Merseyside. Registered address to be confirmed.

For the purposes of UK data protection law, Licet acts as a Data Processor on behalf of our customers (who are the Data Controllers). For data relating to account registration and billing, Licet acts as a Data Controller.

2. What Data We Collect

2.1 Account Information

When you register for an account, we collect your name, email address, phone number (for MFA), job title, and the name of your Organisation.

2.2 Compliance Records

Data uploaded by your Organisation for compliance purposes, including: competency certificates, training records, inspection reports, risk assessments, method statements, site induction records, and related documentation.

2.3 Digital Signatures

Electronic signatures captured within the Service for sign-offs, approvals, and acknowledgements, along with the timestamp and identity of the signatory.

2.4 GPS and Location Data

When workers use the clock-in/clock-out feature, we collect GPS coordinates to verify site presence. Location data is only collected at the moment of clock-in or clock-out and is not continuously tracked.

2.5 Device and Technical Information

We collect device type, operating system, browser type, IP address, and general usage analytics to maintain and improve the Service.

2.6 Payment Information

Payment card details are collected and processed directly by Stripe. We do not store your full card number on our servers. We retain only the last four digits for reference purposes.

3. Lawful Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we rely on the following lawful bases:

  • Contract Performance (Article 6(1)(b)): Processing your account data and compliance records is necessary to provide the Service you have subscribed to.
  • Legitimate Interest (Article 6(1)(f)): Processing compliance data to maintain audit trails, enforce immutability, and ensure the integrity of construction safety records. Our legitimate interest is ensuring workplace safety and regulatory compliance.
  • Legal Obligation (Article 6(1)(c)): Retaining certain compliance records for periods mandated by UK construction regulations.
  • Consent (Article 6(1)(a)): Where we send marketing communications, we do so only with your explicit consent, which you may withdraw at any time.

4. How We Use Your Data

  • Compliance Management: Hosting and displaying your competency records, inspection reports, and safety documentation.
  • Audit Trail: Maintaining an immutable, hash-chain secured log of all compliance activities for regulatory purposes.
  • Expiry Alerts: Sending notifications when certificates, competencies, or equipment inspections are approaching their expiry date.
  • Analytics: Generating compliance dashboards and reports for your Organisation.
  • Service Improvement: Aggregated, anonymised usage data to improve the platform.
  • Security: Detecting and preventing unauthorised access, fraud, and other security threats.

5. Data Sharing

We share your data only with the following sub-processors, strictly as necessary to operate the Service. We never sell your data to anyone.

Sub-processor | Purpose | Location
Supabase | Database hosting and authentication | EU / US
Vercel | Application hosting and CDN | US
Stripe | Payment processing | US
Resend | Transactional email delivery | US
Twilio | SMS delivery (MFA and alerts) | US
Sentry | Error monitoring and performance | US

6. Data Retention

We retain data for the following periods, reflecting both operational needs and legal requirements under UK construction regulations:

Data Type | Retention Period | Basis
CDM records (design risk assessments, construction phase plans) | 40 years | CDM Regulations 2015 / Limitation Act 1980
LOLER records (lifting equipment inspections) | 2 years | LOLER 1998, Regulation 11
General compliance records | 6 years | Limitation Act 1980 (general limitation period)
Account data (name, email, settings) | Duration of account + 30 days | Deleted on request (subject to legal retention obligations)
Payment records | 7 years | HMRC requirements

7. Your Rights

Under the UK GDPR, you have the following rights. To exercise any of these rights, contact us at privacy@licet.co.uk.

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate personal data.
  • Right to Erasure: Request deletion of your personal data, where not subject to a legal retention obligation. Note: Compliance Records required by law cannot be erased during their mandatory retention period.
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format (CSV, PDF).
  • Right to Object: Object to processing based on legitimate interest.
  • Right to Restrict Processing: Request that we limit how we process your data in certain circumstances.
  • Right to Withdraw Consent: Where processing is based on consent (e.g., marketing), you may withdraw consent at any time.
  • Right to Complain: You have the right to lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk, telephone 0303 123 1113.

We will respond to all data rights requests within one calendar month, as required by the UK GDPR.

8. Cookies

We use only strictly necessary session cookies to maintain your authenticated session and remember your preferences. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.

  • Session cookie: Required for authentication. Expires when you close your browser or after your session timeout period.
  • CSRF token: A security cookie to prevent cross-site request forgery attacks.

Because we use only strictly necessary cookies, consent is not required under the Privacy and Electronic Communications Regulations 2003 (PECR).

9. International Data Transfers

Some of our sub-processors are based in the United States. Where personal data is transferred outside the UK, we ensure adequate safeguards are in place:

  • Supabase: EU-hosted database option where available; US transfers covered by Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA).
  • Vercel: US-based hosting, covered by SCCs and the UK IDTA.
  • Stripe, Resend, Twilio, Sentry: US-based, each operating under SCCs and the UK IDTA.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or by posting a prominent notice within the Service at least 30 days before the changes take effect. The “Last updated” date at the top of this page will be revised accordingly.

11. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

  • Email: privacy@licet.co.uk
  • Post: Licet (pending Ltd formation), Wirral, Merseyside. Registered address to be confirmed.