Privacy Policy

Last updated: 1 March 2025

1. Who We Are

Vindico ICS Ltd, trading as RiskGen ("we", "us", "our"), is a company registered in England and Wales. We operate the website riskgen.ai and provide an AI-powered platform for generating Risk Assessments and Method Statements (RAMS) for the UK construction industry.

We are the data controller for the personal data we process. If you have any questions about this policy or how we handle your data, please contact us at [email protected].

This privacy policy explains how we collect, use, store, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What Data We Collect

We collect the following categories of personal data:

Account Information: Your name, email address, company name, and password (stored securely via Firebase Authentication).

Payment Information: Billing details processed securely by Stripe. We do not store your full card details on our servers.

RAMS Document Content: The information you provide to generate risk assessments and method statements, including project descriptions, hazard details, and control measures.

Usage Data: How you interact with our platform, including pages visited, features used, and session duration. We use Plausible Analytics, which does not collect personal data or use cookies.

Communication Data: Any messages, support requests, or feedback you send to us.

3. How We Use Your Data

We use your personal data for the following purposes:

  • To provide and maintain our RAMS generation service, including processing your inputs through our AI system
  • To manage your account and subscription
  • To process payments and manage billing
  • To communicate with you about your account, service updates, and support enquiries
  • To improve our platform and develop new features
  • To send marketing communications (only with your explicit consent)
  • To comply with legal obligations and protect our legitimate interests

4. Legal Basis for Processing

We process your personal data on the following legal bases under the UK GDPR:

Contract (Article 6(1)(b)): Processing necessary to provide our service, manage your account, process payments, and generate RAMS documents.

Legitimate Interest (Article 6(1)(f)): Processing necessary for improving our services, maintaining platform security, and analysing usage patterns to enhance user experience.

Consent (Article 6(1)(a)): Where you have given explicit consent, such as for marketing communications. You may withdraw consent at any time.

Legal Obligation (Article 6(1)(c)): Where we are required to process data to comply with UK law, including tax and accounting obligations.

5. AI Processing

Our platform uses artificial intelligence (provided by Anthropic's Claude) to generate RAMS documents based on the information you provide. When you use our RAMS generation feature:

  • Your project information is sent to Anthropic's API for processing
  • Anthropic does not use your data to train their models
  • Data is transmitted securely using encryption in transit
  • We do not share your personal identity with Anthropic, only the content needed to generate your documents

6. Data Storage and Security

We take the security of your data seriously:

  • Your data is stored on secure servers within the United Kingdom (GCP europe-west2, London)
  • All data is encrypted at rest and in transit using industry-standard encryption (AES-256)
  • We implement appropriate technical and organisational measures to protect against unauthorised access, alteration, or destruction
  • Access to personal data is restricted to authorised personnel only
  • We regularly review and update our security practices

7. Third-Party Services

We use the following trusted third-party services to operate our platform:

Anthropic (Claude AI): Powers our RAMS generation engine. Processes document content only; no personal identity data is shared.

Stripe: Handles all payment processing securely. Stripe is PCI DSS Level 1 certified. See Stripe's Privacy Policy.

Firebase (Google): Provides authentication services and website hosting. See Firebase's Privacy Policy.

MongoDB Atlas: Database hosting for your account data and RAMS documents. Data is stored in UK-based data centres.

SendGrid: Delivers transactional and service-related emails on our behalf.

Plausible Analytics: Privacy-friendly website analytics. Plausible does not use cookies or collect personal data. See Plausible's Data Policy.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Account data: Retained for the duration of your account, plus 30 days after deletion to allow for recovery
  • RAMS documents: Retained for the duration of your account. You may delete individual documents at any time
  • Payment records: Retained for 7 years as required by HMRC for tax purposes
  • Support correspondence: Retained for up to 2 years after resolution

9. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data in certain circumstances
  • Right to Restrict Processing: Request limitation of how we use your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Cookies

We use a small number of cookies to ensure our website functions correctly. For full details on the cookies we use and how to manage them, please see our Cookie Policy.

11. International Transfers

We primarily store and process data within the United Kingdom. Where data is transferred outside the UK (for example, to service providers in the United States such as Stripe and Anthropic), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions recognised by the UK government.

12. Children's Privacy

Our service is designed for businesses and professionals in the construction industry. We do not knowingly collect personal data from children under the age of 18. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by email or by posting a prominent notice on our website. We encourage you to review this policy periodically.

14. Contact Us

If you have any questions about this privacy policy or our data practices, please contact us:

Vindico ICS Ltd t/a RiskGen
Cardiff, United Kingdom
Email: [email protected]
Website: riskgen.ai

© 2026 RiskGen. All rights reserved.
