Privacy Policy
1. Introduction
Snubnose Ltd ("we", "our", "us", or "Company") is committed to protecting your privacy and ensuring you have a positive experience on our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit and use our website and services at https://app.snubnose.io (the "Service").
Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Service.
2. Data Controller
Snubnose Ltd
- Registered in England and Wales
- Company number: 17048932
- Jurisdiction: England and Wales
This Privacy Policy is governed by the laws of England and Wales, the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (DUAA).
3. Data We Collect
3.1 Personal Data from OAuth Authentication
When you log in via Google or Microsoft OAuth, we collect:
- Email address
- Full name
- Profile image
We do not collect or store passwords. Authentication is handled entirely by Google or Microsoft.
3.2 Account and Profile Data
When setting up your account and profile within the Service, we may collect:
- System role and permissions
- Organisation membership and affiliation
- Communication preferences
3.3 Organisation Data
When your organisation is registered with Snubnose, we collect:
- Company name
- Industry sector
- Website URL
- Office addresses
- Target DefStan 05-138 certification level
3.4 Cybersecurity Assessment Data
When you use the Service to conduct compliance assessments, we collect and process:
- Scope assessments (locations, technology systems, operational procedures, data storage environments, personnel structures, administrative functions)
- Control applicability assessments
- Control status and implementation tracking
- Evidence documents (uploaded files in various formats)
- AI validation results (confidence scores, reasoning, and extracted field data)
- Audit review notes and findings
- Certification records and status
This data is commercially sensitive and may relate to your organisation's cybersecurity posture.
3.5 Invitation and Access Data
When inviting other users to access the Service, we collect:
- Email addresses of invited users
- Invitation tokens
- Timestamp of invitations
3.6 Assessor Data
DCC Assessors (certifying bodies) may be granted access to a Supplier's workspace on the platform at the Supplier's invitation. When Assessors use the Service, we collect the same categories of personal data described in Sections 3.1 and 3.2 above. Assessors may also register their own organisation on the platform for their own compliance purposes, in which case we collect the data described in Sections 3.3 and 3.4 in respect of that organisation.
When an Assessor accesses a Supplier's data on the platform, the Supplier remains the data controller for that data. Snubnose facilitates this access but does not determine the purposes of the Assessor's processing of Supplier data.
3.7 Usage and Log Data
Our servers automatically collect:
- IP address
- Browser type and version
- Device type and operating system
- Pages viewed and time spent
- Referring URL
- Error logs and diagnostic information
- Timestamps of your activities
This data is collected through standard server logs and helps us understand how the Service is used and to maintain security.
4. Purposes of Processing and Legal Bases
We process your personal data for the following purposes and on the following legal bases under the UK GDPR (as amended by the DUAA):
| Purpose | Legal Basis |
|---|---|
| Authentication and account management | Contract performance (Article 6(1)(b) GDPR) |
| Provision of the Service and compliance features | Contract performance (Article 6(1)(b) GDPR) |
| Communication regarding your account and invitations | Contract performance (Article 6(1)(b) GDPR) |
| Security, fraud detection, and abuse prevention | Legitimate interests (Article 6(1)(f) GDPR) |
| Service improvement and analytics | Legitimate interests (Article 6(1)(f) GDPR) |
| Compliance with legal obligations | Legal obligation (Article 6(1)(c) GDPR) |
| System maintenance and troubleshooting | Legitimate interests (Article 6(1)(f) GDPR) |
When we process data using OAuth providers, their use of your data is governed by their respective privacy policies.
5. AI Processing and Automated Decision-Making
5.1 AI Validation and Analysis
Snubnose uses artificial intelligence (specifically the Anthropic Claude API) to assist with:
- Evidence document validation and analysis
- Control applicability assessment
- Extraction of relevant fields and data from evidence documents
- Generation of confidence scores and validation reasoning
5.2 Data Sent to AI Processor
When you upload evidence documents or provide assessment information, the following data may be sent to Anthropic (Claude API) for processing:
- Content of evidence documents (e.g., policies, procedures, audit reports)
- Your organisation's website content (for context and validation)
- Assessment scope and control information
Anthropic processes this data as a sub-processor under a Data Processing Agreement. Snubnose has enrolled in Anthropic's Zero Data Retention (ZDR) programme, which means Anthropic does not retain any data submitted via the API beyond the duration of each individual request. Your data is not stored, logged, cached, or used by Anthropic for model training or any other purpose. Anthropic is based in the United States; data is transmitted to US infrastructure for real-time processing only and is not stored at rest outside the United Kingdom. All persistent storage of your data remains in the UK (Fly.io London region). You may opt out of AI features entirely (see Section 5.4), in which case no data is transmitted to the United States.
5.3 No Automated Decisions with Legal Effect
We do not make any decisions that have legal effect or significantly affect you based solely on automated processing. All AI-generated insights and recommendations are reviewed by human users before any decisions are finalised. The Service is designed to support human decision-making, not replace it.
5.4 Your Rights Regarding AI Processing
You have the right to:
- Request human review of any AI-generated analysis
- Understand the reasoning behind AI validation results
- Opt out of AI features entirely by contacting legal@snubnose.io (requests are processed within 5 business days; a self-service toggle is planned)
- Make representations about and contest any decisions informed by AI-generated analysis, in accordance with the DUAA
- Request deletion of data used in AI processing (subject to legal retention requirements)
6. Data Sharing and Sub-processors
We share your personal data with the following sub-processors for the purposes stated:
6.1 Hosting and Infrastructure
Fly.io
- Purpose: Cloud infrastructure, application hosting, and managed PostgreSQL database
- Location: London region (LHR)
- Role: Data processor
Tigris (via Fly.io)
- Purpose: S3-compatible file storage for evidence documents and attachments
- Location: Integrated with Fly.io infrastructure
- Role: Data processor
6.2 Artificial Intelligence
Anthropic (Claude API)
- Purpose: Evidence validation, control assessment, and analysis
- Location: United States
- Data shared: Evidence document content, organisation website content, assessment information
- Role: Data processor
- Zero Data Retention (ZDR) programme: no data retained beyond each request
- See Section 5 for additional details on AI processing
6.3 Email and Communications
Resend
- Purpose: Transactional email delivery (invitations, notifications, password resets)
- Role: Data processor
6.4 Authentication and Identity
Google
- Purpose: OAuth authentication, Google Places API for address autocomplete
- Role: Data processor
Microsoft (Azure AD / Entra ID)
- Purpose: OAuth authentication
- Role: Data processor
6.5 Data Processing Agreements
We maintain Data Processing Agreements (DPAs) with all sub-processors that meet the requirements of the UK GDPR and ensure appropriate safeguards for your personal data.
7. International Data Transfers
All your personal data is stored at rest exclusively within the United Kingdom (Fly.io London region). No personal data is permanently stored outside the UK. However, some data is transmitted transiently to services in the United States for real-time processing:
- Anthropic (Claude API) for AI validation and analysis — no data retained beyond each request under the Zero Data Retention programme. You may opt out of AI features entirely, eliminating this transfer.
- Resend for transactional email delivery (limited to email addresses and notification content)
- Google for OAuth authentication and address autocomplete
- Microsoft for OAuth authentication
7.1 Transfer Safeguards
Where data is transferred outside the UK and EEA, we rely on:
- UK International Data Transfer Agreement (UK IDTA) adequacy assessments
- Standard Contractual Clauses (SCCs) for EU/EEA transfers under the EU GDPR
- Supplementary measures to address any residual risks
We ensure that any transfers are made only where appropriate safeguards are in place to protect your personal data.
7.2 Export Controls
If your organisation operates in the UK defence sector or handles controlled goods, technology, or information subject to UK export control legislation (including the Export Control Order 2008 and the Trade and Investment Act 2021), you are responsible for determining whether data you provide to the Service requires export licensing before transmission to sub-processors outside the United Kingdom. You may opt out of AI features to ensure no data leaves the UK. For further details, see the Data Processing Agreement (Section 10.7).
8. Data Retention
We retain your personal data for as long as necessary to provide the Service and fulfil the purposes for which it was collected, unless a longer retention period is required by law.
8.1 Retention Periods
- Account and authentication data: For the duration of your account and up to 2 years after account deletion
- Assessment and evidence data: For the duration of the certification programme, and retained for 6 years thereafter for compliance and audit purposes
- Audit logs and usage data: Up to 1 year
- Invitation tokens: Until used or expired (typically 30 days)
8.2 Deletion Upon Request
You may request deletion of your personal data, subject to:
- Legal retention obligations (e.g., tax, audit, compliance records)
- Our legitimate interests in maintaining security and preventing fraud
- Ongoing contractual or legal obligations
Upon account deletion, we will anonymise or delete personal data within 30 days, except where retention is legally required.
9. Your Data Subject Rights
Under the UK GDPR, you have the following rights:
9.1 Right of Access
You have the right to request a copy of the personal data we hold about you, along with information about how and why we process it.
9.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data.
9.3 Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data, subject to legal retention requirements and other limitations.
9.4 Right to Restrict Processing
You have the right to request that we limit how we use your personal data while we consider your request or investigate a complaint.
9.5 Right to Data Portability
You have the right to request your personal data in a structured, commonly used, machine-readable format and to transmit it to another organisation.
9.6 Right to Object
You have the right to object to processing of your personal data for legitimate interests, including profiling for marketing purposes.
9.7 Rights Related to Automated Decision-Making
Under the UK GDPR (as amended by the DUAA), you have the right to request human review of any decision based solely on automated processing that has legal effect or significantly affects you. You also have the right to make representations about and contest such decisions, and to receive clear information about the logic involved in any automated processing.
9.8 Exercising Your Rights
To exercise any of these rights, please contact us at the details provided in Section 15. We will respond to your request within 30 days. You may be asked to verify your identity to protect your security.
10. Right to Lodge a Complaint
You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority for data protection:
Information Commissioner's Office
- Website: https://ico.org.uk
- Phone: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
You may lodge a complaint at any time, but we encourage you to contact us first to allow us to resolve your concern.
11. Cookies and Session Management
11.1 Session Cookies
The Service uses encrypted session cookies to maintain your authentication and login state. These cookies:
- Are essential to the functioning of the Service
- Contain encrypted session data (secured with NUXT_SESSION_PASSWORD)
- Do not track you across websites or for advertising purposes
- Are deleted when you log out or close your browser
11.2 No Tracking or Advertising Cookies
We do not use cookies for:
- Advertising, marketing, or tracking purposes
- Cross-site tracking
- Behavioural advertising or profiling
11.3 Managing Cookies
Your browser settings allow you to refuse cookies or alert you when cookies are being sent. However, refusing essential session cookies will prevent you from using the Service.
12. Security Measures
We implement comprehensive security measures to protect your personal data:
12.1 Encryption
- Data in transit: All communication with the Service is encrypted using TLS/SSL (HTTPS)
- Session data: Session cookies are encrypted using NUXT_SESSION_PASSWORD
- Data at rest: Personal data is encrypted in the managed PostgreSQL database (Fly.io encryption at rest)
12.2 Access Controls
- Role-based access control (RBAC): Users can only access data relevant to their role and organisation
- Authentication: OAuth-based authentication eliminates password storage and password compromise risks
- Activity logs: All access and modifications are logged for audit purposes
12.3 Infrastructure Security
- Hosted on Fly.io's secure, managed infrastructure
- Automatic backups and disaster recovery
- Regular security updates and patch management
- DDoS protection and WAF (Web Application Firewall) configurations
12.4 Organisational Measures
- Restricted access to personal data (need-to-know basis)
- Data processing agreements with all sub-processors
- Regular security assessments and penetration testing
- Incident response procedures
12.5 Security Certifications and Insurance
Snubnose holds current Cyber Essentials certification and maintains cyber liability insurance. We are committed to maintaining these certifications throughout the provision of the Service. Evidence of current certifications and insurance coverage is available upon request.
12.6 Data Breach Notification
In the event of a data breach affecting your personal data, we will notify the relevant data controller without undue delay and in any case within 24 hours of becoming aware of the breach. We will cooperate with the data controller's own notification obligations to the ICO and affected individuals.
12.7 Limitations
Whilst we implement robust security measures, no system is completely secure. You are responsible for maintaining the confidentiality of your login credentials. Never share your OAuth credentials or access tokens with unauthorised parties.
13. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete such data promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Privacy Policy on the Service
- Updating the "Last updated" date at the top of this document
- Sending you a notification email if the change is significant
Your continued use of the Service after changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this Policy regularly to stay informed about how we protect your data.
15. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Snubnose Ltd
Email: privacy@snubnose.io
Website: snubnose.io
We will respond to your inquiry within 14 business days.
For data subject rights requests (access, deletion, portability, etc.), please use the same contact details and clearly state your request. We may ask for additional information to verify your identity.