Privacy Policy

How RiskMetrica collects, uses, stores, and protects personal data across our AI native risk intelligence platform. Includes roles, lawful bases, retention, security measures, international transfers, and your rights.

Who we are Your rights

Scope

Websites, modules, APIs, and dashboards. Last updated September 2025.

Regions

Primary hosting and storage in the UK and EU. Transfers safeguarded by adequacy or Standard Contractual Clauses.

Contact

Data Protection Officer, privacy@riskmetrica.com

1. Who we are and our roles

RiskMetrica Ltd is a controller for personal data gathered from our website, marketing, and user registration activities. We act as a processor when enterprise customers upload or analyse data inside the platform.

  • Controller for website visitors, prospects, and account sign ups.
  • Processor for customer supplied datasets inside modules and workbenches.
  • DPO contact: privacy@riskmetrica.com

Registered office: 10 Fairway Close, Hertfordshire, Harpenden, United Kingdom, AL5 2NN. EU residents may contact their local Data Protection Authority. UK residents may contact the ICO.

2. Data we collect

Provided by you

  • Registration details, role, organisation.
  • Authentication credentials and MFA tokens.
  • Billing details and invoicing references.
  • Files, datasets, annotations, comments.

Collected automatically

  • IP address, device and browser type.
  • Session IDs, usage analytics, error logs.
  • Security telemetry and anomaly flags.

From third parties

  • SSO and identity providers.
  • Market, regulatory, and ESG data feeds.
  • Optional integrations and workflow tools.

We do not collect special category data unless a regulated customer instructs us and appropriate safeguards are in place.

3. Lawful bases for processing

  • Contractual necessity for provisioning accounts and modules.
  • Legitimate interests for platform improvement and security.
  • Legal obligation for compliance and audit purposes.
  • Consent for optional marketing to business contacts.
We document processing under GDPR Article 30 and apply data minimisation, purpose limitation, and storage limitation principles.

4. Storage and retention

  • Primary storage in the UK and EU with logical segregation per customer.
  • Encryption in transit TLS 1.2 or higher and at rest AES 256 or stronger.
  • Encrypted backups in separate UK or EU regions with aligned erasure schedules.
  • Default retention equals subscription term plus 90 day off boarding period.
  • Audit and finance records retained for statutory periods, typically up to six years.
On termination or request from the controller we return or erase customer data consistent with GDPR Article 28(3)(g) and Article 17. Minimal audit trails may be retained where law requires.

5. Purposes of processing

Purpose Legal basis Typical storage period
Account setup and platform access Contract Subscription term plus 90 days
Platform performance and security Legitimate interests Operational logs 12 to 24 months
Billing and financial records Contract and legal obligation Statutory record period
Compliance with supervisory requests Legal obligation As required by law
Product analytics and improvement Legitimate interests Aggregated or anonymised retention

6. Data sharing

We do not sell data

We disclose personal data only to deliver services and comply with law.

Sub processors

Cloud hosting, logging, and model APIs under GDPR compliant DPAs and Standard Contractual Clauses where required.

Authorities

Lawful requests only, after verification and in line with legal obligations.

7. International transfers

Where personal data leaves the UK or EU, we use adequacy decisions where available or Standard Contractual Clauses with supplementary technical and organisational measures.

8. Security measures

  • ISO 27001 aligned ISMS and SOC 2 Type II controls.
  • Encryption in transit and at rest with strong key management.
  • MFA, role based access control, least privilege.
  • Third party penetration testing and continuous vulnerability management.
  • Business continuity and disaster recovery tested regularly.
We monitor for anomalies, maintain audit logs, and follow secure disposal procedures for end of life media and backups.

9. Your rights

  • Access, rectification, and erasure where applicable.
  • Restriction and objection, including to marketing.
  • Data portability for data you provided.
  • Withdraw consent where processing relies on consent.
To exercise rights contact privacy@riskmetrica.com. We generally respond within 30 days. You may complain to the UK ICO or your EU DPA.

10. Cookies and tracking

We use essential cookies for secure sessions and optional analytics cookies for usability. Manage preferences in your browser or via in platform controls. See our Cookie Policy for details.

11. Children

The services are not intended for individuals under 18. We do not knowingly collect data from minors. If you believe a child has provided data contact us for deletion.

12. Changes to this policy

We may update this policy to reflect legal or technical changes. Material changes will be notified in product or by email. Continued use after the effective date indicates acceptance.

13. Contact

For privacy requests and questions:

  • Data Protection Officer, RiskMetrica Ltd
  • Email: privacy@riskmetrica.com
  • Address: 10 Fairway Close, Hertfordshire, Harpenden, United Kingdom, AL5 2NN
  • Phone: +44 7807780284
You may lodge a complaint with the UK Information Commissioner's Office or with your local EU Data Protection Authority.