Privacy Policy

How Vygard Ltd collects, uses, and protects personal data. Effective 28 May 2026. UK GDPR + Data Protection Act 2018.

Template — legal review required

This document is published in good faith and tracks UK GDPR structure, but has not yet been reviewed by counsel. Have it reviewed by a data-protection lawyer before relying on it for customer commitments. See /dpa for the companion Data Processing Agreement.

1. Who we are

Vygard Ltd ("we", "us") operates a B2B SaaS lone-worker safety platform sold to UK organisations across construction, care, security, forestry, healthcare and other field-services sectors. We are the data controller for visitor data on this marketing website; for customer-tenant data on the platform itself, our customers (the employers) are the data controllers and we are the data processor (see DPA).

  • Registered address: TBC — registered office
  • Companies House number: TBC
  • ICO registration: TBC — pending ICO registration
  • Data Protection contact: privacy@vygard.com
  • Data Protection Officer (GDPR Article 37): dpo@vygard.com

2. What this policy covers

This policy describes how we handle personal data in three distinct contexts:

  1. Marketing website visitors (this site). We are the controller.
  2. Prospective customers who book demos / start trials. We are the controller.
  3. Workers + admins of customer tenants using the platform itself. Our customer (the employer) is the controller; we are the processor. The DPA governs that processing.

3. Personal data we collect

From visitors to this website:

  • Page views, referrer, approximate location (city level) — via privacy-respecting analytics (no cross-site tracking, no ad cookies)
  • Anything you submit in the contact / demo forms (name, work email, company, phone)

From prospective customers:

  • Company name, role, contact details
  • Use-case discussion notes (kept in our CRM, retained for 24 months from last contact)
  • If you start a free trial: the data described in §4 of the DPA

From workers + admins of customer tenants (we are the processor — see DPA for the full list):

  • Identifiers: name, work email or phone, role, employee reference
  • Live + historic location pings while on shift
  • Vitals (heart-rate, fall events) from paired wearables
  • Incident records (SOS triggers, no-movement alerts, geofence events)
  • Optional: voice recordings during witness mode or voice check-ins
  • Authentication artefacts: phone number, scrypt-hashed password, refresh tokens

4. Lawful bases

We rely on the following Article 6 (UK GDPR) lawful bases:

  • Legitimate interests — running our marketing site, responding to inquiries, prospect outreach to relevant business contacts.
  • Contract — delivering the platform and billing customers once they sign up.
  • Legal obligation — tax records, HMRC compliance, anti-money-laundering.
  • Consent — non-essential analytics or marketing emails.

For special-category data (notably vitals from wearables, where we are a processor for our customers), our customers rely on Article 9(2)(b) — employment law obligations — together with appropriate safeguards. See the DPA for detail.

5. How we use your data

  • To respond to your inquiry, schedule a demo, or set up a trial
  • To deliver the platform you have signed up for
  • To send you operational emails (security alerts, billing receipts, service status)
  • To improve the product (aggregated, de-identified usage signals only)
  • To detect and prevent abuse, fraud, or platform misuse
  • To comply with legal obligations (RIDDOR submission support, HSE inquiries)

We do not: sell your data, share it with advertisers, use it to train third-party AI models, or process it for any purpose not described in this policy.

6. Sub-processors

We rely on the following sub-processors. Each has a current DPA / data transfer mechanism. The list of sub-processors used inside a tenant is in Schedule B of the DPA; the list below is for our own controller activities.

  • Fly.io — UK (London) — hosting + DB. DPA
  • Vercel — global (US-routed) — admin web hosting. DPA
  • Twilio Ireland Ltd — Ireland — SMS, WhatsApp, voice. DPA
  • Anthropic PBC — US — AI welfare-sweep + responder ranking. Data sent: tenant-scoped activity snapshots, never PII beyond worker names. DPA
  • Stripe Payments UK Ltd — UK — billing. We never see card numbers. DPA
  • Resend Inc — US — transactional email. SCCs in place. DPA

7. International transfers

Most processing is in the UK or EEA. Where data is transferred to the US (Vercel, Anthropic, Resend) we rely on the UK International Data Transfer Agreement (IDTA) or the UK addendum to the EU Standard Contractual Clauses. We have completed a Transfer Risk Assessment (TRA) for each — available on request.

8. Retention

  • Marketing inquiries: 24 months from last contact
  • Customer accounts: duration of contract + 90 days for billing reconciliation
  • Tenant operational data (incidents, location pings): see DPA — default 7 years for incident records to support insurance + HSE retention requirements; 90 days for location pings unless an incident references them, in which case retained with the incident
  • Audit logs: 7 years (master-admin actions), 90 days (worker-side operational logs)

9. Your rights

Under UK GDPR you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data (subject to our legal retention obligations)
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time (where consent is the lawful basis)
  • Complain to the Information Commissioner's Office (ico.org.uk)

To exercise any of these, email privacy@vygard.com. For workers or admins of customer tenants: your employer is the data controller — please contact them first. We will support them in fulfilling your request.

10. Security

Detailed technical and organisational measures are in Schedule C of the DPA. Summary: encryption at rest and in transit, scrypt-hashed passwords, HMAC-signed sessions, JWT auth with a 30-day TTL (1 hour for impersonation), per-tenant data isolation enforced by row-level scoping on every query, and automated daily backups with restores tested quarterly.

11. Cookies

This site uses strictly-necessary cookies only (session, CSRF). The platform itself uses one HttpOnly auth cookie (control panel session). We do not use tracking, ad, or analytics cookies that require consent under PECR. If we add optional analytics later we will surface a consent banner.

12. Changes

We will post material changes here and notify existing customers by email 14 days before the effective date. Minor clarifications may be made without notice.