Privacy Notice
How we collect, use, and protect your personal data
1. INTRODUCTION
1.1 About This Notice
This Privacy Notice explains how AssureOS Limited ("AssureOS", "we", "us", or "our") collects, uses, shares, and protects personal data in connection with our Platform and services. We are committed to protecting your privacy and handling your data responsibly.
Arqen Group LTD T/A AssureOS is a company registered in England and Wales (company number 16770928) with registered office at 20 Wenlock Road, London, England, N1 7GU.
1.2 Who This Notice Applies To
This Privacy Notice applies to:
- Platform Users: Employees, contractors, and other individuals who access the Platform through a subscribing organisation ("Customer")
- Customer Administrators: Individuals who manage Platform accounts and settings for Customers
- Data Subjects: Individuals whose personal data is processed through the Platform (such as employees, candidates, or service users managed by Customers)
- Prospective Customers: Individuals who enquire about, request demonstrations of, or trial the Platform
- Website Visitors: Individuals who visit our public websites
- Business Contacts: Representatives of Customers, suppliers, partners, and other organisations we work with
1.3 Data Controller Information
AssureOS as Controller: We are the data controller for: (a) personal data we collect directly from you (such as account registration, website visits, and enquiries); (b) personal data about our business contacts; and (c) personal data we process for our own business purposes.
Customers as Controllers: For personal data processed through the Platform on behalf of Customers, the Customer is typically the data controller. We act as a data processor on behalf of Customers. If you are a Platform user or your data is held on the Platform by a Customer, please contact that organisation directly with questions about how they handle your personal data.
1.4 Changes to This Notice
We may update this Privacy Notice from time to time. We will notify you of material changes by posting the updated notice on our website and updating the "Effective Date". We encourage you to review this notice periodically.
2. PERSONAL DATA WE COLLECT
2.1 Data You Provide Directly
Account Registration and Profile Information:
- Name, email address, phone number
- Job title, role, department
- Organisation name and details
- Username and password
- Profile photograph (optional)
- Communication preferences
- Information you include in enquiry forms, emails, or other communications
- Demo requests and trial registrations
- Support requests and feedback
- Survey and research responses
- Professional registration numbers and status
- Qualifications and certifications
- Training records and competencies
- Employment history
- References and background check information
2.2 Data Collected Automatically
Technical and Usage Data:
- IP address and approximate location
- Device type, operating system, and browser
- Pages viewed, features used, and actions taken
- Access times, session duration, and frequency
- Referral sources and links clicked
- Error reports and performance data
We use cookies, pixels, and similar technologies to collect some of this information. See Section 9 for details about our use of cookies.
2.3 Data from Third Parties
From Customers and Employers: If you are a Platform user, your employer or the subscribing Customer may provide us with your personal data to set up and manage your account.
From Third-Party Services: The Platform integrates with third-party services that may return personal data, including:
- Professional regulatory bodies (HCPC, GMC, NMC, SIA, etc.)
- Government agencies (DVLA, DVSA, DBS, etc.)
- Identity verification providers
- Training and certification providers
- Background check providers
We may collect information from publicly available sources such as professional registers, company registries, and LinkedIn (where relevant to our business relationships).
2.4 Special Categories of Personal Data
Depending on how the Platform is used by Customers, the Platform may process special categories of personal data (sensitive data), including:
- Health information (such as fitness-to-practice records, occupational health data)
- Criminal conviction and DBS check data
- Biometric data (where biometric identity verification is used)
- Racial or ethnic origin (where collected for equality monitoring)
Important: We process special category data only where necessary and where there is a lawful basis to do so, such as: (a) with your explicit consent; (b) for employment law purposes; (c) for reasons of substantial public interest; or (d) for healthcare purposes. When Customers upload or collect this data through the Platform, they are responsible for ensuring they have an appropriate lawful basis.
3. HOW WE USE PERSONAL DATA
3.1 Purposes of Processing
We use personal data for the following purposes:
Providing and Operating the Platform:
- Setting up and managing user accounts
- Providing access to Platform features and functionality
- Processing transactions and providing requested services
- Responding to support requests and enquiries
- Sending service-related communications (such as security alerts and updates)
- Analysing usage patterns and trends
- Testing and developing new features
- Fixing bugs and improving performance
- Conducting research and analytics (using aggregated or anonymised data)
- Protecting the security and integrity of the Platform
- Detecting, preventing, and investigating fraud and security incidents
- Complying with legal obligations
- Enforcing our Terms of Service and other agreements
- Maintaining audit trails and records
- Sending marketing communications (with your consent or where otherwise permitted)
- Providing information about products, services, and events
- Conducting market research and surveys
- Managing our business relationships
- Processing personal data as instructed by Customers in accordance with our agreements with them
- Facilitating compliance and workforce management activities for Customers
3.2 Legal Bases for Processing
We process personal data on the following legal bases under UK GDPR:
| Legal Basis | When We Use It |
|---|---|
| Contract | Where processing is necessary to perform our contract with you or your organisation, or to take steps at your request before entering into a contract (e.g., providing the Platform, processing your account) |
| Legitimate Interests | Where processing is necessary for our legitimate interests or those of a third party, provided these are not overridden by your rights (e.g., improving our services, security, business administration, marketing to business contacts) |
| Legal Obligation | Where processing is necessary to comply with our legal obligations (e.g., tax records, responding to lawful requests from authorities) |
| Consent | Where you have given us specific consent to process your data for a particular purpose (e.g., marketing communications, certain cookies). You can withdraw consent at any time |
| Vital Interests | Where processing is necessary to protect someone's life (rare, emergency situations only) |
| Public Interest | Where processing is necessary for a task carried out in the public interest (e.g., certain healthcare-related processing) |
4. HOW WE SHARE PERSONAL DATA
4.1 Sharing with Customers
If you are a Platform user, your personal data may be shared with and accessible to your employer or the Customer organisation that provided you with access. This includes administrators and managers within that organisation who have appropriate permissions.
4.2 Service Providers
We share personal data with third-party service providers who assist us in operating the Platform and our business, including:
- Cloud hosting and infrastructure providers (UK-based data centres)
- Payment processors
- Email and communication service providers
- Customer support tools
- Analytics and monitoring services
- Security and fraud prevention services
- Professional advisers (legal, accounting, auditing)
Our service providers are contractually required to protect personal data and may only use it for the purposes we specify.
4.3 Third-Party Integrations
The Platform integrates with third-party services that process personal data, including:
Regulatory and Government Bodies:
- HCPC, GMC, NMC, SIA (professional registration verification)
- DVLA, DVSA (driving licence and vehicle checks)
- DBS (criminal record checks)
- Home Office (right to work verification)
- Identity verification providers
- Background check providers
- Training and certification providers
When you or your Customer uses these integrations, your data may be shared with and processed by these third parties in accordance with their own terms and privacy notices.
4.4 Legal and Safety Disclosures
We may disclose personal data if required to do so by law, or if we believe in good faith that such disclosure is necessary to:
- Comply with legal obligations, court orders, or legal process
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing
- Protect the personal safety of users or the public
- Protect against legal liability
4.5 Business Transfers
If AssureOS is involved in a merger, acquisition, sale of assets, or other business transaction, personal data may be transferred as part of that transaction. We will provide notice of any such transfer and any choices you may have.
4.6 Aggregated and Anonymised Data
We may share aggregated or anonymised data that does not directly identify individuals for analytics, research, benchmarking, and other purposes.
5. INTERNATIONAL DATA TRANSFERS
5.1 UK Data Storage
Primary Data Storage: Personal data processed through the Platform is stored in data centres located in the United Kingdom.
5.2 Transfers Outside the UK
In some circumstances, personal data may be transferred to, stored in, or accessed from countries outside the United Kingdom. This may occur when:
- You access the Platform from outside the UK
- We use service providers with operations outside the UK
- Third-party integrations involve non-UK services
- We provide support from different locations
5.3 Safeguards
When we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as:
- Transfers to countries with adequate data protection laws (as determined by the UK Government)
- Standard Contractual Clauses approved by the Information Commissioner's Office (ICO)
- Binding Corporate Rules (where applicable)
- Other approved transfer mechanisms under UK data protection law
You may request a copy of the safeguards we use for international transfers by contacting us.
6. DATA RETENTION
6.1 Retention Principles
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
6.2 Customer Data
For personal data processed on behalf of Customers, retention periods are determined by Customer settings and instructions. When a Customer's subscription ends, we retain their data for a limited period (typically 30 days) to allow for data export, after which it is deleted unless retention is required by law.
6.3 Typical Retention Periods
| Data Type | Typical Retention Period |
|---|---|
| Account information | Duration of account plus 3 years (or as required by law) |
| Transaction and billing records | 7 years (for tax and accounting purposes) |
| Support communications | 3 years from resolution |
| Marketing consent records | Duration of consent plus 3 years |
| Security and audit logs | 1-3 years depending on type |
| Website analytics | 26 months (aggregated) or shorter for identifiable data |
| Trial account data | 90 days after trial expiry |
6.4 Legal Holds
We may retain personal data for longer periods if required by law, regulation, legal proceedings, or government requests.
7. YOUR RIGHTS
7.1 Data Protection Rights
Under UK data protection law, you have certain rights regarding your personal data. These rights may be subject to limitations and exceptions.
Right of Access: You have the right to request a copy of the personal data we hold about you.
Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.
Right to Erasure: You have the right to request deletion of your personal data in certain circumstances (also known as the "right to be forgotten").
Right to Restriction: You have the right to request that we restrict processing of your personal data in certain circumstances.
Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object: You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, subject to certain exceptions.
Right to Withdraw Consent: Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time.
7.2 How to Exercise Your Rights
Platform Users: If you access the Platform through a Customer, please contact your Customer/employer in the first instance, as they control most personal data about you on the Platform. They can assist with access, correction, and deletion requests.
Direct Requests to AssureOS: For requests relating to data we control directly, or if your Customer directs you to us, contact our Data Protection Officer at dpo@assureos.co.uk.
We will respond to valid requests within one month. We may need to verify your identity before processing your request. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request.
7.3 Complaints
If you are not satisfied with our response to your concerns, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
8. DATA SECURITY
8.1 Our Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include:
Technical Measures:
- Encryption of data in transit (TLS) and at rest
- Secure authentication and access controls
- Multi-factor authentication options
- Regular security testing and vulnerability assessments
- Intrusion detection and monitoring
- Secure software development practices
- Regular security updates and patching
- Backup and disaster recovery procedures
- Staff training on data protection and security
- Access limited to authorised personnel on a need-to-know basis
- Confidentiality agreements
- Security incident response procedures
- Vendor due diligence and security assessments
- Regular policy reviews and updates
8.2 Certifications and Standards
We maintain industry-standard certifications and comply with relevant security frameworks, including Cyber Essentials Plus. For NHS Customers, we maintain compliance with the Data Security and Protection Toolkit (DSPT).
8.3 Your Security Responsibilities
You are responsible for maintaining the security of your account credentials, devices, and network connections. Please:
- Use strong, unique passwords
- Enable multi-factor authentication
- Keep your devices and software up to date
- Report any suspected security incidents promptly
- Log out of shared or public devices
8.4 Security Incident Response
If we become aware of a security incident affecting personal data, we will notify affected Customers and, where required, supervisory authorities and data subjects in accordance with applicable law.
9. COOKIES AND SIMILAR TECHNOLOGIES
9.1 What Are Cookies
Cookies are small text files stored on your device when you visit websites or use applications. We use cookies and similar technologies (such as pixels, local storage, and device identifiers) to operate and improve the Platform.
9.2 Types of Cookies We Use
| Cookie Type | Purpose |
|---|---|
| Strictly Necessary | Essential for the Platform to function. These cannot be disabled. They include authentication cookies, session cookies, and security cookies. |
| Functional | Remember your preferences and settings (such as language, display preferences). Enhance functionality and personalisation. |
| Analytics | Help us understand how visitors use the Platform. We use this data to improve our services. Data is typically aggregated and anonymised. |
| Marketing | Used to deliver relevant advertisements and track marketing campaign effectiveness. We may use these on our marketing website (not within the Platform application). |
9.3 Your Cookie Choices
When you first visit our website, you will be presented with a cookie banner allowing you to accept or reject non-essential cookies. You can change your cookie preferences at any time through:
- Our cookie preference centre (available in the website footer)
- Your browser settings
Please note that blocking certain cookies may affect Platform functionality.
9.4 Do Not Track
Some browsers have a "Do Not Track" feature. We do not currently respond to Do Not Track signals, but you can manage your cookie preferences as described above.
10. CHILDREN'S PRIVACY
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will take steps to delete it.
In some cases, the Platform may be used by Customers to manage data about minors (for example, in care or education settings). In such cases, the Customer is responsible for ensuring appropriate consents and safeguards are in place.
11. SPECIFIC PROCESSING SITUATIONS
11.1 Job Applicants and Recruitment
If you apply for a job at AssureOS, we collect and process your personal data for recruitment purposes. This includes CV/resume information, application forms, interview notes, references, and pre-employment checks. We retain unsuccessful application data for 12 months unless you ask us to delete it sooner or consent to longer retention for future opportunities.
11.2 Marketing Communications
We may send you marketing communications about our products and services if you have: (a) consented to receive them; or (b) are an existing customer or business contact and have not opted out. You can unsubscribe from marketing at any time by clicking the unsubscribe link in emails or contacting us.
11.3 Business Contacts
We process personal data about representatives of Customers, suppliers, partners, and other organisations we work with. This data is used to manage our business relationships and is processed on the basis of our legitimate business interests.
11.4 Events and Webinars
If you register for or attend our events, webinars, or training sessions, we collect registration information and may record sessions for later viewing. We will inform you if a session is being recorded.
12. CONTACT US
12.1 Data Protection Officer
We have appointed a Data Protection Officer (DPO) who can be contacted regarding any data protection matters:
Email: dpo@assureos.co.uk
Post: Data Protection Officer, Arqen Group LTD T/A AssureOS, 20 Wenlock Road, London, England, N1 7GU
12.2 General Contact
AssureOS
20 Wenlock Road,
London,
England,
N1 7GU
Company Number: 16770928
General Enquiries: support@assureos.co.uk
Privacy Enquiries: dpo@assureos.co.uk
Security Issues: security@assureos.co.uk
Last updated: January 2026