Privacy Policy

Effective date: 14 April 2026  ·  Last updated: 14 April 2026

Passpol Ltd is committed to protecting your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains what we collect, why we collect it, how long we keep it, and your rights.

1. Who We Are and How to Contact Us

Passpol Ltd is the data controller for all personal data collected through this platform.

Company: Passpol Ltd

Company No.: 17156285

Registered in: England and Wales

Registered office: 1 Carr View Avenue, Doncaster, DN4 8AY

ICO Registration: ZC123950

Passpol Ltd is registered with the Information Commissioner's Office (ICO) under registration reference ZC123950.

Email: hello@passpol.co.uk

For any privacy-related questions, data subject access requests, or to report a concern, email us at hello@passpol.co.uk. We aim to respond within 30 days.


2. What Personal Data We Collect

Category | Examples
Account information | Name, email address, password (stored as a bcrypt hash — never plain text)
Business information | Company name, industry, location, employee count, Companies House number (optional)
ESG questionnaire responses | Your answers to our 18-question environmental, social and governance assessment
Payment information | Billing details processed by Stripe — we do not store card numbers or full payment data on our servers
Usage and security data | Login timestamps and IP addresses, used solely for security and fraud prevention

3. Why We Collect It — Lawful Basis Under UK GDPR

Purpose | Lawful basis
Providing and operating the Passpol platform | Contract performance (Article 6(1)(b))
Generating your ESG profile and framework reports | Contract performance (Article 6(1)(b))
Processing payments via Stripe | Contract performance (Article 6(1)(b))
Sending transactional emails (welcome, password reset, etc.) | Contract performance (Article 6(1)(b))
Security monitoring and fraud prevention | Legitimate interests (Article 6(1)(f))
Improving the platform via anonymised analytics | Legitimate interests (Article 6(1)(f))
Complying with legal and financial obligations | Legal obligation (Article 6(1)(c))

4. How Long We Keep Your Data

  • Account and ESG data — retained while your account is active, plus 2 years after account closure or last login, to allow account recovery and comply with regulatory requests.
  • Financial and payment records — retained for 7 years from the date of transaction in accordance with HMRC requirements.
  • Security logs (IP addresses, login events) — retained for 90 days.
  • You can request deletion of your account at any time via Settings or by emailing hello@passpol.co.uk. Account data will be deleted within 30 days; financial records retained as above.

5. Who We Share Your Data With

We only share your data with third-party processors who are under appropriate Data Processing Agreements (DPAs). We do not sell your data or share it with advertisers.

Processor | Purpose | DPA in place
Railway | Cloud infrastructure and hosting | Yes
Resend | Transactional email delivery | Yes
Stripe | Payment processing | Yes

Your Passpol profile link is shareable at your discretion. When you share your passport link with a buyer, that buyer can view your ESG profile data. You control all sharing through your account.


6. International Data Transfers

Where your data is transferred outside the UK, we ensure appropriate safeguards are in place:

  • Railway (EU West — Netherlands): The EU is covered by a UK adequacy regulation. No further transfer mechanism required.
  • Stripe (United States): Transfers are made under the UK–US Data Bridge, which provides an adequacy-equivalent framework for participating US organisations.
  • Resend (United States): Transfers are made under the UK–US Data Bridge.

7. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete data.
  • Right to erasure — ask us to delete your personal data (subject to legal retention obligations).
  • Right to restriction — ask us to restrict processing of your data in certain circumstances.
  • Right to data portability — receive your data in a structured, machine-readable format. You can export your ESG data at any time from Settings.
  • Right to object — object to processing based on legitimate interests.

To exercise any of these rights, email hello@passpol.co.uk with the subject line "Data Subject Request". We will respond within 30 days.


8. How to Complain to the ICO

If you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Telephone: 0303 123 1113

Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the opportunity to address your concerns before you contact the ICO — please reach out to us first at hello@passpol.co.uk.


9. Cookies and Local Storage

We use strictly necessary browser storage only:

  • JWT authentication token — stored in localStorage to keep you logged in during your session. This token is removed when you log out.

We do not use tracking cookies, advertising cookies, analytics cookies, or any third-party cookies. No cookie consent banner is required because we use only strictly necessary storage.


10. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify registered users by email at least 14 days before the change takes effect. The "Effective date" at the top of this page will reflect the most recent version.

Continued use of the platform after the effective date constitutes acceptance of the updated policy. If you disagree with the changes, you may close your account before the effective date.


Passpol Ltd · Company No. 17156285 · Registered in England and Wales · hello@passpol.co.uk