Privacy Policy
This policy explains how ServGrid Ltd (“we”, “us”, “our”) collects and uses personal data when you use platform.servgrid.net. We are the data controller under GDPR (EU 2016/679).
1. Who We Are
ServGrid Ltd, 123 Tech Street, London EC1A 1AA, United Kingdom.
Company No. 12345678. Email: privacy@servgrid.net.
2. Data We Collect
- Account data: name, work email address, role, organisation
- Usage data: pages visited, features used, subscription activity (server-side logs; no tracking cookies)
- Communications: support emails and messages you send us
- Service data: information you enter into the platform on behalf of your organisation (service descriptions, vendor details, etc.) — we are a data processor for this data
3. Lawful Basis for Processing
- Contract (Art. 6(1)(b)): account management, service delivery, billing
- Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, product improvement, server logs
- Consent (Art. 6(1)(a)): marketing emails (only where you have opted in)
- Legal obligation (Art. 6(1)(c)): audit log retention
4. Data Processors (Sub-processors)
- Google Cloud Platform (Cloud Run, Cloud SQL, Cloud Storage) — EU (Finland, europe-north1). Data does not leave the EU. DPA.
- Sentry — error monitoring. PII suppression enabled (send_default_pii=False). Privacy policy.
- Email provider (SMTP) — transactional emails only.
5. Data Retention
- Active account data: for the duration of your account
- Audit logs: 2 years (legal obligation basis)
- Notification records: 1 year
- Deleted account data: anonymised within 30 days of deletion
- Server access logs: 90 days
6. Your Rights
Under GDPR you have the right to:
- Access (Art. 15): request a copy of your personal data
- Rectification (Art. 16): correct inaccurate data
- Erasure (Art. 17): request deletion of your data
- Restriction (Art. 18): pause processing while a dispute is resolved
- Portability (Art. 20): receive your data in a machine-readable format
- Object (Art. 21): object to processing based on legitimate interests
To exercise any right, email privacy@servgrid.net. We will respond within 30 days.
7. California Privacy Rights (CCPA/CPRA)
We do not sell, rent, or share your personal information with third parties for their own marketing or advertising purposes. We do not engage in targeted advertising. California residents have the right to access, delete, and correct their personal information. Contact privacy@servgrid.net.
8. Cookies
We use only strictly necessary cookies (session and CSRF tokens). No analytics or marketing cookies. See our Cookie Policy for details.
9. Security
Data is encrypted in transit (TLS 1.2+) and at rest (GCP-managed encryption). Sensitive fields use additional application-layer field encryption. We maintain audit logs of all data access and changes.
10. Complaints
You have the right to lodge a complaint with a supervisory authority. In the UK: Information Commissioner's Office (ICO). In the EU: your national data protection authority.
11. Changes to This Policy
We will notify existing users by email of material changes at least 30 days before they take effect. The current version is always available at this URL.