Privacy Policy

Updated: 19 March 2026

1. Introduction

SectorSMART (Situational Management Assessment & Response Training) Ltd ("we", "our", "us") is committed to protecting the privacy and security of your personal data. This policy describes how we collect, use, store and protect personal information when you use the SectorSMART platform. SectorSMART Ltd is registered in England and Wales (Company No. 17047477) and is registered with the Information Commissioner's Office (ICO) under registration number CSN3122679. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

2. Data Controller & Data Protection Lead

SectorSMART Ltd is the data processor. Your subscribing organisation (employer) is the data controller and determines the purposes for which your personal data is processed through the platform. SectorSMART processes data on behalf of your organisation under a Data Processing Agreement. For data protection enquiries, contact our Data Protection Lead, Adam Hackett, at privacy@sectorsmart.co.uk.

3. Data We Collect

We collect and process the following categories of personal data on behalf of your organisation: (a) Account data — name, email address, role, organisation, rank, station, and watch group, as provided by your organisation or during registration; (b) Training performance data — scenario attempts, scores, completion dates, competency assessment results, and certification records; (c) Wellbeing check-in data — optional self-reported wellbeing ratings (1–5 scale). We treat this as potentially special category data under Article 9 UK GDPR and process it only with your explicit consent; (d) AI interaction data — conversation logs from the AI Debrief Coach and AI Companion features, used solely to generate personalised training feedback within your session; (e) Compliance and audit data — certificate generation records, training sign-offs, and audit logs required for regulatory compliance; (f) Technical data — browser type, IP address (for security and access logging), login timestamps, and session duration.

4. Lawful Basis for Processing

We process personal data under the following lawful bases: (a) Performance of contract (Article 6(1)(b)) — to deliver the training platform services under our agreement with your organisation; (b) Legitimate interests (Article 6(1)(f)) — to maintain platform security, prevent fraud, generate aggregated analytics to improve the service, and ensure system reliability. We have conducted a legitimate interests assessment for these purposes; (c) Legal obligation (Article 6(1)(c)) — to comply with UK health and safety training record-keeping requirements; (d) Explicit consent (Article 6(1)(a), together with the Article 9(2)(a) condition for special category data) — for processing wellbeing check-in data, which may constitute special category data relating to health; (e) Consent (Article 6(1)(a)) — for optional analytics cookies. You may withdraw consent at any time via Settings > Privacy or by contacting privacy@sectorsmart.co.uk.

5. AI-Generated Content

The SectorSMART platform uses artificial intelligence (provided by Anthropic) to generate personalised training feedback through the AI Debrief Coach and AI Companion features. No personally identifiable information is sent to the AI provider — only anonymised scenario context and performance data. AI-generated feedback is for training purposes only and does not constitute professional, medical, or legal advice. AI conversation logs are stored on our UK-based servers and are not retained by the AI provider.

6. Data Retention

We retain personal data for the following periods: (a) Account data — for the duration of your organisation's contract with us, plus 12 months, after which it is securely deleted; (b) Training performance records — for the duration of your organisation's contract plus 6 years, in line with UK health and safety record-keeping guidance; (c) Wellbeing check-in data — for the duration of your organisation's contract, deleted within 90 days of contract termination; (d) AI conversation logs — retained for 12 months from creation, then automatically purged; (e) Compliance records and certificates — for the duration of your organisation's contract plus 6 years; (f) Audit logs — retained for 2 years for security purposes. Upon contract termination, your organisation may request export of all data before deletion.

7. Data Sharing & Sub-Processors

We share data with: (a) Your subscribing organisation — training records, compliance status, and aggregated analytics as the data controller; (b) Google Cloud Platform (UK, London region) — hosting, database, and storage services. All data resides in the europe-west2 (London) region; (c) Anthropic (USA) — AI model provider for feedback generation. No personally identifiable information is included in API requests; (d) GitHub (USA) — source code repository only, no user data is stored. We never sell personal data to third parties. A full sub-processor list is available upon request.

8. International Transfers

All personal data is stored and processed within the United Kingdom on Google Cloud Platform's europe-west2 (London) infrastructure. We do not transfer personal data outside the UK. Where our sub-processors are based outside the UK (such as Anthropic for AI processing), no personally identifiable information is included in data sent to them.

9. Your Rights

Under UK GDPR, you have the right to: (a) access your personal data (Subject Access Request); (b) rectify inaccurate or incomplete data; (c) request erasure of your data ("right to be forgotten"), subject to legal retention obligations; (d) restrict processing in certain circumstances; (e) data portability — receive your data in a structured, commonly used, machine-readable format; (f) object to processing based on legitimate interests; (g) withdraw consent at any time where processing is based on consent; (h) not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. To exercise any of these rights, contact privacy@sectorsmart.co.uk. We will respond within one calendar month. If you are not satisfied with our response, you have the right to complain to the ICO at ico.org.uk.

10. Security Measures

We implement appropriate technical and organisational measures to protect your data, including: encryption in transit (TLS 1.3) and at rest; role-based access controls with principle of least privilege; comprehensive audit logging; automated daily database backups; private networking for database access (no public IP); and regular security reviews. We are committed to achieving Cyber Essentials certification.

11. Cookies

We use cookies and similar technologies on the platform. Essential cookies (authentication, security) are required for the platform to function. Analytics and functional cookies are only set with your explicit consent via our cookie banner. For full details, see our Cookie Policy.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via the platform and, where appropriate, by email. The "Updated" date at the top of this policy indicates the most recent revision. Continued use of the platform after changes constitutes acceptance of the updated policy.