This Privacy Policy governs the collection, processing, storage, and use of personal data by Wolsten Studios LTD, a company incorporated in the Republic of Cyprus (Registration Number: ΗΕ 485976), operating the Siteproof software platform.

As a Cypriot-registered entity, Wolsten Studios LTD is subject to the General Data Protection Regulation (GDPR) (EU) 2016/679 and the applicable Cypriot national data protection legislation administered by the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus.

This policy applies to all users of the Siteproof platform, including main contractors, subcontractors, field operatives, supervisors, and administrative personnel who access the software in any capacity. It covers data collected through our web application, mobile interfaces, and any associated communication channels.

Siteproof is a business-to-business (B2B) platform. We do not hold or process end-customer personal data on behalf of client organisations. The data we process relates solely to the registered users, operatives, and administrators who interact with the platform directly.

We collect only the minimum personal data necessary to provide and improve the Siteproof platform. The categories of data we may process include:

• Identity Data: Full name, job title, and role within your organisation
• Contact Data: Work email address and telephone number
• Authentication Data: Login credentials and session tokens (managed via Clerk — see Section 6)
• Usage Data: Feature interactions, access logs, page views, and session duration for security and improvement purposes
• Technical Data: IP address, device type, browser type, and operating system
• Communication Data: Support tickets, training enquiries, and correspondence submitted to us
• Audit & Activity Data: Job records, sign-off actions, photo uploads, and workflow events created within the platform for compliance and accountability purposes

We do not collect, store, or process sensitive personal data (special category data) under Article 9 of the GDPR, such, biometric, or financial data.

We process personal data under one or more of the following lawful bases in Article 6 of the GDPR:

Wolsten Studios LTD uses the following third-party infrastructure to store and process platform data:

We have entered into Data Processing Agreements (DPAs) with all sub-processors handling personal data. A full list of sub-processors is available upon request by contacting privacy@siteproof.io.

We retain personal data only for to fulfil the purposes for which it was collected, to meet legal obligations, and to resolve disputes or enforce agreements.

• Active account data is retained for the duration of your organisation's subscription or service agreement
• Audit trail records (job completions, sign-offs, evidence logs) may be retained for up to 7 years to satisfy regulatory and contractual compliance requirements typical in the utilities sector
• Support correspondence is retained for 2 years after resolution
• Authentication logs are retained for 90 days for security and incident investigation
• Upon account termination, data is anonymised or deleted within 90 days, unless a longer retention period is required by law or agreed contractually

As a data subject under the GDPR, you have the following rights with respect to your personal data. You may exercise any of these rights by contacting us at the details provided in Section 11.

We will respond to all verified requests within 30 days. In complex cases, this may be extended by a further 60 days with prior notice. We reserve the right to verify your identity before fulfilling a request.

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including by our sub-processors Supabase and Clerk who may operate infrastructure in the United States. Where such transfers occur, we ensure they are protected by appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Data Processing Agreements incorporating GDPR-compliant transfer mechanisms

Our UK Training Centre operates in accordance with the UK GDPR and the Data Protection Act 2018. No personal data is routinely transferred to the UK Training Centre; it is used solely for delivery of training services.

We implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or alteration. These measures include:

• End-to-end encryption in transit using TLS 1.2+ for all data communications
• Encryption at rest for database records and file storage via Supabase
• Multi-factor authentication support and session management via Clerk
• Role-based access control (RBAC) limiting data access to authorised personnel only
• Regular security assessments and dependency audits
• Incident response procedures with breach notification processes compliant with Article 33 GDPR (72-hour reporting window)

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Wolsten Studios LTD will notify the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.

Where a breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay. Affected client organisations will be notified promptly and provided with a breach summary including the nature of the incident, categories of data affected, and remediation steps taken.

Siteproof uses essential cookies and session tokens required for the platform to function, including authentication session cookies managed by Clerk. We do not use third-party advertising cookies, behavioural tracking, or cross-site tracking technologies.

• Essential Cookies: Required for login, session management, and security (cannot be disabled)
• Analytics (where applicable), aggregated usage data for platform improvement — no personal identifiers
• No third-party advertising or retargeting cookies are used

For any privacy-related enquiries, subject access requests, or concerns regarding how we process your personal data, please contact us at:

You also have the right to lodge a complaint with the competent supervisory authority. As a Cypriot-registered company, our lead supervisory authority is:

If you are based in the United Kingdom and your concerns relate to our UK Training Centre activities, you may also contact the Information Commissioner's Office (ICO) at ico.org.uk.

We reserve the right to update this Privacy Policy periodically to reflect changes in legislation, our services, or our data processing practices. Material changes will be communicated to registered users via email or an in-platform notification at least 14 days before taking effect.

The version date at the top of this page indicates when the policy was last reviewed. Continued use of the Siteproof platform after the effective date of any update constitutes acceptance of the revised policy.