Privacy Policy

1. Introduction

PICMS ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our compliance management platform.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, job title, company name, and contact details when you register
• Organisation Data: Company information, compliance documents, audit records, incident reports, and training records you upload
• Communication Data: Information you provide when contacting our support team
• Payment Information: Billing details processed securely through Stripe (we do not store card details)

2.2 Information Collected Automatically

• Usage Data: Pages visited, features used, time spent on the platform
• Device Information: Browser type, operating system, IP address
• Cookies: As described in our Cookie Policy

3. How We Use Your Information

We use your information for the following purposes:

• Providing and maintaining our compliance management services
• Processing your subscription and payments
• Sending important service updates and notifications
• Providing customer support
• Improving our platform and developing new features
• Ensuring security and preventing fraud
• Complying with legal obligations

4. Legal Basis for Processing

We process your personal data based on:

• Contract Performance: To provide our services as agreed in our Terms of Service
• Legitimate Interests: To improve our services, ensure security, and communicate with you
• Legal Compliance: To meet regulatory requirements
• Consent: Where you have given explicit consent for specific processing activities

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your information with the sub-processors listed below:

• Cloud hosting: Amazon Web Services (AWS) — eu-west-2 (London), United Kingdom
• Authentication: Auth0 (Okta) — United States, processed under the UK addendum to the EU Standard Contractual Clauses
• AI processing: Anthropic (Claude API) — United States, used for AI-assisted compliance analysis (see §5.1 below)
• Embeddings: OpenAI (text-embedding-3-small) — United States, used for semantic search of your documents (see §5.1 below)
• Email delivery: Resend — United States; AWS Simple Email Service (SES) — eu-west-2 (London)
• Payment processing: Stripe — United Kingdom / United States, regulated under PCI DSS
• Optional messaging: Telegram (only when a user voluntarily links their Telegram account for digest/alerts)

All sub-processors process your data under signed contractual data-processing terms (UK GDPR Article 28). Data crossing the UK→US border is protected under the UK addendum to the EU Standard Contractual Clauses. We notify you in advance of any new sub-processor addition. Other disclosures: we may share information when required by law or to protect our rights, and in connection with any merger or acquisition (with prior notice).

5.1 AI Features and Your Content

The Service uses third-party AI APIs to provide features such as evidence mapping, gap analysis, RAMS drafting, document generation, regulatory monitoring, and conversational compliance assistants. We send the following data categories to AI sub-processors:

Sub-processor	Data sent	Location	Purpose
Anthropic (Claude API)	User-typed messages, document excerpts, system prompts containing your organisation's compliance context	United States	AI analysis and content drafting
OpenAI (Embeddings API)	Document text chunks (~1,000 characters per chunk)	United States	Semantic search of your documents

Both providers process API content under contractual data-processing terms. Anthropic and OpenAI's API terms confirm that API content is not used to train their models by default. AI-generated output is logged in our internal audit log (for ISO 42001 governance) and retained per the retention schedule in §6. Successful AI interactions may be stored as agent memory (held in our EU/UK Supabase database) to personalise future suggestions for your organisation. You can request export or deletion of your AI interaction history at any time by contacting privacy@picms.com.

AI-generated content disclaimer: AI output is a starting point for review by a competent person — not a finished compliance artefact. Always review, edit, and approve AI output before relying on it for compliance decisions.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide services. After account closure:

• Account data is deleted within 30 days
• Compliance records may be retained for up to 7 years as required by regulations
• Backup data is purged within 90 days

7. Your Rights

Under UK GDPR, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Receive your data in a portable format
• Restriction: Limit how we process your data
• Objection: Object to certain processing activities
• Withdraw Consent: Where processing is based on consent

To exercise these rights, contact us at privacy@picms.com

8. Data Security

We implement robust security measures including:

• 256-bit SSL/TLS encryption for data in transit
• AES-256 encryption for data at rest
• Multi-factor authentication options
• Regular security audits and penetration testing
• ISO 27001 aligned security practices
• UK-based data centres with SOC 2 compliance

9. International Transfers

Your data is primarily stored in AWS EU-West-2 (London). If data needs to be transferred outside the UK/EEA, we ensure appropriate safeguards such as Standard Contractual Clauses are in place.

10. Children's Privacy

PICMS is a business service not intended for children under 16. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or platform notification at least 30 days before changes take effect.