Privacy Policy
SCF Controls Platform
Effective Date: 24 January 2026 | Last Updated: 24 January 2026
1. Our Commitment to Your Privacy
Ginga Ninja Holdings Ltd, trading as ComplianceGenie.io ("Company", "we", "us", "our") is committed to protecting your privacy. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection laws.
Data Controller: Ginga Ninja Holdings Ltd, trading as ComplianceGenie.io
Email: [email protected]
2. Scope
This Privacy Policy applies to:
- Users who register for and use the Platform
- Visitors to our website and related services
- Individuals whose data is processed through the Platform by our customers
For data processed on behalf of our customers (as Data Processor), please refer to the relevant customer's privacy policy.
3. Data We Collect
Account Information
Name, email address, job title, and authentication data used to create and manage your account.
Customer Content
Control scoping decisions, evidence records, risk assessments, and team member information.
Usage Data
Technical data, access logs, and performance metrics to maintain and improve the Platform.
3.1 Account Information
When you register for the Platform, we collect:
| Data Category | Examples |
|---|---|
| Identity Data | First name, last name, job title |
| Contact Data | Email address, organisation name |
| Authentication Data | Google OAuth tokens (we do not store passwords) |
3.2 Usage Data
We automatically collect:
| Data Category | Examples |
|---|---|
| Technical Data | IP address, browser type, device information, operating system |
| Access Data | Login timestamps, pages visited, features used |
| Performance Data | Error logs, response times, system diagnostics |
3.3 Customer Content
Data you upload or create within the Platform:
- Control scoping decisions and implementation status
- Evidence collection records
- Risk assessments
- Organisation and team member information
- Comments and notes
Note: We process Customer Content on your behalf as a Data Processor. You remain the Data Controller for this information.
4. How We Use Your Data
4.1 Legal Bases for Processing
| Legal Basis | Purpose |
|---|---|
| Contract Performance | Providing the Platform, account management, customer support |
| Legitimate Interests | Service improvement, security, fraud prevention, analytics |
| Legal Obligation | Tax records, regulatory compliance, legal claims |
| Consent | Marketing communications (where required) |
4.2 Specific Purposes
We use your data to:
- Provide the Service — Create and manage accounts, authenticate users, deliver Platform functionality
- Maintain Security — Monitor for threats, prevent unauthorised access, protect against fraud
- Improve the Platform — Analyse usage patterns, develop new features, optimise performance
- Communicate — Send service notifications, respond to enquiries, provide support
- Comply with Law — Meet legal obligations, respond to lawful requests, protect our rights
4.3 Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
5. Data Sharing
5.1 Third-Party Service Providers
We share data with service providers who assist in operating the Platform:
| Provider Category | Purpose | Data Shared |
|---|---|---|
| Cloud Infrastructure (AWS) | Hosting, data storage | All Platform data |
| Authentication (Google OAuth) | User login | Email, name |
| Analytics (Google Analytics) | Usage analysis | Anonymised usage data |
| Email Services | Transactional emails | Email address, name |
| Payment Processors | Subscription billing | Payment details (not stored by us) |
All service providers are contractually bound to protect your data and process it only as instructed.
5.2 Within Your Organisation
Platform administrators within your organisation can access:
- User account information for members of their organisation
- Activity logs and usage data
- Customer Content created by team members
5.3 Legal Requirements
We may disclose data when required by:
- Court orders or legal process
- Law enforcement requests
- Protection of our rights or safety
- Prevention of fraud or security threats
5.4 No Sale of Data
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
6. International Data Transfers
6.1 Transfer Mechanisms
Your data may be transferred to and processed in countries outside the UK and European Economic Area. We ensure appropriate safeguards through:
- Standard Contractual Clauses (SCCs) — EU-approved contractual terms with recipients
- Adequacy Decisions — Transfers to countries deemed adequate by UK/EU authorities
- Binding Corporate Rules — For transfers within corporate groups (where applicable)
6.2 AWS Infrastructure
The Platform is hosted on Amazon Web Services. Data is primarily stored in EU-West (Ireland) and UK regions, with failover capabilities to other AWS regions for disaster recovery.
7. Data Retention
7.1 Retention Periods
| Data Type | Retention Period | Rationale |
|---|---|---|
| Account Data | Duration of account + 2 years | Service delivery, legal obligations |
| Usage Logs | 12 months | Security, troubleshooting |
| Customer Content | Duration of subscription + 90 days | Data export period |
| Billing Records | 7 years | Tax and legal requirements |
| Support Correspondence | 3 years | Service quality, dispute resolution |
7.2 Data Deletion
Upon account termination or subscription cancellation:
- You have 90 days to export your data
- Customer Content is deleted after the export period
- Aggregated, anonymised data may be retained for analytics
- Backups are purged according to our retention schedule
8. Your Rights
Under UK GDPR and EU GDPR, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Correct inaccurate or incomplete data |
| Erasure | Request deletion of your data ("right to be forgotten") |
| Restriction | Limit how we process your data |
| Portability | Receive your data in a machine-readable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw consent where processing is consent-based |
| Complaint | Lodge a complaint with a supervisory authority |
8.1 Exercising Your Rights
To exercise your rights, contact us at: [email protected]
We will respond within 30 days. We may request identity verification to protect your data.
8.2 Supervisory Authority
You have the right to lodge a complaint with:
UK: Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113
EU: Your local data protection authority
9. Data Security
9.1 Security Measures
We implement appropriate technical and organisational measures to protect your data:
| Measure | Implementation |
|---|---|
| Encryption in Transit | TLS 1.2+ for all connections |
| Encryption at Rest | AES-256 for stored data |
| Access Controls | Role-based access, principle of least privilege |
| Authentication | Google OAuth, session management |
| Infrastructure Security | AWS security controls, VPC isolation |
| Monitoring | Intrusion detection, security logging |
| Vulnerability Management | Regular security testing, patching |
9.2 Incident Response
In the event of a personal data breach that poses risk to your rights and freedoms:
- We will notify relevant supervisory authorities within 72 hours
- We will notify affected individuals without undue delay
- We will document all breaches and remedial actions
10. Cookies and Tracking
For detailed information about our use of cookies and tracking technologies, please see our Cookie Policy.
11. Children's Privacy
The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy periodically. Changes will be communicated through:
- Email notification to registered users
- Prominent notice on the Platform
- Updated "Last Updated" date
We encourage you to review this policy regularly. Continued use of the Platform after changes take effect constitutes acceptance of the updated policy.
13. Data Processing Agreement
For enterprise customers processing personal data through the Platform, we provide a Data Processing Agreement (DPA) that meets GDPR requirements. The DPA covers:
- Processing instructions and restrictions
- Security obligations
- Sub-processor management
- Data subject rights assistance
- Breach notification procedures
- Audit rights
Contact [email protected] to request a DPA.
14. Contact Us
For privacy enquiries, data subject requests, or concerns about our data practices:
Data Protection Contact
Ginga Ninja Holdings Ltd, trading as ComplianceGenie.io
Office 10, Technology House, 9 Newton Place, Glasgow, Scotland, G3 7PR
Phone: 0141 258 1202
Email: [email protected]
We aim to respond to all enquiries within 30 days.
15. Additional Information for Specific Jurisdictions
15.1 California Residents (CCPA)
California residents have additional rights under the California Consumer Privacy Act:
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale of personal information
- Right to non-discrimination for exercising rights
We do not sell personal information. To exercise your rights, contact us at [email protected].
15.2 Swiss Residents
For Swiss residents, we comply with the Swiss Federal Act on Data Protection (FADP). You may contact the Swiss Federal Data Protection and Information Commissioner (FDPIC) regarding complaints.
By using the SCF Controls Platform, you acknowledge that you have read and understood this Privacy Policy.