Last updated: 21 May 2026
Data Controller: CIS Comply Ltd, United Kingdom.
ICO Registration: Pending registration.
1. What we collect
- Account data: email, company name, contact name
- Compliance data: subcontractor UTR, NI numbers, verification records, due diligence logs (processed as legitimate business records)
- Documents: uploaded compliance evidence
- Payment data: processed by Stripe — we never see card details
- Technical data: IP address, browser type, session data
2. Legal basis (UK GDPR)
- Compliance data: Legitimate interests (enabling contractors to meet their legal CIS obligations)
- Account data: Contract performance
- Payment data: Contract performance
- Marketing emails: Consent (opt-in only)
3. Data storage and security
- Data stored via Supabase (EU region — Frankfurt, Germany)
- Stripe processes payments (PCI DSS Level 1 certified)
- Data encrypted at rest (AES-256) and in transit (TLS 1.3)
- Access controlled by Row Level Security — each user's data is isolated and inaccessible to other users
4. How long we keep data
- Active accounts: data retained while account is active
- Deleted accounts: data retained for 30 days then permanently deleted
- Exception: where retention is required by law (e.g. tax records)
5. Your rights (UK GDPR)
- Access: request a copy of your data (use Export in Settings)
- Rectification: correct inaccurate data
- Erasure: delete your account and data
- Portability: export your data in CSV format
- Objection: object to processing based on legitimate interests
To exercise rights: contact support@ciscomply.co.uk. Response within 30 days.
6. Cookies
See our Cookie Policy.
7. Changes to this policy
We will notify you by email of material changes.
8. Contact
support@ciscomply.co.uk
Information Commissioner's Office: ico.org.uk · Tel: 0303 123 1113