Privacy Notice
Effective date: 23 May 2026
This Privacy Notice explains how InnovPath Professional Services ("AssuranceLoop", "we", "us") processes personal data in connection with the AssuranceLoop platform and websites (the "Service"). It is written to comply with the UK General Data Protection Regulation, the EU General Data Protection Regulation (collectively, "GDPR") and the UK Data Protection Act 2018.
We act as a controller for personal data we collect about visitors to our websites and people who create accounts. When a customer uses the Service to process personal data within their workspace, we act as a processor on the customer's behalf and the customer is the controller.
1. Controller & contact
- Controller: InnovPath Professional Services (trading as AssuranceLoop).
- Contact: privacy@assuranceloop.co.uk
- Data Protection Officer: dpo@assuranceloop.co.uk
2. Personal data we process
2.1 Account & profile data
- Full name and email address.
- Authentication metadata (hashed password, sign-in timestamps).
- Workspace membership and role (Owner, Admin, Reviewer).
- Consent records (when you accepted the Terms and Privacy Notice; marketing opt-in).
2.2 Usage & security data
- Server logs (IP address, user-agent, request path and timestamp) for security, abuse prevention and service availability.
- Audit-trail entries created by your interactions within the Service.
2.3 Customer Data
Content you upload to your workspace — AI system records, assessments, controls, evidence files — may contain personal data chosen by you. We process this data on your instructions under our Data Processing Agreement.
2.4 What we do not collect
- We do not use behavioural advertising trackers.
- We do not sell personal data.
- We do not require special category data to operate the Service.
3. Purposes & legal bases
- Provide the Service (Article 6(1)(b) — contract): create and maintain your account, authenticate you, render the features you use.
- Security & abuse prevention (Article 6(1)(f) — legitimate interests): protect the Service and our users from unauthorised access and misuse.
- Service communications (Article 6(1)(b)): send transactional emails such as password reset and security alerts.
- Marketing communications (Article 6(1)(a) — consent): only where you opt in. You can withdraw consent at any time via the unsubscribe link.
- Legal compliance (Article 6(1)(c)): respond to lawful requests, retain records required by law.
- Product improvement (Article 6(1)(f)): aggregated and anonymised usage statistics. We do not profile individuals.
4. Recipients & subprocessors
We share personal data with a limited set of subprocessors who help us deliver the Service. Each is bound by written terms requiring appropriate security and confidentiality:
- Cloud hosting & database: Lovable Cloud (Supabase), hosted in the European Union.
- Email delivery: transactional email provider for account and security emails.
- Error monitoring: aggregated diagnostic events to maintain reliability.
An up-to-date list of subprocessors is available on request from privacy@assuranceloop.co.uk. We provide customers with reasonable notice of new subprocessors as set out in the Data Processing Agreement.
5. International transfers
The Service is hosted in the European Union. Where personal data is transferred outside the UK or EEA, we rely on the UK International Data Transfer Agreement, the European Commission's Standard Contractual Clauses (2021/914), and equivalent safeguards, together with a documented transfer impact assessment.
6. Retention
- Account data: retained for the life of the account and deleted within 30 days of account closure.
- Customer Data: retained until the customer deletes it or instructs us to do so, then erased in accordance with the Data Processing Agreement.
- Server logs: retained for up to 90 days unless required longer for security or legal reasons.
- Billing records: retained for the period required by applicable tax law (typically 6–10 years).
7. Your rights
Under the GDPR, you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate or incomplete data.
- Request erasure ("right to be forgotten") where applicable.
- Restrict or object to processing in certain circumstances.
- Receive your personal data in a structured, machine-readable format and transmit it to another controller (data portability).
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
- Lodge a complaint with a supervisory authority — for the UK, the Information Commissioner's Office (ICO); for the EU, your local data protection authority.
To exercise any of these rights, email privacy@assuranceloop.co.uk. We respond within one month and may extend this period by two further months for complex requests, in which case we will notify you within the first month.
8. Security
We implement appropriate technical and organisational measures to protect personal data, including: encryption in transit (TLS 1.2+), encryption at rest, role-based access controls, workspace isolation via row-level security, audit logging, least-privilege access for staff, and supplier risk management. No system is perfectly secure; if we become aware of a personal data breach affecting you, we will notify you in accordance with Articles 33 and 34 GDPR.
9. Automated decision-making
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.
10. Children
The Service is intended for use by professionals and is not directed at children under 16. We do not knowingly collect personal data from children.
11. Changes to this Privacy Notice
We may update this Privacy Notice from time to time. Material changes will be notified by email or in-product notice with at least thirty (30) days' advance notice. The "Effective date" above indicates the latest revision.