BlueTower Privacy Notice

Version 1.0 · Effective [to be set on publication] · Last reviewed 2026-07-09

Draft — pending legal review. This notice is a codebase-grounded draft for audit readiness. The controller identity, DPO/SRI appointment, lead supervisory authority, lawful-basis conclusions, and transfer strategy must be confirmed by qualified data-protection counsel, and the bracketed values completed, before it is treated as published. This is general information, not legal advice.

1. Who we are and our role

[COMPANY LEGAL NAME] ("we", "us") operates BlueTower, a B2B governance, risk and compliance platform that helps organisations run vendor-risk reviews and analyse SOC reports. Registered address: [REGISTERED ADDRESS]. Privacy contact: [privacy@yourcompany.example].

We have two roles under GDPR. We are a processor (Art. 28) for the data our business customers put into their BlueTower tenant — their employees' user accounts, vendor contacts, and the SOC reports and evidence they upload; for that data the customer is the controller and is your first point of contact. We are a controller (Art. 4(7)) for data we determine the purposes of: our own platform-administrator accounts, security and audit logs, session/login records (including IP addresses and device strings), and customer-administrator contact details for account management. This notice covers the data for which we are the controller and, for transparency, explains how we handle customer tenant data as a processor.

2. Data Protection Officer

Our data-protection contact: [dpo@yourcompany.example]. Until a DPO/SRI appointment is finalised (an Art. 37 assessment is in progress), privacy enquiries are handled by [privacy@yourcompany.example].

3. Categories of personal data we process

As controller (platform and security data):

CategoryExamplesData subjects
Account identityName, email, initials, rolePlatform / customer administrators
Authentication databcrypt password hashes, MFA/TOTP secrets and backup codes, hashed session tokensAdministrators, customer users
Security telemetryIP address, user-agent, login timestamps, failed-login / lockout recordsAll authenticated users
Audit recordsActor name, role, action, IP, timestamp, tamper-evidence hashAll authenticated users
Account-management dataCustomer-admin names/emails, billing notesCustomer administrators

As processor (customer tenant data, controlled by our customers):

CategoryExamplesData subjects
Tenant user accountsName, email, initials, roleCustomer employees
Vendor and contact recordsVendor contact name, email, phone, business-owner emailVendor personnel; customer employees
Share recipientsQuestionnaire and draft-share recipient names/emailsExternal auditors and recipients
Uploaded documentsSOC reports, evidence and screenshots that may name auditors, signatories and personnelIndividuals named in documents

We do not intend to process special-category data (Art. 9); uploaded documents are free-form and could incidentally contain sensitive content, which we flag as a residual risk addressed in our DPIA. We do not knowingly collect data from children.

4. Purposes and lawful bases (Art. 6)

PurposeLawful basis
Providing the platform: accounts, authentication, review workflowsContract (Art. 6(1)(b))
Account security: sessions, MFA, rate limiting, lockout, audit loggingLegitimate interests (Art. 6(1)(f))
Detecting and investigating security incidents and abuseLegitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) for breach records
AI-assisted analysis of uploaded SOC reports (Section 9)Processor activity on customer (controller) instructions
Account management, support and billingContract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f))
Transactional email (password resets, share links, notifications)Contract (Art. 6(1)(b))

Each legitimate-interests claim is supported by a documented Legitimate Interests Assessment retained as evidence. We do not sell personal data and do not use it for cross-context behavioural advertising.

5. Recipients and subprocessors

We share personal data with the providers that operate our infrastructure and features, each acting as our processor under an Art. 28 contract: cloud infrastructure and storage (Supabase, Vercel); AI/LLM providers for SOC-report analysis (Google Gemini, Anthropic Claude, Hugging Face embeddings); transactional email (Resend); security tooling (VirusTotal file-hash lookup — hash only, not file content); and single sign-on (BoxyHQ SAML Jackson). Our current subprocessors, the data each receives, their location and the transfer mechanism are maintained in our Subprocessor List, updated with advance change-notification. We may also disclose data where required by law or to establish or defend legal claims.

6. International transfers

Our infrastructure and subprocessors are US-hosted. For UK/EEA personal data transferred to the US we rely on the EU–US Data Privacy Framework / UK–US Data Bridge where a subprocessor holds a current certification, with 2021 Standard Contractual Clauses maintained as a parallel safeguard, plus supplementary technical measures (encryption in transit and at rest; PII redaction before AI processing). The DPF is under appeal to the CJEU (Case C-703/25 P), so we keep SCCs ready as an alternative so a subsequent invalidation would not interrupt lawful transfer. Details are available on request.

7. How long we keep your data

Data categoryRetention
Audit-log records7 years (scheduled purge)
Uploaded SOC reports3 years
Evidence files2 years
Review records5 years
Sessions and reset tokens90 days / on expiry
Deprovisioned customer (tenant) data30 days after account termination

Retention is enforced in the platform by scheduled purge jobs. We keep personal data only as long as necessary for the stated purpose, then delete or anonymise it.

8. Your rights

Where we are the controller, you have the rights to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), and to withdraw consent where we rely on it. You will not be subject to a solely automated decision producing legal or similarly significant effects (Art. 22 — see Section 9). Authenticated users can export their own data in-app; contact [privacy@yourcompany.example] to exercise any right. We respond within one month and free of charge, extendable by up to two months for complex requests. If your data sits inside a customer's tenant, the customer is the controller — please direct your request to them, and we assist them as their processor.

9. Use of artificial intelligence

BlueTower uses AI to assist with reviewing SOC reports (extracting control objectives, CUECs and exceptions). A human is always in the loop: AI output is stored as a pending, AI-attributed suggestion that never overwrites a human answer, and a qualified reviewer must accept, edit or reject it — there is no solely automated decision with legal or similarly significant effect. Before document text is sent to an AI provider, obvious incidental identifiers (person emails, phone numbers, national ID numbers) are redacted; vendor and control references are preserved because the analysis needs them. AI providers are listed as subprocessors and are bound, or are being bound, not to train models on our customers' data.

10. Cookies

BlueTower uses only strictly necessary cookies to keep you logged in and secure your session (bt-session), which are exempt from consent because they are essential to the service. We do not use analytics, advertising or tracking cookies. If that changes, we will present an equal-prominence Accept/Reject consent choice before any non-essential cookie is set.

11. Your right to complain

You may lodge a complaint with a supervisory authority, in particular in your country of residence, place of work, or place of the alleged infringement. UK: Information Commissioner's Office (ico.org.uk, 0303 123 1113). EU lead supervisory authority: [EU lead supervisory authority]. We would appreciate the chance to address your concern first — please contact [privacy@yourcompany.example].

12. Changes to this notice

We review this notice at least annually and whenever our processing materially changes. The version and effective date are shown at the top; material changes are communicated to account administrators.

General compliance information, not legal advice. © 2026 [COMPANY LEGAL NAME].