Privacy Policy

Last updated: 12 March 2026

1. Overview

RiskSignal is designed to minimise the collection and processing of personal data. The GDPR Risk Snapshot can be completed without creating an account and without submitting personal or sensitive information.

No ongoing user profile is created. Assessment responses are not linked to an identifiable individual. Typeform is configured to collect anonymous responses only — no name, email address, or identifying information is requested or stored during the assessment.

This Privacy Policy explains how limited information is processed when you use the RiskSignal service.

2. Data Controller

For the purposes of the General Data Protection Regulation (EU GDPR) and UK GDPR, the data controller is:

RiskSignal, operated by G.O.O, Ireland.
Email: support@risksignal.co

3. Information We Process

3.1 Assessment Responses

The snapshot is designed so that responses relate to business practices and workflows rather than personal data. Users are not asked to submit personal or special category data.

Because responses are anonymous and cannot be linked to an identifiable individual, they fall outside the scope of personal data under GDPR. No retention obligations apply to assessment responses beyond the period necessary to generate the snapshot outcome.

3.2 Payment Information

Payments are processed by Stripe. RiskSignal does not receive or store full payment card details. Stripe acts as a data processor and maintains its own privacy and security certifications.

Limited transaction information — including payment confirmation, transaction amount, and reference ID — is retained by RiskSignal for accounting and record-keeping purposes, and to respond to customer support queries where required. Financial records are retained for seven years in accordance with applicable accounting obligations under Irish law.

3.3 Support Communications

If you contact us for support, we will process the information you provide — such as your email address and message content — solely to respond to your enquiry. Support communications are retained only for as long as necessary to resolve the enquiry and are then deleted.

4. Lawful Basis for Processing

Where personal data is processed, RiskSignal relies on the following lawful bases under Article 6 GDPR:

  • Article 6(1)(b) — processing is necessary for the performance of a contract (delivery of the requested service).
  • Article 6(1)(f) — processing is necessary for our legitimate interests in operating, securing, and supporting the service, where those interests are not overridden by your rights.

5. How Information Is Used

Information processed by RiskSignal is used only to:

  • generate the GDPR Risk Snapshot outcome,
  • deliver the service requested by the user,
  • process payments and maintain financial records, and
  • respond to support or retrieval requests.

Information is used only for the purposes described above. It is not shared with third parties for their own use and is not used for marketing.

6. Third-Party Service Providers

RiskSignal uses the following third-party services to operate the product. Each acts as a data processor under contractual obligations consistent with GDPR and UK GDPR requirements.

Stripe

Payment processing. Stripe handles all card transactions. RiskSignal receives only transaction confirmation and reference data. Stripe is PCI DSS certified and maintains its own data protection terms.

stripe.com/privacy

Typeform

Assessment delivery. Typeform hosts and delivers the GDPR Risk Snapshot questionnaire. Responses are configured as anonymous. No personal data is collected through the assessment form.

typeform.com/help/a/typeform-and-gdpr

Vercel

Infrastructure and hosting. Vercel hosts the RiskSignal web application. Data processed through the application passes through Vercel infrastructure. Vercel operates data centres within the EU and EEA.

vercel.com/legal/privacy-policy

Upstash

Data storage. Upstash provides serverless data storage used in the generation and temporary retention of snapshot outputs. Data is stored within EU regions. Upstash operates under standard contractual terms consistent with GDPR.

upstash.com/trust/privacy.pdf

7. International Transfers

RiskSignal uses service providers that primarily operate within the EU and EEA. Where personal data is processed outside the UK or EEA, appropriate safeguards are in place — such as Standard Contractual Clauses or equivalent legal mechanisms — to ensure an adequate level of data protection.

8. Data Retention

Snapshot submissions are retained for 30 days from the date of completion. After 30 days, your submission and the personal data contained within it are permanently deleted from our systems. No backup or archive is kept after deletion. If you wish to retain a copy of your snapshot, download or save it within 30 days of purchase.

Transaction records are retained for seven years in accordance with applicable financial and accounting obligations.

Support communications are retained only for as long as necessary to resolve the enquiry and are then deleted.

9. Cookies and Technical Data

RiskSignal does not use advertising cookies or behavioural tracking technologies.

Basic technical cookies may be used where strictly necessary for service functionality, security, and protection against abuse. No data collected through technical cookies is used for marketing or profiling purposes.

10. Your Data Protection Rights

Where applicable under GDPR or UK GDPR, you have the right to:

  • request access to your personal data,
  • request correction of inaccurate data,
  • request deletion of your personal data,
  • request restriction of processing,
  • object to processing based on legitimate interests,
  • request data portability, where technically feasible, and
  • lodge a complaint with a supervisory authority — such as the Data Protection Commission (Ireland), the UK Information Commissioner's Office, or your local EU authority.

Requests can be made by contacting support@risksignal.co. We may need to verify your identity before responding and will respond within the timeframes required by applicable law.

Because assessment responses are anonymous, it is not possible to retrieve or delete a specific individual's assessment data — there is no identifying information with which to locate it.

11. Security

RiskSignal implements appropriate technical and organisational measures to protect information against unauthorised access, loss, alteration, or misuse, taking into account the limited nature of the personal data processed.

12. Changes to This Policy

This Privacy Policy may be updated to reflect changes in the service or applicable legal requirements. The current version will always be available on this page. The date at the top of this page indicates when it was last updated.

13. Contact

If you have questions about this Privacy Policy or how information is handled, contact us at:

support@risksignal.co