Privacy Policy

Last updated: April 2026

1. Data Controller and DPO

KitBase Ltd is the data controller for personal data processed through the KitBase platform. KitBase Ltd is registered in England and Wales.

You can contact our Data Protection Officer (DPO) at privacy@kitbase.uk.

2. Data We Collect

We collect:

  • account information (name, email, role);
  • asset data (equipment details, serial numbers, inspection records);
  • usage data (scan events, timestamps, GPS coordinates where consented);
  • uploaded documents (certificates, photographs, signatures); and
  • technical data (IP addresses, device information for security purposes).

3. Legal Basis (UK GDPR)

We process personal data under:

  • legitimate interests (providing the compliance management service);
  • contractual necessity (fulfilling service agreements);
  • legal obligation (maintaining statutory examination records as required by UK law); and
  • consent (GPS location data, email notifications).

4. Data Storage and Security

All data is stored in the United Kingdom using Supabase infrastructure hosted in the London (eu-west-2) AWS region. Data is not transferred outside the UK without explicit consent.

Data is encrypted at rest using AES-256 and in transit using TLS 1.3. Access is controlled via Row Level Security policies ensuring organisation-level data isolation.

5. Data Retention

Asset and compliance data is retained for the duration of the service agreement plus 7 years, in line with UK statutory record-keeping requirements. Account data is deleted within 30 days of account closure upon request.

6. Your Rights Under UK GDPR

Under the UK GDPR you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate or incomplete data;
  • erase your data (subject to legal retention requirements);
  • restrict processing of your data;
  • data portability — receive your data in a structured, machine-readable format; and
  • object to processing based on legitimate interests.

To exercise any of these rights, contact our DPO at privacy@kitbase.uk. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

7. Third Parties

We use the following trusted sub-processors strictly to deliver the service:

  • Supabase — database and storage hosting, UK (London, eu-west-2) region;
  • Resend — transactional email delivery;
  • Mapbox — map rendering (no personal data shared).

We do not sell personal data to third parties and we do not share it for marketing or advertising purposes.

8. Cookies

We use session cookies only for authentication. These cookies are essential to keep you signed in and to protect your account. No tracking, analytics, or advertising cookies are used.

KitBase Ltd is a company registered in England and Wales.