DataShield HQ Start Free Trial

Privacy Policy

Effective date: 25 February 2026

1. Who We Are

DataShield HQ ("we", "us", "our") operates a cloud-based GDPR compliance platform. This Privacy Policy explains how we collect, use, store and protect personal data when you visit our website, create an account or use our services.

For the purposes of the EU/UK General Data Protection Regulation (GDPR), DataShield HQ is the data controller for information collected through this website and account registration. When our customers use the platform to manage their own data subjects, DataShield HQ acts as a data processor on behalf of the customer (see our Data Processing Agreement).

2. Data We Collect

2.1 Account & Billing Data

When you register or subscribe we collect:

  • Full name, email address and organisation name
  • Password (stored as a salted, hashed value — we never store plaintext passwords)
  • Billing address and VAT/tax identification number (if applicable)
  • Payment card details are processed directly by our payment processor (Stripe) and are never stored on our servers

2.2 Usage & Technical Data

  • IP address, browser type, operating system and device identifiers
  • Pages visited, features used, timestamps and session duration
  • Error and performance logs to maintain service reliability

2.3 Customer-Managed Data

Personal data that you (or your organisation) enter into the platform relating to your own data subjects is processed by us solely on your instructions and in accordance with our Data Processing Agreement.

3. How We Use Your Data

Purpose Legal Basis (GDPR Art. 6)
Provide and maintain the service Performance of a contract
Process payments and invoicing Performance of a contract
Send transactional emails (e.g. deadline alerts) Performance of a contract
Improve security, diagnose bugs, monitor performance Legitimate interest
Send product updates and marketing (opt-in only) Consent
Comply with legal or regulatory obligations Legal obligation

4. Data Sharing & Sub-Processors

We do not sell your personal data. We share data only with:

  • Cloud infrastructure provider — for hosting and database services (data region selected by the customer)
  • Stripe — payment processing
  • Transactional email provider — for sending system notifications
  • Freshdesk — customer support ticketing

All sub-processors are bound by data processing agreements that require GDPR-equivalent protections. A current list of sub-processors is available upon request.

5. International Transfers

Customer data is stored in the data region selected during account setup. Where data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or an adequacy decision, to ensure an appropriate level of protection.

6. Data Retention

  • Account data — retained for the duration of your subscription plus 30 days after cancellation to allow for reactivation.
  • Audit logs — retained according to your subscription tier (30 days to custom).
  • Billing records — retained for up to 7 years to meet tax and accounting obligations.
  • Usage analytics — aggregated and anonymised within 90 days.

7. Your Rights

Under the GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your personal data ("right to be forgotten").
  • Restriction — ask us to limit how we process your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interest or direct marketing.
  • Withdraw consent — at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@datashieldhq.com. We will respond within 30 days.

8. Security

We implement appropriate technical and organisational measures including:

  • Mandatory two-factor authentication for all accounts
  • TLS 1.2+ encryption for data in transit
  • AES-256 encryption for data at rest
  • Per-tenant database isolation
  • Immutable audit logging of all system activity
  • Regular vulnerability assessments

9. Cookies

We use essential cookies that are strictly necessary for the operation of our platform (e.g. authentication tokens). We do not use third-party advertising or tracking cookies. For analytics, we use privacy-focused, cookieless methods where possible.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notification at least 14 days before they take effect. The "Effective date" at the top of this page indicates when the policy was last revised.

11. Contact Us

If you have questions about this Privacy Policy or wish to make a complaint, contact us at:

DataShield HQ
Email: privacy@datashieldhq.com
Support: datashieldhq.freshdesk.com

You also have the right to lodge a complaint with your local data protection supervisory authority.