Privacy Policy
CrownSync CE Readiness
Last updated: March 2026
CrownSync LTD (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect information when you use CrownSync CE Readiness at crownsync.uk.
CrownSync LTD is registered with the Information Commissioner’s Office (ICO) as a data controller. Registration reference: ZC109210.
1. Who We Are
Data Controller:
CrownSync LTD
Company number: 15464490
128 City Road, London, EC1V 2NX
Email: [email protected]
Website: crownsync.uk
For all data protection queries, contact us at [email protected] with the subject line “Data Protection”.
2. What Data We Collect
2.1 Account and identity data:
- Name and email address (via Clerk)
- Authentication tokens and session data
2.2 Organisation data:
- Organisation name, company registration number
- Registered and operational address
- Sector, employee count, website
- Data retrieved from Companies House API (publicly available information only)
2.3 Assessment data:
- Answers to Cyber Essentials preparation questions
- Evidence notes attached to answers
- Gap analysis results
- Comments and discussion threads
- Version history of answers
2.4 Team and collaboration data:
- Names and email addresses of invited contributors
- Question assignments and deadlines
- Contributor access tokens
- Names and email addresses of remediation task assignees (including third parties such as contractors or managed service providers)
- Remediation task instructions and completion notes
2.5 Board sign-off data:
- Names and email addresses of board approvers
- Approval tokens and timestamps
- IP addresses at time of approval
- Declaration text confirmed by approvers
2.6 Audit log data:
- Audit log of actions taken within assessments including question answers, sign-off decisions, and data exports
- Timestamps and action descriptions for all significant events
- IP addresses at the point of board sign-off
This data is processed on the basis of legitimate interests to maintain assessment integrity and accountability. It is retained for 12 months.
2.7 Technical data:
- Browser type and version (via Clerk)
- IP address
- Pages visited and time spent (via Plausible Analytics — see Section 5)
3. How We Use Your Data
We process your data under the following lawful bases:
3.1 Contract performance (Article 6(1)(b) UK GDPR):
- Providing the assessment preparation service
- Sending invitation and reminder emails
- Processing board sign-off requests
- Generating reports and exports
3.2 Legitimate interests (Article 6(1)(f) UK GDPR):
- Preventing fraud and abuse
- Maintaining security of the service
- Improving the service based on usage patterns
- Operating the audit trail for data integrity
3.3 Legal obligation (Article 6(1)(c) UK GDPR):
- Complying with applicable laws and regulations
- Responding to lawful requests from authorities
We do not use your assessment data for marketing, profiling, or sale to third parties.
4. Data Sharing
4.1 We share data with the following third-party processors under appropriate data processing agreements:
Clerk (authentication)
Purpose: User authentication and session management
Location: United States (Standard Contractual Clauses in place)
Privacy policy: clerk.com/legal/privacy
Resend (email)
Purpose: Sending invitation, reminder, and sign-off emails
Location: United States (Standard Contractual Clauses in place)
Privacy policy: resend.com/legal/privacy-policy
Plausible Analytics (self-hosted)
Purpose: Anonymous website analytics
Location: European Union (Germany) — self-hosted on our own infrastructure. No data is sent to Plausible’s own servers.
Note: Plausible does not use cookies and does not collect personally identifiable information
Privacy policy: plausible.io/privacy
Companies House API
Purpose: Auto-filling organisation details during onboarding
Note: We query publicly available data only. No personal data is sent to Companies House.
Operated by: Companies House, Cardiff, Wales
Hetzner Online (hosting)
Purpose: Hosting the application and database
Location: European Union (Germany/Finland)
Privacy policy: hetzner.com/legal/privacy-policy
4.2 We do not sell your data to any third party.
4.3 We may disclose your data if required by law, court order, or regulatory authority.
5. Analytics
We use Plausible Analytics to understand how visitors use our website.
Plausible does not use cookies and does not collect personally identifiable information. It records page views and custom events in aggregate only.
Data collected by Plausible includes:
- Pages visited
- Referring website
- Browser type
- Country (derived from IP address, not stored)
Your IP address is not stored by Plausible.
No consent is required for Plausible analytics under UK GDPR as no personal data is processed.
6. Cookies
We use only strictly necessary cookies.
Authentication cookies (set by Clerk):
- Purpose: Maintaining your login session
- Duration: Up to 7 days
- Basis: Strictly necessary — no consent required
We do not use advertising, tracking, or analytics cookies.
Full details are in our Cookie Policy.
7. How Long We Keep Your Data
We apply different retention periods depending on the type of data:
| Data type | Retention period | Basis |
|---|---|---|
| Assessment answers and gap analysis | 12 months from last activity | Legitimate interests |
| Account data (name, email) | Until erasure request or account deletion | Consent / contract |
| Audit log records | 6 years (anonymised after erasure request) | Legitimate interests / legal claims |
| Board sign-off records | 6 years (name anonymised after erasure request) | Legitimate interests / legal claims |
| Contributor data | 12 months from assessment end | Legitimate interests |
| Financial records (when applicable) | 6 years | Legal obligation (HMRC) |
After the applicable retention period, data is securely deleted or further anonymised.
7A. Your Right to Erasure
You have the right to request erasure of your personal data under UK GDPR Article 17. When we receive a valid erasure request, we will process it within 30 days.
How we handle erasure requests
Rather than deleting all data associated with your account, we anonymise your personal identifiers while retaining your organisation’s assessment data. This approach satisfies your right to erasure while protecting our legitimate governance interests and those of your organisation.
What we anonymise (your personal data):
- Your name — replaced with “Former User”
- Your email address — replaced with an anonymised identifier
- Your IP addresses in audit records — removed
- Your login account — permanently deleted
What we retain (organisational data):
- Your organisation’s name and company details
- Assessment answers and gap analysis results
- Board sign-off decisions and timestamps (your name anonymised)
- Audit log events (your name anonymised, IP address removed)
- Remediation notes (content retained, your name anonymised)
Why we retain organisational data
Assessment and audit records are retained for up to 6 years under UK GDPR Article 17(3) for the following legitimate purposes:
- Governance and accountability of the Cyber Essentials preparation process
- Defence of legal claims (6-year limitation period under English law)
- Fraud prevention and dispute resolution
- Compliance with our obligations to other users of the same assessment
How to request erasure
Submit an erasure request through your account at /account/privacy, or email [email protected]. We will acknowledge your request within 72 hours and complete processing within 30 days.
Contributors
If you were invited as a contributor and do not have a CrownSync account, submit your erasure request at /privacy/erasure-request or email [email protected].
7B. Anonymisation
Where we anonymise data in response to an erasure request, the resulting anonymised data no longer constitutes personal data under UK GDPR. Anonymised records cannot be used to identify you and are not subject to data protection law. We use anonymisation as a privacy-preserving alternative to deletion where we have legitimate interests in retaining the underlying record.
8. Your Rights
Under UK GDPR you have the right to:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate personal data.
- Right to erasure: Request anonymisation of your personal identifiers (subject to legitimate retention interests as described in Section 7A).
- Right to restriction: Request that we restrict processing of your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time.
You can exercise your data rights at any time by visiting your Privacy & Data settings at crownsync.uk/account/privacy. For requests that cannot be handled automatically, contact [email protected].
We will acknowledge all data subject requests within 72 hours and respond in full within 30 days of receipt. If we need additional time (up to a further 2 months for complex requests), we will notify you within the initial 30-day period explaining the reason for the delay.
Contributors and remediation assignees
If you have been invited to contribute to an assessment or assigned a remediation task, your name and email address are processed by CrownSync on behalf of the organisation that invited you. You can submit a data subject request directly via our privacy portal at crownsync.uk/account/privacy after creating a free account, or submit an erasure request at /privacy/erasure-request without creating an account, or email [email protected].
Board sign-off participants
Where an assessment owner requests board sign-off, we process the name, job title, and email address of the director or signatory to send the sign-off request and record the declaration. Upon approval or rejection, the signatory’s IP address and timestamp are recorded for audit purposes. A partial IP address is visible to the assessment owner as confirmation that the sign-off was completed. The full IP address is retained in system audit logs accessible only to CrownSync administrators. Sign-off participants may exercise their data rights by contacting [email protected]. The legal basis for this processing is legitimate interests — specifically the organisation’s interest in maintaining a tamper-evident record of the sign-off declaration.
In the event of an erasure request from a signatory, their name will be replaced with “Former Signatory” in all records. The sign-off decision, timestamp, and role/title are retained for 6 years as part of the organisation’s governance record. This anonymised record no longer constitutes personal data under UK GDPR.
Automated reminders
Where contributors have been assigned tasks with deadlines, we may send automated reminder emails at 7 days, 3 days, and 1 day before the deadline, and after the deadline passes. Recipients may contact the assessment owner to be removed from assignments.
You also have the right to lodge a complaint with the Information Commissioner’s Office:
- Website: ico.org.uk/concerns
- Helpline: 0303 123 1113
9. Data Security
We implement the following security measures:
- All data transmitted over HTTPS/TLS
- Database encrypted at rest
- Access controls limiting staff access to personal data
- Authentication via Clerk with MFA available
- Regular security updates applied within 14 days of release
- Audit logging of all significant data access
We regularly update our software dependencies and address security vulnerabilities as part of our commitment to keeping your data secure. Security updates are applied within 14 days of release.
We regularly review security advisories for our software dependencies. Where vulnerabilities require major version upgrades that would introduce breaking changes, we assess the practical risk in the context of our infrastructure before upgrading. Our application is protected by a Web Application Firewall and authenticated access controls which mitigate the majority of known vulnerabilities in our current dependency versions.
We will notify you and the ICO of any personal data breach within 72 hours of becoming aware of it, where required by law.
10. Infrastructure Security and Provider Certifications
CrownSync is built on infrastructure from providers that hold independent third-party security certifications. We selected these providers specifically because of their security posture and compliance with international standards relevant to UK and European data protection law.
Hetzner Online GmbH — Cloud Infrastructure and Data Hosting
Your assessment data is stored on servers hosted by Hetzner Online GmbH, a German cloud provider. Hetzner’s data centres are located in Germany and Finland and hold the following certifications:
- ISO/IEC 27001:2022 — International standard for information security management systems
- ISO/IEC 27018 — Standard for protection of personally identifiable information in cloud services
- BSI C5:2020 — German Federal Office for Information Security Cloud Computing Compliance Criteria Catalogue
- PCI DSS — Payment Card Industry Data Security Standard
- KRITIS-V / NIS-2 — Compliance with EU Network and Information Security Directive and German critical infrastructure regulations
- BSI Grundschutz — German Federal Office for Information Security baseline protection standards
- SOC 2 — Service Organisation Controls for security, availability, and confidentiality
Hetzner maintains Technical and Organisational Measures (TOMs) that meet the requirements of Article 32 of the UK GDPR. Your data is stored in the European Union and does not leave the EU/EEA.
Cloudflare, Inc. — Web Application Firewall and DDoS Protection
All traffic to CrownSync passes through Cloudflare’s network, which provides DDoS protection, Web Application Firewall (WAF), and SSL/TLS termination. Cloudflare holds the following certifications:
- ISO/IEC 27001 — Information security management (certified since 2019, full platform scope)
- ISO/IEC 27701:2019 — Privacy information management system, aligned with GDPR — Cloudflare is certified as both a data processor and data controller under this standard
- ISO/IEC 27018 — Protection of personal data in cloud services
- SOC 2 Type II — Annual independent audit of security, confidentiality, and availability controls
- PCI DSS Level 1 — Highest level of payment card industry certification, audited annually by a Qualified Security Assessor
- BSI C5:2020 — German Federal Office for Information Security cloud standard
- European Cloud Code of Conduct — EU framework for cloud service provider data protection compliance
Cloudflare acts as a data processor on behalf of CrownSync. A Data Processing Agreement (DPA) is in place with Cloudflare in accordance with UK GDPR Article 28.
Resend Inc. — Transactional Email Delivery
CrownSync uses Resend to send transactional emails including contributor invitations, assessment notifications, and account verification emails. Resend holds:
- SOC 2 Type II — Annual independent audit covering security, availability, and confidentiality of customer data
Resend processes only the email addresses necessary to deliver transactional emails. No marketing emails are sent via Resend. A Data Processing Agreement is in place with Resend in accordance with UK GDPR Article 28.
Clerk, Inc. — Authentication and Identity Management
User authentication, sign-in, and account management are handled by Clerk. Clerk holds:
- SOC 2 Type II — Annual independent audit of security controls
- GDPR compliance — Clerk acts as a data processor for authentication data with Standard Contractual Clauses in place for data transfers
Why we chose these providers
Each provider was selected based on their security certification status, data residency options, and compliance with UK and EU data protection law. We review our provider certifications annually and will update this section when certifications change.
For questions about our infrastructure security or to request copies of relevant Data Processing Agreements, contact [email protected].
11. International Transfers
Some of our third-party processors are located outside the UK/EEA (specifically Clerk and Resend in the United States). These transfers are protected by Standard Contractual Clauses approved by the ICO.
Your assessment data and organisation data are hosted by Hetzner within the European Union and do not leave the EEA.
Storing data on EU-based servers is fully compliant with UK GDPR. The European Union has been granted adequacy status by the UK government, meaning data transfers between the UK and EU meet the required legal standards.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect.
The current version is always available at crownsync.uk/privacy-policy.
13. Contact
For any privacy-related queries:
Email: [email protected]
Subject line: “Data Protection”
CrownSync LTD
128 City Road, London, EC1V 2NX
Website: crownsync.uk