Privacy Policy
Last updated: 6 July 2026
1. Introduction
Dassae Ltd, trading as Assura ("Assura", "we", "us" or "our"), is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our compliance assessment platform and related services (the "Service").
By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.
2. Information We Collect
2.1 Information You Provide
We collect information that you voluntarily provide to us, including:
- Account Information: Name, email address, username, password, company name, and job title;
- Profile Information: Professional details, industry, company size;
- Payment Information: Billing address and payment card details (processed by our payment provider);
- Assessment Data: Compliance questionnaire responses, risk assessments, uploaded documents;
- Communications: Messages, feedback, and support requests you send to us;
- User Content: Any data, files, or content you upload to the Service.
2.2 Information Collected Automatically
When you access the Service, we automatically collect certain information, including:
- Device Information: Device type, operating system, browser type, unique device identifiers;
- Usage Data: Pages visited, features used, time spent on pages, click patterns;
- Log Data: IP address, access times, referring URLs, error logs;
- Cookies and Tracking: Information collected through cookies, pixels, and similar technologies.
2.3 Information from Third Parties
We may receive information about you from third parties, including:
- Identity verification services;
- Payment processors;
- Integration partners (with your authorisation);
- Publicly available sources.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service;
- Process transactions and send related information;
- Create and manage your account;
- Send administrative messages, updates, and security alerts;
- Respond to your comments, questions, and support requests;
- Personalise your experience and deliver relevant content;
- Generate AI-powered recommendations and insights;
- Analyse usage patterns to improve our products;
- Detect, prevent, and address fraud and security issues;
- Comply with legal obligations;
- Send marketing communications (with your consent).
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, our legal bases for processing your personal data include:
| Legal Basis | Purpose |
|---|---|
| Contract Performance | To provide the Service you have requested and manage your account |
| Legitimate Interests | To improve our services, prevent fraud, and ensure security |
| Consent | To send marketing communications and use certain cookies |
| Legal Obligation | To comply with applicable laws and regulations |
5. Information Sharing and Disclosure
We may share your information in the following circumstances:
5.1 Service Providers
We share information with third-party vendors who perform services on our behalf, including:
- Cloud hosting and infrastructure providers;
- Payment processors (e.g., Stripe);
- Email delivery services;
- Analytics providers;
- Customer support tools.
These providers are contractually obligated to protect your information and use it only for the purposes we specify.
5.2 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities, including courts, law enforcement, or government agencies.
5.3 Business Transfers
If Assura is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or control of your personal information.
5.4 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
6. Data Retention
We retain your personal information for as long as necessary to:
- Provide the Service to you;
- Comply with legal obligations;
- Resolve disputes;
- Enforce our agreements.
6.1 Retention Schedule
| Data Category | Retention Period |
|---|---|
| Account Information | Duration of account + 30 days after deletion request |
| Assessment Data | Duration of account + 90 days after deletion |
| Payment Records | 7 years (UK tax/accounting requirements) |
| Audit Logs | 3 years for security and compliance |
| Marketing Consent Records | Duration of consent + 3 years after withdrawal |
| Support Communications | 2 years after resolution |
When you close your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain certain information for legal or legitimate business purposes as outlined above.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal information, including:
- Encryption of data in transit (TLS/SSL) and at rest;
- Secure cloud infrastructure with industry-standard certifications;
- Regular security assessments and penetration testing;
- Access controls and authentication mechanisms;
- Employee training on data protection;
- Incident response procedures.
However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.
8. Your Rights and Choices
8.1 Your Rights (GDPR/UK GDPR)
If you are in the EEA or UK, you have the following rights:
- Access: Request a copy of the personal data we hold about you;
- Rectification: Request correction of inaccurate or incomplete data;
- Erasure: Request deletion of your personal data ("right to be forgotten");
- Restriction: Request limitation of processing of your data;
- Portability: Request transfer of your data in a structured format;
- Objection: Object to processing based on legitimate interests or direct marketing;
- Withdraw Consent: Withdraw consent at any time where processing is based on consent.
To exercise these rights, contact us at privacy@assurasec.com. We will respond within 30 days.
8.2 Marketing Communications
You can opt out of marketing emails by clicking the "unsubscribe" link in any marketing email or by contacting us. Note that you may still receive transactional or administrative emails.
8.3 Cookies
Most browsers allow you to control cookies through their settings. You can also use our cookie consent tool to manage your preferences. Note that disabling certain cookies may affect the functionality of the Service.
9. International Data Transfers
Your information may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection. When we transfer data internationally, we use appropriate safeguards, including:
- Standard Contractual Clauses approved by the European Commission;
- Transfers to countries with adequate data protection laws;
- Other legally approved transfer mechanisms.
10. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will take steps to delete that information promptly.
11. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal information.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on our website and, where appropriate, by email. Your continued use of the Service after any changes indicates your acceptance of the updated policy.
13. Data Protection Officer
If you have questions about this Privacy Policy or our data practices, you may contact our Data Protection Officer at:
- Email: dpo@assurasec.com
- Privacy inquiries: privacy@assurasec.com
14. Supervisory Authority
If you are in the EEA or UK, you have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable law. In the UK, the supervisory authority is the Information Commissioner's Office (ICO).
15. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach;
- Notify affected individuals without undue delay;
- Document all breaches in our internal breach register;
- Provide information about the nature of the breach, likely consequences, and measures taken.
16. Data Portability
You can export all your personal data at any time from within your Assura account settings. The export includes your profile information, assessment data, task history, and audit logs in a portable JSON format. To request a data export:
- Log into your Assura account;
- Navigate to Settings;
- Select "Export My Data" to download a complete copy of your personal data.
17. Contact Us
For questions or concerns about this Privacy Policy or our data practices, please contact us:
- Email: privacy@assurasec.com
- Support: support@assurasec.com
- Website: www.assurasec.com
Data Controller:
Dassae Ltd
Company Registration Number: 16994444
Registered Address: Flat 2, 3 Hannington Road, London, England, SW4 0NA, United Kingdom
Dassae Ltd is the data controller responsible for your personal information under this Privacy Policy and the UK Data Protection Act 2018.