Privacy Policy
Last updated: 3 June 2026 · Effective: 3 June 2026
1. Who we are
Raize Technology Ltd (“Raize”, “we”) operates the Raize Orion Compliance platform at raizehq.dev. We are the data controller for the personal data processed when you visit the marketing surface. When you become a customer, we are the data processor for the data you upload into your organisation’s workspace at app.raizehq.dev.
Registered in England & Wales, company number 17225613. Registered with the UK Information Commissioner’s Office, registration number ZC151322.
2. What we collect
- Account data: name, work email, organisation name, industry, size, country.
- Authentication: hashed password, MFA TOTP enrolment metadata, sign-in timestamps + IP + user-agent.
- Compliance data you upload: controls, evidence files, risks, audit findings, policies, vendor records — all org-scoped via row-level security.
- Billing: Stripe customer ID + subscription state. We never see your card number.
- Operational telemetry: Sentry error events (no PII), server access logs at the Vercel + Supabase edge layer.
3. Lawful bases (GDPR Art. 6)
- Contract (Art. 6(1)(b)): account + compliance data + billing — required to deliver the service you signed up for.
- Legitimate interests (Art. 6(1)(f)): security telemetry, sign-in geolocation, abuse detection — balanced against your right to privacy via short retention windows.
- Legal obligation (Art. 6(1)(c)): tax records (UK HMRC: 6 years), audit log retention where you are subject to HIPAA / SOC 2 / PCI DSS.
4. Retention
| Data class | Retention |
|---|---|
| Active account + compliance workspace | For the life of your subscription |
| After cancellation (read-only mode) | 90 days, then deletion |
| Audit log (sign-ins, role changes) | 12 months default; configurable up to 7 years for HIPAA orgs |
| Sentry error events | 90 days |
| Billing records (HMRC obligation) | 6 years |
5. Cookies and tracking
raizehq.dev (this marketing site) uses no analytics, advertising, or marketing cookies, and no first- or third-party tracking pixels. We use cookieless analytics (Vercel Web Analytics and Vercel Speed Insights), which transmit aggregated, anonymised performance metrics without storing identifiers on your device. No consent banner is required because nothing on this domain stores or accesses information on your device beyond what is strictly necessary to render the page.
app.raizehq.dev (the authenticated application, served on a separate subdomain) sets a first-party session cookie issued by Supabase Auth to keep you logged in. This is a strictly-necessary cookie under PECR Reg 6(4)(b) / ePrivacy Art. 5(3) — providing the service the user has explicitly requested — and does not require consent. It is HttpOnly, Secure, SameSite=Lax, scoped to the app subdomain, and expires automatically on sign-out or session timeout. No other cookies are set on the app domain.
If we ever add a cookie that is not strictly necessary (for example a marketing-attribution pixel or a customer-support widget that drops a tracking cookie), we will publish an updated cookie notice and a consent mechanism on this page, with a separate dated changelog entry, before the cookie ships. We will not roll out non-essential tracking quietly.
6. Sub-processors
We use the following sub-processors. Each is bound by a Data Processing Agreement at least as protective as the one we offer you.
- Supabase — Postgres database + auth + edge functions + storage (eu-west-1, Ireland).
- Vercel — frontend hosting + CDN (region: London for app traffic; global edge for marketing).
- Resend — transactional email delivery via AWS SES (eu-west-1).
- Sentry — error monitoring (EU data residency).
- Stripe — payment processing (when you subscribe).
- Voyage AI — embedding generation for AI-assisted control mapping (US; only the control text is sent, never customer evidence).
- ipapi.co — IP geolocation lookup for sign-in notification "new device" detection.
7. Your rights
Under UK GDPR you can: access (Art. 15), rectify (Art. 16), erase (Art. 17), restrict (Art. 18), port (Art. 20), and object (Art. 21). Email privacy@raizehq.dev and we’ll respond within 30 days. You also have the right to lodge a complaint with the ICO at any time.
8. Breach notification
If we detect a breach affecting your personal data, we will notify you and the ICO within 72 hours of becoming aware of it (GDPR Art. 33).
9. Changes
Material changes to this policy will be announced 30 days in advance via the in-app banner and email to all account admins.