Privacy notice.
This notice explains how ComplyChat handles personal data – both as the controller of our own website and prospect data, and as the processor of customer data flowing through governed channels. We have tried to write it plainly. Where we have to be honest about the limits of what we can govern, we are.
- About this notice
- Who we are
- Our two-hat model: controller and processor
- Data we handle as a controller
- Data we handle as a processor
- Lawful bases under UK GDPR
- Special category data and safeguarding information
- Children's personal data
- The personal-device boundary
- Encryption: what changes and what does not
- International data transfers
- Retention
- Sub-processors and recipients
- Your rights and how to exercise them
- Cookies and analytics
- Security
- Personal data breaches
- Changes to this notice
- Complaints
- Contact us
About this notice
ComplyChat keeps a record of the work conversations of UK schools, charities and care providers in their own Microsoft 365. Conversations are captured from more than one place – our own secure web space (including an SMS-verified web room) and Microsoft Teams – and each governed message is captured on the server, not on any participant's device, and delivered into a record held in the customer's own Microsoft 365 tenant. Because we operate at the meeting point of a public marketing site, a software product, and a regulated communications service, the relationships we have with personal data are not all the same. This notice covers all of them.
We have written this notice to be intelligible to a Data Protection Officer, a trustee, and an ordinary reader. Where we draw distinctions that have legal weight – between controller and processor, between operational data and content, between what we can and cannot reach – we have flagged them in plain language. If anything here is unclear, the contact details in section 20 are real and monitored.
Who we are
ComplyChat is a service operated by CIaaS Limited, a company registered in England and Wales (company number 14519311), with its registered office at C/O Aardvark Accounting, 1 Cedar Office Park, Cobham Road, Wimborne, BH21 7SB (in this notice, "we", "us", "our"). Our registration with the Information Commissioner's Office (ICO) is filed under reference ZC181640.
For matters relating to this notice or any data we hold about you, please contact enquiries@chat.org.uk. For escalations specifically about privacy or data protection, please use compliance@chat.org.uk; that mailbox is monitored by the person responsible for data protection at CIaaS Limited.
Our two-hat model: controller and processor
Under the UK GDPR, the responsibilities we have for personal data depend on whether we determine the purposes and means of processing (in which case we are a controller) or whether we act on behalf of another organisation that does (in which case we are a processor). In practice, we wear both hats, depending on the data:
- We are the controller for personal data we collect about visitors to chat.org.uk, prospective customers and people who fill in our contact form, our business contacts, and the staff at customer organisations who administer the service on their organisation's behalf (account holders).
- We are the processor for personal data flowing through governed channels – wherever it comes from, whether our own secure web space or Microsoft Teams – and stored in the record on a customer's behalf. The customer organisation – the school, charity or care provider running the channel – is the controller of that data. They decide who joins, what is discussed, how long it is kept, and who is told.
This notice describes both roles. Sections 4 to 11 mostly concern data we handle as a controller. Sections 12 onwards apply to both. Where we are acting as a processor, the customer's own privacy notice is the primary one that data subjects should read; ours describes the framework we operate within.
Data we handle as a controller
The categories of personal data we collect and process as a controller are limited and listed below. We do not buy lists, scrape contact details, or enrich data from third-party data brokers.
Website visitors
Our website is hosted on Azure Static Web Apps (Microsoft Azure, UK region). When you visit chat.org.uk, Azure's network logs record your IP address, the time of the request, the resource requested, response status, user agent string and referrer. These logs are kept for short-term operational and security purposes (typically 30 days) and are not used to profile visitors or for any marketing purpose. The only third-party tag on this site is Google's advertising tag, which runs under Google Consent Mode v2 with consent denied by default, so it sets no cookies and sends no identifiers unless you accept via our cookie banner (see Cookies and analytics below). We use no third-party analytics, fingerprinting or session replay.
Contact form submissions and demo requests
If you complete the contact form or email us to request a demonstration, you choose what to share. The form asks for your name, work email address, organisation, role (optional), phone (optional), tier of interest (optional) and a message. Your submission is delivered to our staff inbox at enquiries@chat.org.uk via a serverless function and is not retained anywhere else. We use it to respond to you, and (if a sales conversation begins) to keep a minimal record of the discussions we have had, so that we are not asking you the same questions twice.
Prospective and live customers
If you become a paying customer, we record the contact details of the people at your organisation who administer the account, our contractual correspondence with you, and the billing information needed to invoice and collect payment. We do not store full payment card details; card payments are processed by our payment provider (see Sub-processors).
People who write to us
Where you contact us by email, telephone, post or any other channel, we keep a record sufficient to provide a coherent reply and to demonstrate, where necessary, that we handled your enquiry properly.
Data we handle as a processor
When a customer runs a governed channel on our platform – from any of these places, whether our own secure web space or Microsoft Teams – the personal data flowing through it while it is captured and passed on is processed by us strictly on the customer's documented instructions, set out in a Data Processing Agreement (DPA) that forms part of our contract. The record at rest lives in the customer's own Microsoft 365 tenant; we do not store it. The data passing through may include:
- Identifiers of participants – staff, volunteers, family members, residents and others – which depending on where the conversation happens may be a phone number verified by SMS (our secure web space), a Microsoft 365 identity (Teams), or a participant name and contact details (our secure web space).
- Message content (text, images, voice notes, documents, location pins and other attachments) sent to or within a governed channel.
- Voice and video calls (recorded, with a transcript), where the customer has switched calls on for a channel.
- Message metadata: timestamps, sender identity, delivery and read receipts, and membership changes.
- Administrative records: which staff member added or removed which participant, when, and on whose authority.
Recorded calls. Where a customer switches calls on for a channel, voice and video calls happen inside the same governed app, and every call is recorded — there is no unrecorded option. Both people are told before the call connects and must accept a recorded call; a spoken notice at the start of the call is captured on the recording itself, and a recording indicator stays on screen throughout. The recording (audio) and a written transcript then land in the customer's own Microsoft 365, alongside the message record, under the same retention and access rules — the accepted-recording taps of both participants are kept on the record. Calls are carried by Microsoft Azure Communication Services under the same Microsoft DPA as the rest of the platform (see our sub-processors page): the service is set to the United Kingdom data location, so data it holds at rest — including the short built-in window (up to 24 hours) it keeps a recording before hand-off — rests in the UK, while live call audio and video are carried transiently over Microsoft's network with nothing retained. The customer, as controller, decides which channels carry calls, tells its people, and owns the lasting record.
None of this data is mined, profiled, sold, used to train machine learning models, or used for any purpose beyond providing the service the customer has contracted for. The customer decides what is discussed in the channel, who joins, and what they are told; wherever the conversation happens, our system does one thing: capture it, deliver it into the customer's own record, and make it answerable.
Our own secure web space, including the SMS-verified web room, is built so that the record is made in our system and lands in the customer's own Microsoft 365 with no other messaging platform in the path. Where a customer takes the dedicated setup, the capture machinery and the working copy are placed inside that customer's own Microsoft Azure subscription, so neither the processing step nor the operational copy runs on systems we could browse. In every case, the permanent governed record – the SAR-answerable, eDiscovery system of record – rests in the customer's own Microsoft 365 tenant, per organisation and never pooled; we never become a customer's system of record. To operate the live room on the default deployment, our multi-tenant Azure SQL holds a working copy of message content; the customer controls how long that lasts, switching on a 90-day purge from the admin portal or moving the working copy into their own Azure on the dedicated setup. The central billing and account systems we run hold only your account and billing details – plan, numbers, billing, service health – never your message content. A break-in at our hosted service could expose recent operational conversation data, never a permanent, pooled archive of every client – the authoritative record sits in each customer's own tenant, not on our servers.
Where a customer asks for our help with a Subject Access Request, our team advises while the customer's own administrators run the searches in Microsoft Purview eDiscovery inside their own tenant – typically over a screen-share. We do not take copies of record content, and we hold no standing access to customer environments.
Lawful bases under UK GDPR
Article 6 of the UK GDPR requires us to identify a lawful basis for each category of processing. The table below sets out the basis we rely on as a controller.
| Purpose | Personal data | Lawful basis (Article 6) |
|---|---|---|
| Operating and securing chat.org.uk | Access logs (IP, user agent, request data) | Legitimate interests (running a website securely) |
| Responding to your enquiry or demo request | Form submission and any subsequent correspondence | Legitimate interests, or steps prior to entering a contract at your request |
| Managing the customer relationship | Account administrator contact details, contractual records | Performance of a contract |
| Billing, accounting and tax compliance | Billing contacts, invoice records | Performance of a contract; legal obligation (tax law) |
| Detecting fraud, abuse or security incidents | Access logs, account activity | Legitimate interests (protecting customers and the service) |
| Sending occasional service-related notices | Account administrator email | Legitimate interests, performance of a contract |
Where we rely on legitimate interests, we have carried out a balancing assessment that weighs our interest against your rights and freedoms. You can request a summary of any such assessment by writing to compliance@chat.org.uk.
When we are acting as a processor (for governed channel data), the customer – not us – is responsible for identifying and recording the lawful basis under Article 6 (and, where applicable, Article 9). We provide template wording, notification copy for participants, and a Data Protection Impact Assessment template to help, but the assessment and the decision remain the customer's.
Special category data and safeguarding information
Conversations in a care or charity setting routinely include special category data under Article 9: health information, ethnicity, religious belief, sexual orientation, and information about safeguarding concerns that, while not always a special category in itself, is treated with comparable sensitivity.
As a processor we will inevitably encounter such data – it is the nature of the conversations our customers govern – but we do not single it out, profile it, or use it for any purpose other than storing and making it retrievable for the customer. The customer, as controller, must identify an Article 9 condition (in practice, typically the substantial public interest conditions in Schedule 1 of the Data Protection Act 2018 relating to safeguarding, the provision of health or social care, or the protection of vulnerable adults) and document it in their Article 30 record. Our DPA template includes a section in which the customer formally records that determination.
Our security controls (UK-region transient processing, role-based access, audit logging) apply uniformly to all data passing through our systems, and data at rest is protected by the customer's own Microsoft 365 tenant controls; we do not consider Article 9 data to need a stronger baseline because the baseline is already set for it.
Children's personal data
Our service is sold business-to-business. We do not offer it to children and we do not knowingly process children's data as a controller.
Where a customer's governed channel includes participants under the age of 18 (for example, in a youth-focused charity, a young carers' group, or a children's service), the customer remains the controller of that data and is responsible for obtaining the necessary parental consent or alternative lawful basis, providing age-appropriate notices, and applying the additional protections required by the ICO's Children's Code where relevant. The standard contractual terms we make available to customers specifically address this scenario.
The personal-device boundary.
This is the most important honest disclosure in this notice, and we will not bury it.
Our service governs conversations that take place on the channels the organisation sets up – our own secure web space (including the SMS-verified web room) or a Microsoft Teams channel. It does not, and cannot, govern conversations that staff, volunteers or family members hold on their own personal accounts on their own personal phones – whether that is personal WhatsApp, Telegram, or any other consumer messaging app. Nothing we install would expose those conversations, and any supplier claiming otherwise is either misleading you or working outside the relevant platform's terms of service.
This matters because the real problem – conversations about service users taking place in side-channels nobody can answer for – cannot be solved by software alone. Our service reduces the risk; it does not remove it. It gives people an easy, supported alternative to personal messaging, and gives the organisation the culture, policy and practical levers to make that alternative the only one in use. Our own secure web space narrows this gap further, because it gives the organisation a governed channel of its own that needs no consumer messaging account at all; but closing the rest is governance work that sits with the customer.
To support that work we provide: ready-made staff and volunteer policies banning work-related discussion of service users on personal channels; ready-made family and resident notices explaining what the governed channel is and how to use it; trustee briefings; and guidance on enforcing the policy through mobile device management on organisation-issued devices. We also publish, alongside this notice, our standard terms of service, which require customers to put in place and enforce such a policy as a condition of using the platform.
Encryption: what changes and what does not
Messages sent through our own secure web space, including the SMS-verified web room, are written straight into the record as they are sent, over an encrypted connection (TLS) between the sender's device and our systems – there is no separate encrypted messaging platform in the middle to reconcile with, because the room is ours to run. Microsoft Teams messages reach us the same way, over Microsoft's own encrypted channels. Neither channel involves Meta or any other messaging platform at all – there is no other platform in the path, which is a clean shape for a governed record, with the data kept in the same place throughout.
From the moment a message reaches us, it is delivered into the customer's record – which lives in the customer's own Microsoft 365 tenant, under the customer's rules for keeping it, holding it and reading it. Our processing is brief: capture and delivery run in UK-region Microsoft Azure, and the record at rest is never held on our systems.
We do not claim that nobody can read the record, and any supplier that claims both a usable record and one nobody can read, over the same content, is misrepresenting how this works. To keep a usable record, the controller (or its processor) has to be able to read the content; that is the whole point of the record. The right question is not "can anyone read it?" – someone has to be able to – but "who can read it, under what controls, and who checks?" The answer, on our platform, is: only the customer's chosen administrators, each with their own level of access, and every time they look it is logged.
International data transfers
Customer content (messages and attachments) is processed transiently in UK-region Microsoft Azure data centres (UK South) and stored at rest in the customer's own Microsoft 365 tenant, under the customer's own data-residency configuration. It is not transferred outside the United Kingdom by us in the normal course of providing the service.
There are three narrow exceptions, each named in our Sub-processors list. First, billing and payment processing is handled by Stripe Payments UK Limited (an FCA-authorised payment institution that contracts with us under UK law); Stripe's underlying processing infrastructure is global, with the UK Addendum to the EU SCCs governing any transfers outside the UK. We do not see or store full payment card details; those are entered directly into Stripe-hosted elements. Second, our operational mailboxes (enquiries@ and compliance@) run on Microsoft 365 Exchange Online within Microsoft's EU Data Boundary, so correspondence you send us may be stored in the European Union as well as the United Kingdom; the UK's adequacy regulations for the EU cover that processing. Third, the one-time passcode text used to verify a phone number for our own secure web space is delivered by Twilio, whose global messaging infrastructure may process outside the United Kingdom; Twilio is in the data path only for that verification text, under its own Data Protection Addendum and the UK Addendum to the EU SCCs for transfers outside the UK.
Our application telemetry (errors, performance traces, operational logs) is operational metadata, which may include phone numbers in transient diagnostic logs. It is processed in a UK Azure region using Microsoft Application Insights, so no transfer arises in respect of it.
Where we add a sub-processor that would meaningfully change this picture, we will give customers thirty days' prior notice and the opportunity to object.
Retention
As a controller:
- Website access logs: 30 days, then automatically deleted.
- Contact form submissions: retained as long as the conversation is reasonably live, plus the limitation period applicable to any contract that follows. If no contract follows, deleted within 12 months of the last meaningful contact.
- Customer relationship records: for the duration of the contract, plus the limitation period under the Limitation Act 1980 (typically six years).
- Billing and accounting records: as required by HMRC, currently six years.
As a processor: retention of the archive is determined and enforced by the customer in their own Microsoft 365 tenant, using Microsoft Purview retention policies applied to the archive (a restricted SharePoint document library). Legal holds, eDiscovery and data-subject-request tooling likewise operate inside the customer's tenant, under the customer's control. Transient operational data on our systems is kept only as long as capture and relay require.
Sub-processors and recipients
We use a small set of sub-processors to provide the service. Each is bound by a written contract that imposes the same data protection obligations on them as our contract imposes on us, in line with Article 28(4) UK GDPR. The current list is maintained at /sub-processors.html and is updated whenever a sub-processor is added, removed or changes.
Beyond sub-processors, we share personal data only with: our professional advisers (lawyers, accountants, auditors) under a duty of confidentiality; regulators, courts or law enforcement where a valid legal request requires it; and an acquirer if the business is sold (in which case data is transferred subject to confidentiality and continued application of this notice).
Your rights and how to exercise them
Under the UK GDPR you have the right to be informed (this notice), the right of access, the right to rectification, the right to erasure ("right to be forgotten"), the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to solely automated decision-making with legal or similarly significant effects. We do not undertake any such automated decision-making.
To exercise any of these rights in relation to data we hold as a controller, write to compliance@chat.org.uk. We will respond within one month (extendable by two further months for complex requests, with notice to you). We will not charge a fee unless the request is manifestly unfounded or excessive.
To exercise these rights in relation to data we hold as a processor – i.e. data flowing through a governed channel at a particular customer organisation – please direct your request to that organisation (the controller) in the first instance. Where you are unsure who the controller is, write to us and we will tell you. We provide Article 17 erasure tooling; Article 15 access/export requests are served via Microsoft Purview eDiscovery inside your own tenant.
Cookies and analytics
This marketing site loads one third-party tag: Google Ads (gtag.js), used only to measure which adverts bring visitors to the site. It runs under Google Consent Mode v2 with consent denied by default, so it sets no advertising or analytics cookies and sends no identifiers to Google unless you accept via our cookie banner. If you reject or ignore the banner, the tag stays in its consent-denied state and sets no cookies. We use no other third-party analytics, fingerprinting or tracking technologies, and no message content is ever involved. Google is listed as a sub-processor on our sub-processors page, and we handle all cookie use in line with the Privacy and Electronic Communications Regulations 2003.
The product itself (which is delivered behind authentication, not via this public site) uses a small number of strictly necessary first-party cookies to keep you logged in. Those are governed by the in-product privacy notice presented to administrators on first sign-in.
Security
We operate an information security management programme designed to ISO/IEC 27001:2022 and are pursuing certification under that standard and Cyber Essentials. Controls in place include UK-region processing, encryption in transit (TLS 1.2+) and AES-256 encryption of transient operational data at rest (the archive itself rests in the customer's own Microsoft 365 tenant, under the customer's encryption and access controls), role-based access control with least-privilege defaults, comprehensive audit logging, multi-factor authentication on administrator and production access, hardware-key requirements for production access, separation of duties between development and operations, regular vulnerability scanning, and an incident response plan with defined RTO and RPO targets that we publish to customers under NDA. As the programme matures toward certification we are extending multi-factor authentication to all accounts and adding independent penetration testing.
We are not so naive as to claim we cannot be breached. We have written this section so that, if one day we are, the question of "what was in place beforehand" is answerable.
Personal data breaches
If we become aware of a personal data breach affecting data for which we are the controller, we will notify the ICO within 72 hours where the breach is likely to result in a risk to the rights and freedoms of natural persons, and we will inform affected data subjects without undue delay where the risk is high.
If the breach affects data we process on a customer's behalf, we will notify the affected customer without undue delay – in practice, within 24 hours of confirmation – with all the information the customer needs to discharge its own notification obligations under Article 33.
Changes to this notice
We will update this notice when the law, the service or our practices change. Material changes will be announced at the top of this page and (for our customers) by direct notice to the account administrator. The "Effective" date at the top of this notice always reflects the date of the most recent version. Archived versions are kept and can be requested.
Complaints
If you are unhappy with how we have handled your personal data, we would like the chance to put it right. Please write to compliance@chat.org.uk in the first instance.
You also have the right to complain to the Information Commissioner's Office at any time. The ICO can be contacted at ico.org.uk, on 0303 123 1113, or by post at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Contact us
General: enquiries@chat.org.uk
Privacy and data protection: compliance@chat.org.uk
Post: CIaaS Limited, C/O Aardvark Accounting, 1 Cedar Office Park, Cobham Road, Wimborne, BH21 7SB