Legal · Privacy

Privacy Policy

Last updated · 14 May 2026 · UK GDPR + Data Protection Act 2018

The plain English summary
  • We collect only what we need to run your account and the service you signed up for.
  • We don't sell your data. Ever.
  • Your data lives in the UK, encrypted in transit and at rest.
  • You can export everything in CSV / JSON whenever you want, free.
  • You can delete your account and everything in it. We hold legally-required records (e.g. billing) for seven years; everything else goes within 30 days.
  • You can complain to the ICO at any time. We hope you talk to us first, but you don't have to.

1. Who we are

Site Lynx Group Ltd is a UK construction software company. We build SiteLynx, WorkLynx, CostLynx and InvoLynx — together, the Lynx Group suite. This policy covers all of those products and the marketing site at site-lynx-group.co.uk.

Data controller
Site Lynx Group Ltd, a company registered in England and Wales (Companies House number 17151377), registered office at available from the public Companies House register (company 17151377).
ICO registration
We are registered with the UK Information Commissioner's Office under registration number ZC127371.
Contact
For anything privacy-related, write to info@site-lynx.co.uk.
Trading names
SiteLynx, WorkLynx, CostLynx, InvoLynx and the Lynx Group brand are trading names of Site Lynx Group Ltd.

2. What personal data we collect

We only collect what we need to run the service. We do not collect special-category data (health, political opinions, biometric, etc.) unless you put it into a document you upload yourself — and in that case you are the controller of that content, not us.

Account & identity data

  • Name, work email address, phone number (optional), job title (optional)
  • Password — stored only as a salted hash, never in readable form
  • Authentication tokens, sign-in timestamps, IP address at sign-in
  • Multi-factor authentication settings and recovery codes (if enabled)

Company & billing data

  • Company name, registered address, VAT number, Companies House number, CIS UTR (where you provide them)
  • Billing address, contact email for invoices, your subscription plan and history
  • Payment card details are handled directly by our payment processor — we receive only a redacted card reference (e.g. last 4 digits), brand, and expiry date

Service content

  • Documents and records you create or upload — RAMS, QA reports, invoices, applications for payment, timesheets, employee records, etc.
  • Files you attach (PDFs, images, drawings)
  • Data you input into product forms

Usage data

  • Which features you use and when (e.g. "user X viewed dashboard at 09:14 BST")
  • Audit logs of who changed what, used for security and to satisfy your own compliance needs
  • Aggregate analytics about active features, performance, and error rates

Technical data

  • IP address, browser type and version, operating system, device type
  • Pages visited on our marketing site and how you got there (referrer)
  • Cookies and similar technologies — see our separate Cookie Policy

Communications

  • Support tickets, emails, and any messages you send us
  • Survey responses you choose to give us

3. Why we collect it, and our lawful basis

UK GDPR requires us to have a specific legal reason for every type of processing. Here are ours.

Contract
Covers: Account & identity data, billing data, service content, essential usage data
Why: We need this to actually provide the service you've signed up for and to bill you for it.
Legitimate interests
Covers: Audit logs, security telemetry, aggregate analytics, fraud prevention, product improvement
Why: We have a legitimate interest in keeping the service secure, working well, and improving over time. We balance this against your interests and don't use it for anything intrusive.
Legal obligation
Covers: Tax records, billing records, sanctions screening
Why: We're required to keep certain financial records for seven years under UK tax law, and to screen against sanctions lists.
Consent
Covers: Marketing emails to non-customers, non-essential cookies, optional features
Why: Where consent applies, we ask for it clearly and you can withdraw it at any time without affecting the service.

4. Who we share data with

We do not sell your data. Ever. We share it with a small number of trusted processors who help us run the service, and with no one else except when legally required.

Subprocessors (categories)

  • Cloud hosting and database — provides the servers and database that run the service. Data stays in UK / EU regions.
  • Payment processing — handles card data so we never have to. PCI-DSS certified.
  • Transactional email delivery — sends sign-up confirmations, password resets, billing emails.
  • Error monitoring & logging — captures application errors so we can fix bugs quickly.
  • AI processing — for features that use AI to draft documents or answer questions, the prompt and necessary context are sent to a Large Language Model provider. We do not include any data that the AI doesn't strictly need for the feature.
  • Customer support tooling — for tickets and conversations you start with us.

A current list of subprocessors with names is available on request to info@site-lynx.co.uk. We will give you 30 days' notice of any new subprocessor for service-critical data.

Legal requests

We may disclose data if compelled to by a valid legal request from a UK authority (court order, ICO investigation, statutory request from HMRC or law enforcement). We will challenge requests we think are improper and inform you unless legally prohibited.

Business transfers

If Site Lynx Group Ltd is sold, merged, or transfers part of the business, your data may transfer to the new owner. The new owner will be bound by this Privacy Policy or one that protects you to the same standard. We will tell you before any such transfer.

5. How long we keep it

Different categories of data have different retention periods. We delete or anonymise data when there's no longer a legal or business reason to keep it.

  • Active account data — for as long as your subscription is active.
  • After you cancel — 30 days to let you re-activate or export. Then 90 more days in cold storage as a safety net (no live access). Then deletion within 7 days.
  • Service content (your documents) — deleted together with your account, per the timeline above. You can also delete individual items at any time from inside the product.
  • Financial records — retained for 7 years after the tax year they relate to, as required by HMRC.
  • Audit logs and security telemetry — 12 months, then aggregated and anonymised.
  • Marketing email subscriptions — until you unsubscribe, then 12 months to record the unsubscribe.
  • Support conversations — 3 years for quality and dispute resolution.

6. International transfers

Our primary hosting region is the United Kingdom. Some of our subprocessors operate in the European Economic Area (EEA), and a small number may operate from the United States.

Where data is transferred outside the UK or EEA, we rely on one of the following safeguards required by UK GDPR:

  • UK adequacy regulations for the destination country
  • The UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) with the UK Addendum
  • Specific derogations under Article 49 (limited cases, with notice to you)

We assess every transfer and avoid jurisdictions that don't meet UK GDPR standards.

7. How we protect your data

  • Encryption in transit — every connection to our service uses TLS 1.2 or higher.
  • Encryption at rest — your data is encrypted with AES-256 on the servers that store it.
  • Access controls — only the engineers who need access can reach production data, with audit logging on every access.
  • Multi-factor authentication — available on every account; required for admin / owner roles on accounts on Business and above tiers.
  • Backups — encrypted daily backups with 30-day point-in-time recovery.
  • Penetration testing — independent testing on at least an annual basis once we cross 100 paying customers.
  • Breach notification — we will tell you within 72 hours of becoming aware of any breach affecting your data, and notify the ICO where required.

8. Your rights

Under UK GDPR you have eight specific rights over your personal data. You can exercise any of them by emailing info@site-lynx.co.uk from the email address on your account. We will respond within one calendar month, sometimes faster.

Right to be informed
This policy is how we meet this right. We'll always tell you up front what we're doing with your data.
Right of access
You can request a copy of the personal data we hold about you. We'll provide it in a portable, machine-readable format.
Right to rectification
If anything we hold about you is wrong or out of date, we'll correct it. Most of it you can correct yourself from your account settings.
Right to erasure ('right to be forgotten')
You can ask us to delete your personal data. We'll do it unless we have a legal reason to retain it (e.g. HMRC seven-year rule on billing records).
Right to restrict processing
You can ask us to pause processing your data while we resolve a dispute about its accuracy or use.
Right to data portability
You can take your data with you. We provide export in CSV and JSON formats from your account at any time, free.
Right to object
You can object to processing based on legitimate interests, and to direct marketing. Direct marketing objections are absolute — we'll stop straight away.
Rights related to automated decision-making and profiling
We don't make any solely automated decisions about you that have legal or similarly significant effects. AI features assist you, they don't decide for you.

You also have the right to complain to the ICO if you think we've handled your data badly. We'd much rather sort it out with you directly first, but you don't have to talk to us before going to the regulator. Their contact details are at ico.org.uk.

9. Cookies

We use a small set of cookies, mostly essential for the service to work. Some optional analytics and preference cookies need your consent. Full details in our Cookie Policy.

10. Children

Our service is for businesses and is not directed at children under 18. We don't knowingly collect personal data from anyone under 18. If you believe we have, write to info@site-lynx.co.uk and we'll delete it.

11. Changes to this policy

We may update this policy from time to time — for example when we add a new feature, change a subprocessor, or when the law changes. For any material change we'll:

  • Update the "Last updated" date at the top of this page
  • Email all active customers at least 30 days before the change takes effect
  • Show an in-app banner so you can read the changes when you next sign in

Non-material changes (clarifications, typo fixes, ICO-suggested wording improvements) we publish with just an updated date.

12. Contact us

For anything in this policy — questions, concerns, or to exercise a right — write to us:

Site Lynx Group Ltd · Privacy
Post · available from the public Companies House register (company 17151377)
Companies House 17151377 · ICO Registration ZC127371

We aim to respond within five working days, and always within the one-calendar-month statutory deadline.