Privacy Policy
Last updated · 14 May 2026 · UK GDPR + Data Protection Act 2018
- ✓We collect only what we need to run your account and the service you signed up for.
- ✓We don't sell your data. Ever.
- ✓Your data lives in the UK, encrypted in transit and at rest.
- ✓You can export everything in CSV / JSON whenever you want, free.
- ✓You can delete your account and everything in it. We hold legally-required records (e.g. billing) for seven years; everything else goes within 30 days.
- ✓You can complain to the ICO at any time. We hope you talk to us first, but you don't have to.
1. Who we are
Site Lynx Group Ltd is a UK construction software company. We build SiteLynx, WorkLynx, CostLynx and InvoLynx — together, the Lynx Group suite. This policy covers all of those products and the marketing site at site-lynx-group.co.uk.
- Data controller
- Site Lynx Group Ltd, a company registered in England and Wales (Companies House number 17151377), registered office at available from the public Companies House register (company 17151377).
- ICO registration
- We are registered with the UK Information Commissioner's Office under registration number ZC127371.
- Contact
- For anything privacy-related, write to info@site-lynx.co.uk.
- Trading names
- SiteLynx, WorkLynx, CostLynx, InvoLynx and the Lynx Group brand are trading names of Site Lynx Group Ltd.
2. What personal data we collect
We only collect what we need to run the service. We do not collect special-category data (health, political opinions, biometric, etc.) unless you put it into a document you upload yourself — and in that case you are the controller of that content, not us.
Account & identity data
- Name, work email address, phone number (optional), job title (optional)
- Password — stored only as a salted hash, never in readable form
- Authentication tokens, sign-in timestamps, IP address at sign-in
- Multi-factor authentication settings and recovery codes (if enabled)
Company & billing data
- Company name, registered address, VAT number, Companies House number, CIS UTR (where you provide them)
- Billing address, contact email for invoices, your subscription plan and history
- Payment card details are handled directly by our payment processor — we receive only a redacted card reference (e.g. last 4 digits), brand, and expiry date
Service content
- Documents and records you create or upload — RAMS, QA reports, invoices, applications for payment, timesheets, employee records, etc.
- Files you attach (PDFs, images, drawings)
- Data you input into product forms
Usage data
- Which features you use and when (e.g. "user X viewed dashboard at 09:14 BST")
- Audit logs of who changed what, used for security and to satisfy your own compliance needs
- Aggregate analytics about active features, performance, and error rates
Technical data
- IP address, browser type and version, operating system, device type
- Pages visited on our marketing site and how you got there (referrer)
- Cookies and similar technologies — see our separate Cookie Policy
Communications
- Support tickets, emails, and any messages you send us
- Survey responses you choose to give us
3. Why we collect it, and our lawful basis
UK GDPR requires us to have a specific legal reason for every type of processing. Here are ours.
5. How long we keep it
Different categories of data have different retention periods. We delete or anonymise data when there's no longer a legal or business reason to keep it.
- Active account data — for as long as your subscription is active.
- After you cancel — 30 days to let you re-activate or export. Then 90 more days in cold storage as a safety net (no live access). Then deletion within 7 days.
- Service content (your documents) — deleted together with your account, per the timeline above. You can also delete individual items at any time from inside the product.
- Financial records — retained for 7 years after the tax year they relate to, as required by HMRC.
- Audit logs and security telemetry — 12 months, then aggregated and anonymised.
- Marketing email subscriptions — until you unsubscribe, then 12 months to record the unsubscribe.
- Support conversations — 3 years for quality and dispute resolution.
6. International transfers
Our primary hosting region is the United Kingdom. Some of our subprocessors operate in the European Economic Area (EEA), and a small number may operate from the United States.
Where data is transferred outside the UK or EEA, we rely on one of the following safeguards required by UK GDPR:
- UK adequacy regulations for the destination country
- The UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) with the UK Addendum
- Specific derogations under Article 49 (limited cases, with notice to you)
We assess every transfer and avoid jurisdictions that don't meet UK GDPR standards.
7. How we protect your data
- Encryption in transit — every connection to our service uses TLS 1.2 or higher.
- Encryption at rest — your data is encrypted with AES-256 on the servers that store it.
- Access controls — only the engineers who need access can reach production data, with audit logging on every access.
- Multi-factor authentication — available on every account; required for admin / owner roles on accounts on Business and above tiers.
- Backups — encrypted daily backups with 30-day point-in-time recovery.
- Penetration testing — independent testing on at least an annual basis once we cross 100 paying customers.
- Breach notification — we will tell you within 72 hours of becoming aware of any breach affecting your data, and notify the ICO where required.
8. Your rights
Under UK GDPR you have eight specific rights over your personal data. You can exercise any of them by emailing info@site-lynx.co.uk from the email address on your account. We will respond within one calendar month, sometimes faster.
You also have the right to complain to the ICO if you think we've handled your data badly. We'd much rather sort it out with you directly first, but you don't have to talk to us before going to the regulator. Their contact details are at ico.org.uk.
10. Children
Our service is for businesses and is not directed at children under 18. We don't knowingly collect personal data from anyone under 18. If you believe we have, write to info@site-lynx.co.uk and we'll delete it.
11. Changes to this policy
We may update this policy from time to time — for example when we add a new feature, change a subprocessor, or when the law changes. For any material change we'll:
- Update the "Last updated" date at the top of this page
- Email all active customers at least 30 days before the change takes effect
- Show an in-app banner so you can read the changes when you next sign in
Non-material changes (clarifications, typo fixes, ICO-suggested wording improvements) we publish with just an updated date.
12. Contact us
For anything in this policy — questions, concerns, or to exercise a right — write to us:
We aim to respond within five working days, and always within the one-calendar-month statutory deadline.