Privacy Policy

This policy explains how ClientEnforce collects, uses, shares, and protects personal data when you visit our website, sign up for an account, or use the ClientEnforce product. It is written to comply with the UK GDPR, the Data Protection Act 2018, the EU GDPR, and the UK Privacy and Electronic Communications Regulations (PECR).

Last updated: 24 April 2026

1. Who we are (data controller)

ClientEnforce Ltd (“ClientEnforce”, “we”, “us”, or “our”) is a company registered in England and Wales and is the data controller of the personal data described in this policy, except where we act as a processor on behalf of our customers (see “Customer data processed on behalf of our customers” below).

  • Contact for privacy matters: thomas@clientenforce.com
  • General contact: info@clientenforce.com
  • Registered office: [to be confirmed — update before publishing]
  • Company number: [to be confirmed — update before publishing]
  • ICO registration: [to be confirmed — update before publishing]

We have appointed a data protection lead who can be reached at thomas@clientenforce.com.

2. Scope of this policy

This policy applies to:

  • Visitors to clientenforce.com and our subdomains (the “Website”).
  • People who contact us, request a demo, download a resource, or subscribe to marketing communications.
  • Customers and authorised users of the ClientEnforce product (the “Service”).
  • End clients who are invited into a customer’s onboarding workflow (completing intake forms, uploading documents, signing agreements, etc.).

When a ClientEnforce customer uses the Service to collect and process information about their own clients, the customer is the controller of that data and ClientEnforce acts as a processor. In that case, the customer’s privacy policy applies to the underlying end-client relationship, and our Data Processing Addendum governs our handling of that data.

3. Personal data we collect

We collect the following categories of personal data, grouped by source:

a) Information you give us

  • Account data: name, work email, password (hashed), company name, job title, phone number (optional).
  • Billing data: billing contact, billing address, VAT/tax ID, and payment-card metadata (card details themselves are processed directly by our payment provider and not stored by us).
  • Marketing and sales data: form submissions, demo requests, downloaded resources, survey responses, event registrations.
  • Support and communications: messages, screenshots, and attachments sent to our support team.

b) Information generated while you use the Service

  • Usage data: pages viewed, features used, workflow and task activity, timestamps, click events, performance metrics.
  • Device and connection data: IP address, browser type, operating system, device identifiers, language, referring URLs.
  • Security and audit logs: sign-in events, password resets, permission changes, audit trail entries.

c) Customer data processed on behalf of our customers

  • Client onboarding records: names, contact details, uploaded documents, completed forms, signatures, notes, workflow history, and any other data our customers choose to store in the Service.

d) Information we receive from third parties

  • Authentication and identity data from third-party sign-in providers (for example Google) when you use them to log in.
  • Enrichment data from business-contact providers used for sales and marketing (company size, industry, role) — where permitted by law.
  • Analytics and attribution data from advertising and analytics providers.

We do not intentionally collect special-category personal data (such as data about health, race, religion, or political opinions) through the Website or Service, and we ask customers not to upload such data unless a lawful basis and appropriate safeguards are in place.

4. How we use personal data

We use personal data for the following purposes:

  • Providing the Service: creating and managing accounts, running onboarding workflows, storing documents, sending transactional notifications, and enabling collaboration between users and their clients.
  • Securing the Service: authenticating users, detecting abuse or fraud, maintaining audit logs, and responding to security incidents.
  • Supporting customers: answering questions, investigating issues, and communicating product updates, outages, and maintenance windows.
  • Billing and finance: processing subscriptions, issuing invoices, collecting payment, and meeting tax and accounting obligations.
  • Improving the Service: analysing usage patterns, diagnosing bugs, testing new features, and measuring reliability and performance.
  • Marketing and sales: sending product announcements, newsletters, and relevant offers to existing customers and to individuals who have opted in; measuring the effectiveness of marketing campaigns.
  • Legal and compliance: complying with applicable law, responding to lawful requests from public authorities, and enforcing our terms of service.

6. Who we share data with

We share personal data only with the categories of recipients listed below:

  • Sub-processors and service providers that help us run the Website and Service — including cloud hosting, database and storage providers, email delivery, payment processing, customer support tools, product analytics, error monitoring, and business-intelligence tools. All sub-processors are contractually required to protect personal data on terms consistent with this policy and applicable law.
  • Customer-authorised recipients such as team members added by an account administrator, end clients invited into an onboarding, and any integrations the customer chooses to enable.
  • Professional advisers including accountants, auditors, lawyers, and insurers, bound by professional duties of confidentiality.
  • Authorities and regulators when we are required by law, court order, or binding request to disclose information, and only to the minimum extent necessary.
  • Buyers or successors in the event of a merger, acquisition, financing, or sale of all or part of our business, subject to equivalent privacy protections.

We do not sell personal data, and we do not share personal data for cross-context behavioural advertising.

A current list of our sub-processors is available on request from thomas@clientenforce.com.

7. International data transfers

ClientEnforce is based in the United Kingdom, and some of our sub-processors operate in the European Economic Area, the United States, and other jurisdictions. Where personal data is transferred outside the UK or EEA to a country that is not the subject of an adequacy decision, we rely on appropriate safeguards, which may include:

  • the European Commission’s Standard Contractual Clauses (SCCs), with the UK International Data Transfer Addendum where the transfer is subject to UK law; or
  • the UK International Data Transfer Agreement (IDTA); and
  • additional technical and organisational measures (such as encryption in transit and at rest, access controls, and pseudonymisation) where our transfer impact assessment indicates they are needed.

You can request a copy of the relevant safeguards by contacting thomas@clientenforce.com.

8. How long we keep data

We keep personal data only for as long as we need it for the purposes set out in this policy, including any legal, accounting, or reporting requirements. In general:

  • Account data is retained for the life of the account and for up to 12 months after account closure, unless a longer period is required or requested.
  • Customer content (onboardings, documents, forms) is retained for the life of the account and deleted or returned in accordance with our Data Processing Addendum following termination.
  • Billing and tax records are kept for at least 6 years after the end of the relevant financial year, in line with UK statutory requirements.
  • Security and audit logs are typically kept for up to 24 months.
  • Marketing contact data is kept until you unsubscribe or, for prospective customers, no longer than 24 months after our last meaningful interaction.
  • Cookies and similar technologies are retained according to the retention periods stated in our cookie notice.

When personal data is no longer needed, we securely delete or anonymise it.

9. How we protect data

We maintain a layered set of technical and organisational measures designed to protect personal data, including:

  • Encryption of data in transit using TLS and encryption at rest for production databases and file storage.
  • Role-based access control, least-privilege permissions, multi-factor authentication for internal systems, and detailed audit logging.
  • Secure development practices, code review, dependency scanning, and vulnerability management.
  • Regular backups, monitored uptime, and documented business continuity and incident-response processes.
  • Staff confidentiality obligations and data-protection training.

No online service can be guaranteed to be completely secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner’s Office (and, where applicable, competent EU supervisory authorities) within 72 hours, and we will notify affected individuals and customers without undue delay where required.

10. Your rights

Subject to applicable law and certain exemptions, you have the following rights in relation to your personal data:

  • Right of access to the personal data we hold about you.
  • Right to rectification of inaccurate or incomplete data.
  • Right to erasure (the “right to be forgotten”).
  • Right to restrict processing in certain circumstances.
  • Right to data portability for data you provided to us and that we process by automated means on the basis of consent or contract.
  • Right to object to processing based on legitimate interests, including profiling, and to object to direct marketing at any time.
  • Right to withdraw consent where processing is based on consent.
  • Right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. ClientEnforce does not currently carry out this kind of automated decision-making.

To exercise any of these rights, email thomas@clientenforce.com. If you are an end client of one of our customers, please contact that customer in the first instance; we will support them in responding to your request.

You also have the right to complain to a supervisory authority. In the UK that is the Information Commissioner’s Office (ico.org.uk). In the EU, you may complain to the supervisory authority of your country of residence, place of work, or the place of the alleged infringement.

11. Cookies and similar technologies

We use cookies and similar technologies on our Website and within the Service for the following purposes:

  • Strictly necessary — required to authenticate users, maintain sessions, and protect against fraud and abuse. These cannot be switched off.
  • Functional — remember preferences such as language or layout.
  • Analytics — measure how the Website and Service are used so that we can improve them.
  • Marketing and attribution — measure the effectiveness of marketing campaigns and, where applicable, support advertising on third-party platforms.

Non-essential cookies are set only after you give consent via our cookie banner, and you can change your preferences at any time through the banner or your browser settings. A detailed list of cookies, providers, and retention periods is available in our cookie notice and on request from thomas@clientenforce.com.

12. Children’s data

The ClientEnforce Website and Service are intended for business users and are not directed to children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact thomas@clientenforce.com and we will delete it promptly.

13. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify customers by email or through the Service. Please check this page periodically for the latest version.

14. How to contact us

For any privacy-related question or request, contact:

If you are in the EU and wish to contact a representative for GDPR purposes, please email us and we will direct your request appropriately.