Privacy Policy
Last updated: June 2026
1. Who we are
Notice Board is operated by Notice Board Ltd (trading as "Notice Board"), a company registered in England and Wales. Our service is accessible at notice-board.io.
We are registered with the Information Commissioner's Office (ICO) as a data controller. ICO registration number: [PENDING].
For all privacy matters, you can contact us at:
- Email: dpo@notice-board.io
- Post: Notice Board Ltd, [Registered Address, England]
This privacy policy explains how we collect, use, store, and protect personal data when you use the Notice Board platform and the Reporter Free progressive web app. It applies to customers, end users at customer sites, and visitors to this website.
2. What data we collect
2.1 Account data
When you create a Notice Board account, we collect:
- Name and email address
- Organisation name and site details
- Password (stored as a salted hash — we never store your password in plain text)
- Billing information (handled by Stripe — we do not store card numbers)
- Account preferences and settings
2.2 Usage data
When you use the Notice Board dashboard, we automatically collect:
- IP address and approximate location (country/region level only)
- Browser type and version
- Pages accessed and timestamps
- Error logs and diagnostic data to maintain service quality
We do not use third-party analytics services. Usage data is collected solely for operational purposes.
2.3 Record data
The core purpose of Notice Board is to store workplace records that your organisation creates. These records may contain personal data about individuals, including:
- Incident records: names and contact details of injured persons, witnesses, and reporters; descriptions of injuries; occupation, employer, and address of injured persons; HSE reference numbers and correspondence.
- Maintenance records: names of persons who raised or completed tasks; location data.
- Vehicle incident records: vehicle identifiers; names of third parties; damage descriptions.
- Supplier records: supplier names and contact details; financial information such as invoice values.
- Photos and attachments: photographs, documents, and other files attached to records. These may contain images of people or other personal data.
You (the customer) are the data controller for record data. We act as data processor on your behalf, processing this data only under your instructions and in accordance with our Terms of Service and any applicable data processing agreement.
2.4 Reporter Free (offline use)
When Reporter Free is used without a Notice Board account, all data is stored locally on the user's device in the browser's IndexedDB. No data is transmitted to us. We have no access to this data.
3. How we use your data
We use personal data for the following purposes:
- Providing the service: to create and manage your account, store and display your records, and operate the sync service between Reporter devices and your Head Office dashboard.
- Billing: to process subscription payments via Stripe and send receipts and invoices.
- Service communications: to send account notifications, security alerts, and material updates to the service that you cannot opt out of.
- Support: to respond to your support requests and troubleshoot problems.
- Security and fraud prevention: to detect and prevent unauthorised access, abuse, and other harmful activity.
- Legal compliance: to comply with legal obligations, including responding to lawful requests from regulatory authorities.
- Product improvement: to analyse aggregated, anonymised usage patterns and fix bugs. We do not use your record data for this purpose.
We do not sell personal data. We do not share personal data with third parties for their marketing purposes.
4. Legal basis for processing
Under UK GDPR, we rely on the following legal bases:
- Contract performance (Article 6(1)(b)): processing necessary to provide the service you have signed up for — account management, record storage, sync, and billing.
- Legal obligation (Article 6(1)(c)): processing required to comply with legal obligations, such as retaining financial records for HMRC purposes or responding to law enforcement requests.
- Legitimate interests (Article 6(1)(f)): processing for security, fraud prevention, service maintenance, and aggregate product improvement, where our interests do not override your rights and freedoms.
- Consent (Article 6(1)(a)): where we ask for your consent, such as for optional marketing emails. You may withdraw consent at any time.
5. Special category data
RIDDOR accident records may contain special category personal data under Article 9 of UK GDPR, specifically health data (information about injuries sustained by individuals).
We process this data solely on behalf of our customers (as data processors), who are legally required to maintain RIDDOR records under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (SI 2013/1471) and the Health and Safety at Work etc. Act 1974.
The legal basis for customers to process this special category data is:
- Legal obligation (Article 9(2)(b)): processing necessary for the controller to carry out obligations under employment or social security law.
- Vital interests (Article 9(2)(c)): where processing is necessary to protect the vital interests of the data subject.
As data processor, we apply appropriate technical and organisational measures to protect health data, including encryption at rest and in transit, access controls, and audit logging.
Customers are responsible for ensuring they have an appropriate legal basis under Article 9 before recording health information using Notice Board, and for providing required privacy notices to data subjects (injured persons and witnesses).
6. How long we keep your data
6.1 Account data
We retain your account data for as long as your account is active. If you close your account, we will delete account data within 30 days, except where we are required to retain it for legal or regulatory reasons (for example, financial records are retained for 7 years to comply with HMRC requirements).
6.2 Record data
Records synced to your Notice Board account are retained for as long as your subscription is active, plus a 30-day grace period after cancellation during which you can export your data.
RIDDOR-related accident records are subject to a minimum statutory retention period. The Health and Safety Executive recommends retaining RIDDOR records for at least 3 years from the date of the accident (or longer for specific injury types). Many organisations retain accident records for 7 years or more as a legal precaution. Our default retention is 7 years from the date of the record, but this can be extended on Enterprise plans where regulatory requirements demand it.
6.3 Usage and log data
Access logs and usage data are retained for up to 12 months for security and operational purposes, then deleted.
7. Your rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access: you can request a copy of the personal data we hold about you.
- Right to rectification: you can ask us to correct inaccurate data.
- Right to erasure: you can ask us to delete your personal data in certain circumstances (note: we may be unable to erase data where we have a legal obligation to retain it, or where you are asking us to erase data in records for which a third party is the data subject).
- Right to restriction: you can ask us to stop processing your data in certain circumstances.
- Right to data portability: you can ask for your data in a machine-readable format. We provide JSON and Excel export functions for this purpose.
- Right to object: you can object to processing based on legitimate interests.
- Rights in relation to automated decision making: we do not make automated decisions that significantly affect you.
To exercise any of these rights, email dpo@notice-board.io. We will respond within one month.
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Note for customers: if you are an individual whose personal data appears within a Notice Board customer's records (for example, as an injured person in an accident record), your rights as a data subject are primarily exercisable against that customer, who is the data controller. We will direct requests to the appropriate customer where we receive them directly.
8. Data transfers
All Notice Board personal data is stored exclusively in UK data centres. We do not transfer personal data outside the United Kingdom.
8.1 Sub-processors
We use a small number of sub-processors to operate the service:
- Stripe: payment processing. Stripe is certified to PCI DSS Level 1. Stripe processes payment card and billing data in accordance with their own privacy policy. Data shared with Stripe is limited to what is necessary for billing. Stripe operates under standard contractual clauses.
- UK-based hosting provider: infrastructure and data storage. All data remains in the UK.
We do not use advertising networks, behavioural analytics platforms, or social media tracking pixels.
9. Cookies
This website and the Notice Board dashboard use a minimal number of cookies.
9.1 Session cookie
When you sign in to the Notice Board dashboard, we set a session cookie to keep you logged in. This cookie is:
- Strictly necessary for the service to function
- Deleted when you close your browser or sign out
- Not used for tracking or advertising
9.2 No tracking cookies
We do not use:
- Analytics cookies (e.g. Google Analytics)
- Advertising or retargeting cookies
- Social media tracking pixels
- Third-party cookies of any kind
Because we only set the strictly necessary session cookie, we are not required to show a cookie consent banner under the UK Privacy and Electronic Communications Regulations (PECR). If this changes, we will update this policy and implement appropriate consent mechanisms.
10. Contact us / DPO
For all data protection enquiries, subject access requests, or complaints, please contact our data protection lead:
- Email: dpo@notice-board.io
- Post: Data Protection, Notice Board Ltd, [Registered Address, England]
We will acknowledge your request within 72 hours and respond in full within one month.
If you wish to complain to the supervisory authority:
- Information Commissioner's Office (ICO)
  Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  ico.org.uk
  Helpline: 0303 123 1113
Changes to this policy
We may update this privacy policy from time to time. When we make significant changes, we will notify customers by email and by posting a notice on the dashboard. The "Last updated" date at the top of this page will always reflect the most recent version. Continued use of the service after changes are notified constitutes acceptance of the updated policy.