Privacy Policy

This Privacy Policy explains how Assura, a product of Privicy Advisory Services Limited (“we”, “us”, “our”), collects, uses, stores, and protects personal data in connection with the Assura platform and this website. We are committed to handling personal data in accordance with applicable Caribbean data protection legislation and the principles of privacy by design.

1. Who We Are

Assura is a SaaS governance, risk, and compliance platform operated by Privicy Advisory Services Limited, incorporated in Trinidad and Tobago. We provide data protection compliance tools to organisations across the Caribbean region.

Data Controller: Privicy Advisory Services Limited
Registered jurisdiction: Trinidad and Tobago
Contact: [email protected]

2. Personal Data We Collect

2.1 Account and registration data

Name, work email address, and job title
Organisation name, type, and jurisdiction
Login credentials (passwords are hashed and never stored in plain text)
Billing contact information

2.2 Platform usage data

Records of processing activities, DPIAs, breach logs, DSR entries, and maturity assessments created by your organisation within the platform
User activity logs, session data, and feature usage for platform operation and security
IP address, browser type, and device information for access security

2.3 Communications data

Enquiries submitted via the website contact form or email
Support tickets and correspondence

2.4 Data you enter on behalf of your organisation

When you use Assura to manage your compliance programme, you may enter personal data about your own employees, customers, or data subjects as part of your ROPA, DSR, or breach records. In relation to this data, we act as your data processor and you remain the data controller. This is governed by a separate Data Processing Agreement.

3. Legal Basis for Processing

Purpose	Legal basis
Providing the Assura platform and your account	Performance of contract
Processing payments and managing subscriptions	Performance of contract
Sending service communications (security alerts, updates)	Legitimate interest / contract
Security monitoring, fraud prevention, and audit logging	Legitimate interest
Responding to enquiries and support requests	Legitimate interest / consent
Improving platform features and performance	Legitimate interest
Complying with legal obligations	Legal obligation

4. How We Use Your Data

To create and manage your Assura account and provide platform access
To process subscription payments through our payment processor
To send transactional communications — account confirmations, security alerts, and service updates
To provide customer support and respond to enquiries
To monitor platform security, investigate incidents, and maintain audit trails
To improve platform functionality based on aggregated, anonymised usage patterns
To comply with applicable legal and regulatory obligations

We do not sell, rent, or trade your personal data to third parties. We do not use your data for automated profiling or decision-making that produces legal or similarly significant effects.

5. Data Sharing and Third Parties

We share personal data only with trusted infrastructure and service providers necessary to operate the platform:

Provider	Role	Data involved
Amazon Web Services (AWS)	Cloud hosting and infrastructure	All platform data, encrypted at rest
MongoDB Atlas	Database platform	Platform records and account data
Cloudflare	Network security and CDN	IP addresses, request metadata
Payment processor	Subscription billing	Billing contact and payment details

All third-party providers are contractually bound to process data only on our documented instructions and to maintain appropriate security measures. We do not permit them to use your data for their own purposes.

We may disclose personal data where required by law, court order, or regulatory authority with appropriate jurisdiction over our operations.

6. International Data Transfers

Our infrastructure providers operate servers in multiple regions. Where personal data is transferred outside your home jurisdiction, we ensure that appropriate safeguards are in place — including contractual protections with our providers — consistent with the requirements of applicable Caribbean data protection legislation.

7. Data Retention

Active account data — retained for the duration of your subscription plus 30 days following cancellation, during which you may export your records
Billing records — retained for 7 years in accordance with financial record-keeping obligations
Security and audit logs — retained for 12 months
Enquiry and correspondence data — retained for 3 years from last contact
Anonymised usage analytics — retained indefinitely

On account closure, your personal data is permanently deleted from live systems within 30 days and from backups within 90 days.

8. Your Rights

Depending on your jurisdiction, you may have the following rights in relation to your personal data:

Right of access — to receive a copy of the personal data we hold about you
Right of rectification — to have inaccurate data corrected
Right of erasure — to request deletion of your data where there is no overriding legal basis to retain it
Right to restrict processing — to limit how we use your data in certain circumstances
Right to object — to processing based on legitimate interest
Right to data portability — to receive your data in a structured, machine-readable format
Right to withdraw consent — where processing is based on consent, at any time

To exercise any of these rights, contact us at [email protected]. We will respond within the timeframe required by your applicable jurisdiction’s data protection law.

9. Cookies and Tracking

The Assura website uses only essential cookies necessary for security and basic functionality. We do not use advertising cookies, cross-site tracking, or third-party analytics services that profile individual users. Session cookies are used within the platform to maintain authenticated sessions and are deleted when you log out or close your browser.

10. Security

We implement technical and organisational measures appropriate to the risk, including AES-256 encryption at rest, TLS 1.3 for data in transit, role-based access controls, multi-factor authentication options, full audit logging, and regular security assessments. Details are set out in our Security page.

11. Children

Assura is a business-to-business platform not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data to us, contact [email protected] and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active account holders of material changes by email with at least 14 days’ notice before the change takes effect. The current version is always available at getassura.app/privacy.html.

Questions or complaints

If you have any questions about this Privacy Policy or wish to exercise your rights, contact our Privacy Officer at [email protected]. If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority in your jurisdiction.