Privacy Policy

Last updated: 7 February 2026

This policy explains how COSHHmate (coshhmate.co.uk) collects, uses, and protects your personal data. COSHHmate is operated by Crocker Digital Ltd (Company No. 17008789), which is the data controller for the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018).

We have written this policy in plain English so it is easy to understand.

What data we collect

Account information

When you create an account, we collect:

  • Your email address
  • Your name
  • Your organisation name (if provided)

COSHH assessment data

When you use COSHHmate, you may enter:

  • Substance names and details
  • Hazard and risk information
  • Control measures
  • Assessment records and review schedules

This is workplace safety data about chemical substances. We do not collect personal health data about individuals.

Payment information

If you subscribe to a paid plan, payment is processed by Stripe. We do not store your card details. Stripe provides us with limited billing information such as the last four digits of your card, your billing email, and transaction history.

Usage analytics

We use GoatCounter for website analytics. GoatCounter is privacy-friendly: it does not use cookies, does not track individuals, and does not collect personal data. We receive only aggregate information such as page view counts and referral sources.

Technical data

When you use COSHHmate, our hosting provider (Netlify) may collect standard access logs including IP addresses and browser information. These are used for security and performance purposes.

How we use your data

We use your data to:

  • Provide and operate COSHHmate
  • Manage your account and subscription
  • Send transactional emails (such as password resets and billing receipts)
  • Improve the service based on aggregate usage patterns
  • Respond to support requests
  • Meet our legal obligations

We do not sell your data. We do not use your data for advertising. We do not share your COSHH assessment data with third parties except as described in this policy.

Lawful basis for processing

Under UK GDPR, we process your data on the following bases:

  • Contract: If you have a paid subscription, we process your data as necessary to perform our contract with you (Article 6(1)(b))
  • Legitimate interest: If you use the free tier, we process your data based on our legitimate interest in providing and improving the service (Article 6(1)(f)). You can object to this processing at any time
  • Legal obligation: We may process data where necessary to comply with a legal obligation (Article 6(1)(c))

Who we share data with

We use a limited number of third-party service providers (subprocessors) to operate COSHHmate. Each provider only processes data as necessary for its specific purpose. See our Subprocessors list for full details.

| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | EU |
| Stripe | Payment processing | US (EU-US Data Privacy Framework) |
| Resend | Transactional email | US |
| Netlify | Web hosting | US (Standard Contractual Clauses) |
| GoatCounter | Analytics (no personal data) | EU |

International data transfers

Some of our subprocessors are based outside the UK and EU:

  • Supabase: Data is hosted in the EU. No international transfer required.
  • Stripe: Based in the US. Stripe is certified under the EU-US Data Privacy Framework, which provides adequate protection for data transfers.
  • Resend: Based in the US. Transfers are covered by Standard Contractual Clauses.
  • Netlify: Based in the US. Transfers are covered by Standard Contractual Clauses.
  • GoatCounter: Hosted in the EU. No personal data is collected.

Data retention

We retain your data for as long as your account is active. If you request account deletion, we retain your data for 30 days to allow recovery, then permanently delete it. See our Retention and Deletion Policy for more detail.

Your rights

Under UK GDPR, you have the right to:

  • Access your personal data (request a copy of what we hold)
  • Correct inaccurate data
  • Delete your data (right to erasure)
  • Export your data in a portable format (data portability)
  • Object to processing based on legitimate interest
  • Restrict processing in certain circumstances
  • Withdraw consent where processing is based on consent

To exercise any of these rights, email us at hello@coshhmate.co.uk. We will respond within one month, as required by law.

Children

COSHHmate is not intended for use by anyone under the age of 18. We do not knowingly collect data from children.

Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email. The "Last updated" date at the top of this page indicates when the policy was last revised.

Contact

If you have questions about this policy or how we handle your data, contact us at:

  • Email: hello@coshhmate.co.uk
  • Data controller: Crocker Digital Ltd, Company No. 17008789

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
