Privacy Policy
Last updated: December 2025
support@risknado.com
1. Introduction
This Privacy Policy explains how Risknado ("Risknado", "we", "us" or "our") collects, uses and protects your personal information when you use our website and platform at risknado.com (the "Platform").
For the purposes of UK GDPR, Risknado (operated by Jonathan McCallum, United Kingdom) is the data controller of personal data collected through the Platform. Our core service providers, including Lovable Labs Incorporated ("Lovable"), Supabase Inc. ("Supabase") and Stripe, act as data processors on our behalf.
By using the Platform, you agree to the terms of this Privacy Policy.
2. Information We Collect
We collect and process the following information.
a) Information you provide directly
- Name, business email address, company name and password when creating an account.
- Billing details such as your company name, billing address and VAT information.
- Payment details, which are processed securely via Stripe. We do not store full card numbers on our systems.
- Risk and mitigation information that you enter into the Platform, including risk titles, descriptions, notes and actions.
- Messages, feedback and support requests sent to support@risknado.com.
b) Information we collect automatically
When you use the Platform, we automatically collect:
- Usage data such as pages visited, features used, time spent, approximate location, and timestamps.
- Technical data such as IP address, browser type, device type and operating system.
- Log data relating to errors, performance and security events.
- Cookies and similar technologies that help us keep you logged in, remember preferences and understand how the Platform is used.
c) Information about your organisation and users
If you are an account owner or admin, you may provide:
- Team member names and business email addresses so they can be invited to your workspace.
- High-level information about your organisation such as sector, size or risk focus areas, where you choose to provide it.
3. How We Use Your Information
We use your personal data to:
- Create and manage your account and your organisation's workspace.
- Provide, operate and maintain the Platform, including storing your risk register and related notes.
- Process payments and issue invoices and receipts.
- Respond to support requests, queries and complaints.
- Monitor usage, fix bugs and improve performance and security.
- Develop, test and improve features and the risk library, including using aggregated or anonymised data for analytics.
- Send service messages such as security notices, changes to this Policy and important updates about the Platform.
- Send limited product or feature updates and, where you have opted in, marketing communications about Risknado.
- Comply with legal obligations, including tax and accounting requirements and responding to lawful requests from authorities.
We will never sell or rent your personal data to third parties.
4. Legal Basis for Processing
We process personal data under the following lawful bases:
- Contractual necessity - to provide you with access to the Platform and fulfil our obligations under our Terms of Service.
- Legitimate interests - to maintain and improve the Platform, ensure security, prevent abuse, understand how the Platform is used and communicate with you about related products and features, where these interests are not overridden by your rights.
- Legal obligation - to comply with applicable laws, regulatory requirements and record keeping obligations.
- Consent - for optional activities that require consent, such as non-essential cookies and certain types of marketing communications. You can withdraw consent at any time.
5. Third Party Services and Infrastructure
Risknado is built and operated using third party platforms and infrastructure. In particular:
- The web application is built and hosted using Lovable.
- Our database, authentication and storage are provided by Supabase.
- Payments are processed by Stripe Payments UK Ltd ("Stripe").
- We may use analytics providers (for example, Posthog or Google Analytics) to understand how the Platform is used.
- We may use email and support tools to send messages and manage support requests.
These providers help us run the Platform but do not provide any direct contractual rights to you. They act as data processors for us and are contractually required to protect your personal data and only process it according to our instructions and applicable data protection laws.
Your use of the Platform may also be subject to their publicly available terms and privacy policies, for example the policies at lovable.dev/privacy and supabase.com/privacy.
We carefully select third party providers, but we do not control their internal systems or data handling practices. They are responsible for their own infrastructure, security and compliance, as described in their policies.
6. Sharing Your Information
We share personal data only with trusted service providers where necessary to operate the Platform:
- Lovable Labs Incorporated - application builder and hosting provider.
- Supabase Inc. - managed database, authentication and storage provider.
- Stripe Payments UK Ltd - payment processing.
- Hosting, CDN and DNS providers - to deliver the website and application.
- Analytics providers - to collect usage data and improve the Platform.
- Email and communication tools - to send transactional and support emails.
- Professional advisers (such as accountants or lawyers) - where necessary for our business operations.
- Authorities or law enforcement - where we are legally required to do so or where it is necessary to protect our rights or the rights of others.
We require all such providers to keep your data confidential and to use it only for the services they provide to us.
We do not sell personal data and we do not share personal data with third parties for their own independent marketing purposes.
7. International Transfers
Your personal data may be processed or stored in the United Kingdom, the European Economic Area (EEA), the United States or other locations where our service providers operate.
In particular:
- Lovable and Supabase operate infrastructure in countries outside the UK and EEA, including the United States and other regions.
- Stripe and some analytics or email providers may also process data outside the UK and EEA.
Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards such as:
- Standard Contractual Clauses approved by the European Commission and adopted under UK data protection law, or
- Other lawful transfer mechanisms permitted under UK GDPR and EU GDPR.
You can contact us if you would like more information about the safeguards used for a specific transfer.
8. Data Retention
We retain personal data for as long as necessary to fulfil the purposes set out in this Policy, including to:
- Provide you with access to the Platform,
- Maintain records of your purchase and use, and
- Comply with legal, accounting and reporting requirements.
In general:
- Account and workspace data are kept for as long as your account is active.
- After an account is closed, we may retain limited data (for example invoices and basic account records) for up to 6 years where required for tax, accounting or legal purposes.
- Logs and analytics data are kept for shorter periods where possible and are often aggregated or anonymised.
You may request deletion of your account and associated personal data at any time, subject to any information we must keep for legal or legitimate business reasons.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit using HTTPS.
- Access controls and authentication on administrative accounts.
- Limiting access to personal data to people who need it for their role.
- Regular monitoring and maintenance of the Platform and its infrastructure.
However, no system is completely secure. We rely on third party infrastructure providers such as Lovable, Supabase and our hosting and payment providers to implement their own security controls. We cannot guarantee the absolute security of information transmitted to or stored on the Platform.
If we become aware of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and, where required, the relevant supervisory authority in line with our legal obligations.
10. Your Rights (UK GDPR)
If you are in the UK or the EEA, you have the following rights regarding your personal data:
- Access - request a copy of the personal data we hold about you.
- Correction - request correction of inaccurate or incomplete data.
- Deletion - request deletion of your personal data in certain circumstances.
- Restriction - request that we restrict processing in certain situations.
- Portability - request transfer of your data to another provider in a structured, commonly used and machine-readable format where technically feasible.
- Objection - object to processing based on our legitimate interests, including certain forms of profiling.
- Withdraw consent - where processing is based on consent, you can withdraw consent at any time.
To exercise your rights, contact support@risknado.com. We may need to verify your identity before acting on your request. We aim to respond within one month, and sooner where possible.
You also have the right to lodge a complaint with your local data protection authority. In the UK this is the Information Commissioner's Office (ICO).
11. Cookies and Similar Technologies
Risknado uses cookies and similar technologies for:
- Core site functionality such as login and session management.
- Security and fraud prevention.
- Analytics and performance measurement to understand how the Platform is used and to improve it.
You can manage or disable cookies through your browser settings. If you disable certain cookies, some features of the Platform may not function properly.
Where required by law, we will obtain your consent before setting non-essential cookies.
12. No Sensitive Data and Children's Data
12.1 No sensitive or high risk personal data
The Platform is designed for general business risk information and related notes. It is not intended to store special category personal data or other highly sensitive information.
You should not upload or store:
- Health or medical information about identifiable individuals,
- Biometric data,
- Full payment card numbers or bank account details,
- Government identification numbers such as passport or national insurance numbers,
- Information about children, or
- Other special category data as defined under UK GDPR.
If you choose to upload such information despite this guidance, you do so at your own risk. Our obligations to protect personal data remain, but we do not design the Platform to process these categories of data and cannot guarantee that it is appropriate for such use.
12.2 Children's data
The Platform is intended for business use and is not directed at children. We do not knowingly collect personal data from anyone under 18 years of age. If you believe we may have collected personal data from a child, please contact us so we can investigate and delete the data where appropriate.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to the Platform, our service providers or applicable law.
The latest version will always be available at risknado.com/privacy.
The "Last updated" date at the top of this page will show when the Policy was last revised.
In the case of material changes, we may also notify you by email or through the Platform.
Your continued use of the Platform after changes take effect will constitute your acceptance of the updated Policy. If you do not agree with the updated Policy, you should stop using the Platform.
14. Contact
For privacy questions, data access requests or complaints, please contact:
support@risknado.com
Operated by
Jonathan McCallum, trading as Risknado, United Kingdom
167-169 Great Portland St, 5th Floor, London, W1W 5PF
