Privacy Policy

CrownSync LTD — All Services

Last updated: April 2026


CrownSync LTD (“CrownSync”, “we”, “us”, “our”) is committed to protecting personal data and handling it responsibly. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use any CrownSync service.

This policy applies to all CrownSync services, including:

  • CrownSync CE Readiness (ce.crownsync.uk)
  • CrownSync Playbooks (pb.crownsync.uk)
  • crownsync.uk (our website)

CrownSync LTD is registered with the Information Commissioner’s Office (“ICO”) as a data controller. Registration reference: ZC109210.


1. Who We Are

CrownSync LTD
Company number: 15464490
128 City Road, London, EC1V 2NX, United Kingdom

Email: [email protected]
Website: crownsync.uk

For all data protection queries, please contact us at [email protected] using the subject line “Data Protection”.


2. Our Role in Relation to Personal Data

Depending on the context, CrownSync may act as either a data controller or a data processor.

  • Where an organisation uses our Services to store, manage, or process assessment data, playbook data, collaboration data, or similar operational data, that organisation will generally act as the controller, and CrownSync will generally act as its processor.
  • CrownSync acts as an independent controller for personal data we process for our own business purposes, including account administration, service security, fraud prevention, support, billing, legal compliance, and service analytics at platform level.

This Privacy Policy explains how CrownSync handles personal data in both capacities where relevant.


3. What Data We Collect

We may collect and process the following categories of personal data.

3.1 Account and identity data

  • Name
  • Email address
  • Authentication tokens
  • Session data

3.2 Organisation data

  • Organisation name
  • Company registration number
  • Registered address
  • Operational address
  • Sector
  • Employee count
  • Website
  • Publicly available company information retrieved from Companies House
  • Regulatory flags, technology stack details, IT team structure, insurance status, and incident command contacts, where entered into the Services

3.3 Assessment data (CE Readiness)

  • Answers to Cyber Essentials preparation questions
  • Evidence notes attached to answers
  • Gap analysis results
  • Comments and discussion threads
  • Version history of answers

3.4 Playbook data (Playbooks)

  • Edits, notes, and customisations to playbook sections
  • Version history of playbook changes
  • Export verification metadata

3.5 Team and collaboration data

  • Names and email addresses of invited contributors
  • Question assignments and deadlines
  • Contributor access tokens
  • Names and email addresses of remediation task assignees, including external contractors or managed service providers
  • Task instructions and completion notes
  • External collaborator access data, including authentication and access event records

3.6 Board sign-off data (CE Readiness)

  • Names and email addresses of board approvers or signatories
  • Job titles, where provided
  • Approval tokens
  • Approval timestamps
  • IP addresses and user agent data at the time of approval
  • Declaration text confirmed by the approver

3.7 Partner data (Playbooks)

Where your organisation is managed through a CrownSync partner arrangement (such as an MSP or MSSP), authorised partner users may be able to view certain organisation-level data in accordance with the relevant service permissions. Partners cannot edit playbook content unless expressly permitted.

3.8 Lead and access request data

If you request a demo, quote, free trial, or access to a Service, we may collect:

  • Name
  • Email address
  • Organisation name
  • Sector
  • Any additional information you choose to provide

3.9 Audit log data

We maintain audit and event records relating to significant actions taken within the Services, such as:

  • Logins
  • Invitations
  • Question answers
  • Edits
  • Sign-off decisions
  • Data exports
  • Settings changes

Audit records may include:

  • User or account identifier
  • Name and email address
  • Timestamp
  • Action description
  • IP address
  • User agent
  • Related technical metadata

Audit logs are immutable and cannot be edited or deleted by users.

3.10 Technical data

  • Browser type and version
  • Device and session metadata
  • IP address
  • Pages visited
  • Approximate usage and interaction data

3.11 Onboarding progress data

We may store information about your progress through onboarding steps, including:

  • Steps completed
  • Tooltips dismissed
  • Setup actions taken

This is used only to personalise and improve your onboarding experience.


4. How We Use Your Data

We process personal data for the following purposes.

4.1 To provide and operate the Services

Including to:

  • Create and manage accounts
  • Authenticate users
  • Provide CE Readiness and Playbooks functionality
  • Enable collaboration workflows
  • Send invitations, reminders, and transactional emails
  • Generate reports and exports
  • Process board sign-off and approval workflows

4.2 To secure and improve the Services

Including to:

  • Prevent fraud, abuse, and unauthorised access
  • Maintain service security and integrity
  • Investigate incidents and misuse
  • Improve product performance, reliability, and usability
  • Maintain audit trails and governance records

4.3 To manage our business and comply with legal obligations

Including to:

  • Respond to legal or regulatory requests
  • Maintain financial and business records
  • Enforce our contractual terms
  • Establish, exercise, or defend legal claims

4.4 To communicate with you

Including to:

  • Respond to support enquiries
  • Send service updates
  • Provide onboarding assistance
  • Send marketing communications where you have chosen to receive them

4.5 Automated reminders

Where contributors or assignees have been given tasks with deadlines, we may send automated reminder emails at intervals before and after the deadline (for example, at 7 days, 3 days, and 1 day before deadline, and after the deadline passes). Recipients may contact the assessment or playbook owner to be removed from assignments.

We do not sell personal data to third parties. We do not use personal data for automated decision-making that produces legal or similarly significant effects.


5. Lawful Bases for Processing

We process personal data under one or more of the following lawful bases under UK GDPR.

5.1 Contract

Where processing is necessary to provide the Services you have requested, including:

  • Account creation and authentication
  • Service delivery
  • Invitation and workflow emails
  • Reports, exports, and collaboration features

5.2 Legitimate interests

Where processing is necessary for our legitimate interests, provided those interests are not overridden by your rights and interests. This includes:

  • Securing the Services
  • Preventing misuse and fraud
  • Maintaining audit trails
  • Improving the Services
  • Handling support and operational communications
  • Retaining appropriate records for governance and legal protection

5.3 Legal obligation

Where we must process data to comply with applicable law, regulation, court order, or lawful request.

5.4 Consent

Where we rely on consent, such as for certain marketing communications, you may withdraw that consent at any time.


6. Data Sharing and Processors

We may share personal data with trusted service providers that help us operate the Services. These providers act on our behalf under appropriate contractual and data protection terms, including Data Processing Agreements where required under UK GDPR Article 28.

Our current providers are as follows.

6.1 Hetzner Online GmbH — Cloud Infrastructure and Data Hosting

Purpose: Cloud hosting, infrastructure services, and data storage.
Location: European Union (Germany and Finland).

Your assessment data, playbook data, and organisation data are stored on servers hosted by Hetzner. Hetzner’s data centres hold the following certifications:

  • ISO/IEC 27001:2022 — Information security management systems
  • ISO/IEC 27018 — Protection of personally identifiable information in cloud services
  • BSI C5:2020 — German Federal Office for Information Security Cloud Computing Compliance Criteria Catalogue
  • PCI DSS — Payment Card Industry Data Security Standard
  • KRITIS-V / NIS-2 — Compliance with EU Network and Information Security Directive and German critical infrastructure regulations
  • BSI Grundschutz — German Federal Office for Information Security baseline protection standards
  • SOC 2 — Service Organisation Controls for security, availability, and confidentiality

Hetzner maintains Technical and Organisational Measures (TOMs) that meet the requirements of Article 32 of the UK GDPR. Your data is stored in the European Union and does not leave the EU/EEA.

6.2 Cloudflare, Inc. — Web Application Firewall and DDoS Protection

Purpose: DNS, CDN, DDoS protection, traffic filtering, Web Application Firewall (WAF), and SSL/TLS termination.

All traffic to CrownSync passes through Cloudflare’s network. Cloudflare holds the following certifications:

  • ISO/IEC 27001 — Information security management (certified since 2019, full platform scope)
  • ISO/IEC 27701:2019 — Privacy information management system, aligned with GDPR — certified as both data processor and data controller
  • ISO/IEC 27018 — Protection of personal data in cloud services
  • SOC 2 Type II — Annual independent audit of security, confidentiality, and availability controls
  • PCI DSS Level 1 — Highest level of payment card industry certification, audited annually
  • BSI C5:2020 — German Federal Office for Information Security cloud standard
  • European Cloud Code of Conduct — EU framework for cloud service provider data protection compliance

Cloudflare acts as a data processor on behalf of CrownSync. A Data Processing Agreement is in place with Cloudflare in accordance with UK GDPR Article 28.

6.3 Resend Inc. — Transactional Email Delivery

Purpose: Sending transactional emails, including invitations, reminders, sign-off links, contributor notifications, and service communications.
Location: United States.

Resend holds:

  • SOC 2 Type II — Annual independent audit covering security, availability, and confidentiality of customer data

Resend processes only the email addresses necessary to deliver transactional emails. No marketing emails are sent via Resend. A Data Processing Agreement is in place with Resend in accordance with UK GDPR Article 28. Transfers to the United States are protected by Standard Contractual Clauses approved by the ICO.

6.4 Plausible Analytics (self-hosted)

Purpose: Privacy-focused analytics for website and product usage.
Location: Hosted by us on our own infrastructure at Hetzner in the European Union. No data is sent to Plausible’s own servers.

Plausible does not use cookies and does not collect personally identifiable information. It records page views and events in aggregate only. Your IP address is not stored by Plausible.

6.5 Authentik (self-hosted)

Purpose: Authentication, sign-in, and identity management.
Location: Hosted by us on our own infrastructure at Hetzner in the European Union. Authentication data does not leave the EU.

Authentication is self-hosted specifically to keep all identity data within the EU under our direct control.

6.6 Companies House API

Purpose: Retrieving publicly available company information to help populate organisation details during onboarding.
Note: We query public data only. No personal data is sent to Companies House.
Operated by: Companies House, Cardiff, Wales.

Why we chose these providers

Each provider was selected based on their security certification status, data residency options, and compliance with UK and EU data protection law. Authentication is self-hosted specifically to keep all identity data within the EU. We review our provider arrangements periodically and will update this section when they change.

For questions about our infrastructure security or to request copies of relevant Data Processing Agreements, contact [email protected].

We do not sell personal data. We may disclose personal data where required by law, court order, or regulatory authority, or where reasonably necessary to protect our rights, users, systems, or Services.


7. Analytics

We use Plausible Analytics, a privacy-focused analytics service, to understand how our websites and Services are used and to improve performance and usability.

Plausible does not use cookies and does not collect personally identifiable information. Data collected may include:

  • Pages visited
  • Referring site
  • Browser type
  • Approximate geography derived from IP address (IP address itself is not stored)
  • Product interaction events

Our analytics setup is designed to avoid identifying individual users. We do not use analytics for advertising or behavioural profiling.

No consent is required for Plausible analytics under UK GDPR as no personal data is processed by Plausible in its standard configuration.


8. Cookies

We use only cookies and similar technologies that are strictly necessary for the operation, security, and authentication of the Services, unless we clearly state otherwise elsewhere.

8.1 Authentication cookies

Purpose: Keeping you signed in and maintaining secure sessions.
Duration: Session-based or up to 30 days depending on configuration.
Basis: Strictly necessary — no consent required.

We do not use advertising, tracking, or analytics cookies. Further information is available in our Cookie Policy.


9. How Long We Keep Your Data

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including service provision, security, audit, dispute resolution, legal compliance, and protection of our legitimate interests.

Typical retention periods are as follows:

Data type | Typical retention period | Basis
--- | --- | ---
Assessment answers and gap analysis | 12 months from last activity | Legitimate interests / contract
Playbook customisations and version history | Duration of subscription plus up to 90 days | Contract
Account data (name, email) | Until account deletion or valid erasure request, plus up to 12 months to allow for reactivation where applicable | Contract / legitimate interests
Audit log records | Up to 6 years, and in some cases longer where required for legal claims or compliance | Legitimate interests / legal obligation
Board sign-off records | Up to 6 years | Legitimate interests / legal claims
Contributor data | 12 months from assessment end, unless longer retention is required | Legitimate interests
Lead and access request data | Up to 24 months | Legitimate interests / pre-contract steps
Financial records | 6 years or such longer period as required by law | Legal obligation (HMRC)
Support communications | Up to 12 months from closure of the enquiry, unless longer retention is required | Legitimate interests

After the relevant retention period, we delete, anonymise, or otherwise reduce the identifiability of the data where appropriate.

Onboarding progress data is generally retained for the lifetime of the account and is deleted or anonymised where appropriate following account closure or a valid erasure request.

Exported PDFs may be generated on demand. Where we do not store the PDF itself, we may retain associated verification or audit metadata.


10. Erasure, Deletion, and Anonymisation

You have the right, in certain circumstances, to request erasure of your personal data under UK GDPR Article 17.

How we handle erasure requests

Rather than deleting all data associated with your account, we anonymise your personal identifiers while retaining your organisation’s operational and governance records. This approach satisfies your right to erasure while protecting our legitimate interests and those of your organisation and other users connected to the same records.

What we anonymise (your personal data)

  • Your name — replaced with a generic label such as “Former User” or “Former Signatory”
  • Your email address — replaced with an anonymised identifier
  • Your IP addresses in audit records — removed
  • Your login account — permanently deleted

What we retain (organisational data)

  • Your organisation’s name and company details
  • Assessment answers and gap analysis results
  • Playbook customisations and version history (in anonymised form)
  • Board sign-off decisions and timestamps (your name anonymised)
  • Audit log events (your name anonymised, IP address removed)
  • Remediation notes (content retained, your name anonymised)

Why we retain organisational data

Assessment, playbook, and audit records are retained for up to 6 years under UK GDPR Article 17(3) for the following legitimate purposes:

  • Governance and accountability of the organisation’s preparation and response processes
  • Defence of legal claims (6-year limitation period under the Limitation Act 1980)
  • Fraud prevention and dispute resolution
  • Compliance with our obligations to other users of the same assessment or playbook
  • Maintaining the integrity of audit trails relied upon by other team members

Where we anonymise data, we do so with the aim that individuals are no longer identifiable, taking into account the means reasonably likely to be used to identify them. Anonymised records cannot be re-linked to you. Where data is anonymised such that individuals are no longer identifiable, it falls outside the scope of UK GDPR.

Where full anonymisation is not possible or appropriate, we may instead retain limited information where necessary for legal claims, fraud prevention, audit integrity, compliance obligations, or protection of other users or organisations connected to the same records.

How to request erasure

Submit an erasure request through your account privacy settings, or email [email protected]. We will acknowledge your request within 72 hours and complete processing within 30 days.

Contributors and external participants

Contributors or other individuals who do not hold a CrownSync account may submit an erasure request by emailing [email protected] or by using any request route we make available on the relevant Service (for example, ce.crownsync.uk/privacy/erasure-request). Contributor personal identifiers will be anonymised within 30 days of a valid request. Assessment answers or task records submitted by contributors will be retained in anonymised form as part of the organisation’s records.


11. Your Rights

Subject to applicable law, you may have the following rights in relation to your personal data:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete personal data
  • Right to erasure — request deletion or anonymisation of personal data where applicable (see Section 10)
  • Right to restriction — ask us to restrict processing in certain circumstances
  • Right to data portability — receive certain personal data in a structured, commonly used, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent

To exercise any of these rights, contact [email protected] or visit your account privacy settings where available.

We will acknowledge all data subject requests within 72 hours and respond in full within 30 days of receipt. If we need additional time (up to a further 2 months for complex requests under Article 12(3)), we will notify you within the initial 30-day period explaining the reason for the delay. We may ask for proof of identity before completing certain requests.

Contributors and remediation assignees

If you have been invited to contribute to an assessment or assigned a remediation task, your name and email address are processed by CrownSync on behalf of the organisation that invited you. You can submit a data subject request by emailing [email protected] or by using the privacy request route on the relevant Service.

Board sign-off participants

Where an assessment owner requests board sign-off, we process the name, job title, and email address of the director or signatory to send the sign-off request and record the declaration. Upon approval or rejection, the signatory’s IP address and timestamp are recorded for audit purposes. A partial IP address is visible to the assessment owner as confirmation that the sign-off was completed. The full IP address is retained in system audit logs accessible only to CrownSync administrators.

The legal basis for this processing is legitimate interests — specifically the organisation’s interest in maintaining a tamper-evident record of the sign-off declaration.

In the event of an erasure request from a signatory, their name will be replaced with “Former Signatory” in all records. The sign-off decision, timestamp, and role/title are retained for up to 6 years as part of the organisation’s governance record. This anonymised record no longer constitutes personal data under UK GDPR.

Sign-off participants may exercise their data rights by contacting [email protected].

Automated reminders

Where contributors or assignees have been given tasks with deadlines, we may send automated reminder emails at intervals before and after the deadline. Recipients may contact the assessment or playbook owner to be removed from assignments.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):


12. Data Security

We implement and maintain appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

These measures include:

  • All data transmitted over HTTPS/TLS
  • Database encrypted at rest
  • Access controls limiting staff access to personal data
  • Authentication via self-hosted Authentik with multi-factor authentication (MFA) available
  • TOTP-based multi-factor authentication required for external collaborators (Playbooks)
  • Regular security updates applied within 14 days of release
  • Audit logging of all significant data access and changes
  • Web Application Firewall (WAF) protection via Cloudflare
  • Infrastructure and application security controls
  • Segregation of data and user access controls where appropriate

We regularly review security advisories for our software dependencies and address security vulnerabilities as part of our commitment to keeping your data secure. Where vulnerabilities require major version upgrades that would introduce breaking changes, we assess the practical risk in the context of our infrastructure before upgrading. Our application is protected by a Web Application Firewall and authenticated access controls which mitigate the majority of known vulnerabilities in our current dependency versions.

No system can be guaranteed to be completely secure. However, we take reasonable steps appropriate to the nature of the data and the risks involved.

Where required by law, we will notify relevant regulators and affected individuals of personal data breaches within 72 hours of becoming aware of the breach, in accordance with UK GDPR Article 33.


13. Infrastructure and Provider Certifications

CrownSync is built on infrastructure from providers that hold independent third-party security certifications. We selected these providers specifically because of their security posture and compliance with international standards relevant to UK and European data protection law.

Full details of provider certifications are set out in Section 6 of this Privacy Policy.

Further information about our technical and organisational measures, sub-processors, and relevant provider arrangements may be made available on request, subject to confidentiality, security, and operational limits. Contact [email protected].


14. International Transfers

Some of our providers may process personal data outside the United Kingdom or European Economic Area.

Where we transfer personal data internationally, we take steps to ensure that appropriate safeguards are in place where required by law. These may include:

  • Adequacy regulations
  • Standard contractual clauses
  • International data transfer addenda
  • Other recognised safeguards

Specifically:

  • Resend (United States) — transfers are protected by Standard Contractual Clauses approved by the ICO.
  • Cloudflare — may process certain traffic data outside the UK/EEA in the course of providing CDN and security services. A DPA with standard contractual clauses is in place.

Authentication and core service data are hosted within the European Economic Area on our self-hosted infrastructure and do not leave the EEA.

Your assessment data and organisation data are hosted by Hetzner within the European Union.

The European Union has been granted adequacy status by the UK government, meaning data transfers between the UK and EU meet the required legal standards under UK GDPR.


15. Changes to This Policy

We may update this Privacy Policy from time to time.

Where changes are material, we will notify affected users by email, in-product notice, or other appropriate means at least 14 days before the updated policy takes effect.

The latest version will always be available at crownsync.uk/privacy-policy.


16. Contact

For privacy-related queries or to exercise your rights, contact:

Email: [email protected]
Subject line: Data Protection

CrownSync LTD
128 City Road, London, EC1V 2NX, United Kingdom

Website: crownsync.uk

ICO Registration: ZC109210


End of Privacy Policy

CrownSync LTD — Company No. 15464490 — ICO Registration: ZC109210