Privacy Policy

This Privacy Notice explains how we collect, use, store, and protect personal data, within our product. We are committed to safeguarding personal data in accordance with applicable data protection and information security standards including ISO/IEC 27001.

  1. Scope

This notice applies to all users of our product. We collect, process, and store every user’s work email address for the purposes of authentication, authorisation, distribution of alerts, and maintaining audit logs of user activity.

We also use limited analytics to understand how users interact with our product and to improve usability and performance.

  1. What Information We Collect

We collect and store work email addresses which are considered personal data because they may identify a natural person.

We also use Hotjar, a tool that helps us understand general usage patterns within our product (for example, clicks and navigation behaviour). Hotjar does not record keystrokes or capture personal data entered forms, and all data collected is de-identified before being stored.

  1. Where Data Is Stored

The Processor shall store and process all Personal Data exclusively within AWS data centres located in regions aligned with the Customer’s geographic location, to comply with applicable data residency and data protection laws.

The Processor shall not store or transfer Personal Data outside of the designated regions without the Controller’s prior written consent and the implementation of appropriate safeguards.

Work email addresses are stored in the following regions:

  • United Kingdom
  • Ireland
  • New Zealand
  • Australia

The following AWS services are used for data processing and storage:

  • AWS Cognito for identity management and user authentication
  • AWS DynamoDB and PostgreSQL for audit logging
  • Encrypted AWS S3 for storing email distribution lists
  • Private production servers for hosting and managing email distribution lists

Hotjar processes analytics data within the European Economic Area (EEA) and does not transfer data outside the EEA. For more information, see Hotjar’s privacy statement at https://help.hotjar.com/hc/en-us/articles/6952777582999.

  1. Purpose of Processing

We use work email addresses for the following purposes:

  • Login and authentication to enable secure access to the product.
  • Alert distribution to deliver notifications and alerts via email distribution lists.
  • Audit logging to record actions taken by users, for example:
    • Logging in and out of the portal
    • Service changes enacted by the user (e.g. configuration changes and alert categorisation changes)
    • Notes created associated with an alert or site
    • Uploading a set of documents

We use Hotjar in a limited way to help improve product design and user experience. The data collected is used only for aggregated analysis and product improvement.

  1. Legal Basis for Processing

We process your work email address under the following lawful bases:

  • Contractual necessity: Processing is necessary to fulfil the contract, specifically to provide registered users with access to and functionality within the product.
  • Legitimate interests: Processing is necessary for our legitimate interests, including ensuring the security of the product, maintaining accurate audit trails, supporting product functionality, and improving usability.
  1. Data Access and Disclosure

Access to email addresses is restricted to authorised personnel. These addresses:

  • Are displayed within the StormHarvester Portal where necessary for functionality, such as displaying audit logs.
  • May appear in system logs and reports accessible only to the StormHarvester Engineering team.
  • Are never shared with third parties for marketing purposes.

Hotjar acts as a sub-processor for analytics data and processes only de-identified usage information under our instructions.

  1. Data Retention

We retain email addresses for the duration of the customer contract, unless a longer retention period is required by applicable law or necessary for compliance and security purposes. Upon a legitimate customer request user email addresses are deleted from AWS Cognito within 24 hours.

Full environment deletion occurs within 30 days.

Hotjar analytics data is automatically deleted after a short retention period (maximum 12 months).

  1. Security Measures

We implement appropriate technical and organisational measures to protect email addresses and associated data, in accordance with our ISO/IEC 27001-certified Information Security Management System (ISMS). These measures include, but are not limited to:

  • Role-based access control (RBAC) to ensure only authorised personnel can access personal data.
  • Audit trails and monitoring to detect and investigate unauthorised access or misuse.
  • Regular security assessments and reviews as part of our ISMS to maintain and improve our security posture.
  • Supplier risk assessments to ensure that third-party tools such as Hotjar maintain appropriate security and privacy controls.
  1. Your Data Protection Rights

Depending on your jurisdiction, you may have rights concerning your personal data, such as:

  • Access your personal data
  • Rectify inaccuracies
  • Request deletion
  • Object to or restrict processing
  • Lodge a complaint with a data protection authority

To exercise your rights, contact our DPO Lisa Shields lisa.shields@stormharvester.com.

If you wish to object to analytics processing, you can disable Hotjar by visiting https://www.hotjar.com/policies/do-not-track/ or by enabling “Do Not Track” in your browser settings.