This Privacy Notice explains how we collect, use, store, and protect personal data, specifically work email addresses, within our product. We are committed to safeguarding personal data in accordance with applicable data protection and information security standards including ISO/IEC 27001.

1. Scope

This notice applies to all users of our product. We collect, process, and store every user’s work email address for the purposes of authentication, authorisation, distribution of alerts, and maintaining audit logs of user activity.

2. What Information We Collect

We collect and store work email addresses which are considered personal data because they may identify a natural person.

3. Where Data Is Stored

The Processor shall store and process all Personal Data exclusively within AWS data centres located in regions aligned with the Customer’s geographic location, in order to comply with applicable data residency and data protection laws.

The Processor shall not store or transfer Personal Data outside of the designated regions without the Controller’s prior written consent and the implementation of appropriate safeguards.

Work email addresses are stored in the following regions:

  • United Kingdom

  • Ireland

  • New Zealand

  • Australia

The following AWS services are used for data processing and storage:

  • AWS Cognito for identity management and user authentication

  • AWS DynamoDB and PostgreSQL for audit logging

  • Encrypted AWS S3 for storing email distribution lists

  • Private production servers for hosting and managing email distribution lists

4. Purpose of Processing

We use work email addresses for the following purposes:

  • Login and authentication to enable secure access to the product.

  • Alert distribution to deliver notifications and alerts via email distribution lists.

  • Audit logging to record actions taken by users, for example:

    • Logging in and out of the portal

    • Service changes enacted by the user (e.g. configuration changes and alert categorisation changes)

    • Notes created associated with an alert or site

    • Uploading a set of documents

We process your work email address under the following lawful bases:

  • Contractual necessity: Processing is necessary to fulfil the contract, specifically to provide registered users with access to and functionality within the product.

  • Legitimate interests: Processing is necessary for our legitimate interests, including ensuring the security of the product, maintaining accurate audit trails, and supporting product functionality.

6. Data Access and Disclosure

Access to email addresses is restricted to authorised personnel. These addresses:

  • Are displayed within the StormHarvest Portal where necessary for functionality, such as displaying audit logs.

  • May appear in system logs and reports accessible only to the StormHarvester Engineering team.

  • Are never shared with third parties for marketing purposes.

7. Data Retention

We retain email addresses for the duration of the customer contract, unless a longer retention period is required by applicable law or necessary for compliance and security purposes. Upon a legitimate customer request:

  • User email addresses are deleted from AWS Cognito within 24 hours.

  • Full environment deletion occurs within 30 days.

8. Security Measures

We implement appropriate technical and organisational measures to protect email addresses and associated data, in accordance with our ISO/IEC 27001-certified Information Security Management System (ISMS). These measures include, but are not limited to:

  • Role-based access control (RBAC) to ensure only authorised personnel can access personal data.

  • Audit trails and monitoring to detect and investigate unauthorised access or misuse.

  • Regular security assessments and reviews as part of our ISMS to maintain and improve our security posture.

9. Your Data Protection Rights

Depending on your jurisdiction, you may have rights concerning your personal data, such as:

  • Access your personal data

  • Rectify inaccuracies

  • Request deletion

  • Object to or restrict processing

  • Lodge a complaint with a data protection authority

To exercise your rights, contact our DPO Lisa Shields lisa.shields@stormharvester.com