Privacy Policy
Last updated: 2 April 2026
1. Who we are
CrisisLoop ("we", "us", "our") is an operational resilience platform operated by CrisisLoop Ltd, registered in the United Kingdom. This policy explains how we collect, use, store, and protect personal data when you use our website and platform.
2. Data we collect
We collect the following categories of personal data:
- Account data: Name, email address, job title, and company name when you register or are invited to the platform.
- Usage data: How you interact with the platform, including pages visited, features used, exercise participation, and session duration.
- Contact data: Information you provide when contacting us through forms, email, or the waitlist.
- Technical data: IP address, browser type, operating system, and device information collected automatically through server logs.
3. How we use your data
We use personal data for the following purposes:
- Providing and maintaining the CrisisLoop platform and services
- Authenticating users and managing account security (including MFA)
- Sending service-related communications (welcome emails, password resets, assignment notifications)
- Responding to enquiries submitted through our contact forms
- Improving the platform based on usage patterns
- Complying with legal and regulatory obligations
We do not sell personal data to third parties. We do not use personal data for advertising purposes.
4. Legal basis for processing
We process personal data on the following legal bases under UK GDPR:
- Contract: Processing necessary to provide the platform services you or your organisation have engaged.
- Legitimate interests: Improving our services, ensuring platform security, and communicating with prospects who have expressed interest.
- Consent: Where you have opted in to receive communications (e.g., waitlist signups).
- Legal obligation: Where we are required to retain data for compliance, audit, or regulatory purposes.
5. Data retention
We retain personal data for as long as necessary to fulfil the purposes described above. Account data is retained for the duration of the customer relationship and for a reasonable period thereafter for audit and legal purposes. Contact form submissions are retained for 12 months. You may request deletion at any time.
6. Data security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit (TLS) and at rest
- Multi-factor authentication for all platform access
- Role-based access controls with audit logging
- Regular security reviews and vulnerability management
- Secure password hashing (bcrypt)
7. Multi-tenancy and data isolation
The CrisisLoop platform is multi-tenant. Each customer's data is logically isolated by company identifier at the database query level. Users can only access data belonging to their own organisation. Platform staff access is logged and auditable.
8. Sub-processors
We use the following third-party services to operate the platform:
- Anthropic (Claude API): AI-powered exercise generation and scoring. Data is processed in accordance with Anthropic's data processing terms.
- Infrastructure providers: Hosting and database services within the UK/EU.
9. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate personal data
- Request erasure of your personal data
- Restrict or object to processing
- Request data portability
- Withdraw consent at any time
To exercise any of these rights, contact us at privacy@crisisloop.io.
10. Cookies
The CrisisLoop platform uses essential cookies for authentication (JWT session tokens stored as httpOnly cookies). We do not use tracking cookies, advertising cookies, or third-party analytics on the marketing website.
11. Changes to this policy
We may update this privacy policy from time to time. Material changes will be communicated to registered users via email. The "last updated" date at the top of this page reflects the most recent revision.
12. Contact
For any questions about this privacy policy or our data practices:
Email: privacy@crisisloop.io
CrisisLoop Ltd
United Kingdom