Draft, pending solicitor review. The processing facts below are accurate to how the product works. A solicitor should review the wording before it is relied on.

Privacy Policy

Last updated: 3 July 2026

Who we are

DBIM Elostir (“we”) is operated by DBIM Limited, 295 Ainsworth House, Bury, BL8 2LS, registered in England and Wales, company number 16771428, ICO registration ZC039507. Contact: dan@dbim.co.uk.

Our two roles

For your account data (your name, email, login) we are the data controller. For the QHSE records you enter, which may include personal data about your workers, contractors and, in the people module, special-category health information (occupational health, return-to-work, DSE), you are the controller and we act as your processor, governed by our Data Processing Agreement.

What we process, why, and our lawful basis

  • Account & authentication data (name, email, hashed credentials), to give you access and secure your workspace. Lawful basis: for the person or organisation that holds the subscription, performance of a contract (UK GDPR Art 6(1)(b)); providing this data is a contractual requirement, since without it we cannot create your account. For users invited into a customer workspace, legitimate interests (Art 6(1)(f)): providing the service your organisation has signed up for and keeping each account secure and attributable to a named person. If a colleague invited you, your workspace admin gave us your email address; if DBIM set up your workspace, your organisation gave us your name and email address.
  • The QHSE content you create (audits, incidents, risk, documents, training, permits and related records), to provide the service. We process this as your processor, on your documented instructions under the DPA; the lawful basis is yours to determine as controller.
  • Limited diagnostic data (error reports, which may include your IP address, user ID and browser details; basic usage), to keep the service working and fix faults. Lawful basis: legitimate interests (Art 6(1)(f)), our interest being the security and reliability of the service.
  • Service emails (reminders driven by your due dates, invites, and a weekly digest we send to workspace admins and managers while items are open or overdue), to operate the workspace. Lawful basis: performance of a contract for the subscription holder; legitimate interests (operating the workspace your organisation has subscribed to) for invited users. We do not send marketing email.
  • Billing and subscription data (billing contact details, plan and employee band, subscription and payment status, invoices), to charge for the service and keep the accounting records we must hold. Card details go directly to Stripe; we never see or store them. Lawful basis: performance of a contract (Art 6(1)(b)), and legal obligation (Art 6(1)(c)) for invoices and accounting records, which we keep for 6 years after the end of the financial year they relate to.

We do not rely on consent for any processing described here, so there is no consent to withdraw; if that changes, you will be able to withdraw it at any time. We do not make solely automated decisions about you with legal or similarly significant effects. AI features generate draft text for a human to review; they do not decide anything.

Where your data is stored (sub-processors)

  • Supabase, database, authentication and file storage, hosted in London (UK / eu-west-2).
  • Vercel (US), application hosting and delivery.
  • Resend (US), transactional email (reminders, invites, notifications).
  • Sentry (US), error monitoring (diagnostic data only; no session recording).
  • Anthropic (US), AI features (for example audit summaries, incident and investigation analysis, document drafting and Q&A, and extracting data from documents you upload for import); we send the relevant record or document text to Anthropic to generate the output.

Separately, Stripe (US) processes payments for paid subscriptions as an independent controller under its own privacy policy (stripe.com/privacy); we share the billing contact details needed to invoice and take payment, and card details are entered on Stripe's own pages and never touch our servers. Stripe holds a current UK Extension to the EU–US Data Privacy Framework certification.

International transfers

Your primary data lives in the UK (Supabase, London). Some sub-processors above process data in the United States. Each such transfer is protected by the UK Extension to the EU–US Data Privacy Framework where the provider holds a current certification, or otherwise by the ICO's International Data Transfer Agreement / UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment. The current safeguard for each provider is listed in the DPA. To obtain a copy of the safeguard in place for any provider, email dan@dbim.co.uk (we may redact commercially sensitive terms); Data Privacy Framework certifications can be checked on the official list at dataprivacyframework.gov.

Retention

QHSE records are retained per the configurable retention periods in your workspace settings, which default to common UK retention practice (for example 6 years for incidents, reflecting civil limitation periods, and the statutory 40 years for health-surveillance records) — UK GDPR storage limitation. The product flags records past retention for your review; it never deletes them itself. Account data is kept while your account is active; when your account closes we delete it within 30 days (sooner on request), after the export window described in our DPA, and backup copies are overwritten by the rolling backup cycle within a further 7 days. Diagnostic data is short-lived: error reports are kept in Sentry for 90 days and then deleted automatically. We keep invoices and accounting records for 6 years after the end of the financial year they relate to (legal obligation). Backups are kept on a rolling window of up to 7 days and then overwritten.

Your rights

Under UK GDPR you have rights of access, rectification, erasure, restriction, portability and objection. To exercise them, contact dan@dbim.co.uk. Where we act as processor, we will pass your request to your employer or the organisation that controls the record. You may also complain to the Information Commissioner's Office (ico.org.uk).

Right to object: we rely on legitimate interests to process the diagnostic data described above and the account data of invited users, so you can object to that processing at any time by emailing dan@dbim.co.uk. We will stop unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.

Cookies

We use only cookies needed to run the service and remember your settings; there are no advertising or analytics trackers, so no cookie banner is needed:

  • Authentication cookies (set by our auth provider), keep you signed in; refreshed on use, persist up to 400 days (about 13 months) after your last visit.
  • Active workspace cookie, remembers which organisation you are working in; session-length.
  • Theme cookie, set only if you use the light/dark toggle, remembers your display preference; persists 12 months.
  • Support-session cookie, set only while DBIM support accesses your workspace; each access shows an on-screen banner in your workspace and is recorded in your audit log; cleared when support exits.