Privacy Policy
Effective Date: 16 January 2026
Last Updated: 16 January 2026
Version: 1.0
1. Introduction
Welcome to ScopeShift ("we," "our," or "us"). We are committed to protecting your personal data and respecting your privacy rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect your data, and your rights regarding your personal data.
Our commitment:
We collect only the data necessary to provide our variation order management services and protect it with industry-leading security measures including AES-256-GCM encryption.
2. Who We Are (Data Controller)
Data Controller: ScopeShift Ltd
Data Protection Officer:
Email: dpo@vomanagementsystem.com
ICO Registration Number: [ICO Registration Number]
3. What Personal Data We Collect
3.1 Data We Collect Directly From You
Account Information:
- Full name
- Email address (encrypted with AES-256-GCM)
- Phone number (encrypted with AES-256-GCM)
- Job title and company
- Password (hashed with bcrypt, never stored in plain text)
Project and Variation Order Data:
- Project details (name, address, reference)
- Variation order instructions, descriptions, and scope
- Materials and costs
- Time and materials tracking data
- Client signatures (encrypted)
- Photos with metadata (GPS coordinates encrypted with AES-256-GCM)
- Drawing files and annotations
4. Why We Collect Your Data (Legal Basis)
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Contract performance (6(1)(b)) |
| Variation order processing | Contract performance (6(1)(b)) |
| WhatsApp notifications | Consent (6(1)(a)) |
| Security monitoring | Legitimate interests (6(1)(f)) |
| 7-year record retention | Legal obligation (6(1)(c)) |
5. How We Protect Your Data
Encryption
At Rest: AES-256-GCM encryption for sensitive fields
In Transit: TLS 1.3 for all data transmission
Automated Backups
Daily backups at 2:00 AM UTC
RTO: 4 hours | RPO: 1 hour
Access Controls
Role-based access (RBAC)
MFA for admin accounts
Quarterly access reviews
Incident Response
24/7 security monitoring
72-hour GDPR breach notification
Incident Response Team on standby
6. Your Rights Under GDPR (Articles 15-22)
Article 15: Right of Access
Request a copy of all personal data we hold about you
Timeline: 30 days | Format: JSON, CSV, or PDF
Article 17: Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data
Exception: 7-year construction records (CDM Regulations 2015)
Article 20: Right to Data Portability
Receive your data in a machine-readable format (JSON, CSV)
Timeline: 30 days
Article 21: Right to Object
Object to processing based on legitimate interests or direct marketing
Settings → Notification Preferences → Unsubscribe
How to exercise your rights:
Email: dpo@vomanagementsystem.com
Or go to: Settings → Data & Privacy
7. Data Retention
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Construction records | 7 years | CDM Regulations 2015 |
| Financial records | 7 years | HMRC requirements |
| User accounts | Active + 1 year | Contract + legitimate interests |
| Audit logs | 2 years | Legitimate interests |
8. Contact Us
For any data protection questions, concerns, or requests:
Data Protection Officer:
Email: dpo@vomanagementsystem.com
General Support:
Email: support@vomanagementsystem.com
Right to Lodge a Complaint:
If you believe we have violated your data protection rights, you can lodge a complaint with the UK Information Commissioner's Office (ICO):
Website: https://ico.org.uk/make-a-complaint/
Phone: 0303 123 1113