Privacy Policy

Last updated: June 2026

This Policy explains what personal data RAMS Builder (“we”, operating as Risk and Method) collects, why we collect it, and your rights under UK GDPR and the Data Protection Act 2018.

Placeholder notice: Plain-English summary, not solicitor-reviewed. Review with a qualified data-protection advisor before commercial reliance.

1. Data we collect

  • Account data: email address, password hash (via Supabase Auth), authentication provider IDs (Google/Apple if used).
  • Company profile: company name, address, phone, email, website, registration/VAT numbers, default signatories, company logo image.
  • RAMS content: project titles, site addresses, client names, hazards, controls, method steps and sign-off details you create.
  • Billing data: Stripe customer and subscription IDs, plan status, billing period dates. Card details are held by Stripe, never by us.
  • Usage counters: number of RAMS created and exports per month, used to enforce plan limits.
  • Technical data: standard server logs (IP address, user-agent, timestamps) for security and abuse prevention.

2. Lawful bases

  • Contract: to provide the Service you have signed up for.
  • Legitimate interests: security, fraud prevention, service improvement.
  • Legal obligation: to comply with accounting and tax law.
  • Consent: where required (e.g. optional marketing email — currently we do not send marketing).

3. Sub-processors

  • Supabase / Lovable Cloud — database, authentication and file hosting.
  • Stripe — payments and subscription management.
  • Cloudflare — content delivery and DDoS protection.

These providers are bound by their own data processing agreements. Data may be processed in the EEA, UK or USA under appropriate safeguards (Standard Contractual Clauses where applicable).

4. Retention

Account and RAMS data is retained while your account is active. If you delete your account, the associated company profile and RAMS documents are deleted from the live database. Encrypted backups may retain residual copies for up to 30 days. Billing records are retained for at least 6 years to meet UK accounting obligations.

5. Your rights

You have the right to:

  • Access a copy of your personal data.
  • Correct inaccurate data.
  • Request erasure (subject to legal exceptions).
  • Restrict or object to certain processing.
  • Request data portability.
  • Complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.

To exercise any of these rights, email support@riskandmethod.com.

6. Cookies and local storage

We use first-party browser storage (localStorage) to keep you signed in. We do not use third-party advertising cookies. Stripe and Cloudflare may set their own functional cookies as part of payment processing and security.

7. Security

Data is held in the UK/EEA on Supabase infrastructure, with row-level security ensuring users see only their own data. Passwords are hashed by Supabase Auth. Stripe is PCI-DSS Level 1 certified.

8. Contact

Data controller: Risk and Method. Contact: support@riskandmethod.com.