DataRoomr

Privacy Policy

Last updated: 10 March 2026

This Privacy Policy explains how Brindleford Technologies Ltd ("we", "us", or "DataRoomr") collects, uses, stores, and protects your personal data when you use the DataRoomr platform at dataroomr.io and any related services.

We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR).

1. Data Controller

The data controller for personal data processed through DataRoomr is:

Brindleford Technologies Ltd
71–75 Shelton Street, Covent Garden
London, WC2H 9JQ
United Kingdom
Company No. 16871436
Email: privacy@dataroomr.io

2. Personal Data We Collect

2.1 Account Registration

When you create a DataRoomr account, we collect:

  • Email address — used as your login identifier and for transactional communications
  • Company name — used to set up your tenant organisation
  • Password — stored only as an irreversible cryptographic hash (Argon2id); we never store or have access to your plaintext password
  • Data region preference — your choice of storage location (US, EU, or Asia-Pacific)

2.2 Billing Information

When you subscribe to a paid plan, we collect:

  • Full name, email address, and company name
  • Billing address (street, city, state/county, postal code, country)
  • VAT number (if applicable)

Payment card details are collected and processed directly by our payment processor, Brindleford Billing. We do not store, process, or have access to your full card number, CVV, or expiry date.

2.3 Contact Form Submissions

When you submit our contact form, we collect your name, company name, email address, and message content. Submissions are stored in our database and forwarded to our team via email.

2.4 Automatically Collected Data

When you use DataRoomr, we automatically collect:

  • IP address — recorded in our audit trail for every authenticated action
  • User agent string — browser and operating system information, recorded in our audit trail
  • Page-level document viewing activity — which document pages you viewed, how long you spent on each page, and timestamps (this data is a core product feature and is visible to the data room administrator)
  • Session data — authentication state, stored server-side in our database

2.5 Data We Do Not Collect

We do not use third-party advertising trackers, social media pixels, or cross-site tracking cookies. We do not sell, rent, or trade personal data to third parties for marketing purposes.

3. How We Use Your Data

Purpose Legal Basis (UK GDPR)
Providing and operating the DataRoomr platform Performance of contract (Art. 6(1)(b))
Processing subscription payments Performance of contract (Art. 6(1)(b))
Sending transactional emails (verification, MFA codes, invitations, Q&A notifications) Performance of contract (Art. 6(1)(b))
Maintaining immutable audit trails for compliance and regulatory purposes Legitimate interest (Art. 6(1)(f)) — required for the security and integrity of the platform
Recording IP addresses and user agents in audit logs Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, and NDA enforcement
Responding to contact form enquiries Legitimate interest (Art. 6(1)(f))
Detecting and preventing security threats Legitimate interest (Art. 6(1)(f))
Complying with legal obligations (e.g. tax records, regulatory requests) Legal obligation (Art. 6(1)(c))

4. Data Storage and Security

4.1 Where Your Data Is Stored

DataRoomr offers configurable data residency. At account creation, you select where your documents are stored:

  • United States — AWS us-east-1
  • European Union — AWS eu-west-2 (London)
  • Asia-Pacific — AWS ap-southeast-1 (Singapore)

Account metadata (email, password hash, audit logs) is stored in our primary database infrastructure. Documents are stored in AWS S3 in your selected region.

4.2 How Your Data Is Protected

  • Encryption at rest: All documents are encrypted using AES-256 encryption in AWS S3
  • Encryption in transit: All connections use TLS 1.3
  • Password security: Passwords are hashed using Argon2id and are never stored in plaintext
  • Authentication tokens: Magic links, MFA codes, and email verification tokens are stored as SHA-256 hashes
  • Tenant isolation: Each organisation's data is fully isolated at the application and storage level
  • Session security: Sessions are stored server-side with HTTP-only, secure cookies

5. Data Retention

Data Type Retention Period
Account data (email, company, preferences) Duration of your subscription plus 30 days after cancellation
Documents uploaded to data rooms Duration of your subscription plus 30 days after cancellation
Audit trail records 1 year (Starter), 3 years (Pro), or 7 years (Enterprise), depending on your plan
Billing records 7 years (UK tax and accounting requirements)
Contact form submissions 12 months from submission date
Session data Automatically purged when expired (maximum 30 days for admin sessions, 8 hours for investor sessions)
Server logs 90 days

After your subscription ends, you have a 7-day grace period during which your data remains accessible. After the grace period, your account is locked but data is retained for 30 days. After the retention period, all your data (documents, audit logs, and account data) is permanently and irreversibly deleted.

6. Data Sharing and Sub-Processors

We share personal data only with the following categories of third-party service providers, each acting as a data processor under appropriate contractual safeguards:

Provider Purpose Location
Amazon Web Services (AWS) Cloud infrastructure, document storage (S3), database hosting US, EU, or APAC (per your data region selection)
Brindleford Billing Payment processing and subscription management United Kingdom
Sentry (optional) Application error monitoring (if enabled) United States

We do not sell, rent, or otherwise make personal data available to third parties for their own marketing or commercial purposes.

We may disclose personal data if required to do so by law, regulation, or valid legal process (e.g. a court order or lawful request by a public authority).

7. International Data Transfers

Where personal data is transferred outside the United Kingdom, we ensure adequate protection through one or more of the following mechanisms:

  • Standard Contractual Clauses (SCCs) approved by the ICO
  • Adequacy decisions by the UK Secretary of State
  • AWS data processing agreements with appropriate safeguards

You can minimise international transfers by selecting the EU data region at account creation.

8. Your Rights

Under the UK GDPR and EU GDPR (where applicable), you have the following rights:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate personal data
  • Right to erasure — request deletion of your personal data, subject to our legal retention obligations
  • Right to restriction — request that we restrict processing of your personal data in certain circumstances
  • Right to data portability — receive your personal data in a structured, commonly used, machine-readable format
  • Right to object — object to processing based on legitimate interests

To exercise any of these rights, contact us at privacy@dataroomr.io. We will respond within one calendar month of receiving your request.

Note on audit trail data: Audit trail records are immutable by design to ensure the integrity and compliance value of the audit log. We cannot selectively modify or delete individual entries within the audit trail. Audit data is automatically purged according to the retention schedule for your plan tier.

9. Children's Privacy

DataRoomr is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@dataroomr.io and we will delete it promptly.

10. Cookies

DataRoomr uses a small number of cookies to operate the platform. For full details, please see our Cookie Policy.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
ico.org.uk/make-a-complaint

13. Contact Us

For any questions about this Privacy Policy or our data practices, contact us at:

privacy@dataroomr.io
Brindleford Technologies Ltd
71–75 Shelton Street, Covent Garden
London, WC2H 9JQ