Privacy Policy
1. Introduction
SiteBot Ltd ("we", "us", "our") is committed to protecting the privacy of our customers, their employees, and the workers whose data is processed through our platform. This Privacy Policy explains how we collect, use, store, and protect personal data.
We are registered in England and Wales and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller and Processor
- For Customer account data: SiteBot is the data controller.
- For Worker data (attendance records, induction records, photos, personal details): The Customer is the data controller and SiteBot is the data processor. Processing is governed by our Data Processing Agreement.
3. Data We Collect
Customer Account Data
- Name, email address, phone number
- Organisation name and billing information
- Login credentials (passwords are hashed, never stored in plain text)
Worker Data (Processed on Behalf of Customers)
- Name, employer/company, role
- RFID/NFC card identifiers
- Attendance records (timestamps, location)
- Photographs captured at site entry (where cameras are deployed)
- Induction completion records
- Certificate and qualification records (e.g., CSCS card details, expiry dates)
Website Visitor Data
- We use Google Analytics 4 (GA4) to understand how visitors use our website. GA4 collects anonymised usage data such as pages visited, time on site, and referral source. GA4 cookies are only set after you give consent via our cookie banner. You can reject analytics cookies at any time.
- For more information on how Google processes this data, see Google's Privacy Policy.
- Contact form submissions: name, email, company, and message content.
4. How We Use Data
We process data for the following purposes:
- Service delivery: Providing the SiteBot platform and its features
- Account management: Managing subscriptions, billing, and support
- Communication: Responding to enquiries, sending service updates
- Legal compliance: Meeting our obligations under UK law, including GDPR and CDM 2015
- Service improvement: Aggregated, anonymised usage data to improve the platform
We do not sell personal data. We do not use Worker data for marketing.
5. Legal Basis for Processing
| Data Type | Legal Basis |
|-----------|------------|
| Customer account data | Contract performance, legitimate interests |
| Worker attendance data | Legitimate interests of the Customer (CDM 2015 compliance, site safety) |
| Worker photographs | Legitimate interests (attendance verification) |
| Contact form submissions | Consent (provided by submitting the form) |
| Website analytics (GA4) | Consent (via cookie banner) |
6. Data Storage and Location
- All data is stored on servers located in the United Kingdom (London data centre).
- We do not transfer personal data outside the UK unless required by a Customer and covered by appropriate safeguards.
- Data is encrypted at rest and in transit.
7. Data Retention
- Customer account data: Retained for the duration of the subscription plus 12 months.
- Worker attendance records: Retained for 12 months after the worker's last recorded site visit, unless the Customer requests earlier deletion.
- Photographs: Same retention period as attendance records.
- Contact form submissions: Retained for 12 months.
- Deleted data: Permanently erased within 30 days of the retention period ending.
8. Your Rights
Under the UK GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate personal data
- Erase your personal data (right to be forgotten)
- Restrict processing of your personal data
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time (where consent is the legal basis)
To exercise any of these rights, contact us at privacy@site-bot.ai.
9. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption at rest and in transit (TLS 1.2+)
- Role-based access control with row-level security
- Regular security updates and vulnerability monitoring
- Secure password hashing (bcrypt)
- API key authentication with scoped permissions
10. Third-Party Services
We use the following third-party services that may process data on our behalf:
| Service | Purpose | Data Processed |
|---------|---------|---------------|
| DigitalOcean | Cloud hosting (UK) | All platform data |
| Cloudflare | CDN, DDoS protection | Web traffic metadata |
| Google Analytics 4 | Website analytics (consent-based) | Anonymised usage data (pages visited, session duration, referral source) |
| Web3Forms | Contact form processing | Form submission data |
| Telegram | Bot notifications (optional) | Worker names, attendance events |
All third-party processors are bound by data processing agreements.
11. Children
Our Service is not directed at individuals under 18. We do not knowingly collect data from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Customers of material changes by email. The latest version is always available on our website.
13. Contact Us
For privacy-related queries or to exercise your data rights:
- Email: privacy@site-bot.ai
- Post: SiteBot Ltd, [address to be confirmed]
- Data Protection Enquiries: privacy@site-bot.ai
This privacy policy is provided as a framework and should be reviewed by a qualified legal professional before use. Last updated: March 2026.