This Privacy Policy explains how RAMSGen Ltd ("RAMSGen", "we", "us", "our") collects, uses, shares and protects personal data when you visit our website or use our software-as-a-service platform (the "Service").
Business use only. The Service is made available only for use in the course of business (including by sole traders). It is not intended for consumer use.
We comply with our obligations under the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and other applicable UK data protection laws ("Data Protection Legislation").
This Privacy Policy forms part of our Terms of Service. Where we process personal data on behalf of a business Customer (for example, personal data contained in RAMS documents created in a Customer workspace), our Data Processing Addendum ("DPA") applies.
1. Who We Are (and How to Contact Us)
Data Controller (for most website/account administration data):
| Company | RAMSGen Ltd (company number 16458298) |
| Registered office | 4th Floor, 14 Museum Place, City Centre, Cardiff, CF10 3BH |
| Privacy contact (DPO/Privacy Lead) | privacy@ramsgen.com |
| Support | support@ramsgen.com |
2. When We Act as Controller vs Processor
Because RAMSGen is a B2B SaaS product, we can have different roles depending on what data is being processed:
2.1 Where RAMSGen is the Controller
We act as Controller for personal data we use to run our business and administer accounts, such as:
- account creation and login administration;
- billing and subscription administration;
- customer support communications;
- marketing communications (where you have consented);
- website analytics (where consented), and security logs.
2.2 Where RAMSGen is a Processor (Customer Data)
When a Customer and its Authorised Users use the Service to create and store content in a workspace (e.g., project details and generated RAMS documents), the Customer determines what is entered and why.
In those circumstances:
- the Customer is the Controller of personal data within "Customer Data"; and
- RAMSGen is the Processor, processing that personal data only on the Customer's documented instructions (as set out in the Terms and DPA).
If your personal data is included in a Customer's workspace (for example, your name appears on a RAMS document created by your employer/contracting organisation), you should refer to that organisation's privacy notice and contact them to exercise your rights.
3. Personal Data We Collect
3.1 Information you provide to us (as Controller)
We may collect:
| Category | Examples |
|---|---|
| Account and profile information | Name, email address, company/organisation name, job title (if provided), user/workspace identifiers |
| Authentication details | Authentication is handled via our authentication provider; we do not store your plaintext password |
| Billing/admin information | Subscription plan, billing contact details, invoices/receipts, payment status, transaction references |
| Communications | Messages you send to us (e.g., support requests, feedback), and related metadata |
| Marketing preferences | Your consent status and opt-out history |
3.2 Payment information
Payments are processed by third-party payment processors (e.g., Stripe). We do not store full payment card details on our servers; we receive transaction references and limited billing-related information.
3.3 Information we collect automatically (as Controller)
When you access the website or Service, we may collect:
| Category | Examples |
|---|---|
| Device and connection data | IP address, browser type/version, operating system, device identifiers, approximate location inferred from IP, language settings |
| Usage data and logs | Timestamps, pages/screens viewed, features used, error logs, performance metrics, and security-related logs |
| Cookies and similar technologies | See Section 10 |
3.4 Customer Data (processed as Processor)
Customer Data is the content uploaded or entered into the Service by or on behalf of a Customer, which may include personal data, for example:
- names of staff/contractors;
- role/job title;
- site/project information; and
- other personal data the Customer chooses to include.
Important: The Service is not designed for special category data or criminal offence data. Customers should not input special category data (e.g., health data) or criminal offence data unless separately agreed in writing with appropriate safeguards in place (as reflected in the Terms/DPA).
4. How We Use Personal Data (Purposes)
We use personal data to:
| Purpose | Details |
|---|---|
| Provide and administer the Service | Including creating accounts/workspaces, authenticating users, enabling use of features, and providing requested functionality |
| Provide customer support and respond to enquiries | Including troubleshooting, responding to requests, and communicating about the Service |
| Billing, payments and financial administration | Including processing subscriptions, managing invoices, preventing payment fraud, and maintaining accounting records |
| Security, fraud prevention and abuse monitoring | Including detecting suspicious activity, preventing unauthorised access, enforcing our Terms, and maintaining the security and integrity of the Service |
| Improve and develop the Service | Including understanding how the Service is used, fixing bugs, improving performance, and developing new features. Where cookies are used for analytics, we do so only with consent (see Section 10) |
| Send service communications | Including important notices about the Service, security notices, and billing messages |
| Send marketing communications (consent-based) | Where you have given consent, we may send marketing updates about RAMSGen (you can withdraw consent at any time) |
| Comply with legal obligations and protect our rights | Including responding to lawful requests, meeting tax/accounting obligations, and establishing, exercising or defending legal claims |
5. Our Lawful Bases for Processing (UK GDPR)
Where RAMSGen acts as a Controller, we rely on the following lawful bases:
| Lawful Basis | When We Use It |
|---|---|
| Contract (Article 6(1)(b)) | To provide the Service and perform our contract with a Customer/Authorised User (e.g., account administration, providing core functionality) |
| Legitimate interests (Article 6(1)(f)) | For operating, securing and improving our business and Service (e.g., security monitoring, service improvement, fraud prevention). We consider and balance these interests against your rights |
| Consent (Article 6(1)(a)) | For marketing communications and for non-essential cookies/analytics where required |
| Legal obligation (Article 6(1)(c)) | To comply with applicable laws (e.g., tax and accounting obligations, lawful requests) |
| Vital interests (Article 6(1)(d)) | Rarely, where necessary to protect someone's life |
Where RAMSGen acts as a Processor (Customer Data), the Customer is responsible for identifying a lawful basis for including personal data in Customer Data, and RAMSGen processes that data on the Customer's instructions under the DPA.
6. Sharing and Disclosure of Personal Data
We do not sell personal data.
We share personal data only as necessary for the purposes described above, including with:
6.1 Service providers (processors/subprocessors)
We use trusted third parties to help run the Service. Depending on the context, these may include providers in the following categories:
- Cloud hosting and infrastructure
- Content delivery network (CDN) and security
- Authentication
- Payments and billing
- Email delivery
- AI routing/processing (where AI features are used)
- Analytics (only where you consent to analytics cookies, if applicable)
These providers are required to protect personal data and use it only in accordance with our instructions and contractual terms.
Authoritative subprocessor list: The canonical list of key subprocessors (including provider names and locations) is maintained in Annex 3 of our Data Processing Addendum (DPA), which governs subprocessor appointments under Article 28 UK GDPR. Customers may request a copy of the current DPA at any time.
6.2 Professional advisers
We may share limited personal data with professional advisers (e.g., lawyers, accountants, insurers) where necessary.
6.3 Legal and regulatory disclosures
We may disclose personal data if required by law, court order, or valid request by a regulator or law enforcement agency, or where necessary to protect rights, property or safety.
6.4 Corporate transactions
If we undergo a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction, subject to appropriate safeguards.
7. AI Features and Third-Party AI Services
Some features of the Service may use third-party AI services to help generate draft outputs. Where AI features are used:
- Customer Data (including prompts/inputs) may be transmitted to OpenRouter and, via OpenRouter, to underlying model providers to generate the requested output.
- We configure OpenRouter with a "zero retention" (or equivalent) setting where available; however, third-party services are not fully within our control and their processing is subject to applicable terms and our DPA/subprocessor arrangements.
- RAMSGen does not use Customer Data to train RAMSGen-owned general-purpose AI models.
- Customers must ensure a competent person reviews outputs before operational use, sharing or reliance, and should not input special category data/criminal offence data.
8. International Data Transfers
Our primary hosting is in the United Kingdom. However, some of our service providers (including certain authentication, email, analytics, CDN/security, payments, and AI providers) may process personal data outside the UK.
Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place as required by Data Protection Legislation, such as:
- UK adequacy regulations (where applicable), and/or
- the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, and/or
- additional technical and organisational safeguards where appropriate.
You can contact us to request more information about relevant safeguards (where applicable to you).
9. Security
We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
Measures may include (as appropriate):
- encryption in transit (TLS);
- encryption at rest for core storage where supported;
- access controls and least-privilege access;
- monitoring and logging for anomalous activity;
- backups and resilience measures; and
- incident response processes.
No method of transmission or storage is 100% secure, but we work to maintain appropriate safeguards.
10. Cookies and Similar Technologies
We use cookies and similar technologies on our website and/or within the Service.
10.1 Essential cookies
These are necessary for the Service to function (e.g., login/session, security features). You cannot disable these via our consent tool without affecting functionality.
10.2 Analytics cookies (optional)
We use analytics cookies only if you consent. These help us understand usage and improve performance. We do not use marketing/remarketing pixels.
10.3 Managing cookies
You can manage cookies via:
- our cookie banner/consent tool (where available); and/or
- your browser settings.
11. Data Retention
We keep personal data only as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required by law.
11.1 Controller data (account administration, support, billing, marketing)
Typical retention periods include:
| Data Type | Retention Period |
|---|---|
| Account/workspace administration data | For as long as the relevant account is active, and for a reasonable period afterwards to administer closure and handle disputes |
| Billing and tax records | Typically 6 years (to meet legal/accounting requirements) |
| Marketing records | Until you withdraw consent or we no longer need the data for marketing, subject to maintaining suppression lists to respect opt-outs |
11.2 Customer Data (processor processing) – aligned to the Terms/DPA
Retention for Customer Data is governed by the contract (including the DPA) and the Customer's instructions. In particular (as reflected in the Terms):
| Data Type | Retention Period |
|---|---|
| Post-termination PDF exports | Published RAMS PDF exports may be available for download for 30 days (subject to contract exceptions) |
| Personal data in Customer Data (live systems) | Deleted (or anonymised) within 30 days after termination/expiry, subject to lawful exceptions |
| Published RAMS (and associated metadata) | May be retained for up to 5 years after termination/expiry for legitimate business purposes such as compliance, audit trails, record-keeping, and establishing, exercising or defending legal claims (and may contain personal data) |
| Backups | Personal data may persist in backups and be deleted in line with backup cycles, typically within 90 days |
12. Your Data Protection Rights
Where RAMSGen is the Controller of your personal data, you have rights under UK GDPR, including:
- Right of access
- Right to rectification
- Right to erasure (in certain circumstances)
- Right to restrict processing (in certain circumstances)
- Right to data portability (in certain circumstances)
- Right to object (particularly where we rely on legitimate interests)
- Right to withdraw consent (where processing is based on consent, e.g. marketing or optional cookies)
- Right to lodge a complaint with the UK supervisory authority (see Section 13)
12.1 How to exercise your rights
Email: privacy@ramsgen.com
We may need to verify your identity and/or authority before acting on a request.
We will respond within one month (this can be extended in certain cases as permitted by law).
12.2 If RAMSGen is a Processor (Customer Data)
If the personal data relates to Customer Data in a workspace (for example, a RAMS document created by your employer), the Customer is the Controller. You should contact the Customer directly. We will assist the Customer with requests where required by the DPA and Data Protection Legislation.
13. Complaints (ICO)
If you have concerns, please contact us first at privacy@ramsgen.com and we will try to resolve the issue.
You also have the right to lodge a complaint with the UK supervisory authority:
| Authority | Information Commissioner's Office (ICO) |
| Website | https://ico.org.uk |
| Telephone | 0303 123 1113 |
| Address | Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |
14. Children's Privacy
The Service is not intended for use by anyone under 18. We do not knowingly collect personal data from children.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last Updated" date and, where appropriate, provide notice via the Service or by email.
16. Contact Us
For privacy questions, requests, or concerns:
| Email | privacy@ramsgen.com |
| Post | RAMSGen Ltd, 4th Floor, 14 Museum Place, City Centre, Cardiff, CF10 3BH |