UK GDPR Statement

Last updated: 14 May 2026

GuardFlow is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Roles

For personal data uploaded by tenants (staff, applicants, customer contacts), GuardFlow acts as a processor and the tenant company acts as the controller. For account, billing and platform-usage data, GuardFlow acts as the controller.

Data subject rights

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making — GuardFlow does not perform solely-automated decisions with legal effects.

Submit a request at support@guardflowapp.com. We respond within 30 days.

International transfers

All production data is hosted within the UK/EEA. Where a sub-processor is outside this region, we rely on the UK Addendum / Standard Contractual Clauses.

Sub-processors

We use the following sub-processors to deliver the service:

  • Supabase — database, authentication and file storage (UK/EEA region).
  • Stripe — payment processing for subscriptions and invoices (PCI-DSS Level 1; transfers under SCCs where applicable).
  • Lovable — application hosting and delivery of transactional email.
  • Cloudflare — CDN and edge delivery, with data localisation.

We keep this list current. Customers can request advance notice of changes to sub-processors at support@guardflowapp.com.

Breach notification

We notify affected controllers without undue delay and within 72 hours where feasible, providing details of the breach, likely consequences and remediation.

DPO

Data Protection Officer: support@guardflowapp.com