GuardFlow platform logoGuardFlow Home

Privacy Policy

Last updated: 14 May 2026

GuardFlow ("we", "us", "our"), operated by FORGEAI STUDIO LTD (trading as NovaStack), is committed to protecting the privacy of all users of our security workforce management platform.

1. Who we are

GuardFlow is a SaaS product provided by FORGEAI STUDIO LTD (trading as NovaStack), a company registered in England and Wales. We act as a data processor on behalf of our customers (security firms) for personal data they upload, and as a data controller for account/billing data.

2. Information we collect

  • Account data: name, email, phone, role, employer.
  • Operational data: shift records, clock-in/out times and locations, timesheets.
  • Compliance data: SIA licence numbers, right-to-work documents, DBS check details, training certificates.
  • Photographs: profile photos, clock-in verification images, and patrol or incident photo evidence.
  • Technical data: IP address, browser type, device info, log files.

3. How we use your information

  • To provide and maintain the service.
  • To verify identity, SIA licence, and right-to-work status.
  • To process payroll data and generate invoices.
  • To send service notifications and compliance reminders.
  • To meet legal and regulatory obligations.

4. Lawful basis (UK GDPR)

We rely on: (a) contract — to deliver the service; (b) legal obligation — to retain employment, tax and SIA records; (c) legitimate interests — to operate, secure and improve the platform; (d) consent — for optional marketing.

5. Sharing

We share data only with: your employer (the tenant); our sub-processors under contract — Supabase (hosting/database), Stripe (payments), Lovable (hosting/email) and Cloudflare (CDN), as listed in our UK GDPR Statement; and authorities where legally required (HMRC, SIA, police). We never sell personal data.

6. Retention

Operational records are retained for the lifetime of your engagement plus 6 years to meet HMRC requirements. Compliance documents are retained per SIA guidance.

7. Your rights

Under UK GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to lodge a complaint with the ICO (ico.org.uk).

8. Security

Data is encrypted in transit (TLS 1.2+) and at rest. Access is role-based and audit-logged. We use row-level security to ensure tenants can only access their own data.

9. Contact

Data Protection Officer: support@guardflowapp.com