Privacy Policy

1. Who we are

Data controller: EQUAL FORCE SECURITY SERVICES LIMITED (trading as Guardflow)

Contact email: info@guardflow.co.uk

Website: https://www.guardflow.co.uk

If you have any questions about this Privacy Policy or want to exercise your privacy rights, please contact us using the details above.

2. Scope of this Privacy Policy

This Privacy Policy applies to personal information processed through:

• our website;
• our web dashboard;
• our mobile application;
• our internal workforce operations managed through Guardflow; and
• related communications and support interactions.

This Privacy Policy does not apply to third-party websites, apps, or services that may be linked from our Service and that we do not control.

3. The personal information we collect

Depending on how you use the Service, we may collect and process the following categories of personal information.

3.1 Information you provide directly

We may collect information that you provide to us directly, including:

• full name;
• email address;
• phone number;
• account login details;
• profile details;
• role information (for example, guard, supervisor, manager, or administrator);
• comments, notes, ratings, and other content submitted through the Service;
• incident reports, operational reports, and related descriptions (currently collected as text in the apps we provide; we do not operate an in-app camera or file upload flow for reports in the current mobile and web interfaces).

3.2 Workforce and operational information

Because the Service is used to manage security operations, we may process operational and workforce-related information, including:

• sites, assignments, shifts, schedules, and availability;
• attendance and time records;
• check-in and check-out records;
• hourly check-in records, where used;
• supervisor notes and internal operational records;
• compliance, audit, and activity history relevant to service operations.

3.3 Location information

If you use mobile attendance features, the app may collect precise location information at the time you perform actions such as:

• check-in;
• check-out; or
• hourly attendance confirmation.

This may include:

• latitude and longitude;
• accuracy data;
• timestamp; and
• related attendance metadata.

Location access is used to support attendance verification and on-site operational checks. If location permission is denied, some features may not function correctly.

We do not use this Privacy Policy to describe continuous background location tracking; the app is not implemented to collect location continuously in the background.

3.4 Device, technical, and log information

When you use the Service, we may automatically collect certain technical information, including:

• IP address;
• device identifiers associated with push notifications (where enabled);
• device model and operating system version (where available to our systems);
• browser type (web dashboard);
• app version (where available);
• timestamps;
• audit logs; and
• security and application logs generated by our servers and software.

We do not operate a dedicated third-party crash-reporting or in-app analytics product (such as Sentry or Firebase Analytics) in the Service as implemented in our codebase.

3.5 Notifications information

If notifications are enabled, we may collect and process information needed to deliver them, such as:

• push notification token (including Expo push tokens on supported builds);
• limited device-related identifiers; and
• notification delivery metadata.

3.6 Information from other sources

We may receive personal information from:

• authorised personnel within our organisation;
• managers, supervisors, or administrators using the Service;
• service providers supporting our infrastructure, authentication, communications, storage, security, or notifications (see section 7); and
• lawful public authorities where required by law.

4. How we use personal information

We use personal information for the following purposes:

• to provide, operate, maintain, and improve the Service;
• to create and manage accounts and user access;
• to schedule shifts, assignments, and workforce availability;
• to verify attendance, including location-based attendance where applicable;
• to manage incident reporting, operational reporting, and internal records;
• to support safety, supervision, and compliance workflows;
• to communicate with users about the Service;
• to send service-related alerts, notices, and notifications;
• to protect the security, integrity, and reliability of the Service;
• to investigate misuse, unauthorised access, fraud, or policy violations;
• to maintain audit trails and internal accountability;
• to comply with legal, regulatory, insurance, and contractual obligations; and
• to establish, exercise, or defend legal claims.

We do not sell personal information.

We do not use personal information for third-party advertising.

5. Lawful bases for processing (UK GDPR)

Where UK data protection law applies, we rely on one or more of the following lawful bases:

• Contract – where processing is necessary to perform a contract with you or to take steps before entering into a contract;
• Legitimate interests – where processing is necessary for our legitimate interests in operating and securing the Service and managing workforce operations, provided those interests are not overridden by your rights and freedoms;
• Legal obligation – where processing is necessary to comply with a legal or regulatory obligation; and
• Consent – where consent is required, for example for certain device permissions or specific optional communications.

Where we rely on consent, you may withdraw it at any time, although this does not affect processing already carried out lawfully before withdrawal.

6. Who can access personal information within our organisation

Because Guardflow supports security workforce operations, authorised personnel within EQUAL FORCE SECURITY SERVICES LIMITED may access personal information where reasonably necessary for their duties, including for:

• scheduling;
• supervision;
• attendance verification;
• incident handling;
• safety management;
• compliance;
• internal reporting; and
• system administration.

We require staff to access personal information only where necessary and in line with internal policies, confidentiality expectations, and security controls.

7. How we share personal information

We may share personal information in the following circumstances.

7.1 Service providers and processors

We may share personal information with trusted service providers that help us operate the Service, such as providers of:

• cloud hosting and infrastructure (specific providers and regions depend on where we deploy the Service);
• database and storage services;
• authentication and account security (handled within our application stack);
• push notification delivery, including Expo (Expo push notification service) and, for delivery to devices, Apple (Apple Push Notification service) and Google (Firebase Cloud Messaging on Android as used by the platform);
• communications and email delivery (if and when we use a provider for service emails);
• technical support and maintenance.

These providers are permitted to process personal information only on our instructions or where necessary to provide services to us, and we require them to protect personal information using appropriate safeguards.

Opening a map link (for example, to view a site address in an external maps application) may cause information to be processed by that third party under its own terms and privacy policy.

7.2 Within our organisation

We may share personal information internally where needed for workforce operations, supervision, security management, compliance, and administration.

7.3 Legal and regulatory disclosures

We may disclose personal information where necessary to:

• comply with applicable law;
• respond to lawful requests from courts, regulators, law enforcement, or public authorities;
• protect the rights, safety, property, or security of individuals, our organisation, or the Service; or
• investigate or prevent unlawful activity, fraud, or abuse.

7.4 Business reorganisation

If our business is reorganised, sold, merged, or transferred, personal information may be disclosed to relevant parties involved in that transaction, subject to appropriate confidentiality and legal safeguards.

8. International transfers

We aim to process and store personal information in the United Kingdom where possible. However, some service providers that support our infrastructure, communications, storage, security, or notifications may process personal information outside the United Kingdom. In particular, push notifications may be routed through Expo and platform providers (Apple and Google), which may involve processing in the United States or other countries.

Where personal information is transferred outside the United Kingdom, we take appropriate steps to protect it in accordance with applicable data protection law. These steps may include:

• transferring data to countries recognised as providing adequate protection;
• using approved contractual safeguards, such as the UK International Data Transfer Agreement or equivalent contractual protections; and
• applying supplementary technical and organisational security measures where appropriate.

9. Data retention

We retain personal information only for as long as necessary for the purposes described in this Privacy Policy, including to:

• provide and manage the Service;
• maintain operational and attendance records;
• meet legal, regulatory, accounting, tax, insurance, and reporting obligations;
• resolve disputes;
• investigate incidents or misuse; and
• enforce agreements or protect legal rights.

Retention periods vary depending on the type of information and the reason it was collected. For example:

• account and profile information may be retained while an account remains active and for a reasonable period afterwards;
• attendance, operational, incident, and compliance records may be retained longer where required for legal, regulatory, employment, contractual, insurance, or health and safety reasons;
• technical logs and backups may be retained for limited periods based on security and system recovery needs.

When personal information is no longer needed, we will delete it, anonymise it, or securely isolate it unless we are legally required or otherwise permitted to retain it.

You may request deletion of your personal information by contacting info@guardflow.co.uk. We may retain certain information where required or permitted by law.

10. Security

We implement appropriate technical and organisational measures designed to protect personal information against unauthorised access, disclosure, alteration, loss, and misuse. These measures may include:

• access controls;
• role-based permissions;
• authentication safeguards;
• password hashing;
• encrypted transmission where appropriate;
• logging and monitoring; and
• internal security and confidentiality procedures.

No method of transmission over the internet or electronic storage is completely secure. For that reason, we cannot guarantee absolute security.

11. Your choices and device permissions

11.1 Location permissions

The mobile app may request location access to support attendance and operational verification features. You can manage location permissions in your device settings. If you disable location access, some features may not work properly.

11.2 Notifications

If you enable push notifications, you can later disable them in your device settings. Our app registers a push token with our servers so we can send work-related notifications.

11.3 Camera, photos, and files

The current mobile and web interfaces we provide do not request access to your camera, photo library, or device files for capturing or uploading report attachments. If we add such features in the future, we will update this Privacy Policy and, where required, permission prompts and store disclosures accordingly.

For App Store and Play Store disclosures, align your app’s permission prompts and data safety answers with this policy: foreground location for check-in related features, notifications if enabled, and no camera or photo library access in the current app build.

12. Your privacy rights

If UK data protection law applies to you, you may have the right to:

• request access to your personal information;
• request correction of inaccurate or incomplete information;
• request deletion of personal information;
• request restriction of processing;
• object to certain processing;
• request transfer of your personal information to you or another provider, where applicable;
• withdraw consent where processing is based on consent; and
• lodge a complaint with the UK Information Commissioner’s Office (ICO).

To exercise your rights, contact info@guardflow.co.uk.

We may need to verify your identity before responding to your request. We may also refuse or limit a request where the law allows us to do so.

If you believe your personal information has been handled unlawfully, you may complain to the UK Information Commissioner’s Office at https://ico.org.uk.

13. Account deletion

User accounts may be removed by authorised administrators using the web dashboard (where that functionality is available to them). The mobile app does not provide a self-service “delete my account” control for end users.

You may also request deletion or account closure by contacting info@guardflow.co.uk.

Deleting an account does not always mean immediate deletion of all related data. We may keep certain records where required for legal, regulatory, operational, insurance, security, or dispute-resolution purposes.

14. Children

The Service is intended for professional use by adults involved in security workforce operations. It is not directed to children, and we do not knowingly collect personal information from children.

If you believe that a child has provided personal information through the Service, please contact us at info@guardflow.co.uk so that we can take appropriate steps.

15. Third-party links and services

The Service may contain links to third-party websites, platforms, or services. We are not responsible for the privacy practices, content, or security of third-party services that we do not control. You should review their privacy policies separately.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. Where required by law, we will provide additional notice of material changes.

Your continued use of the Service after an updated Privacy Policy takes effect means you acknowledge the revised version, to the extent permitted by law.

17. Contact us

If you have questions about this Privacy Policy, your personal information, or your rights, contact:

EQUAL FORCE SECURITY SERVICES LIMITED (trading as Guardflow)
Email: info@guardflow.co.uk
Website: https://www.guardflow.co.uk