Privacy Policy

Control Signal · Last updated 29 May 2026 · Effective 29 May 2026

This Privacy Policy explains how Control Signal (“we”, “us”, “our”) collects, uses, and protects your personal data when you use our website at controlsignal.uk and related services (the “Service”). We are the data controller for the personal data we collect. Questions? Email us at george@controlsignal.uk.

1. Personal data we collect

When you use the Service, we collect the following categories of personal data:

Account information

  • Your full name
  • Your work email address
  • A password (stored as a one-way cryptographic hash — we never see or store your actual password)

Professional information (optional)

  • Your role (e.g. Controls Engineer, OT Security Engineer)
  • The industry sector you work in (e.g. Oil & Gas, Manufacturing, Power & Utilities)

Service preferences

  • Vendors you have selected to track in your environment
  • Your preferred email send time and days
  • Whether you have enabled or disabled the email digest

Usage & technical data

  • Email open and click data (via Resend)
  • Login timestamps and account creation date
  • IP address, browser type and version, device type, pages visited, visit timestamps

We do not collect any special category data and we do not knowingly collect data from anyone under 18.

2. How we use your data

| Purpose | Lawful basis (UK GDPR) |
| --- | --- |
| Delivering your daily digest | Performance of contract |
| Sending transactional emails (verification, password reset, alerts) | Performance of contract |
| Personalising digest content based on your preferences | Performance of contract |
| Analysing aggregated usage data to improve the Service | Legitimate interest |
| Responding to enquiries and providing support | Performance of contract |
| Detecting and preventing fraud, abuse, and security threats | Legitimate interest |
| Complying with legal and regulatory obligations | Legal obligation |

We do not sell your personal data to anyone, ever. We do not use your data for advertising or marketing to third parties.

3. Who we share your data with

We share your data only with the following service providers, bound by data processing agreements:

  • Supabase Inc.: Database hosting and authentication · EU West (London)
  • Resend Inc.: Email delivery
  • Anthropic PBC: AI content generation — we do not send your personal data to Anthropic, only public news articles
  • Vercel Inc.: Website hosting
  • Cloudflare Inc.: Domain management

We may also disclose your data if required by law or to protect our rights, property, or safety.

4. International data transfers

Your data is stored in the EU (United Kingdom) by Supabase. Some service providers (Resend, Anthropic, Vercel) may process data in the United States. Where data is transferred outside the UK or EEA, we rely on appropriate safeguards such as the UK International Data Transfer Addendum or Standard Contractual Clauses.

5. How long we keep your data

  • Account data: while your account is active, plus 30 days after deletion request
  • Email engagement data: individual events deleted within 12 months
  • Technical logs: 90 days
  • Backups: encrypted, retained for 30 days then permanently deleted

6. Your rights

Under UK GDPR you have the following rights:

  • Right of access: request a copy of all personal data we hold about you
  • Right to rectification: correct any inaccurate or incomplete data
  • Right to erasure: request deletion of your data ("right to be forgotten")
  • Right to restrict processing: limit how we use your data
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interest
  • Right to withdraw consent: where processing is based on consent
  • Right to lodge a complaint: with the UK ICO at ico.org.uk

To exercise any right, email george@controlsignal.uk. We will respond within 30 days. You can also delete your account directly from Settings at any time.

7. How we protect your data

  • All data transmitted over HTTPS (TLS 1.3)
  • Passwords stored using bcrypt one-way hashing
  • Database encrypted at rest
  • Row-level security policies ensuring users can only access their own data
  • API endpoints protected by authentication and rate limiting
  • Secrets and credentials never committed to version control

In the event of a data breach affecting your personal data, we will notify you and the ICO within 72 hours as required by law.

8. Cookies and tracking

We use minimal cookies, all strictly necessary:

  • Authentication cookies — to keep you logged in
  • CSRF tokens — to protect against cross-site request forgery

We do not use third-party advertising cookies, social media tracking pixels, or any non-essential tracking. We use Vercel Analytics for aggregated, privacy-respecting visitor statistics — it does not use cookies and does not track individuals.

9. Children

The Service is not intended for anyone under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top and notify users of material changes via email. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

For any questions about this Privacy Policy, your personal data, or to exercise your rights:

Email: george@controlsignal.uk
Website: controlsignal.uk
ICO registration: Pending registration

If you are not satisfied with how we have handled your data, you have the right to complain to the UK Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.
