1. Introduction
DoorTrace ("we", "our", or "us") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our fire door inspection and compliance management platform.
DoorTrace is operated by DoorTRACE Holdings Ltd, a company registered in England and Wales. We act as a data processor on behalf of Facilities Management companies (our clients) who are the data controllers for the personal data processed through our platform.
This policy applies to all users of our platform, including FM company administrators, engineers, building managers, and anyone who interacts with our services.
2. Data We Collect
We collect and process the following categories of personal data:
Account Information
When you create an account or are added as a user, we collect your name, email address, phone number, job title, and professional qualifications (for engineers).
Inspection Data
When conducting fire door inspections, we collect location data (GPS coordinates), photographs of doors and defects, inspection notes, timestamps, and digital signatures.
Building Information
We collect building addresses, floor plans, door locations, and details about Responsible Persons as required by fire safety regulations.
Technical Data
We automatically collect device information, IP addresses, browser type, operating system, and usage data to ensure platform security and improve our services.
Crash and Performance Data
When you use our mobile app, we collect anonymous crash reports, performance traces, and device diagnostics to identify and fix technical issues. This data is processed by our error monitoring service (see Section 5) and is not linked to your account identity.
Communication Data
If you contact us, we keep records of correspondence including emails, support tickets, and enquiry form submissions.
3. How We Use Your Data
We use your personal data for the following purposes:
Service Delivery
To provide our fire door inspection and compliance management platform, including processing inspections, generating reports, and maintaining audit trails required by UK fire safety regulations.
Legal Compliance
To help our clients meet their obligations under the Fire Safety (England) Regulations 2022, Building Safety Act 2022, and other applicable legislation. The Golden Thread requirements mandate that we maintain comprehensive digital records.
Communication
To send you service-related notifications, including inspection reminders, compliance alerts, and important updates about your account.
Platform Improvement
To analyse usage patterns, identify issues, and improve our platform's functionality and user experience.
Security
To detect, prevent, and respond to security incidents, fraud, or other malicious activity.
4. Legal Basis for Processing
We process your personal data under the following legal bases as defined by the UK General Data Protection Regulation (UK GDPR):
Contract Performance
Processing necessary to perform our contract with you or your employer (the FM company) to provide our platform services.
Legal Obligation
Processing necessary to comply with fire safety regulations, building safety legislation, and other legal requirements that mandate comprehensive record-keeping.
Legitimate Interests
Processing necessary for our legitimate interests (or those of our clients), including platform security, fraud prevention, and service improvement, where these interests do not override your fundamental rights.
Consent
Where you have given clear consent for us to process your personal data for specific purposes, such as marketing communications. You may withdraw consent at any time.
5. Data Sharing
We share your personal data with the following categories of recipients:
FM Companies (Data Controllers)
The Facilities Management company that employs you or manages your building has access to relevant inspection and compliance data.
Building Clients
Building managers and Responsible Persons can access compliance reports and inspection data for their buildings.
Service Providers
We use trusted third-party service providers for hosting (Cloudflare), email delivery, payment processing, and error monitoring (Sentry, hosted in the EU region). These providers act as data processors on our behalf and are contractually bound to protect your data.
Regulatory Authorities
We may disclose data to fire safety authorities, local councils, or other regulatory bodies when required by law or in response to valid legal requests.
Professional Advisors
We may share data with our lawyers, accountants, and insurers where necessary for legal, accounting, or insurance purposes.
We never sell your personal data to third parties.
6. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, and contractual requirements.
Inspection Records
Fire door inspection records are retained for a minimum of 6 years from the date of inspection, as required by UK fire safety legislation and the Golden Thread requirements.
Account Data
User account information is retained for the duration of your account and for 2 years after account closure for audit purposes.
Audit Logs
Platform audit logs are retained indefinitely to support the Golden Thread compliance requirements and to maintain the integrity of historical records.
Communication Records
Support and enquiry records are retained for 3 years after the last communication.
When data is no longer required, we securely delete or anonymise it in accordance with our data retention policies.
7. Your Rights
Under UK data protection law, you have the following rights:
Right of Access
You can request a copy of the personal data we hold about you.
Right to Rectification
You can request that we correct any inaccurate or incomplete personal data.
Right to Erasure
You can request deletion of your personal data, subject to our legal obligations to retain certain records (such as inspection data required for compliance).
Right to Restrict Processing
You can request that we limit how we use your data in certain circumstances.
Right to Data Portability
You can request your data in a structured, commonly used, machine-readable format.
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that significantly affect you.
To exercise any of these rights, please contact us at privacy@doortrace.co.uk.
8. Data Security
We implement robust technical and organisational measures to protect your personal data:
Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
Access Controls
We use role-based access control (RBAC) to ensure users only access data necessary for their role. All access is logged and auditable.
Authentication
We use secure authentication including JWT tokens with short expiry times, password hashing with PBKDF2, and support for multi-factor authentication.
Infrastructure Security
Our platform is hosted on Cloudflare's secure edge network with DDoS protection, Web Application Firewall, and continuous security monitoring.
Regular Testing
We conduct regular security assessments, penetration testing, and vulnerability scanning to identify and address potential security issues.
Incident Response
We have documented incident response procedures to detect, respond to, and recover from security incidents.
9. International Data Transfers
DoorTrace primarily processes and stores data within the United Kingdom and European Economic Area. Our infrastructure provider, Cloudflare, operates a global network but provides data residency controls.
Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office, adequacy decisions by the UK government, or binding corporate rules where applicable.
You can contact us for more information about the specific safeguards we use for international data transfers.
11. Children's Privacy
DoorTrace is a business-to-business platform intended for use by adult professionals in the fire safety and facilities management industries. We do not knowingly collect personal data from children under the age of 16.
If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe we may have collected data from a child, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or industry standards. When we make material changes, we will notify you via email or through a prominent notice on our platform at least 30 days before the changes take effect, update the "Last Updated" date at the top of this policy, and, where required by law, seek your consent to the changes.
We encourage you to review this policy periodically to stay informed about how we protect your data.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, or if you wish to exercise your rights, please contact us:
Data Protection Officer
Email: privacy@doortrace.co.uk
Telephone: 0800 310 1300
Postal Address
DoorTRACE Holdings Ltd 8 Niche Place Brook Road Redhill RH1 6DL United Kingdom
Information Commissioner's Office
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113