Privacy Notice
Last updated: July 2026
This Privacy Notice explains how ConductPath UK Limited ("ConductPath", "we", "us") collects, uses and protects personal data when you (a) visit our website, (b) use our workplace-investigations platform as an HR practitioner, or (c) are the subject of an investigation being conducted on the platform by your employer.
We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations 2003 (PECR), and applicable employment legislation including the Employment Rights Act 1996, the Equality Act 2010, the Public Interest Disclosure Act 1998 (PIDA) and the ACAS Code of Practice on Disciplinary and Grievance Procedures.
1. Who we are (Data Controller)
ConductPath UK Limited (in formation), England & Wales. Registered office to follow.
Data Protection contact: privacy@conductpath.co.uk
Postal address: to be published on incorporation.
We will register with the UK Information Commissioner's Office (ICO) as required by law and will maintain that registration. Once ICO registration is complete, our data controller registration number will be published on this page.
2. Controller vs Processor — an important distinction
Our role depends on which data we are handling:
- Website visitors, marketing prospects, and our own user accounts: ConductPath is the controller. This Notice governs that processing.
- Customer investigation data uploaded to the platform by an employer (case files, statements, evidence, employee records): the employer is the controller. ConductPath is the processor, acting only on the employer's documented instructions under a signed Data Processing Addendum (the "DPA", distinct from the Data Protection Act 2018, which we cite as "DPA 2018").
- If you are the subject of a workplace investigation being conducted on ConductPath, your employer is the controller. Please request their privacy notice — they are required by Article 14 UK GDPR to provide it to you.
3. What personal data we collect
3.1 Account and identity data. Name, work email, job title, organisation, hashed password, MFA factors, sign-in history, IP address of last sign-in.
3.2 Usage and technical data. Pages viewed, feature usage, session duration, browser, device, operating system, referring URL, IP address (truncated for analytics), and error/diagnostic logs.
3.3 Support and correspondence data. The content of enquiries you send us (email, contact form, demo requests), together with any files you attach.
3.4 Customer investigation content (as processor). Case files, allegations, witness statements, uploaded documentary evidence, interview transcripts, findings and outcome letters. This data is processed only on employer instructions and is governed by the Data Processing Addendum.
3.5 Special-category data (Article 9 UK GDPR). Workplace investigations may involve health information, sexual orientation, religion or belief, ethnicity, or trade-union membership. Where we process such data as processor, we do so under Schedule 1 Part 1 DPA 2018 (employment, social security and social protection) or Schedule 1 Part 2 paragraph 6 (statutory and government purposes). Employers retain the appropriate policy document as required by paragraphs 39–41 of Schedule 1.
3.6 Criminal-offence data. Some investigations involve alleged criminal misconduct. Such data is processed only where the employer has established lawful authority under Article 10 UK GDPR / s.10 DPA 2018.
4. Lawful bases
As controller (accounts, marketing, support), we rely on:
- Article 6(1)(b) — Contract: to provide the service you or your employer has subscribed to and manage your user account.
- Article 6(1)(f) — Legitimate interests: to secure the service, prevent fraud, improve the product, defend our legal rights, and send factual service updates. You may object at any time (see Section 9).
- Article 6(1)(a) — Consent: for optional marketing emails, non-essential cookies, and analytics. Consent can be withdrawn at any time without affecting lawfulness of prior processing.
- Article 6(1)(c) — Legal obligation: where we must comply with UK law (e.g. tax records, statutory disclosure requests).
As processor for investigation data, the employer determines the lawful basis (typically Article 6(1)(b) or 6(1)(f) with an Article 9 exception under Schedule 1 DPA 2018 where special-category data is involved).
5. Where we host and store your data
All customer content and account data are hosted in the United Kingdom (AWS London, eu-west-2). Backups remain in-region. We do not transfer customer content outside the UK or EEA unless an appropriate safeguard is in place (either the UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses, or a UK-recognised adequacy decision) together with a documented Transfer Risk Assessment (TRA).
6. AI sub-processors
We use Anthropic Ireland Ltd and OpenAI Ireland Ltd (or equivalent UK/EU entities) to perform generative-AI inference on customer instructions. Prompts and outputs are transmitted under zero-retention terms and are contractually excluded from training any third-party model. AI output is decision-support only; every material decision is made by a human practitioner. This preserves employees' rights under Article 22 UK GDPR (right not to be subject to solely automated decisions with legal or similarly significant effects).
7. Recipients & disclosures
We disclose personal data only:
- To sub-processors listed in the Data Processing Addendum (hosting, AI inference, email delivery, error monitoring).
- To our professional advisers (accountants, lawyers, insurers) under duties of confidence.
- Where required by law, court order, or a validly issued statutory notice (e.g. from HMRC, ICO, or law enforcement).
- In a corporate restructure, sale or acquisition, subject to appropriate confidentiality obligations.
We do not sell personal data. We do not share personal data for advertising purposes.
8. Retention
- Account data: for the life of the subscription, plus 12 months, then deleted or anonymised.
- Customer investigation content (as processor): per your workspace configuration. Default retention is 6 years from case closure, aligned with the statutory limitation period for contract claims (s.5 Limitation Act 1980) and recommended retention for HR records. Customers may configure a shorter or longer period.
- Whistleblowing/PIDA cases: retained for the minimum necessary period, typically 6 years or until any legal proceedings and appeals are exhausted.
- Audit trail: retained for the life of the case plus the retention period above, as required for tribunal defence.
- Support correspondence: 24 months from resolution.
- Marketing data: until you unsubscribe or 24 months of inactivity, whichever is sooner.
- Financial and tax records: 7 years (s.386 Companies Act 2006, HMRC requirements).
9. Your rights under UK GDPR
Where we are the controller, you have the right to:
- Be informed about the processing (this Notice).
- Access a copy of your personal data (Subject Access Request).
- Rectification of inaccurate or incomplete data.
- Erasure ("right to be forgotten") where the grounds in Article 17 apply.
- Restrict processing in specific circumstances.
- Data portability for data you provided under contract or consent.
- Object to processing based on legitimate interests or direct marketing.
- Withdraw consent where consent is the basis.
- Not to be subject to solely automated decisions with legal or similarly significant effects (Article 22).
Requests should be sent to privacy@conductpath.co.uk. We will respond within one month, extendable by two further months for complex requests. There is no fee unless a request is manifestly unfounded or excessive.
If you are the subject of an investigation and want to exercise your rights against investigation content, please contact your employer's DPO — they are the controller for that data.
10. Automated decision-making and profiling
ConductPath uses AI to draft investigation documents and score procedural fairness. It does not make final decisions. Every material determination — whether an allegation is upheld, whether a sanction applies, whether an appeal is allowed — is made by a qualified human practitioner. This structural safeguard is why ConductPath does not engage Article 22 UK GDPR.
11. Security
We maintain technical and organisational measures appropriate to the sensitivity of the data, including UK-region hosting, encryption at rest (AES-256) and in transit (TLS 1.2+), row-level tenant isolation, enforced MFA for privileged users, least-privilege access controls, and immutable audit logs. Details are on our Security page.
12. Breach notification
Where we are the controller and a personal-data breach is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours (Article 33 UK GDPR) and, where the risk is high, affected individuals without undue delay (Article 34). As processor we notify affected customers without undue delay (target: 24 hours).
13. Cookies
See our Cookie Notice for detail on cookies and similar technologies.
14. Complaints
You may complain to the UK Information Commissioner's Office at ico.org.uk, or by post to Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or by phone on 0303 123 1113. We would appreciate the chance to address your concerns first.
15. Changes to this Notice
We may update this Notice from time to time. The date at the top reflects the most recent revision. Material changes will be notified by email or in-product notice.