Skip to content
Rofterm Rofterm
Platform Compliance Reporting Industries Security FAQ
Sign in Book a demo
Platform Compliance Reporting Industries Security FAQ Book a demo

Legal

Privacy Policy

Last updated: 28 June 2026 Effective: 28 June 2026

On this page

1. Scope & roles 2. Data we collect 3. How we use data 4. Legal bases 5. Sharing & subprocessors 6. International transfers 7. Retention 8. Security 9. Your rights 10. Cookies 11. Children 12. Changes 13. Contact

This Privacy Policy explains how Rofterm collects, uses, shares and safeguards personal data when you visit our website, request a demo, or use the Rofterm enterprise risk, controls and compliance platform (the "Service").

Template notice: This document is a good-faith starting point and not legal advice. Rofterm is not yet incorporated as a registered company, so it references no legal entity or registered address. Update this policy with your company details once Rofterm is registered, and have qualified counsel review it before relying on it.

1. Scope & our roles

This policy applies to personal data processed by Rofterm ("Rofterm", "we", "us"), the operator of the Rofterm platform.

Rofterm acts in two distinct roles:

  • As a controller for personal data relating to our website visitors, prospects, demo requesters, marketing contacts, and the administrators and named users of customer accounts (for example, account login and contact details).
  • As a processor for the content our customers load into the Service (risks, controls, evidence, incidents, reports and any personal data contained within them). For that content, the customer is the controller and our handling is governed by our Data Processing Agreement.

2. Data we collect

Information you provide

  • Demo & contact requests: name, business email, company, role, company size and any message you submit.
  • Account data: name, work email, role and authentication identifiers for users provisioned into the Service.
  • Customer content: data you enter into the Service, which may include the names and contact details of risk owners, control owners and other colleagues.
  • Support & correspondence: messages you send us and their contents.

Information collected automatically

  • Usage & device data: IP address, browser and device type, pages viewed, referring URLs and timestamps.
  • Cookies & similar technologies: see Cookies below.

Information from third parties

  • Authentication providers (for single sign-on), and business contact data from reputable enrichment or referral sources where permitted by law.

3. How we use personal data

  • Provide, operate, secure and improve the Service and our website.
  • Respond to demo requests, enquiries and support tickets.
  • Authenticate users and manage accounts, billing and subscriptions.
  • Send service and transactional communications (for example, security and overdue-item notifications).
  • Send marketing communications where permitted, which you can opt out of at any time.
  • Monitor for, investigate and prevent fraud, abuse and security incidents.
  • Comply with legal, regulatory and contractual obligations.

4. Legal bases for processing (EEA/UK)

Where the UK GDPR or EU GDPR applies, we rely on the following legal bases:

  • Contract — to provide the Service and account features you request.
  • Legitimate interests — to operate, secure and improve our business, and for B2B marketing, balanced against your rights.
  • Consent — for non-essential cookies and certain marketing, withdrawable at any time.
  • Legal obligation — to meet our compliance, tax and accounting duties.

5. Sharing & subprocessors

We do not sell personal data. We share it only with:

  • Service providers / subprocessors that host and support the Service under contract (for example, cloud hosting, database, authentication and email providers).
  • Professional advisers such as auditors, lawyers and accountants.
  • Authorities where required by law or to protect rights, safety and security.
  • Corporate transactions such as a merger, acquisition or asset sale, subject to this policy.

A current list of subprocessors is available on request and is maintained alongside our DPA.

6. International transfers

We may process personal data in countries other than your own. Where we transfer data outside the UK or EEA, we use an approved transfer mechanism such as the UK International Data Transfer Agreement or the EU Standard Contractual Clauses, together with supplementary safeguards where needed.

7. Data retention

We keep personal data only as long as necessary for the purposes set out here, then delete or anonymize it. Account and customer content is retained for the life of the subscription and deleted or returned after termination in line with the DPA. Prospect and marketing data is retained until you unsubscribe or it is no longer relevant. Legal, tax and security records are kept for the periods required by law.

8. Security

We maintain technical and organizational measures appropriate to the risk, including encryption in transit, access controls, role-based permissions, tenant isolation, logging and monitoring. No method of transmission or storage is completely secure, but we work to protect personal data and to notify affected parties of breaches as required by law.

9. Your rights

Subject to applicable law, you may have the right to access, correct, delete or port your personal data, to restrict or object to processing, and to withdraw consent. To exercise these rights, contact us using the details below. You also have the right to lodge a complaint with your local data protection authority (in the UK, the Information Commissioner's Office).

If your personal data sits inside a customer's account, please direct your request to that customer (the controller); we will assist them as their processor.

10. Cookies & similar technologies

Our website uses strictly necessary cookies to function, and may use analytics or preference cookies to understand usage and improve the site. You can control non-essential cookies through your browser settings or our cookie controls where presented. Disabling some cookies may affect site functionality.

11. Children

The Service is a business product and is not directed to anyone under 16. We do not knowingly collect personal data from children.

12. Changes to this policy

We may update this policy from time to time. Material changes will be reflected by the "Last updated" date above and, where appropriate, communicated to you. Continued use of the Service after an update constitutes acceptance of the revised policy.

13. How to contact us

For privacy questions or to exercise your rights, contact us by email at hey@rofterm.com. We will add a postal address and a named data protection contact once Rofterm is incorporated.

Rofterm

Board-ready enterprise risk & compliance, built for modern Chief Risk Officers.

Product

PlatformComplianceReportingSecurity

Legal

PrivacyTermsDPA
© 2026 Rofterm. All rights reserved. Built for Chief Risk Officers who'd rather walk into the boardroom ready.