Privacy Policy
Last updated: 3 April 2026
This Privacy Policy explains how DORSET CREATIVE LTD (“Threadsovereign”, “we”, “us”, “our”) collects, uses, stores and protects your personal data when you use the Threadsovereign platform (“Platform”). It applies to all portal users including Principal Designers, Contractors, Clients, Residents and Platform Administrators.
This policy is written in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
DORSET CREATIVE LTD is the data controller for personal data processed through the Platform.
Data Controller Details
DORSET CREATIVE LTD
Registered in England and Wales
Company Registration Number: 16753535
Registered Office: Flat 1, 25 Old Coach Mews, Poole, England, BH14 0LB
ICO Registration Number: [PENDING — register at ico.org.uk before launch]
Data Protection contact: privacy@threadsovereign.io
2. Data We Collect
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account data | Full name, email address, job title, phone number, password (hashed) | Provided by you at registration |
| Organisation data | Company name, Companies House registration number, VAT number, registered address | Provided by your organisation admin |
| Profile data | Role within the platform (e.g. Principal Designer), user preferences, notification settings | Provided by you or your admin |
| Project & building data | Building addresses, project names, building height, number of storeys and units, Gateway submission records, document metadata | Provided by you in the course of using the Platform |
| Resident data | Flat/unit number, floor, resident name and contact details (for Resident Portal users) | Provided by the Accountable Person or BSM, or directly by residents |
| Usage data | Login timestamps, IP address at login, pages visited, features used | Collected automatically |
| Audit log data | Record of actions taken on the Platform (document uploads, approvals, Gateway submissions) | Generated automatically |
| Communications | Messages sent through the Platform's messaging feature, RFI content | Provided by you |
| Cookie data | Session identifiers, analytics data (with consent) | See Section 9 |
We do not intentionally collect any special category personal data (e.g. health data, biometric data, racial or ethnic origin). If you believe special category data has been included in a document upload, please contact us immediately at privacy@threadsovereign.io.
3. Lawful Basis for Processing
UK GDPR requires that every processing activity has a lawful basis. Below we set out the basis for each type of processing we carry out:
| Processing Activity | Lawful Basis | Detail |
|---|---|---|
| Creating and managing your account | Contract (Article 6(1)(b)) | Processing is necessary to perform the contract between you (or your organisation) and Threadsovereign |
| Providing all Platform features | Contract (Article 6(1)(b)) | Core service delivery |
| Storing building safety records, Gateway submissions, Golden Thread documents | Legal obligation (Article 6(1)(c)) | The Building Safety Act 2022 requires these records to be maintained. We cannot delete them even on request — see Section 8. |
| Maintaining immutable audit logs | Legal obligation (Article 6(1)(c)) + Legitimate interests (Article 6(1)(f)) | BSA 2022 audit obligations and our legitimate interest in platform security and fraud prevention |
| Sending transactional emails (password reset, notifications) | Contract (Article 6(1)(b)) | Part of service delivery |
| Session management and security monitoring | Legitimate interests (Article 6(1)(f)) | Our legitimate interest in platform security and preventing unauthorised access. We have conducted a balancing test and concluded this processing does not override your interests. |
| Analytics cookies (Vercel Analytics) | Consent (Article 6(1)(a)) | Analytics only fire after you grant consent via the cookie banner. You may withdraw consent at any time. |
| Marketing communications (not currently active) | Consent (Article 6(1)(a)) | We will only send marketing communications with your explicit consent |
4. How We Use Your Data
We use your personal data to:
- Create and manage your Platform account
- Provide the building safety compliance features of the Platform
- Enable collaboration between Principal Designers, Contractors, Clients, Residents and Regulators
- Generate, store and maintain Gateway submission records required by the Building Safety Regulator (BSR)
- Maintain the Golden Thread of building information as required by the Building Safety Act 2022
- Send you notifications about tasks, deadlines, approvals and system alerts
- Provide customer support
- Detect and prevent fraud, abuse and security incidents
- Comply with our legal obligations
- Improve the Platform (with your consent for analytics)
5. How Long We Keep Data
We retain personal data only as long as necessary for the purposes set out in this policy, and no longer than required by applicable law.
| Data Type | Retention Period | Reason |
|---|---|---|
| Building safety records (documents, Gateway submissions, Golden Thread, Safety Cases) | Minimum 15 years from building completion / last Gateway submission | Building Safety Act 2022, Sections 79–82 — mandatory retention of higher-risk building information |
| Audit log entries | Minimum 15 years | BSA 2022 audit obligations and legal requirement |
| User account data (name, email, job title, phone) | Duration of active subscription + 6 months after termination | Operational necessity; soft-anonymised after 6 months where legally permissible |
| Session data and login logs | 24 hours (rolling) | Security monitoring only |
| Marketing consent records | Until withdrawn + 3 years | ICO guidance on evidencing consent |
| Cookie consent records | 3 years or until withdrawn | ICO guidance |
| Billing records and invoices | 6 years from invoice date | UK tax law (HMRC requirement) |
| Failed login attempt logs | 90 days | Security monitoring |
7. International Data Transfers
The UK has not yet made an adequacy decision in respect of all countries where our sub-processors operate. Where data is transferred outside the UK we rely on:
- UK–US Data Bridge — for transfers to US-based sub-processors that are certified under the Bridge (Vercel Inc.)
- Standard Contractual Clauses (SCCs) — UK International Data Transfer Agreements (IDTAs) as a fallback where required
Our primary database hosting is in the EU (Supabase, Frankfurt). No adequacy transfer mechanism is required for EU-hosted data as the UK recognises EU data protection as adequate.
You can request a copy of the relevant transfer safeguards by contacting privacy@threadsovereign.io.
8. Your Rights Under UK GDPR
You have the following rights in relation to your personal data. To exercise any right, contact privacy@threadsovereign.io. We will respond within 30 calendar days.
| Right | What It Means | Limitations |
|---|---|---|
| Right of access (DSAR) | Request a copy of all personal data we hold about you, in a portable format | We may verify your identity before releasing data |
| Right to rectification | Ask us to correct inaccurate or incomplete data | Applies to personal data, not to building safety records which are legally required to be accurate and immutable |
| Right to erasure ('right to be forgotten') | Ask us to delete your personal data | IMPORTANT: We cannot erase audit log entries, Gateway submission records, Golden Thread documents or other BSA 2022-required records. We will tell you exactly what cannot be erased and why. |
| Right to data portability | Receive your personal data in a machine-readable format (JSON) | Applies to data you provided to us and that we process on the basis of consent or contract |
| Right to restriction | Ask us to stop actively processing your data (while retaining it) | Available while an objection or rectification request is pending |
| Right to object | Object to processing based on legitimate interests | We will stop unless we can demonstrate compelling legitimate grounds |
| Rights related to automated decision-making | We do not make solely automated decisions that produce significant effects on individuals | — |
10. Security
We take the security of your data seriously and implement the following technical and organisational measures:
- All data encrypted in transit via TLS 1.2+
- All data encrypted at rest (Supabase AES-256)
- Role-based access control (RBAC) with Row Level Security (RLS) on all database tables
- Multi-factor authentication available to all users
- Account lockout after 5 failed login attempts (30-minute cooldown)
- Immutable audit logs for all significant actions
- Private file storage — all uploaded documents are stored with access controls
- Regular security assessments
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR Article 33.
11. Children
The Platform is designed for professional use only and is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact privacy@threadsovereign.io.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in law or our practices. We will notify you of material changes by email or by a prominent notice in the Platform. The “Last updated” date at the top of this page indicates when the policy was last revised.
Your continued use of the Platform after any change constitutes acceptance of the updated policy. Where changes require fresh consent, we will obtain it explicitly.
13. Contact Us
For any data protection queries, requests or complaints:
Data Protection Contact
DORSET CREATIVE LTD
Flat 1, 25 Old Coach Mews, Poole, England, BH14 0LB
Email: privacy@threadsovereign.io
We aim to acknowledge all requests within 5 working days and respond in full within 30 calendar days. Where a request is complex, we may extend this by a further 2 months — we will notify you if this applies.