SENSERITY — Privacy Policy
Version 1.0 | February 2026
- Data Controller: Blueloop Limited
- Company No: 03981322
- Registered Office: Blueloop House, Ilchester Road, Yeovil, Somerset BA21 3AA
- Data Protection Lead: Robin Barker
- Contact: legal@senserity.co.uk
- ICO Registration: ZA128870
1. Introduction
This Privacy Policy explains how Blueloop Limited ("Blueloop", "we", "us", "our") collects, uses, stores, and protects personal data in connection with the Senserity platform ("the Platform") accessible at app.senserity.co.uk and the Senserity website at senserity.co.uk ("the Website").
Blueloop Limited is the data controller for all personal data processed as described in this policy. We are registered with the Information Commissioner's Office and committed to protecting the privacy and security of personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy covers two distinct groups of individuals:
- Platform Users — individuals who create an account and use the Senserity platform.
- Data Subjects within Company Data — company directors, officers, persons with significant control, charity trustees, and other individuals whose personal data appears within the business intelligence data that the Platform aggregates and presents.
If you have any questions about this policy, please contact us at legal@senserity.co.uk.
2. Personal Data We Collect About Platform Users
2.1 Account Registration
When you create a Senserity account, we collect:
- Your name.
- Your email address.
- Your authentication provider identity (Google, Microsoft, or email magic link).
This is the minimum data required to use the Platform. Tenant Owners may optionally add additional information (such as job title or phone number) through the Platform settings, but this is not required.
2.2 Authentication Data
When you sign in, we receive limited profile information from your authentication provider:
- Google: Name, email address, profile image URL.
- Microsoft Entra ID: Name, email address, profile image URL.
- Email magic link: Email address only.
We do not receive or store your passwords. Authentication is handled by the respective provider, and we receive only a confirmation of your identity.
2.3 Account Activity and Audit Logs
We record your actions within the Platform in an audit log, including:
- Pages and company profiles viewed.
- Companies added to or removed from watchlists.
- Reports generated.
- Settings changed.
- User management actions (invitations, role changes).
- IP addresses associated with your activity.
- Timestamps of all actions.
Audit log data is retained for twelve months.
2.4 Session Data
When you use the Platform, we maintain a database session that stores:
- A session token (stored as a secure cookie in your browser).
- Your active tenant context (which organisation you are currently viewing).
- Session expiry information.
2.5 Payment Data
If you subscribe to a paid tier, payment is processed by our payment partner, Stripe. We do not receive, process, or store your full payment card details. Stripe provides us with:
- A Stripe customer identifier.
- The last four digits of your payment card (for display purposes).
- Subscription status and billing history.
Stripe's own privacy policy governs how they handle your payment data: https://stripe.com/gb/privacy
2.6 Cookies and Similar Technologies
On the Platform (app.senserity.co.uk):
The Platform uses only cookies that are strictly necessary for its operation:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Session cookie (Auth.js) | Maintains your authenticated session | Strictly necessary | Session / configurable expiry |
| Active tenant preference | Remembers which organisation you last accessed | Functional | Session |
The Platform does not use analytics cookies, advertising cookies, or third-party tracking technologies.
On the Website (senserity.co.uk):
The Senserity marketing website uses analytics cookies to help us understand how visitors use the site and to improve our content. These cookies are set only with your consent via the cookie banner presented on your first visit. You can change your cookie preferences at any time through the cookie settings link in the website footer.
2.7 Marketing Website Data
If you interact with the Senserity marketing website (senserity.co.uk), we may collect:
- Your name and email address if you submit a "request a demo" form, contact form, or newsletter signup.
- Analytics data (with your consent) including pages visited, time on site, and referral source.
3. How We Use Platform User Data
We process your personal data for the following purposes and on the following lawful bases:
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Providing and administering the Platform | Name, email, authentication identity, session data | Performance of contract (Article 6(1)(b)) |
| Managing your account and subscription | Name, email, Stripe customer ID, subscription status | Performance of contract (Article 6(1)(b)) |
| Recording audit logs for security and accountability | Activity records, IP addresses, timestamps | Legitimate interest (Article 6(1)(f)) — security and integrity of the Platform |
| Sending transactional emails (alerts, enrichment notifications, account management) | Name, email | Performance of contract (Article 6(1)(b)) |
| Sending marketing communications (product updates, feature announcements, newsletters) | Name, email | Consent (Article 6(1)(a)) — you can opt out at any time |
| Responding to support enquiries | Name, email, content of your enquiry | Legitimate interest (Article 6(1)(f)) — providing customer support |
| Analytics on the marketing website | Analytics cookies, browsing behaviour | Consent (Article 6(1)(a)) — via cookie banner |
3.1 Marketing Communications
We will only send you marketing communications (product updates, feature announcements, newsletters) where you have given your consent. You can withdraw your consent and unsubscribe at any time by:
- Clicking the unsubscribe link in any marketing email.
- Updating your notification preferences in the Platform settings.
- Contacting us at legal@senserity.co.uk.
Withdrawal of consent does not affect transactional communications that are necessary for the operation of your account (such as security alerts, enrichment completion notifications, and billing confirmations).
4. Personal Data Within Company Data
4.1 What Data and Why
The Senserity platform aggregates business intelligence data from public registers, regulatory bodies, and third-party commercial providers. This data includes personal data about individuals in their capacity as company directors, officers, persons with significant control, charity trustees, and other corporate governance roles.
The categories of personal data processed and their sources are set out in detail in our Legitimate Interest Assessment, which is published on the Senserity website. In summary:
Company Directors and Officers: Names, partial dates of birth (month and year only), nationality, country of residence, correspondence address, appointment dates, occupation, and officer role. Source: Companies House.
Persons with Significant Control (PSCs): Names, partial dates of birth, nationality, country of residence, correspondence address, natures of control, and notification dates. Source: Companies House.
Charity Trustees: Names, trustee role, and appointment dates. Source: Charity Commission for England and Wales, Office of the Scottish Charity Regulator.
Individuals in Sanctions Records: Names (including aliases), dates of birth, nationality, regime and designation details. Source: HM Treasury OFSI consolidated list.
Individuals in Disqualification Records: Names, disqualification dates and reasons, case references. Source: Companies House Register of Disqualified Directors.
Individuals in Adverse Media Screening: Names, dates of birth (for matching), categories of media coverage, article summaries and source references. Source: Dilisense adverse media screening API.
Individuals in Court Records: Party names, role in proceedings, court and case details. Source: National Archives Find Case Law service.
4.2 Lawful Basis for Processing Company Data
We process this personal data on the basis of legitimate interest under Article 6(1)(f) of the UK GDPR. Our legitimate interests are:
- Providing a commercial supply chain risk intelligence service to UK businesses.
- Supporting supply chain transparency, corporate accountability, and financial crime prevention in the public interest.
- Enabling our customers to fulfil their own legal and regulatory due diligence obligations.
We have conducted a Legitimate Interest Assessment (LIA) in accordance with ICO guidance, which is published on the Senserity website. The LIA concludes that our legitimate interests are not overridden by the rights and interests of the data subjects, given that the data is predominantly sourced from public registers designed for public access, and that comprehensive safeguards are in place.
4.3 How Company Data Is Processed
Company Data is processed in the following ways:
- Collection and storage: Data is collected through scheduled automated processes from the sources listed above and stored in a database hosted on UK infrastructure.
- Normalisation and linking: Records from different sources are linked to create a unified view of each UK company and its associated individuals.
- Automated risk analysis: Over 660 automated analytical checks assess companies across categories including financial health, governance, compliance, cyber security, legal proceedings, media exposure, and ESG.
- Network graph analysis: Relationships between companies are mapped through shared directors and PSCs, enabling analysis of corporate networks and indirect risk exposure.
- Sanctions and adverse media screening: Director and PSC names are matched against the OFSI sanctions list and adverse media databases to identify potential risk indicators.
- Presentation to Platform users: Data is presented to authorised users as part of company risk profiles, due diligence reports, and alert notifications, subject to role-based access control and subscription tier restrictions.
4.4 Data Retention for Company Data
- Active records: Retained for as long as the associated company remains on the relevant public register, updated through regular processing cycles.
- Historical records: When a director resigns, a PSC ceases, or a company is dissolved, records are marked as inactive but retained for historical analysis. Historical data is held from 2020 onwards.
- Adverse media and sanctions matches: Retained for as long as the associated company record is active, refreshed according to enrichment schedules.
5. Third Parties Who Receive Personal Data
5.1 Platform User Data
We share Platform User personal data with the following third parties, solely for the purposes described:
| Third Party | Data Shared | Purpose | Basis |
|---|---|---|---|
| Stripe (payments) | Name, email, payment information | Processing subscription payments and managing billing | Performance of contract |
| Microsoft (authentication) | Email, name (via Entra ID OAuth) | Authenticating users who sign in with Microsoft | Performance of contract |
| Google (authentication) | Email, name (via Google OAuth) | Authenticating users who sign in with Google | Performance of contract |
| Microsoft (transactional email) | Recipient email address, email content | Sending transactional and marketing emails via Microsoft Graph API | Performance of contract / Consent (marketing) |
We do not sell, rent, or trade your personal data to any third party. We do not share your personal data with advertisers.
5.2 Company Data
Company Data originates from the third-party sources listed in Section 4.1. We do not share Company Data with third parties beyond presenting it to authorised Platform users in accordance with the Terms of Service.
Platform users may include Company Data in due diligence reports that they share with their own third parties (boards, auditors, regulators). This is governed by the Terms of Service, which require users to make recipients aware of the data limitations and their responsibilities.
5.3 Legal and Regulatory Disclosure
We may disclose personal data where required to do so by law, regulation, or court order, or where disclosure is necessary for the prevention or detection of crime.
6. Data Transfers
All personal data processed in connection with the Senserity platform is stored on infrastructure located within the United Kingdom, owned and operated by Blueloop Limited. We do not use sub-processors or cloud hosting providers for data storage.
However, when you authenticate using Google or Microsoft, limited authentication data (name, email) is processed by those providers' global infrastructure. Both Google and Microsoft maintain appropriate safeguards for international data transfers, including Standard Contractual Clauses and UK International Data Transfer Agreements.
Similarly, when you make a payment, Stripe processes your payment data using its global infrastructure. Stripe maintains appropriate safeguards for international data transfers as described in their privacy policy.
7. Data Security
We take the security of personal data seriously and maintain appropriate technical and organisational measures, including:
- All data is hosted on infrastructure owned and operated by Blueloop Limited within the United Kingdom.
- No sub-processors are used for data storage or processing.
- Blueloop holds Cyber Essentials, ISO 9001 (Quality Management), and ISO 27001 (Information Security Management) certifications, each including the Senserity platform within scope.
- Access to the Platform is controlled through authenticated sessions, role-based access control, and subscription tier gating.
- Database access is restricted and audited.
- We maintain a data breach response procedure in compliance with Articles 33 and 34 of the UK GDPR.
8. Your Rights — Platform Users
If you are a Platform user, you have the following rights under the UK GDPR:
Right of access — You can request a copy of the personal data we hold about you.
Right to rectification — You can ask us to correct inaccurate personal data. You can update your name directly through the Platform settings. Your email address is managed through your authentication provider.
Right to erasure — You can request that we delete your account and associated personal data. Certain data may be retained where we have a legal obligation to do so (for example, billing records for tax purposes).
Right to restrict processing — You can ask us to temporarily restrict the processing of your personal data in certain circumstances.
Right to data portability — You can request your personal data in a structured, commonly used, machine-readable format.
Right to object — You can object to processing based on legitimate interest (such as audit logging). We will consider your objection and stop processing unless we have compelling legitimate grounds.
Right to withdraw consent — Where processing is based on consent (marketing communications, analytics cookies), you can withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at legal@senserity.co.uk. We will respond within one month of receiving your request.
9. Your Rights — Data Subjects Within Company Data
If your personal data appears within the Senserity platform because you are a company director, officer, person with significant control, charity trustee, or appear in sanctions, disqualification, adverse media, or court records, you have the following rights:
Right of access — You can request confirmation of whether your personal data is processed by Senserity and, if so, a copy of that data. We will use automated lookup where practicable given the volume of records held.
Right to rectification — You can ask us to correct inaccurate data. Where the data originates from a public register (such as Companies House), we will direct you to the source to make the correction, and we will update our records when the source is corrected. Where the inaccuracy is in our own processing (for example, an incorrect sanctions match), we will correct it directly.
Right to object — You have the right to object to the processing of your personal data under Article 21 of the UK GDPR. We will consider each objection individually. However, as set out in our Legitimate Interest Assessment, we generally consider that we have compelling legitimate grounds for processing data sourced from public registers designed for public access, particularly where the processing serves supply chain transparency and financial crime prevention objectives. You will be informed of the outcome of your objection and your right to complain to the ICO.
Right to erasure — We will consider erasure requests on a case-by-case basis. Where your data is sourced from public registers and you remain an active director or PSC, erasure would compromise the integrity of the risk intelligence service. Where you have resigned or ceased to hold a relevant role, and the data is no longer necessary, your request may be granted.
Sanctions and adverse media matches — If you believe you have been incorrectly matched against a sanctions designation or adverse media record, you can contact us at legal@senserity.co.uk. We maintain a review and correction process for disputed matches. The Platform also includes a mechanism for users to flag data they believe to be inaccurate, which triggers manual review by Blueloop.
To exercise any of these rights, contact us at legal@senserity.co.uk. We will respond within one month of receiving your request. If your request is complex or we receive a large number of requests, we may extend this period by a further two months, in which case we will inform you within the initial one-month period.
10. Children's Data
The Senserity platform is a B2B business intelligence service and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.
Company Data may include records relating to directors or PSCs who are under 18 in exceptional cases (Companies House permits appointment of directors aged 16 and over). Such records are processed in the same manner as all Company Data, on the basis of legitimate interest, and are sourced from public registers.
11. Automated Decision-Making
The Senserity platform uses automated processing to generate risk scores, severity classifications, and other analytical outputs (Insight Tests). These outputs are informational indicators provided to Platform users to support their decision-making.
Blueloop does not make any decisions based solely on automated processing that produce legal effects concerning, or similarly significantly affect, any individual. The Terms of Service explicitly prohibit Platform users from using Insight Tests for such purposes.
Risk scores and match confidence levels are the output of automated analysis. They are always presented alongside source data and context, enabling human review and judgement.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or regulatory guidance.
Where changes are material, we will notify Platform users by email or through the Platform at least 30 days in advance.
The current version of this policy is always available on the Senserity website.
| Version | Date | Changes |
|---|---|---|
| 1.0 | February 2026 | Initial policy |
13. Complaints
If you are not satisfied with how we handle your personal data or your privacy rights, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
- Website: https://ico.org.uk/make-a-complaint/
- Telephone: 0303 123 1113
We would appreciate the opportunity to address your concerns before you approach the ICO. Please contact us at legal@senserity.co.uk in the first instance.
14. Contact
For any questions about this Privacy Policy or to exercise your data protection rights:
- Data Protection Lead: Robin Barker
- Email: legal@senserity.co.uk
- Post: Blueloop Limited, Blueloop House, Ilchester Road, Yeovil, Somerset BA21 3AA