govn.ai

Privacy policy

Effective 21 May 2026

govn.ai is a multi-tenant software-as-a-service application for AI governance in UK-regulated financial services firms. This policy explains how we (govn.ai, the controller of personal data we collect about you when you visit our website or use the platform) handle that personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Where you are a user of the platform on behalf of your employer (our customer), your employer is the controller of the personal data they enter into the platform and govn.ai is the processor. The processor relationship is governed by the Data Processing Agreement attached to the customer's order form (see /dpa).

1. Who we are

govn.ai is operated by govn.ai Limited (a company to be incorporated in England & Wales; registered office to be confirmed before customer 1). Until incorporation, the platform is operated by Ashley Young as a sole trader trading as govn.ai, with primary residence in London. You can contact us at privacy@govn.ai.

Our nominated Data Protection contact is the founder, reachable at the address above. We do not currently appoint a statutory Data Protection Officer — our processing does not require one under Article 37 UK GDPR — but the founder discharges DPO-equivalent responsibilities.

2. What data we collect

2.1 Website visitors

  • IP address (collected by our hosting provider; used to detect abuse and load-balance).
  • Pages viewed, browser type, screen resolution (collected by PostHog product analytics, only after you accept the analytics cookie).
  • The content of any form you submit (e.g. the contact form).

2.2 Platform users

  • Name, email address, job title, and authentication metadata (managed by Clerk).
  • Membership of an organisation in the platform, the role you hold (Owner, Admin, Reviewer, Business Owner, AIGC Member, Read-only), and your activity within the platform.
  • Audit trail of state-changing actions you take in the platform (creating use cases, reporting incidents, recording assessments, casting committee votes, etc.). The audit log is immutable by design — see clause 6.
  • Any documents or attachments you upload to the platform (governance evidence, policy drafts, incident artefacts).

3. Why we collect it (lawful bases)

  • Contract (Article 6(1)(b)): to provide the service to your employer (our customer).
  • Legitimate interests (Article 6(1)(f)): to operate, secure, and improve the platform; to detect and prevent abuse; to communicate service updates to you. We balance these against your interests and rights and document the assessment internally.
  • Consent (Article 6(1)(a)): for non-essential analytics cookies. You can withdraw consent any time via the cookie banner.
  • Legal obligation (Article 6(1)(c)): to respond to lawful requests from regulators or law-enforcement authorities.

4. Who we share it with

We do not sell personal data. We share personal data only with the sub-processors listed at /sub-processors, each of whom is contractually bound to the same protections as this policy and the customer's DPA. Sub-processors include our hosting provider, authentication provider, error-reporting service, analytics provider, and similar infrastructure vendors.

5. Where it lives (cross-border transfers)

Customer data is stored primarily in the European Union (Frankfurt, Germany) by our database provider Neon. Some sub-processors store metadata in the United States (Clerk for authentication, PostHog for analytics where the EU data residency option is selected we use it). Where data leaves the UK, we rely on the UK Government's adequacy decisions or, where not available, on the UK International Data Transfer Agreement. The Sub-processors page identifies each provider's primary jurisdiction.

6. How long we keep it

  • Account and authentication data: while your account is active, plus 90 days after closure for billing and dispute reasons.
  • Customer-entered data (use cases, incidents, policies, assessments): for the duration of your employer's subscription, plus a 90-day retention window after termination during which an export is available, then deleted.
  • Audit log entries: retained for the full subscription term plus 6 years after termination, aligned with the FCA SYSC record-keeping expectations. The audit log is immutable; entries cannot be edited or deleted by anyone (including govn.ai operators).
  • Website analytics: 12 months from the visit, then aggregated and anonymised.

7. Your rights

Under UK GDPR you have the right to access, rectify, erase, restrict, port, or object to our processing of your personal data. To exercise any of these rights, email privacy@govn.ai. We will respond within 30 days; if your request is complex, we may extend by a further 60 days and will explain why.

Where you are a platform user acting in your employment, your employer is the controller of most of the data we process about you. We may forward your request to them; we will tell you when we do.

You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

See our cookie policy for the full list of cookies set by the website and the platform, the categories they fall into, and how to manage them.

9. Security

We protect personal data using industry-standard controls: TLS 1.2+ in transit, AES-256 at rest, role-based access control, mandatory MFA for all platform users, application-layer tenant isolation, and immutable audit logging. Our control adoption is visible to customers via the in-app evidence pack.

10. Changes to this policy

We may update this policy from time to time. Material changes will be notified to platform customers by email and announced on this page; minor wording edits will only update the effective date.

11. Contact

Questions about this policy or how we handle your data: privacy@govn.ai.

We use cookies to keep you signed in and (with your permission) to understand how the site is used. See our cookie policy for details. Strictly-necessary cookies are always on.