Privacy Policy

Last updated: 12 April 2026

1. Introduction

ClassifiedAsset ("we", "us", "our") operates the ClassifiedAsset platform, a cloud-based software-as-a-service (SaaS) application that helps manufacturers comply with Machinery Regulation (EU) 2023/1230.

We are committed to protecting your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national data protection laws.

This Privacy Policy explains what data we collect, why we collect it, how we process it, and what rights you have regarding your personal data.

2. Data Controller

The data controller responsible for the processing of your personal data is:

ClassifiedAsset

Email: privacy@classifiedasset.com

3. Data We Collect

3.1 Account Data

When you register for an account, we collect:

  • Email address — used as your login identifier and for account-related communications
  • Password — stored in hashed form only (we never store or have access to your plaintext password)
  • First name and last name — for account identification within your organization

3.2 Asset & Machine Data

As part of using the platform, you and your organization enter data about machinery and products to assess compliance with EU 2023/1230. This includes:

  • Machine names, descriptions, and classification details
  • Risk assessment data (hazards, risk scores, mitigation measures)
  • Technical documentation records and completeness status
  • Declarations of conformity and incorporation
  • Workflow status and approval records

This data is business data belonging to your organization (tenant). It is scoped to your tenant and is never shared with or accessible by other tenants.

3.3 Uploaded Attachments

You may upload file attachments (e.g., technical drawings, manuals, certificates) as supporting documentation for your machines. These files are stored securely and are accessible only to authorized users within your organization.

3.4 Audit Log Data

For compliance and traceability purposes, we maintain an audit log of all changes made to business data. This log records the user who made the change, the timestamp, and the specific fields that were modified. Audit logs are append-only and cannot be altered or deleted.

3.5 Technical & Usage Data

  • IP address — collected in server logs for security and troubleshooting
  • Browser type and version — for compatibility purposes
  • Language preference — stored in a cookie to provide the interface in your preferred language

4. Purpose and Legal Basis for Processing

Purpose | Legal Basis (GDPR)
Providing the SaaS platform and its features | Performance of contract (Art. 6(1)(b))
User authentication and account management | Performance of contract (Art. 6(1)(b))
Maintaining audit logs for regulatory compliance | Legitimate interest (Art. 6(1)(f)) — ensuring traceability for EU machinery regulation compliance
Processing payments for subscriptions | Performance of contract (Art. 6(1)(b))
Sending account-related emails (e.g., email confirmation) | Performance of contract (Art. 6(1)(b))
Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f))

5. Data Sharing and Third Parties

We do not sell your personal data. We share data only with the following categories of service providers, strictly as needed to operate the platform:

  • Hosting provider — our infrastructure is hosted within the European Union
  • Payment processor (Mollie) — processes subscription payments; Mollie acts as an independent data controller for payment data. See Mollie's Privacy Policy
  • Email service provider (SendGrid/Twilio) — used to send transactional emails such as email confirmations

All third-party processors are bound by data processing agreements (DPAs) in accordance with GDPR Art. 28.

6. Data Storage and Security

  • All data is stored on servers located within the European Union
  • Data is encrypted in transit (TLS/HTTPS) and at rest
  • Passwords are hashed using industry-standard algorithms and are never stored in plaintext
  • Access to production systems is restricted to authorized personnel only
  • Tenant data is logically isolated — each organization's data is strictly separated and inaccessible to other organizations

7. Data Retention

  • Account data — retained for the duration of your active subscription, and deleted within 90 days after account closure upon request
  • Asset and machine data — retained for the duration of your subscription; exported or deleted upon request after account closure
  • Uploaded attachments — retained for the duration of your subscription; deleted upon request after account closure
  • Audit logs — retained for a minimum of 10 years to support regulatory compliance obligations under EU machinery legislation
  • Server logs — retained for up to 90 days for security and troubleshooting purposes

8. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

  • Right of access (Art. 15) — obtain a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate personal data
  • Right to erasure (Art. 17) — request deletion of your personal data, subject to legal retention obligations
  • Right to restriction (Art. 18) — restrict processing in certain circumstances
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — where processing is based on consent

To exercise any of these rights, contact us at privacy@classifiedasset.com. We will respond within 30 days as required by GDPR.

You also have the right to lodge a complaint with your local data protection supervisory authority.

9. Cookies

We use a minimal number of cookies, strictly necessary for the operation of the platform:

Cookie | Purpose | Duration
ClassifiedAsset.Culture | Stores your preferred language | 1 year
.AspNetCore.Identity.Application | Authentication session cookie | Session
.AspNetCore.Antiforgery.* | CSRF protection for form submissions | Session

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

10. International Data Transfers

Your data is processed and stored within the European Union. In cases where a sub-processor may process data outside the EU/EEA (e.g., email delivery via SendGrid), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Children's Privacy

ClassifiedAsset is a business-to-business service and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the platform or by email. The "Last updated" date at the top of this page indicates when this policy was last revised.

13. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us: