RISKFEND PRIVACY POLICY
Last Updated: January 10, 2026
I. INTRODUCTION
Riskfend ("we", "us", or "our") provides an operational risk scanning solution. This Privacy Policy describes how we collect, use, and protect your data across our website (riskfend.com), our .NET Backend Services, and our Windows Desktop Client Application.
Data Controller Identity
- Entity Name: Riskfend Ltd.
- Country of Incorporation: United Kingdom
- Registered Address: 12 Chatsworth Park, Telscombe Cliffs, East Sussex, BN10 7DZ, UK
- Contact Email: support@riskfend.com
Data Protection Officer (DPO)
Riskfend has not appointed a Data Protection Officer as it is not required under Article 37 GDPR. Privacy matters and compliance inquiries may be directed to support@riskfend.com.
II. LEGAL BASIS FOR PROCESSING (GDPR Art. 6)
We process your personal data based on the following legal grounds:
- Contractual Necessity: To provide and maintain the Riskfend service, including account management and Magic Link delivery.
- Legitimate Interest: To ensure the security of our services, prevent fraud, perform diagnostics, improve application performance, and maintain the integrity of the Service (including sending notifications regarding planned maintenance, downtime, or security incidents).
- Consent: Where you have explicitly opted into specific processing activities (e.g., optional marketing communications).
III. DATA WE COLLECT
1. Account Information (PII)
- Email Address: Collected when you sign up for an account via Magic Link. This is the primary identifier for your account.
- Name: Collected via contact forms on the website.
2. Application Data (Risk Analysis)
- Dependency Lists: When you use the Desktop Client or Web Dashboard to record "Dependencies" (e.g., software vendors, cloud providers), we process the name, notes, category, and estimated financial impact (Profit Impact).
- Desktop Client Storage: All dependency data and scan results are stored LOCALLY on your machine in the folder %AppData%\Riskfend\. This data is not uploaded to our servers in a persistent or identifiable form, except when you explicitly request AI-assisted analysis.
3. Technical Data
- Tokens: We use JSON Web Tokens (JWT) to authenticate sessions. On the Desktop Client, these are encrypted using Windows Data Protection API (DPAPI) to ensure only your Windows user can access them.
- IP Addresses: Collected in server logs for security, diagnostics, and to prevent abuse of the API proxy.
- Device ID: A unique identifier (random GUID) generated on your browser/client to manage Magic Link security. This identifier is non-persistent across fresh installations and is not used for tracking, profiling, or identification across other services.
4. Financial & Billing Data
We utilize secure, third-party payment processors for billing. Riskfend does not store your credit card numbers or bank details on our servers. We only store your current subscription plan and credit balance.
IV. HOW WE USE YOUR DATA
- To Provide the Service: Processing your email to send Magic Links for passwordless login.
- AI Risk Guidance: When you request "AI Guidance", a list of your dependencies is sent to our secure backend, which proxies the request to third-party artificial intelligence service providers acting as data processors. Such providers include large language model (LLM) services hosted in the United States or other international jurisdictions.
NOTE: We do not use your data to train AI models. Data is sent as a prompt for real-time analysis only.
- Communication: Using your email to provide support or send critical service updates.
- Security & Audit: Admin logs track changes to credit balances and account roles to prevent fraud.
V. DATA SHARING & THIRD PARTIES
- AI Providers & Cross-Border Transfers: Dependency names and notes are sent to third-party artificial intelligence service providers acting as data processors for risk analysis.
  - Data may be processed outside your country of residence (including in the United States or international jurisdictions).
  - We engage vetted service providers under contractual confidentiality and data protection obligations, including Standard Contractual Clauses (SCCs) where applicable. Where required, we implement supplementary technical and organizational measures to ensure an adequate level of protection.
- Email Services: We use SMTP services to deliver magic links and contact form notifications.
- No Sale of Data: Riskfend does not sell your personal data, contact lists, or dependency risk profiles to third parties.
VI. DATA RETENTION & SECURITY
- Retention
  - Account Data: We keep your account data as long as your account is active.
  - After Deletion: Users may request account deletion by contacting support@riskfend.com. Upon verified request, personal data is removed from active production systems within 30 days.
  - Backups: Residual data may remain in encrypted backups for up to 90 days.
  - Logs: Server logs (including IP addresses) are retained for 12 months for security auditing.
- Security Measures
  - Encryption at Rest: Customer data is protected using industry-standard encryption mechanisms (such as AES-256) at the infrastructure or database level.
  - Secret Management: Application secrets and API keys are managed via secure environment variables.
  - Transport Security: All data in transit is encrypted via TLS/SSL.
  - Desktop Hardening: Local tokens are protected via hardware-backed DPAPI where available.
- User Responsibility: Users are responsible for maintaining the confidentiality of their email accounts. Riskfend is not responsible for unauthorized access resulting from compromised email credentials.
VII. CHILDREN'S PRIVACY
Riskfend is not intended for use by children under 16, and we do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information.
VIII. YOUR RIGHTS (GDPR / CCPA / UK GDPR)
Subject to applicable law, Riskfend provides the following rights:
- Response Time: We will respond to verified privacy requests within the timeframes required by applicable law, typically within 30 days.
- Access: You can view your dependency data in the app or request a copy of your server account data.
- Rectification: You can update your settings and project info in the app.
- Restriction: You may request that we restrict the processing of your personal data in certain circumstances.
- Data Portability: You may request a copy of your personal data in a structured, commonly used format where technically feasible.
- Deletion (The "Right to be Forgotten"): You can request that we delete your email and account history from our servers.
- Complaint: You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local supervisory authority.
- Local Control: Since dependency data is stored locally on your PC, you can delete it simply by clearing the %AppData%\Riskfend\ folder.
California Residents (CCPA)
California residents have the right to request disclosure of the categories of personal information collected, the purposes for which it is used, and to request deletion of personal information. Riskfend does not sell personal information. Requests may be submitted via support@riskfend.com.
IX. COOKIES & LOCAL STORAGE
Our website uses minimal cookies and local storage technology strictly necessary for authentication and security to provide you with a secure experience.
- Authentication: riskfend_staff_token (Duration: Persists until logout or expiry). Used to maintain your secure session.
- Consent & Security: riskfend_cookie_consent (Duration: 1 year). Used to record your agreement to mandatory site technology.
- Device Identity: riskfend_device_id (Local Storage). A random GUID used to manage Magic Link security.
Consent to these technologies is required to use the Service for professional purposes. We do not use invasive third-party tracking pixels or marketing cookies.
X. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. Material changes will be communicated via email or in-app notification.
XI. CONTACT US
For privacy requests or to report a security concern:
- Email: support@riskfend.com
- Address: 12 Chatsworth Park, Telscombe Cliffs, East Sussex, BN10 7DZ, UK