GDPR & Privacy Policy
Zest Assure is a compliance platform that helps organisations manage ISO 9001, ISO 27001, Cyber Essentials and Cyber Essentials Plus certification — from compliance workspaces and evidence management through to reviews, assessor collaboration, staff training and audit-ready exports. Because trust is the foundation of what we sell, we take the privacy of the people who use our platform and visit our website seriously. This policy explains what personal data we collect, why we collect it, who we share it with and the rights you hold under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who we are
Zest Assure, a trading name of Juicy Media Ltd, is the controller of personal data collected through www.zestassure.com and the data processor for content our customers place in the platform. Juicy Media Ltd is registered in England & Wales under company number 05514688 and is registered with the Information Commissioner's Office under registration number Z1589829. Our registered office is DiSH, Heron House, 47 Lloyd Street, Manchester, M2 5LN.
Questions about data protection, including anything you would raise with a Data Protection Officer, can be sent to [email protected] or posted to the registered office above. Juicy Media Ltd holds ISO 9001 and ISO 27001 certification, and the controls described in this policy sit within that certified management system. Further detail on our processing commitments is set out in our Data Protection Policy.
Information we collect
We collect and process the following categories of personal data:
- Account data. When you sign in with a Microsoft or Google account we receive your name, email address and an identifier from your identity provider so we can create and secure your account. We do not receive or store your password.
- Customer compliance content. Organisations using the platform upload policies, control responses, review records, training records and evidence files. This content belongs to the customer; we process it only to provide the service and any personal data it contains is processed on the customer's instructions.
- Usage and technical data. We record how the platform is used — pages viewed, actions taken, timestamps, IP address, browser and device type — to keep the service reliable and secure and to maintain audit trails.
- Billing data. Payments are handled by Stripe, our payment provider. We receive billing contact details and transaction records, but full card details never touch our systems.
- Enquiries. If you contact us by email or through the website, we hold your name, contact details and the content of your message so we can respond.
Cookies and IP addresses
Our website and platform use a small number of cookies. Strictly necessary cookies keep you signed in and protect against fraud; analytics cookies from Google Analytics and Microsoft Clarity are set only after you give consent through our cookie banner. IP addresses and similar technical data are logged for security and system administration and are not used to build profiles of individual visitors. For a full list of the cookies we use, how long they last and how to withdraw consent, see our Cookies Policy.
How we use personal information
We use personal data only where we have a lawful basis to do so, namely to:
- provide, operate and maintain the Zest Assure platform, including authentication, collaboration features and audit-ready exports (performance of a contract);
- respond to support requests and enquiries (performance of a contract, or legitimate interests where you are not yet a customer);
- secure the service, investigate misuse and maintain audit logs (legitimate interests and legal obligation);
- send service emails such as invitations, review reminders and important account or security notices (performance of a contract);
- process subscription payments and keep accounting records (performance of a contract and legal obligation);
- measure and improve the website and platform using consented analytics (consent).
We do not use customer compliance content for advertising, and we do not send marketing emails without your consent.
Disclosing personal information
We never sell personal data. We share it only with the sub-processors listed below, each operating under a data processing agreement, or where the law requires disclosure — for example to a court, regulator or law enforcement body, or to establish or defend legal claims.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare | Hosting, storage and content delivery | UK/EU, with a global edge network |
| OpenAI | AI drafting features, used only when a customer requests them | United States |
| Stripe | Subscription payments and invoicing | UK/EU/US |
| Microsoft and Google | Single sign-on identity providers | Global |
| Google Analytics and Microsoft Clarity | Website and product analytics, only after consent | EU/US |
Where a sub-processor is outside the UK, transfers are protected by an adequacy decision or by the International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses.
How long we keep personal information
Account data is kept for the lifetime of your account and removed within a defined period after closure, subject to short backup windows during which deleted data may persist in encrypted backups before being purged. Customers control their own compliance content: administrators can edit or delete records at any time, and when a customer leaves the platform their workspace content is deleted after export. Billing and accounting records are retained for as long as UK tax and company law requires. Enquiry correspondence is kept only as long as needed to deal with the matter and any follow-up.
Children's privacy
Zest Assure is a business-to-business service. Neither the website nor the platform is directed at children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
Security
Personal data is encrypted in transit and at rest. Access within the platform is governed by role-based access controls, so people see only what their role in an organisation permits, and administrative actions are recorded in audit logs. Our own staff access customer content only where needed to provide support, and our security controls are maintained and independently assessed under our ISO 27001 certification.
Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected and incomplete data completed;
- have your data erased in certain circumstances;
- restrict or object to particular processing, including any direct marketing;
- receive the data you provided to us in a portable, machine-readable format;
- withdraw consent at any time where consent is our lawful basis, without affecting processing that took place before withdrawal.
To exercise any of these rights, email [email protected] or write to our registered office. We will respond within one month. Where your data sits inside a customer's workspace we may need to refer your request to that organisation, as they act as controller for their own compliance content.
Complaints
If you are unhappy with how we have handled your personal data, please contact us first at [email protected] and give us the chance to put it right. You also have the right to complain to the Information Commissioner's Office at ico.org.uk or by phone on 0303 123 1113.
Changes to this policy
We review this policy regularly and will update it when our practices, sub-processors or the law change. The date at the top of the page shows when it was last revised, and we will tell account holders about any material change by email or through the platform.
Contact details
Zest Assure, a trading name of Juicy Media Ltd
DiSH, Heron House, 47 Lloyd Street, Manchester, M2 5LN
Email: [email protected]
Phone: 0161 464 9252
Web: www.zestassure.com
This policy is governed by the laws of England & Wales.