The Chain · Last updated 25 May 2026
This Privacy Policy describes how The Chain (“we”, “us”, or “our”) collects, uses, stores, and shares personal data when you visit our website, use our software, or otherwise interact with our supply chain and sustainability platform and related services (together, the “Services”). By using the Services, you acknowledge that you have read this notice.
Who is responsible for your data?
The organisation that operates this deployment of the Services acts as the data controller for personal data processed in connection with your account and use of the platform, unless we tell you otherwise (for example where we process data only on behalf of a customer—in that case the customer may be the controller for certain data sets). If you are unsure who controls your data in a specific context, contact your organisation’s administrator or our support team.
What personal data do we collect?
Depending on how you use the Services, we may process:
- Identity and contact data — such as your name, work email address, telephone number, job title, organisation name, and similar professional details you provide when you register, are invited to an account, or communicate with us.
- Account and authentication data — such as username, password (stored in a secure hashed form where applicable), security questions, session tokens, and role or permission settings.
- Service and transactional data — such as subscription or billing information, invoices, and records of changes you make in the platform.
- Content you submit — such as data, documents, assessments, factory or product information, or other materials you upload or enter. Some of this may relate to individuals other than you; you must ensure you have the right to provide it.
- Usage and technical data — such as IP address, device identifiers, browser type and version, time zone, operating system, referral URL, pages viewed, actions taken in the application, approximate location derived from IP, and diagnostic or error logs.
- Marketing and communications — such as your preferences for receiving news or product information, and records of correspondence with us (for example support tickets).
How and why we use personal data
We use personal data to:
- Create and administer your account, authenticate you, and authorise access to features;
- Provide, maintain, monitor, and improve the functionality, performance, and security of the Services;
- Process payments and fulfil contractual obligations;
- Send service messages (for example security alerts, password resets, and essential account notices);
- Respond to enquiries and provide customer support;
- Detect, investigate, and prevent fraud, abuse, and violations of our terms;
- Comply with applicable laws, regulations, court orders, or lawful requests from public authorities;
- Analyse aggregated or de-identified usage trends to develop and improve our product (where we do not rely on identifiable personal data for that purpose); and
- Where permitted by law or with your consent, send marketing or promotional communications (which you may opt out of).
We do not use your personal data for automated decision-making that produces legal or similarly significant effects solely by automated means, unless we expressly inform you and such use is permitted by law.
Legal bases (UK / EEA)
Where UK or EU data protection law applies, we process personal data on one or more of the following bases: performance of a contract with you or your organisation; our legitimate interests in running a secure, efficient business platform (balanced against your rights); compliance with a legal obligation; protection of vital interests; or your consent where we specifically ask for it (for example certain marketing or non-essential cookies). You may withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.
Who we share data with
We do not sell your personal data. We may share personal data with:
- Service providers and processors who assist us with hosting, infrastructure, analytics, email delivery, payment processing, customer support tools, security monitoring, and other functions, under contracts that require them to protect the data and use it only for the purposes we specify;
- Professional advisers such as lawyers or auditors where necessary;
- Business transfers — if we are involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to appropriate safeguards; and
- Authorities and others when we believe disclosure is required by law, to enforce our agreements, or to protect the rights, property, or safety of users, the public, or our organisation.
Where your organisation uses the Services, administrators or other users authorised by your organisation may be able to see certain profile or activity data according to the permissions your organisation sets.
International transfers
We may process or store personal data in the United Kingdom, the European Economic Area, and other countries. If we transfer personal data from the UK, EEA, or Switzerland to countries that are not recognised as providing an adequate level of protection, we implement appropriate safeguards, such as standard contractual clauses approved by relevant regulators, unless a specific derogation applies.
How long we keep data
We retain personal data only as long as necessary for the purposes described in this policy, including to satisfy legal, accounting, tax, or reporting requirements. Retention periods depend on the nature of the data, why we collected it, and applicable law. When data is no longer needed, we delete or anonymise it in line with our internal policies, subject to limited exceptions (for example backups or dispute resolution).
Security
We implement appropriate technical and organisational measures designed to protect personal data against accidental loss, unauthorised access, alteration, or disclosure. These measures are reviewed and updated as appropriate. No method of transmission over the internet or electronic storage is completely secure; we cannot guarantee absolute security.
Your rights
Depending on your location and subject to applicable law, you may have the right to:
- Access the personal data we hold about you;
- Request correction of inaccurate data;
- Request erasure in certain circumstances (“right to be forgotten”);
- Restrict or object to certain processing;
- Request data portability, where processing is based on consent or contract and is carried out by automated means;
- Withdraw consent where processing is based on consent; and
- Lodge a complaint with a supervisory authority (in the UK, the ICO; in the EU, your local data protection authority).
To exercise these rights, please contact us using the details below. We may need to verify your identity before responding. We will respond within the timeframe required by applicable law.
Cookies and similar technologies
We use cookies and similar technologies to operate the Services (for example to keep you signed in), to remember preferences, and to understand how the platform is used. Some cookies are strictly necessary; others may require your consent depending on your jurisdiction. You can control many cookies through your browser settings. For more detail, refer to any cookie notice or preference centre we provide alongside the Services.
Children
The Services are intended for business and professional use. They are not directed at children under 16, and we do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us so we can take appropriate steps.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the Services. The “Last updated” date at the top of this page will be revised when changes are posted. Where changes are material, we may notify you through the Services or by email. We encourage you to review this page periodically.
Contact us
For any questions about this Privacy Policy or our processing of personal data, or to exercise your rights, please contact us through the support channel or email address provided to your organisation for this platform, or via the contact details published on our main website for The Chain. If you use the Services on behalf of an organisation, your administrator may be best placed to assist with account-specific requests.
This policy is intended to inform you about our practices. It does not constitute legal advice. You should obtain independent legal advice to ensure your use of the Services and your own privacy notices meet your compliance obligations.