Legal · UK GDPR / DPA 2018

Privacy Policy

In force from 31 May 2026 · Reviewed annually

This policy explains how RobinsFire (trading as Cambs Fire Safe) collects, uses, and protects personal information when we deliver fire risk assessments and related services. It applies to anyone whose data we hold — clients, contacts at client premises, and visitors to our online tools.

We take the protection of personal data seriously. This policy tells you what we collect, why, who we share it with, how long we keep it, and the rights you have under UK data protection law.

1. Who we are

Data controller: RobinsFire, trading as Cambs Fire Safe — a fire risk assessment business operating in Cambridgeshire and the surrounding area. We are the controller for the personal data described in this policy.

Contact: marco.fiore@cambsfiresafe.com

2. What we collect, and why

We only collect what we need to deliver the service you've engaged us for, or to fulfil a legitimate operational need.

Information you give us

Contact details — name, email, phone number, role at the premises being assessed
Premises details — building address, occupancy type, floor plans, fire safety arrangements
Pre-inspection answers — your responses to our pre-visit form, used to focus the assessment
Account details — for clients with portal access, an email address and password

Information we generate during the assessment

Photos, video, voice notes — captured on site to support findings
Assessor notes & observations — written by our team during the walk-through
The Fire Risk Assessment itself — the final report, action plan, and any subsequent amendments

Information collected automatically

Service usage logs — when you log in, IP address, browser type. Used for security, abuse prevention, and diagnostics
Essential cookies — to keep you signed in. See our Cookies notice for detail

Special category data: we don't deliberately collect health, religious, or other special-category information. If sensitive information (e.g. about a vulnerable occupant) is volunteered in pre-inspection answers or assessor notes because it's relevant to fire safety, we treat it with the same protections as the rest of the assessment record and store it only as long as needed.

3. The lawful basis we rely on

UK GDPR requires us to identify the legal grounds for processing your data. For most of what we do, that's:

Performance of a contract

If you've engaged us to carry out a Fire Risk Assessment, we process your data because we need to in order to deliver that service — to plan the visit, conduct the assessment, produce the report, and provide aftercare.

Legitimate interests

Where we use data to operate our business safely and efficiently — securing our systems, managing the team, detecting and preventing abuse of our online tools — we rely on legitimate interests. We've balanced this against your rights and believe the impact on you is minimal.

Legal obligation

Some records (assessments, evidence of findings) we retain to satisfy fire safety regulations, professional indemnity requirements, and to defend ourselves against complaints. The Regulatory Reform (Fire Safety) Order 2005 and our professional accreditation drive these retention periods.

Consent

For anything outside the above — for instance, optional marketing — we'll ask for explicit consent first, and you'll be able to withdraw it at any time.

4. Who we share it with

We don't sell personal data. We share it with the following categories of recipient, each only where necessary for the service:

Recipient	What they do	Location
Supabase, Inc.	Database + file storage hosting	United States
Railway Corporation	Application hosting	United States / Global
Anthropic, PBC	AI assistance (Claude) for prep + write-up	United States
Groq, Inc.	Voice-to-text transcription	United States
Resend, Inc.	Transactional email delivery	United States
HighLevel, Inc. (SmartHub)	Booking calendar + CRM	United States
Google LLC	Legacy email polling (Gmail)	United States

Each of these is a data processor acting under our instructions. They are bound by contract not to use your data for their own purposes. Where personal data is transferred outside the UK / EEA, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, plus supplementary measures (encryption in transit and at rest) to give your data equivalent protection.

We also share data with:

Our regulators and insurers — where required by law or to defend a complaint
Successors — if we ever sell or restructure the business, with continuity of protection

5. How long we keep it

We keep different categories of data for different periods, driven by either a legal requirement or a sensible operational need.

What	How long	Why
Fire Risk Assessment reports + findings	10 years from delivery	Professional indemnity, regulatory enforcement, evidence in dispute
Inspection photos, video, voice notes	10 years	Supporting evidence for the FRA
Pre-inspection form responses	10 years	Audit trail of assessor context
Client contact + billing records	7 years	HMRC tax retention requirement
Portal account (if inactive)	2 years after last login	Account hygiene
Server access logs	30 days	Security and diagnostics

When the retention period for a category ends, we either delete the data or anonymise it so it can no longer identify you.

6. Your rights

UK GDPR gives you several rights over the personal data we hold about you. You can exercise any of them by emailing marco.fiore@cambsfiresafe.com. We'll respond within 30 days (sometimes faster for simple requests).

Right of access — ask for a copy of the personal data we hold about you
Right to rectification — ask us to correct anything inaccurate
Right to erasure ("right to be forgotten") — ask us to delete your data, where we don't have a legal reason to keep it
Right to restrict processing — ask us to pause processing while a question is resolved
Right to data portability — ask for a machine-readable copy of data you've given us
Right to object — to processing based on legitimate interests or for direct marketing
Right to withdraw consent — wherever we rely on it
Right to complain to the UK Information Commissioner's Office at any time

Practical note: a fully self-service "delete my account" and "download my data" portal is on our roadmap. For now, please email the address above and we'll handle the request manually within the 30-day window.

7. How we protect your data

We take a layered approach to keeping your data safe. Some of the controls we have in place today:

Encryption in transit — all traffic to and from our tools uses HTTPS
Encryption at rest — Supabase encrypts the database and file storage at rest
Mandatory two-factor authentication for everyone on the assessor team
Webhook verification — incoming SmartHub events are authenticated with a shared secret
Server-side rate limiting on cost-sensitive endpoints (AI calls, transcription)
Secrets in environment configuration, never in source code
Regular review of who has access to data, with the principle of least privilege

We document our current security posture in more detail on our Security page.

8. Cookies

We only use cookies that are strictly necessary to run our tools — primarily to keep you signed in and protect against forgery. We don't use analytics, advertising, or third-party tracking cookies. See our Cookies notice for the full list.

9. International transfers

Several of our processors are based in the United States (see section 4). Following the Schrems II decision, transfers of personal data to the US require additional safeguards. We rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses with each processor, supplemented by technical measures (encryption, access controls). If you're concerned about a specific transfer, get in touch and we'll talk you through it.

10. Children

Our service is for businesses and building owners, not for individuals under 18. We don't knowingly collect personal data from children. If you become aware that we have, please tell us and we'll delete it.

11. Updates to this policy

If we change how we handle data, we'll update this policy and change the "In force from" date at the top. For substantive changes, we'll also email portal account holders.

12. How to contact us

Email marco.fiore@cambsfiresafe.com.

If you'd rather take a complaint straight to the regulator, the Information Commissioner's Office handles UK data protection complaints — though we'd hope you'd give us a chance to resolve it first.

Hub · Terms · Cookies · Security · FAQ