Back

Privacy Policy

Last updated:

1. Who We Are

This Privacy Policy applies to the Datum Client Portal, operated by SurvTech Ltd ("we", "us", "our"), a company registered in England and Wales. The Datum portal is provided to clients of surveying companies that use the SurvSync platform.

For questions about this policy, contact us at contact@survsync.com.

2. What Personal Data We Collect

We collect and process the following information about you:

  • Account information: your name and email address, provided by your surveyor when setting up your portal account.
  • Authentication data: a hashed (bcrypt) version of your chosen password. We never store your password in plain text.
  • Session data: a session identifier stored server-side to keep you logged in (see Section 4 — Cookies).
  • Document access records: when you view, download, or sign documents in the portal.
  • Payment records: payment amounts, dates, and Stripe payment reference IDs for any survey fees processed through the portal. We do not store your card details — these are handled entirely by Stripe.
  • E-signature data: if you sign a document electronically, we store a record of your signature event including the date, time, and document reference.

3. Legal Basis for Processing

We process your personal data on the following legal bases under UK GDPR:

  • Contract performance: to provide you access to your survey documents and process payments you have requested.
  • Legitimate interests: to maintain the security of the portal, prevent fraud, and ensure service continuity.
  • Legal obligation: to retain certain financial and transaction records as required by law.

4. Cookies and Session Technology

The Datum portal uses the following cookies and session technologies:

Our Cookies

Cookie Purpose Duration Type
datum_session_id Keeps you logged in to the portal. Contains only a session token — all session data is stored server-side in our database. Up to 24 hours, or until you sign out Essential
CSRF token cookie (set by nosurf) Protects all form submissions against cross-site request forgery attacks. Session Essential (security)

These cookies are strictly necessary for the portal to function. They are not used for advertising or tracking. No consent banner is required for strictly necessary cookies under UK GDPR and PECR.

Third-Party Cookies — Stripe

When you make a payment through the portal, our payment pages load Stripe's JavaScript library from js.stripe.com. Stripe may set its own cookies or use similar technologies for fraud prevention and secure payment processing. These are governed by Stripe's Privacy Policy. SurvSync does not control, access, or share any data collected by Stripe's scripts.

5. How We Use Your Data

  • To provide you secure access to your survey documents and instructions.
  • To enable you to sign documents electronically.
  • To process survey fee payments on behalf of your surveyor.
  • To send you email notifications related to your account and documents (e.g. password change confirmations, new document alerts).
  • To maintain security logs and audit trails.

We do not use your data for marketing without your explicit consent. We do not sell your data to third parties.

6. Data Sharing

Your data may be shared with:

  • Your surveying company: they are the data controller in respect of your survey and can access your portal records.
  • Stripe: for payment processing only. Stripe is an independent data controller.
  • Backblaze B2: document files are stored in encrypted cloud storage. Backblaze processes data only as our processor.
  • Our hosting provider (Render): the portal runs on Render's cloud infrastructure in the EU/UK region.

We do not share your data with any other third parties unless required to do so by law.

7. Data Retention

We retain your portal account and associated records for as long as your surveying company maintains an active account with SurvSync, and for up to 7 years after that to satisfy legal and financial record-keeping obligations. Session data is automatically deleted from our database when it expires (within 24 hours of your last activity).

8. Your Rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your data (subject to legal retention obligations).
  • Restriction — request we limit how we process your data.
  • Portability — receive your data in a machine-readable format.
  • Object to processing based on legitimate interests.

To exercise any of these rights, email us at contact@survsync.com. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the ICO (Information Commissioner's Office).

9. Security

We take reasonable technical and organisational measures to protect your data, including: bcrypt password hashing, CSRF protection on all forms, HTTPS enforcement in production, HttpOnly session cookies, and server-side session storage in our database.

10. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Continued use of the portal after changes constitutes acceptance of the updated policy.