SupportOS
Sign in

Privacy Policy

Last updated: 2 April 2026

1. Introduction

SupportOS is operated by Brain Thunder Enterprises Ltd (“we”, “us”, “our”). This Privacy Policy explains how we collect, use, and protect personal data when you use the SupportOS platform (“Service”).

2. Data We Collect

We process the following categories of data:

  • Account data: name, email address, role, and tenant association for platform operators.
  • Support ticket data: ticket content, metadata, and classification data submitted by tenants' end users or imported via webhooks.
  • Safety case data: reports, evidence metadata, risk indicators, and enforcement action records.
  • Audit logs: timestamps, actor identifiers, and action descriptions for all state-changing operations.
  • Usage data: structured server logs (request method, path, status code, response time) for operational monitoring.

3. How We Use Data

  • To provide the Service: ticket management, AI classification, safety case handling, and compliance reporting.
  • To detect and report priority offences as required by the UK Online Safety Act 2023.
  • To generate transparency reports for regulatory submission.
  • To improve AI classification accuracy through aggregated, anonymised metrics.
  • To maintain security and prevent abuse of the platform.

4. Legal Basis

We process personal data on the following legal bases under UK GDPR:

  • Contract: processing necessary to provide the Service to our tenants.
  • Legal obligation: processing required to comply with the Online Safety Act, including CSEA detection and NCA referral obligations.
  • Legitimate interest: security monitoring, fraud prevention, and service improvement.

5. Data Retention

Evidence records are retained for a minimum of 7 years in compliance with regulatory requirements (stored with S3 Object Lock in Compliance mode). Audit logs are retained for the lifetime of the tenant account. Support ticket data is retained according to each tenant's configured retention policy, with a minimum of 12 months.

6. Data Sharing

We do not sell personal data. We share data only in the following circumstances:

  • Law enforcement referrals: CSEA and priority offence reports submitted to the National Crime Agency or other designated bodies as required by law.
  • Tenant access: each tenant accesses only their own data, enforced by row-level security.
  • Infrastructure providers: AWS (eu-west-2 London region) for hosting, storage, and database services.

7. Security

All data is encrypted at rest and in transit. Database access is scoped by tenant using PostgreSQL row-level security. Evidence storage uses S3 Object Lock (Compliance mode) to prevent tampering. All access to evidence is logged with chain-of-custody records including IP address, timestamp, and purpose.

8. Your Rights

Under UK GDPR, you have the right to access, rectify, or erase your personal data, subject to our legal retention obligations. Note that evidence records subject to regulatory retention requirements cannot be deleted. To exercise your rights, contact your platform administrator or email privacy@support-os.net.

9. Contact

Brain Thunder Enterprises Ltd
Email: privacy@support-os.net