GoFirm

Legal

Privacy Policy

Last updated: June 2026

This Privacy Statement explains how GoFirm, trading as gofirm.io, collects, uses, and protects personal data when you access or use the GoFirm platform and related services (collectively, the Services). GoFirm is the Data Controller and determines the purposes and means of processing your data. We are responsible for compliance with applicable data protection law, including the UK GDPR and the Data Protection Act 2018.

GoFirm is an execution-layer authority confirmation platform. Its core function is to require verified human confirmation before critical organisational actions are executed. Personal data, including authority confirmation records, is central to how the platform operates. We take that responsibility seriously.

1. Data We Collect and Why

We collect personal data that is necessary to provide the Services and fulfil GoFirm's core function. The categories of data we collect, and the purpose for each, are set out below.

1.1 Account and Identity Data

Name, email address, organisation name, job title, and login credentials. Collected to create and manage your account and to identify you as an authorised user within your organisation.

1.2 Authority Confirmation Data

Records of every authority confirmation event you are party to: the action presented for confirmation, your decision (confirmed or declined), the timestamp of your response, and the identity of other named authorities where multi-party confirmation is configured. This data forms the immutable audit trail that is GoFirm's core function. It is processed on the legal basis of contract performance and legitimate interests (see Section 2).

1.3 Biometric Verification

Where biometric confirmation is enabled by your organisation, GoFirm uses device-native biometric authentication (such as Face ID or Touch ID) to verify your identity at the point of confirmation. This verification is performed entirely on your own device using your device's secure enclave. GoFirm does not receive, process, or store your biometric data. Only a pass or fail signal is transmitted to the GoFirm platform. GoFirm is therefore not a processor of biometric data and Article 9 UK GDPR does not apply to this verification step.

1.4 Device and Technical Data

IP address, device type, browser or application identifier, and session metadata. Collected to secure the platform, detect unauthorised access, and maintain service integrity.

1.5 Usage Data

Information about how you interact with the GoFirm platform, including actions presented for confirmation, response times, and workflow activity. Used to maintain service reliability and support legitimate interests in security and fraud prevention.

1.6 Billing and Commercial Data

Where applicable, payment information required to process subscriptions. Processed on the basis of contract performance.

We do not collect physical addresses, phone numbers, or contact lists unless you explicitly provide them. We do not knowingly collect personal data from individuals under 18. Our services are not directed at children.

2. Legal Bases for Processing

We process your personal data under the following legal bases:

  • Performance of Contract: To provide and maintain your account and the Services, including enabling your access to the platform and delivering authority confirmation functionality.
  • Legitimate Interests: To secure the platform, detect fraud and unauthorised access, maintain the integrity of the audit trail, and improve service delivery. We ensure these interests do not override your fundamental rights and freedoms.
  • Consent: For optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal Compliance: To comply with applicable laws and respond to lawful government or judicial requests.

3. The Immutable Audit Trail

GoFirm's audit trail is designed to be immutable. This is not a technical limitation: it is the core value proposition of the platform. An authority confirmation record that can be altered or deleted after the fact cannot serve as proof of authorised execution.

This creates a genuine tension with the right to erasure under Article 17 UK GDPR. We address it as follows:

  • Where audit trail data constitutes a legal record of an organisational action, retention is justified under Article 17(3)(b) (legal obligation) or Article 17(3)(e) (establishment, exercise, or defence of legal claims).
  • Where no such legal basis applies, we will work with your organisation to assess whether and how erasure can be fulfilled consistent with the integrity of the record.
  • Retention periods for audit trail data are governed by your organisation's Data Processing Agreement with GoFirm. Default retention is seven years unless otherwise agreed.

If your organisation requires supporting documentation to complete a Data Protection Impact Assessment for GoFirm deployment, including our Record of Processing Activities, Technical and Organisational Measures, or Data Processing Agreement template, contact us at [email protected].

4. How We Use Your Data

We use your data to:

  • Deliver and operate the GoFirm authority confirmation platform.
  • Generate and maintain immutable confirmation records and audit trails.
  • Verify your identity and authority at the point of execution.
  • Secure the platform and detect unauthorised or anomalous activity.
  • Communicate with you about your account and the Services.
  • Comply with legal obligations and protect our rights and the rights of your organisation.
  • Send optional marketing communications, with your consent.

GoFirm does not use your confirmation data to train public-facing AI models without explicit, separately obtained consent.

5. Sharing Your Data

We do not sell your personal data.

We may share your data with:

  • Your Organisation: Authority confirmation records are accessible to designated administrators within your organisation as configured. This is a core feature of the platform.
  • Other Named Authorities: Where your organisation has configured multi-party confirmation, the identity of authorities and their confirmation decisions are visible to other named authorities in the same confirmation event.
  • Service Providers: Trusted third-party partners who assist us in operating the platform, including hosting, security, and payment processing. They access your data only to perform specific tasks and are contractually bound to our data protection standards.
  • Legal Authorities: Where required by law, or to protect safety, prevent fraud, or enforce our rights. See Section 9 for our approach to government requests.

6. Your Rights

Under UK GDPR and applicable privacy law, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Update or correct inaccurate or incomplete information.
  • Erasure: Request deletion of your personal data, subject to the audit trail considerations set out in Section 3 and any applicable legal retention obligations.
  • Restriction: Limit the processing of your data in specific circumstances.
  • Data Portability: Receive your data in a commonly used, machine-readable format.
  • Object: Object to certain processing, including direct marketing.
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

To exercise any of these rights, contact us at [email protected]. We will respond within one month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk, or with your local supervisory authority if you are located in the EEA.

7. Data Retention

We retain personal data only as long as necessary to provide the Services and fulfil legal obligations.

  • Account data is retained for the duration of your account and deleted within 30 days of account closure, except where retention is required by law or for legitimate business purposes.
  • Authority confirmation and audit trail data is retained in accordance with your organisation's Data Processing Agreement. Default retention is seven years.
  • Biometric verification data is not processed or retained by GoFirm. Verification occurs on-device only.
  • Technical and usage data is retained for up to 12 months unless earlier deletion is required.

8. Security

We implement appropriate technical and organisational measures to protect your data from unauthorised access, loss, or misuse. These include:

  • Encryption of data in transit and at rest.
  • Out-of-band confirmation architecture, which by design separates the confirmation channel from the execution environment, limiting the attack surface.
  • Access controls ensuring data is accessed only by authorised personnel on a need-to-know basis.
  • Regular security assessments and vulnerability testing.
  • Device-native biometric verification architecture, ensuring GoFirm never receives or stores biometric data.

9. Government and Law Enforcement Requests

We apply principles of transparency and user protection when responding to government or law enforcement requests for data. We will:

  • Notify you of any request unless prohibited by law.
  • Challenge overly broad, unlawful, or disproportionate requests where possible.
  • Provide only the minimum data necessary to satisfy a lawful request.

10. International Data Transfers

Your data may be processed and stored in the UK and in other countries where GoFirm or its service providers operate.

  • Transfers to or from the UK: The UK maintains its own adequacy framework following the UK-EU Trade and Cooperation Agreement. Data transfers between the UK and EEA are not subject to additional safeguards requirements at this time.
  • Transfers to other countries: Where data is transferred to countries without an adequacy decision, we use Standard Contractual Clauses (SCCs) or equivalent approved safeguards, and conduct transfer impact assessments where required.

11. Cookies and Tracking

We use cookies and similar technologies to maintain your session, remember your preferences, and analyse platform usage to improve security and reliability. Non-essential cookies, including any used for marketing, are only placed with your consent.

You can manage cookie settings through your browser. Disabling essential cookies may affect platform functionality. A full Cookie Policy is available at gofirm.io/cookies.

12. Changes to This Statement

We may update this Privacy Statement from time to time. If we make material changes affecting your rights, we will notify you by email or by prominent notice on the platform at least 14 days before the changes take effect.

The current version and effective date are shown at the top of this document.

13. Contact and Data Protection Officer

If you have questions or concerns about this Privacy Statement or how we handle your data, please contact our Data Protection Officer:

Data Protection Officer, GoFirm

Email: [email protected]

Website: gofirm.io

For ICO complaints: ico.org.uk