Privacy Policy
This policy explains how we handle personal information when you use RiskBuddy.
See also our Terms and Conditions.
RiskBuddy Privacy Policy
Barkaday Ltd trading as RiskBuddy (“We”) are committed to protecting and respecting your privacy. This policy (together with our Terms and Conditions) sets out the basis on which any Personal Information we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your Personal Information and how we will treat it. For the purpose of the Data Protection Act 2018 (the “Act”), the data controller is Barkaday Ltd.
Information we may collect from you
We may collect and process the following Personal Information about you:
- Personal Information that you provide by filling in forms on the Website https://www.riskbuddy.io/ (the “Website”) including, but not limited to: name, email address and telephone number. This is information provided at the time of registering with the Website or posting or downloading material. We may also ask you for information when you report a problem with the Website.
- If you contact us, we may keep a record of that correspondence.
- We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
- Details of your visits to the Website (including, but not limited to, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise) and the resources that you access.
- When you use the Website or the RiskBuddy platform, we use Google Analytics to collect usage and technical data as described in the section “Website analytics (Google Analytics)” below.
- If your organisation connects Google Workspace to RiskBuddy, we collect and process Google user data as described in the section “Google user data (Google Workspace integration)” below.
- If your organisation connects Microsoft 365 to RiskBuddy, we collect and process Microsoft user data as described in the section “Microsoft 365 user data (Microsoft 365 integration)” below.
- We will not sell, distribute or lease your Personal Information to third parties unless we have your permission; are required to do so by law; and/or to operate our systems properly, administer the Website, or protect ourselves or other Website users. We do not sell Google or Microsoft user data.
Website analytics (Google Analytics)
We use Google Analytics 4 (provided by Google Ireland Limited / Google LLC, depending on your region) on the public marketing website and the authenticated RiskBuddy platform to understand how the service is used, improve content and product experience, and measure marketing effectiveness.
- Data collected: Google Analytics may process information such as pages viewed, approximate geographic region (derived from IP address), device and browser type, screen resolution, referral URL, session duration, and interactions with features (aggregated). We configure Google Analytics not to send advertising identifiers from our application code. We do not use Google Analytics to read the contents of your Microsoft 365 or Google Workspace directory data.
- Legal basis and purpose: We process this information for our legitimate interests in operating, securing, and improving RiskBuddy, and where applicable with your consent for non-essential cookies in line with applicable law. We do not use Google Analytics data to make automated decisions about you.
- Cookies: Google Analytics uses cookies and similar technologies stored on your device. You can block or delete cookies in your browser settings; some site features may still work, but analytics measurement will be reduced. You can also install the Google Analytics opt-out browser add-on (https://tools.google.com/dlpage/gaoptout) or use browser “Do Not Track” settings where supported.
- International transfers: Google may process analytics data on servers outside the UK. Where required, Google provides appropriate safeguards (such as Standard Contractual Clauses). See Google’s privacy policy at https://policies.google.com/privacy and Google Analytics terms at https://marketingplatform.google.com/about/analytics/terms/.
- Retention: Analytics data is retained in Google Analytics for the period configured in our Google Analytics property (typically up to 14 months for standard reports unless a shorter period is set).
- Your rights: You may contact hello@riskbuddy.io to ask about analytics processing or to exercise data-protection rights. You may also complain to the UK Information Commissioner’s Office (ICO) if you believe processing is unlawful.
Where we store your Personal Data
We are committed to ensuring that your Personal Information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the Personal Information we collect online. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Information, we cannot guarantee the security of your Personal Information transmitted to the Website; any transmission is at your own risk. Once we have received your Personal Information, we will use strict procedures and security features to try to prevent unauthorised access. Your Personal Information will not be transferred outside the UK, unless you are based outside the UK and we need to contact you using the Personal Information you have provided.
Uses made of Personal Information
We use Personal Information held about you in the following ways:
- To ensure that content from the Website is presented in the most effective manner for you and for your computer.
- To provide you with information that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
- To allow you to participate in interactive features of the Website, when you choose to do so.
- To notify you about changes to the Website.
Your Rights
You have the right to ask us not to process your Personal Information for marketing purposes. We will usually inform you (before collecting your Personal Information) if we intend to use your Personal Information for such purposes or if we intend to disclose your Personal Information to any third party for such purposes. You can exercise your right to prevent such processing by ticking certain boxes on the forms we use to collect your Personal Information. You can also exercise the right at any time by contacting us at hello@riskbuddy.io. The Website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any Personal Information to these websites.
Access to Information
The Act gives you the right to access Personal Information held about you. Your right of access can be exercised in accordance with the Act. Any access request may be subject to a fee of £10 to meet our costs in providing you with details of the Personal Information we hold about you.
Google user data (Google Workspace integration)
This section applies when an authorised administrator connects your organisation’s Google Workspace account to RiskBuddy (Barkaday Ltd trading as RiskBuddy). It describes how we access, use, store, share, and protect Google user data in line with Google’s API Services User Data Policy and OAuth verification requirements.
- Data we collect: When an administrator completes the Google OAuth connect flow, we receive that administrator’s Google account email address and basic profile information (via openid, email, and profile scopes), and read-only Google Workspace customer metadata (such as organisation name, primary domain, and customer ID). After you authorise domain-wide delegation in Google Admin, RiskBuddy uses a service account to access read-only Admin SDK and Google Workspace Alert Center APIs for your domain. Depending on your sync settings, this may include: user directory records (for example name, primary email address, account status, administrator flags, and 2-Step Verification enrollment status); Google Groups and membership; domain information; security and audit-related signals used to build posture summaries; and Alert Center alerts. If directory sync is enabled, selected user and group data is stored in your RiskBuddy tenant to provision security awareness training.
- How we use Google user data: We use Google user data only to provide and improve user-facing features of RiskBuddy for your organisation, including: displaying Google Workspace security posture dashboards and recommendations; synchronising users and groups you select into RiskBuddy; operating, securing, and supporting the service; and troubleshooting integration issues. We do not use Google user data for advertising, interest-based or retargeted advertising, selling to data brokers or information resellers, credit-worthiness or lending decisions, or training machine-learning or artificial-intelligence models unrelated to delivering RiskBuddy’s security features for your organisation.
- Sharing and disclosure: We do not sell or rent Google user data. We may share Google user data only with service providers that help us operate RiskBuddy, and only to provide or improve the application’s functionality for you. These include Google (for sign-in and Workspace APIs, as configured by your administrator), our cloud hosting and database providers (including Google Firebase/Firestore for tenant configuration and stored sync data), and our security-awareness training partner (uSecure) when you enable directory sync to create or update learners and groups. We do not transfer or disclose Google user data to third parties for advertising, data brokerage, or purposes unrelated to providing or improving RiskBuddy.
- Protection: We protect Google user data using measures including encryption in transit (HTTPS/TLS), access controls and authentication within RiskBuddy, role-based permissions, and the physical, electronic, and managerial safeguards described in “Where we store your Personal Data” above. Access to Google APIs uses read-only scopes where supported and is limited to what is needed to deliver the connected features.
- Retention and deletion: We retain Google Workspace connection settings and posture-related data while the integration remains active for your tenant. When an administrator deactivates the Google Workspace integration in RiskBuddy, we remove connection metadata (including customer ID, delegated admin email, tenant details, and sync configuration) from your tenant record; synced learner and group records already created in RiskBuddy are not automatically deleted unless you remove them or close your account. We retain other personal information for as long as needed to provide the service, meet legal obligations, and resolve disputes. You may request access to or deletion of personal information, including data originating from Google Workspace, by contacting hello@riskbuddy.io. We will respond in line with applicable data-protection law.
Microsoft 365 user data (Microsoft 365 integration)
This section applies when an authorised administrator connects your organisation’s Microsoft 365 (Microsoft Entra ID) tenant to RiskBuddy (Barkaday Ltd trading as RiskBuddy). It describes how we access, use, store, share, and protect Microsoft user data obtained through Microsoft Graph and related Microsoft services.
- Data we collect: When an administrator signs in with Microsoft to connect your tenant, we identify your organisation’s Microsoft Entra tenant ID and store connection metadata (such as organisation display name and tenant ID). RiskBuddy then uses server-side Microsoft Graph API access, authorised by your administrator in Microsoft Entra, to read directory and security information for your tenant. Depending on your settings, this may include: user directory records (for example display name, user principal name or email address, account status, and licensing status); Microsoft 365 Groups and membership; device inventory summaries; Microsoft Secure Score, control profiles, and recommendations; security alerts; and aggregated security insights (such as identity risk indicators, sign-in health, privileged role assignments, OAuth application grants, and email-threat trends). Secure Score and most cloud-security dashboard data are fetched when you use those features and are not stored long-term in our database; if directory sync is enabled, selected user and group data is stored in your RiskBuddy tenant to provision security awareness training. RiskBuddy does not write to or delete data in your Microsoft 365 tenant through this integration.
- How we use Microsoft user data: We use Microsoft user data only to provide and improve user-facing features of RiskBuddy for your organisation, including: displaying Microsoft 365 security posture dashboards and recommendations; synchronising users and groups you select into RiskBuddy; operating, securing, and supporting the service; and troubleshooting integration issues. We do not use Microsoft user data for advertising, interest-based or retargeted advertising, selling to data brokers or information resellers, credit-worthiness or lending decisions, or training machine-learning or artificial-intelligence models unrelated to delivering RiskBuddy’s security features for your organisation.
- Sharing and disclosure: We do not sell or rent Microsoft user data. We may share Microsoft user data only with service providers that help us operate RiskBuddy, and only to provide or improve the application’s functionality for you. These include Microsoft (for administrator sign-in and Microsoft Graph, as configured by your organisation), our cloud hosting and database providers (including Google Firebase/Firestore for tenant configuration and stored sync data), and our security-awareness training partner (uSecure) when you enable directory sync to create or update learners and groups. We do not transfer or disclose Microsoft user data to third parties for advertising, data brokerage, or purposes unrelated to providing or improving RiskBuddy.
- Protection: We protect Microsoft user data using measures including encryption in transit (HTTPS/TLS), access controls and authentication within RiskBuddy, role-based permissions, and the physical, electronic, and managerial safeguards described in “Where we store your Personal Data” above. Microsoft Graph access uses read-only application permissions where supported and is limited to what is needed to deliver the connected features.
- Retention and deletion: We retain Microsoft 365 connection settings and sync configuration while the integration remains active for your tenant. When an administrator deactivates the Microsoft 365 integration in RiskBuddy, we remove connection metadata (including Entra tenant ID, organisation details, and sync configuration) from your tenant record; synced learner and group records already created in RiskBuddy are not automatically deleted unless you remove them or close your account. We retain other personal information for as long as needed to provide the service, meet legal obligations, and resolve disputes. You may request access to or deletion of personal information, including data originating from Microsoft 365, by contacting hello@riskbuddy.io. We will respond in line with applicable data-protection law.
Data retention and deletion
We store personal information for a period consistent with the purposes described in this policy, including operating RiskBuddy, maintaining security, and meeting legal and regulatory requirements. When data is no longer needed for those purposes, we delete or anonymise it within a reasonable period, unless a longer retention period is required or permitted by law.
You may ask us to delete personal information we hold about you where we are not required to retain it. Contact hello@riskbuddy.io. Deleting your RiskBuddy account or disconnecting an integration may not immediately remove all copies from backup systems; we will complete deletion in line with our technical and legal obligations.
Changes to our Privacy Policy
Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail.
Contact
Questions, comments and requests regarding this Privacy Policy are welcomed and should be addressed to hello@riskbuddy.io.
