Privacy Notice
1. Who We Are and How to Contact Us
Warser is a product of SWYFTHQ LTD, a private limited company incorporated in England and Wales (company number 15873284), with its registered office at 3rd Floor, 86-90 Paul Street, London, EC2A 4NE.
We operate as a data controller in respect of personal data we collect directly from you when you register for and use Warser — for example, your name, email address, and account activity.
We operate as a data processor in respect of personal data that your organisation submits to the Service about its employees and contractors. If you are an employee or contractor whose details have been added to Warser by your employer, your employer is the data controller for that data. Please contact your employer for information about how they use your data.
For any questions about this Privacy Notice or to exercise your rights, contact us at privacy@warser.ai.
2. What Personal Data We Collect and Why
We collect and process personal data in the following categories:
Account and Registration Data
When you register for Warser, we collect your name, work email address, organisation name, job title, and the password you create (stored in hashed form). We use this data to create and manage your account, authenticate you when you log in, and communicate with you about the Service.
Access Request and Workflow Data
When you or your colleagues use Warser to submit access requests, approve or deny them, or trigger joiner, mover, or leaver workflows, we store records of those actions including the identity of the requester and approver, the system or resource requested, the decision taken, and the timestamp. This data forms the audit trail that is central to the purpose of the Service.
The free-text descriptions that users type when submitting access requests may contain personal information about themselves or third parties. We process this data solely to interpret and route the request.
Directory and Identity Data
Where your organisation connects an identity provider — such as Microsoft Entra ID or Google Workspace — we synchronise user profile data from that provider, including names, email addresses, job titles, and group memberships. This data is used to keep Warser's user directory up to date and to automate joiner workflows.
Usage and Technical Data
We collect technical data about how the Service is used, including IP addresses, browser type and version, session identifiers, pages visited, and actions taken within the application. We use this data to provide and improve the Service, to diagnose technical problems, and to ensure the security of the platform.
Communications Data
If you contact us by email or through the Service, we retain records of those communications in order to respond to your enquiry and to improve our support.
3. Legal Basis for Processing
We process your personal data on the following legal bases under UK GDPR:
Performance of a contract: Processing necessary to provide the Service you have subscribed to, including account management, access request workflows, and provisioning automation.
Legitimate interests: Processing necessary for our legitimate interests, including maintaining the security of the Service, improving our product, detecting and preventing fraud and abuse, and managing our business. We have assessed that our legitimate interests do not override your fundamental rights and freedoms.
Legal obligation: Processing necessary to comply with our legal obligations, including tax and accounting requirements and our obligations under applicable data protection law.
Consent: Where we ask for your consent — for example, for marketing communications — we will only process your data for that purpose if you have given your consent. You may withdraw consent at any time by contacting privacy@warser.ai.
4. How Long We Keep Your Data
We apply the following retention periods:
| Data type | Retention period | Reason |
|---|---|---|
| Access requests (structured records) | 6 years | Audit evidence and potential legal claims |
| Audit log entries | 6 years | Regulatory compliance |
| JML event records | 6 years | Employment law compliance |
| Free-text request descriptions | 1 year | Data minimisation |
| Email notification logs | 90 days | Operational purposes |
| Session and authentication data | 30 days | Security monitoring |
| Account data | For the duration of the subscription, plus 30 days | To allow data export on termination |
| Deleted organisation data | 30 days, then permanently deleted | To allow recovery from accidental deletion |
Where we are required by law to retain data for longer than the periods above, we will do so for the minimum period required and will restrict processing to the purpose for which retention is required.
5. Who We Share Your Data With
We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.
We share personal data with the following categories of recipients:
Service providers and subprocessors: We engage third-party companies to help us provide the Service, including cloud infrastructure providers, email delivery services, and AI processing providers. These companies act as data processors on our behalf and are contractually bound to process data only as instructed by us and in accordance with applicable data protection law. A full list of our subprocessors is set out in our Data Processing Agreement.
Integrations enabled by your organisation: Where your organisation connects third-party tools — such as Slack, Microsoft Entra ID, GitHub, or Jira — we share data with those services to the extent necessary to provide the integration. Your organisation controls which integrations are enabled.
Legal and regulatory authorities: We may disclose personal data to law enforcement agencies, regulators, or courts where we are required to do so by law, or where we believe disclosure is necessary to protect our rights, the rights of others, or the safety of any person.
Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred to the acquiring entity. We will notify you of any such transfer and of any choices you may have.
6. International Transfers
Some of our subprocessors are based in, or process data from, countries outside the United Kingdom that are not subject to an adequacy decision. Where personal data is transferred to such countries, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK ICO under the International Data Transfer Agreement (IDTA) framework. Further details of the safeguards applied to each subprocessor are set out in our Data Processing Agreement.
7. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
Right of access: You have the right to request a copy of the personal data we hold about you and information about how we process it.
Right to rectification: You have the right to request that we correct any inaccurate personal data we hold about you without undue delay.
Right to erasure: You have the right to request that we delete your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other lawful basis for processing.
Right to restriction: You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we are investigating a complaint about accuracy.
Right to data portability: Where processing is based on your consent or on the performance of a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
Right to object: You have the right to object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless we need to continue processing for the establishment, exercise, or defence of legal claims.
Rights in relation to automated decision-making: You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Warser does not make automated decisions that have legal or similarly significant effects on individuals without human review.
To exercise any of these rights, please contact us at privacy@warser.ai. We will respond to your request within 30 days. We may need to verify your identity before processing your request.
Please note that some of these rights are not absolute and may be subject to exemptions under applicable law. Where we are unable to comply with a request, we will explain why.
8. Cookies and Tracking
Warser uses cookies and similar technologies solely for essential operational purposes:
Session cookies: Used to maintain your authenticated session while you are logged in to the Service. These cookies are deleted when you close your browser.
Security cookies: Used to protect against cross-site request forgery and other security threats.
We do not use advertising cookies, tracking pixels, or any technology designed to track your behaviour across third-party websites. We do not share data with advertising networks.
You can control cookies through your browser settings. Please note that disabling essential cookies may affect the functionality of the Service.
9. Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, disclosure, alteration, or destruction. These measures include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256
- Row-level security ensuring each organisation's data is logically isolated
- Multi-factor authentication available for all users
- Access controls restricting data access to authorised personnel on a need-to-know basis
- Append-only audit logs that cannot be modified or deleted
No method of transmission over the internet or method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay as required by applicable law.
10. Children
The Service is intended solely for use by businesses and their authorised employees and contractors. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected personal data from a minor, please contact us at privacy@warser.ai and we will delete it promptly.
11. Links to Other Websites
The Service may contain links to third-party websites or services. This Privacy Notice does not apply to those websites or services. We encourage you to review the privacy notices of any third-party services you access through links in our Service.
12. Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, the Services we offer, or applicable law. Where changes are material, we will notify you by email to the address associated with your account at least 14 days before the changes take effect. The date at the top of this page indicates when this Notice was last updated.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Notice. If you do not agree to the updated Notice, you must stop using the Service.
13. How to Complain
If you have a concern about how we handle your personal data, please contact us first at privacy@warser.ai. We will investigate your concern and respond within 30 days.
If you are not satisfied with our response, or if you believe we are processing your personal data in breach of applicable law, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Web: ico.org.uk