GDPR & Privacy Policy

Last updated: 6 July 2026

Zest Assure is a compliance platform that helps organisations manage ISO 9001, ISO 27001, Cyber Essentials and Cyber Essentials Plus certification — from compliance workspaces and evidence management through to reviews, assessor collaboration, staff training and audit-ready exports. Because trust is the foundation of what we sell, we take the privacy of the people who use our platform and visit our website seriously. This policy explains what personal data we collect, why we collect it, who we share it with and the rights you hold under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Who we are

Zest Assure, a trading name of Juicy Media Ltd, is the controller of personal data collected through www.zestassure.com and the data processor for content our customers place in the platform. Juicy Media Ltd is registered in England & Wales under company number 05514688 and is registered with the Information Commissioner's Office under registration number Z1589829. Our registered office is DiSH, Heron House, 47 Lloyd Street, Manchester, M2 5LN.

Questions about data protection, including anything you would raise with a Data Protection Officer, can be sent to hello@zestassure.com or posted to the registered office above. Juicy Media Ltd holds ISO 9001 and ISO 27001 certification, and the controls described in this policy sit within that certified management system. Further detail on our processing commitments is set out in our Data Protection Policy.

Information we collect

We collect and process the following categories of personal data:

  • Account data. When you sign in with a Microsoft or Google account we receive your name, email address and an identifier from your identity provider so we can create and secure your account. We do not receive or store your password.
  • Customer compliance content. Organisations using the platform upload policies, control responses, review records, training records and evidence files. This content belongs to the customer; we process it only to provide the service and any personal data it contains is processed on the customer's instructions.
  • Usage and technical data. We record how the platform is used — pages viewed, actions taken, timestamps, IP address, browser and device type — to keep the service reliable and secure and to maintain audit trails.
  • Billing data. Payments are handled by Stripe, our payment provider. We receive billing contact details and transaction records, but full card details never touch our systems.
  • Enquiries. If you contact us by email or through the website, we hold your name, contact details and the content of your message so we can respond.

Cookies and IP addresses

Our website and platform use a small number of cookies. Strictly necessary cookies keep you signed in and protect against fraud; analytics cookies from Google Analytics and Microsoft Clarity are set only after you give consent through our cookie banner. IP addresses and similar technical data are logged for security and system administration and are not used to build profiles of individual visitors. For a full list of the cookies we use, how long they last and how to withdraw consent, see our Cookies Policy.

How we use personal information

We use personal data only where we have a lawful basis to do so, namely to:

  • provide, operate and maintain the Zest Assure platform, including authentication, collaboration features and audit-ready exports (performance of a contract);
  • respond to support requests and enquiries (performance of a contract, or legitimate interests where you are not yet a customer);
  • secure the service, investigate misuse and maintain audit logs (legitimate interests and legal obligation);
  • send service emails such as invitations, review reminders and important account or security notices (performance of a contract);
  • process subscription payments and keep accounting records (performance of a contract and legal obligation);
  • measure and improve the website and platform using consented analytics (consent).

We do not use customer compliance content for advertising, and we do not send marketing emails without your consent.

Disclosing personal information

We never sell personal data. We share it only with the sub-processors listed below, each operating under a data processing agreement, or where the law requires disclosure — for example to a court, regulator or law enforcement body, or to establish or defend legal claims.

Sub-processor Purpose Location
Cloudflare Hosting, storage and content delivery UK/EU, with a global edge network
OpenAI AI drafting features, used only when a customer requests them United States
Stripe Subscription payments and invoicing UK/EU/US
Microsoft and Google Single sign-on identity providers Global
Google Analytics and Microsoft Clarity Website and product analytics, only after consent EU/US

Where a sub-processor is outside the UK, transfers are protected by an adequacy decision or by the International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses.

How long we keep personal information

Account data is kept for the lifetime of your account and removed within a defined period after closure, subject to short backup windows during which deleted data may persist in encrypted backups before being purged. Customers control their own compliance content: administrators can edit or delete records at any time, and when a customer leaves the platform their workspace content is deleted after export. Billing and accounting records are retained for as long as UK tax and company law requires. Enquiry correspondence is kept only as long as needed to deal with the matter and any follow-up.

Children's privacy

Zest Assure is a business-to-business service. Neither the website nor the platform is directed at children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

Security

Personal data is encrypted in transit and at rest. Access within the platform is governed by role-based access controls, so people see only what their role in an organisation permits, and administrative actions are recorded in audit logs. Our own staff access customer content only where needed to provide support, and our security controls are maintained and independently assessed under our ISO 27001 certification.

Your rights

Under UK GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected and incomplete data completed;
  • have your data erased in certain circumstances;
  • restrict or object to particular processing, including any direct marketing;
  • receive the data you provided to us in a portable, machine-readable format;
  • withdraw consent at any time where consent is our lawful basis, without affecting processing that took place before withdrawal.

To exercise any of these rights, email hello@zestassure.com or write to our registered office. We will respond within one month. Where your data sits inside a customer's workspace we may need to refer your request to that organisation, as they act as controller for their own compliance content.

Complaints

If you are unhappy with how we have handled your personal data, please contact us first at hello@zestassure.com and give us the chance to put it right. You also have the right to complain to the Information Commissioner's Office at ico.org.uk or by phone on 0303 123 1113.

Changes to this policy

We review this policy regularly and will update it when our practices, sub-processors or the law change. The date at the top of the page shows when it was last revised, and we will tell account holders about any material change by email or through the platform.

Contact details

Zest Assure, a trading name of Juicy Media Ltd
DiSH, Heron House, 47 Lloyd Street, Manchester, M2 5LN
Email: hello@zestassure.com
Phone: 0161 464 9252
Web: www.zestassure.com

This policy is governed by the laws of England & Wales.