1. Data Controller
[LEGAL ENTITY NAME TO COMPLETE], trading as ComplianceIQ, registered at [REGISTERED ADDRESS TO COMPLETE]. For data protection queries, contact [DPO EMAIL TO COMPLETE].
2. What We Collect
- Account information: Name, email address, company name, role
- Uploaded documents: Compliance documents, policies, contracts, and other files you upload for analysis
- Chat conversations: Questions you ask and AI responses
- Compliance audit results: Audit scores, issues, and generated compliant documents
- Usage data: Query counts, page views, feature usage
- Payment information: Processed by Stripe — we do not store card numbers
3. Why We Collect It
- Contract performance: To provide the ComplianceIQ compliance AI service
- Legitimate interests: To improve AI response quality and accuracy
- Legal obligation: Financial records, fraud prevention
- Consent: Marketing communications (if applicable)
4. AI Processing Disclosure
Documents and questions are processed by AI models (Anthropic Claude for responses, OpenAI for text embeddings). Document content is sent to these APIs for processing. These providers process data as sub-processors under our data processing agreements. AI outputs are generated content and should not be treated as legal advice.
5. Data Storage
- Database: Supabase (PostgreSQL), hosted in AWS eu-west-2 (London, UK). Encrypted at rest (AES-256).
- Application hosting: Vercel (edge functions and static hosting, EU/UK edge nodes)
- AI processing: Anthropic API (US), OpenAI API (US) — see Section 10 on international transfers
- Payments: Stripe (PCI DSS compliant)
- Email: Resend (transactional emails)
6. Data Retention
- Account data: retained while the account is active and for 30 days after deletion
- Documents: retained while account is active
- Chat history: retained while account is active
- Audit results: retained while account is active
- All data deleted within 30 days of account deletion request
7. Data Sharing
We do not sell your data. Sub-processors who may access data in order to provide our service:
- Supabase — database hosting, file storage, authentication (UK, AWS London eu-west-2). DPA
- Vercel — application hosting, edge functions (EU/UK edge). DPA
- OpenAI — text embedding generation only (US). API data excluded from training. DPA
- Anthropic — AI response generation (US). API data not used for training. DPA
- Stripe — payment processing (US). PCI DSS compliant. DPA
- Resend — transactional email delivery (US). DPA
- Upstash — rate limiting (EU). IP addresses and user IDs only.
No data is shared with third parties for marketing purposes.
8. Your Rights
Under UK GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data (see account deletion in Settings)
- Restriction: Limit how we process your data
- Portability: Receive your data in a machine-readable format
- Objection: Object to processing based on legitimate interests
Contact [SUPPORT EMAIL TO COMPLETE] to exercise any of these rights.
9. Cookies
We use essential cookies to keep you signed in. See our Cookie Policy for details.
10. International Data Transfers
Some of our sub-processors are based in the United States. When your data is processed by these services, it leaves the United Kingdom. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) agreed with each US-based sub-processor
- Data Processing Agreements (DPAs) with all sub-processors
- Verification that each provider maintains appropriate technical and organisational security measures
- OpenAI and Anthropic API usage policies that exclude API data from model training
Data transferred internationally:
- Document text content: sent to OpenAI (US) for embedding generation
- Questions and context: sent to Anthropic (US) for response generation
- Payment data: processed by Stripe (US), PCI DSS compliant
Data that remains in the UK:
- Your original documents (stored in AWS London via Supabase)
- Your account information
- Your conversations and compliance data
- Your audit results and compliance scores
For customers requiring all data to remain in the UK, please contact us about our Enterprise plan options.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be notified by email to registered users.
12. Contact
Data protection queries: [DPO EMAIL TO COMPLETE]
General enquiries: [SUPPORT EMAIL TO COMPLETE]