Privacy Policy

1. Who We Are

PolicyKit is operated by [COMPANY NAME] ("we", "us", "our"), registered at [ADDRESS]. We are the data controller for personal data collected through this Service.

For UK GDPR purposes, our lawful bases for processing are set out in section 4 below. For questions about this policy or your data rights, contact: privacy@getpolicykit.com

2. Data We Collect

Account data

• Email address, full name, company name (provided at registration)
• Business type, industry, jurisdiction, company size (provided during onboarding)
• Authentication credentials (stored securely by Supabase Auth — passwords are hashed)

Document data

• Compliance documents you generate (content, prompts, metadata)
• Document versions and revision history
• Custom context you provide during generation

Usage data

• Generation events, export actions, feature usage
• IP addresses (for acknowledgment audit trails)
• Subscription and billing information (stored by Stripe — we do not store card data)

Team member data (Compliance Hub users)

• Email addresses and names of team members invited to acknowledge documents
• Acknowledgment timestamps and IP addresses

3. How We Use Your Data

• Providing and operating the Service
• Generating AI-assisted compliance documents based on your inputs
• Processing payments via Stripe
• Sending transactional emails (account confirmation, acknowledgment invites)
• Improving the Service (aggregated, anonymised analytics only)
• Complying with legal obligations

4. Lawful Bases (UK GDPR / GDPR)

• Contract (Article 6(1)(b)): Processing necessary to provide the Service you signed up for — account data, document generation, billing, email delivery
• Legitimate interests (Article 6(1)(f)): Security monitoring, fraud prevention, service improvement, and direct marketing communications related to similar services (you may opt out at any time)
• Legal obligation (Article 6(1)(c)): Tax and financial records (retained 7 years), responding to lawful requests

Team member data (email, name, acknowledgment record, IP address) is processed under the Hub account owner's lawful basis. The account owner operates as controller of their employees' data for compliance-tracking purposes; we act as a data processor on their behalf.

5. Data Retention

• Account data: deleted immediately upon account closure (available via Settings → Security → Delete account)
• Generated documents: retained while your account is active, deletable by you at any time
• Billing records: retained for 7 years for legal/tax purposes
• Audit logs: anonymised (user identifier removed) upon account deletion; raw records purged after 3 years
• Acknowledgment records: retained for 3 years to support compliance audit requirements, then deleted

6. Third-Party Sub-processors

We share data with the following sub-processors to operate the Service:

• Supabase — database, authentication, file storage (US region; EU region available on request)
• AI providers — document generation. Your business context (company name, type, infrastructure details) and any text you enter into generation prompts is sent to the active AI provider to generate documents. The configured provider may be one of: Anthropic, OpenAI, Google (Gemini), or xAI (Grok), accessed via their developer/API tiers (under which prompt inputs are generally not used to train the providers' models, subject to each provider's terms) and processed in the United States. Each provider handles data in accordance with its own privacy and data-handling terms, which you should review. Please do not enter personal data, special-category data, or confidential information into generation prompts beyond what is necessary — describe your business in general terms and use placeholders such as [COMPANY NAME] where possible.
• Stripe — payment processing (subject to Stripe's privacy policy)
• Resend — transactional email delivery (account confirmation, acknowledgment invites)
• Vercel — hosting and edge infrastructure

7. International Transfers

Some sub-processors operate in the United States. Transfers from the UK/EU are protected by Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (UK IDTAs) as appropriate.

8. Your Rights

Under UK GDPR / GDPR, you have the right to:

• Access (Article 15): Request a copy of your personal data
• Rectification (Article 16): Correct inaccurate data
• Erasure (Article 17): Request deletion ("right to be forgotten")
• Portability (Article 20): Receive your data in a machine-readable format — use the "Download your data" button in Settings → Security, or email us
• Objection (Article 21): Object to processing based on legitimate interests
• Restrict processing (Article 18): Request restriction of processing

To exercise any of these rights, email privacy@getpolicykit.com. We will respond within 30 days. You also have the right to lodge a complaint with the ICO (UK) at ico.org.uk.

9. Cookies

We use essential cookies for session management and authentication. We do not use advertising or third-party tracking cookies. No cookie consent banner is required for strictly necessary cookies under UK PECR.

10. Security

We implement appropriate technical and organisational measures, including: encryption in transit (TLS) and encryption at rest (AES-256) for the underlying database; row-level security and access controls restricting data to the account that owns it; hashed account passwords (managed by Supabase Auth); hashed API keys; and dedicated encryption of service credentials and webhook signing secrets. We do not separately field-encrypt ordinary profile data (such as names and email addresses) within the database — that data is protected by the encryption-at-rest, transport, and access-control measures above. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

11. Business transfers

If [COMPANY NAME] is involved in a merger, acquisition, reorganisation, financing, or sale of all or part of its business or assets, your personal data may be transferred to the successor or acquiring entity as part of that transaction. Where required by law we will notify you, and the recipient will be required to honour this Privacy Policy or to give you notice before materially changing how your personal data is handled.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or in-app notice. The date at the top of this page reflects the most recent revision.

13. Contact

Data protection enquiries: privacy@getpolicykit.com
[COMPANY NAME], [ADDRESS]