Privacy Policy

1. Introduction

This Privacy Policy explains how Compliance Autopilot ("we", "us") collects, uses, stores, and protects personal data when you use our platform. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

[Company Name], registered in England and Wales, is the data controller for personal data processed through the Service. Contact: [email protected]

3. Data We Collect

3.1 Account Data

When you register, we collect your name, email address, company name, and company number. This data is necessary to provide the Service.

3.2 Usage Data

We collect information about how you use the Service, including pages visited, features used, documents generated, and login timestamps. This helps us improve the Service and provide support.

3.3 Client Data

You may input data about your own clients (prospects, client portal users). You are the data controller for this data; we process it on your behalf as a data processor.

3.4 Payment Data

Payment information is collected and processed by Stripe. We do not store full card numbers. We retain Stripe customer and subscription identifiers for billing management.

3.5 Technical Data

We collect IP addresses, browser type, and device information for security, fraud prevention, and service optimisation.

4. Legal Basis for Processing

• Contract performance: Processing necessary to provide the Service you have subscribed to
• Legitimate interests: Service improvement, security, fraud prevention, and analytics
• Legal obligation: Where required by law, regulation, or court order
• Consent: For optional communications such as marketing emails

5. How We Use Your Data

• Providing and maintaining the Service
• Processing subscriptions and payments
• Sending transactional emails (document delivery, account notifications)
• Monitoring regulatory feeds relevant to your sectors
• Maintaining audit logs for accountability
• Improving the Service through usage analysis
• Responding to support enquiries

6. Data Sharing

We do not sell personal data. We share data only with:

• Stripe: Payment processing
• Hosting providers: Infrastructure services (data remains in the UK/EEA)
• Law enforcement: Where required by law

7. Data Retention

Account data is retained while your account is active and for 30 days after termination. Audit logs are retained for 7 years to satisfy regulatory requirements. Payment records are retained as required by HMRC. You may request earlier deletion subject to legal retention obligations.

8. Data Security

We implement appropriate technical and organisational measures including encryption in transit (TLS), hashed passwords (bcrypt), role-based access controls, and regular security reviews.

9. International Transfers

We endeavour to keep all data within the UK and EEA. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

10. Your Rights

Under UK GDPR, you have the right to:

• Access your personal data
• Rectify inaccurate data
• Erase your data (subject to legal retention requirements)
• Restrict processing
• Data portability
• Object to processing based on legitimate interests
• Withdraw consent at any time

To exercise these rights, contact [email protected]. We will respond within one month.

11. Complaints

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been infringed.

12. Changes

We may update this policy periodically. Material changes will be communicated via email or in-app notification.

13. Contact

Data Protection enquiries: [email protected]