PolicyMind

Privacy Notice

Last updated: 13 June 2026

Template — replace the [bracketed] details and have this reviewed by your DPO / legal counsel before publishing.

1. Who we are

[Your Company Legal Name] (“we”, “us”) operates PolicyMind, a compliance-policy platform. We are the data controller for the personal data described here and are registered with the UK Information Commissioner's Office (ICO), registration number [ICO reg no.]. You can contact us at [privacy@yourcompany.com]; [our Data Protection Officer / lead is contactable at the same address].

This notice is provided under the UK GDPR and the Data Protection Act 2018. We operate in the UK and the ICO is our supervisory authority.

2. The personal data we process

  • Account data — your name, email address, and hashed password.
  • Organisation & team data — your role, the organisation you belong to, and team invitations.
  • Company profile — the business details you enter to drive policy recommendations.
  • Content you create — policies, assessments, comments, and acknowledgements.
  • Assistant conversations — the messages you exchange with the Compliance Assistant, and a working-memory profile of your stated priorities.
  • Usage & audit data — an audit log of significant actions, and security data such as session records and rate-limiting counters (which may include your IP address).
  • Billing data — subscription status held by us; card details are handled by Stripe, not stored by us.

3. Why we process it, and our lawful bases

  • To provide the service (account, organisations, policies, assistant) — performance of a contract.
  • To secure the service (authentication, audit logging, abuse prevention) — legitimate interests in keeping the platform and your data safe.
  • To take payment — performance of a contract.
  • To meet legal obligations (e.g. retaining certain records) — legal obligation.

4. Who we share it with (sub-processors)

We use a small number of trusted processors to run the service. We do not sell your personal data. Current sub-processors are listed in our sub-processor register and include: Anthropic (AI), Stripe (payments), Resend (email), Fly.io (hosting), and our managed Postgres provider [provider]. [Update this link to your published register.]

5. International transfers

Some processors (e.g. Anthropic and Stripe) process data outside the UK, including in the United States. Where that happens, we rely on appropriate safeguards under Chapter V of the UK GDPR — such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses — and UK adequacy regulations where they apply.

6. How long we keep it

We keep your personal data for as long as your account is active. When you (or your organisation owner) delete your account, we erase your personal data — including your assistant conversations — and remove identifiers from retained audit records. We keep an anonymised audit trail for accountability, and automatically remove personal identifiers from audit records older than [24] months.

7. Your rights

Under the UK GDPR you have the right to:

  • Access a copy of your data and port it — available in-app under Settings → Data & privacy.
  • Erase your data (“right to be forgotten”) — delete your account in the same place.
  • Rectify inaccurate data — edit it in your profile and account.
  • Restrict or object to processing.

To exercise a right you can't complete in-app, email [privacy@yourcompany.com]. We respond within one month of receiving your request (the UK GDPR allows this to be extended by up to two further months for complex or numerous requests; we will tell you if that applies).

8. Cookies

PolicyMind uses a single strictly-necessary cookie to keep you signed in. It is essential to the service, so under the Privacy and Electronic Communications Regulations (PECR) it does not require consent, and we do not use analytics, advertising, or tracking cookies. If that changes, we will ask for your consent first.

9. How we protect your data

We apply technical and organisational measures appropriate to the risk (UK GDPR Art. 32): encryption in transit, hashed passwords, strict access controls and tenant isolation, security headers, brute-force protection, and audit logging.

10. Complaints

If you have a concern, please contact us first at [privacy@yourcompany.com]. You also have the right to complain to the ICO at ico.org.uk/make-a-complaint or 0303 123 1113.
