Data Protection Policy
Last updated: April 7, 2026
1. Data Encryption
All data transmitted between your browser and our servers is encrypted using TLS 1.3. Data at rest is encrypted using AES-256. Database backups are encrypted and stored in geographically distributed locations. API keys and sensitive credentials are stored using industry-standard vault solutions and are never logged or exposed in application code.
2. Storage Security
Our infrastructure is hosted on enterprise-grade cloud platforms with SOC 2 Type II and ISO 27001 certifications. We employ network segmentation, firewalls, and intrusion detection systems to protect our infrastructure. All servers are regularly patched and monitored for vulnerabilities. Production data is isolated from development and testing environments.
3. Access Controls
Access to user data is restricted to authorized personnel on a need-to-know basis. We enforce multi-factor authentication for all internal systems, role-based access controls, and audit logging of all data access events. Employee access is reviewed quarterly and revoked promptly upon role changes or departure. Third-party access to systems is governed by contractual obligations and security assessments.
4. Third-Party Processors
We work with a limited number of third-party data processors to deliver the Service, including cloud infrastructure providers, payment processors, and analytics services. All processors are vetted for security compliance and bound by data processing agreements that require them to protect your data to the same standards we maintain. We regularly audit our processors and maintain an up-to-date list of sub-processors.
5. Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users within 72 hours of becoming aware of the breach, in compliance with GDPR and applicable regulations. Notifications will include details of the breach, the data affected, steps we are taking to mitigate the impact, and recommended actions you can take to protect yourself. We will also notify relevant supervisory authorities as required by law.
6. User Data Rights
You have the right to request access to, correction of, or deletion of your personal data at any time. You may also request a machine-readable export of your data (data portability). We will respond to all valid requests within 30 days. In certain circumstances, we may need to retain specific data to comply with legal obligations or to protect our legitimate interests, but we will inform you of any such exceptions.
7. Data Deletion Requests
You may request deletion of your account and all associated data at any time by contacting us or through your account settings. Upon receiving a deletion request, we will permanently remove your personal data, AI-generated reports, and associated analytics within 30 days. Certain anonymized or aggregated data that cannot be traced back to you may be retained for analytical purposes. Backup copies are purged within 90 days of the deletion request.
8. Compliance
We are committed to complying with applicable data protection regulations, including the UK GDPR, EU GDPR, and other relevant privacy laws. We conduct regular data protection impact assessments for new features and processing activities. Our team receives annual training on data protection best practices. We maintain comprehensive documentation of our data processing activities and cooperate fully with supervisory authorities.
9. Contact
For data protection inquiries, deletion requests, or to exercise your data rights, please contact us at [email protected].