Privacy Policy

Last updated: 2 April 2026  ·  Effective from: 1 January 2026

Summary in plain English

  • We only access your workspace in read-only mode for scanning.
  • We never sell your data to third parties.
  • We use essential cookies for sign-in and security; optional GA4 analytics loads only if you accept it in the banner (no ad cookies).
  • Raw content sent for AI analysis is not stored after the scan completes.
  • You can request deletion of your account and data at any time (from the dashboard or by email).
  • We comply with UK GDPR and the Data Protection Act 2018.

1 Who We Are

ComplianceAgent UK ("we", "us", "our") is an AI-powered compliance scanning service for organisations using Microsoft 365 or Google Workspace. We help businesses identify regulatory risks across their digital workspace and take action to meet obligations under UK GDPR, NIS2, and DORA.

We are committed to protecting your privacy and handling all personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2 Data Controller

ComplianceAgent UK is the data controller for personal data collected through our service. As data controller, we determine the purposes and means of processing your personal data.

Contact for data matters:
Email: hello@complianceagent.uk
Website: complianceagent.uk

3 What Data We Collect

We collect and process the following categories of personal data. We apply the principle of data minimisation - we only collect what is strictly necessary to provide the service.

3.1 Account Information

  • Email address and display name from your OAuth provider (Microsoft or Google).
  • OAuth provider identifier (e.g. your Microsoft object ID or Google subject ID).
  • Account creation timestamp and last login timestamp.

3.2 OAuth Tokens

  • Access and refresh tokens issued by Microsoft or Google when you authorise our application.
  • Tokens are encrypted at rest using Fernet symmetric encryption (AES-128-CBC with an HMAC-SHA256 authentication tag, so a modified ciphertext is rejected rather than decrypted). The key is supplied to the application as an environment variable and is never stored in the database alongside the encrypted tokens.
  • Tokens are used solely to access your workspace data for compliance scanning and are never used for any other purpose.

3.3 Scanned Content Metadata

  • Email subject lines, sender/recipient metadata, and content snippets (not full bodies) used during compliance analysis.
  • File names, file types, sharing permissions, and content snippets from your cloud storage (OneDrive/Google Drive).
  • We do not store full email bodies or full file contents - only the minimum required for analysis.

3.4 Compliance Results

  • Compliance scores (0–100) and historical score trends.
  • Identified findings: risk type, severity, regulation mapping, and remediation recommendations.
  • Scan timestamps and scan job metadata.

3.5 Usage & Technical Data

  • Session information and authentication logs.
  • Basic service interaction logs (scans run, reports downloaded).
  • IP address and browser user-agent for security and rate-limiting purposes.

4 Lawful Basis for Processing

We rely on the following lawful bases under UK GDPR Article 6:

Processing activity                          Lawful basis
Sign-in and OAuth authorisation              Consent - Art. 6(1)(a)
Performing compliance scans                  Contract - Art. 6(1)(b)
Processing subscription payments             Contract - Art. 6(1)(b)
Security, fraud prevention, rate limiting    Legitimate interest - Art. 6(1)(f)
Service improvement and analytics            Legitimate interest - Art. 6(1)(f)

5 How We Use Your Data

Your personal data is used exclusively to:

  • Authenticate you and maintain a secure session.
  • Access your Microsoft 365 or Google Workspace data in read-only mode to perform compliance scans.
  • Run AI-powered analysis to detect PII exposure, phishing threats, insecure file sharing, and other data handling risks.
  • Generate scan-based posture scores and reports mapped to UK GDPR, NIS2, and DORA frameworks.
  • Deliver actionable, prioritised remediation recommendations.
  • Process subscription payments and manage your account plan.
  • Send transactional emails (e.g. account verification, billing receipts) - no marketing emails without explicit consent.
  • Investigate security incidents and protect against abuse.

We do not use your data for advertising, profiling, or marketing to third parties.

6 AI Processing

We use Anthropic's Claude AI models to analyse workspace content for compliance risks. The following safeguards are in place:

  • Only the minimum content required for analysis (snippets, not full documents) is transmitted to Anthropic's API.
  • Anthropic processes data under its Privacy Policy and does not use your data to train its models under the standard API terms.
  • Raw content sent to the AI is not persisted in our system after the analysis completes. Only the structured findings (scores, risk labels, recommendations) are stored.
  • AI-generated findings are presented as informational guidance only - final compliance decisions remain with your organisation.

7 Billing & Subscription Data

If you subscribe to a paid plan, payments are processed by Stripe. We do not store full card numbers or payment credentials on our systems. Stripe handles all payment card data and is PCI-DSS Level 1 certified.

We store the following billing-related data in our systems:

  • Your Stripe customer ID (a reference token, not payment details).
  • Your current subscription plan and status (active, cancelled, past due).
  • Subscription start date and renewal date.
  • Billing event logs (subscription created, upgraded, cancelled) for account management purposes.

Billing data is retained for up to 7 years after account closure to comply with UK financial record-keeping obligations (HMRC requirements).

8 Data Storage & Security

We implement a layered security approach:

  • Encryption in transit: All data is transmitted over TLS 1.2+ (HTTPS enforced, HSTS enabled).
  • Encryption at rest: OAuth tokens and sensitive fields are encrypted using Fernet. The database itself uses encrypted storage.
  • Infrastructure: Hosted on Render.com, a UK/EU-region-capable platform with SOC 2 compliance and automated security patching.
  • Application security: Security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options), rate limiting on all API endpoints, and CSRF protection on OAuth flows.
  • Access controls: Production database access is restricted to the application server and authorised personnel only.
  • Audit logging: Key security events (login attempts, token usage, plan changes) are logged for investigation purposes.
  • Backups: Database backups are encrypted and retained on a rolling basis for disaster recovery.

No security measure is 100% guaranteed. In the event of a breach, we will follow the notification procedure described in Section 14.
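The token handling described in Sections 3.2 and 8 (Fernet encryption, key held in the environment rather than the database) can be illustrated with the short Python example below. It is an added illustration and not ComplianceAgent's own code; it assumes the `cryptography` package and a hypothetical TOKEN_ENC_KEYS environment variable holding one or more comma-separated Fernet keys, newest first. It also shows the two operational checks a practitioner would want alongside such a policy statement: a tampered ciphertext is refused rather than silently decrypted, and the key can be rotated without any token becoming unreadable.

```python
"""Encrypting OAuth tokens at rest with Fernet, key supplied by the environment.

Added illustration (not ComplianceAgent's code). Assumes the `cryptography`
package and a hypothetical TOKEN_ENC_KEYS environment variable.
"""
import os
from typing import List, Optional

from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Constructed for the example only: a real deployment injects TOKEN_ENC_KEYS
# from its secret store; the key must never live in the repository or the database.
os.environ.setdefault("TOKEN_ENC_KEYS", Fernet.generate_key().decode())


def current_keys(env_var: str = "TOKEN_ENC_KEYS") -> List[bytes]:
    """Keys from the environment, newest first; empty list if the variable is unset."""
    raw = os.environ.get(env_var, "")
    return [k.strip().encode() for k in raw.split(",") if k.strip()]


def load_cipher(env_var: str = "TOKEN_ENC_KEYS") -> MultiFernet:
    """Build a MultiFernet from the keys in env_var.

    MultiFernet encrypts with the first key and tries every key on decrypt,
    which is what makes rotation possible without a downtime window. Refuse
    to start if no key is configured rather than fall back to a hard-coded one.
    """
    keys = current_keys(env_var)
    if not keys:
        raise RuntimeError(f"{env_var} is not set; refusing to handle tokens without a key")
    return MultiFernet([Fernet(k) for k in keys])


def encrypt_token(cipher: MultiFernet, token: str) -> bytes:
    """Ciphertext to store in the tokens table (opaque urlsafe-base64 text)."""
    return cipher.encrypt(token.encode())


def decrypt_token(cipher: MultiFernet, blob: bytes, max_age_s: Optional[int] = None) -> str:
    """Decrypt a stored token. InvalidToken covers a wrong key, a tampered
    ciphertext and, when max_age_s is given, a ciphertext older than allowed."""
    try:
        return cipher.decrypt(blob, ttl=max_age_s).decode()
    except InvalidToken as exc:
        raise ValueError("stored token failed authentication") from exc


def is_readable(keys: List[bytes], blob: bytes) -> bool:
    """True if any of `keys` can decrypt and authenticate `blob`."""
    try:
        MultiFernet([Fernet(k) for k in keys]).decrypt(blob)
        return True
    except InvalidToken:
        return False


def new_key() -> bytes:
    """Generate a fresh Fernet key (32 random bytes, urlsafe-base64 encoded)."""
    return Fernet.generate_key()


def rotate_stored_token(old_keys: List[bytes], new: bytes, blob: bytes) -> bytes:
    """Re-encrypt blob under `new` while old_keys are still accepted for reading.

    Rotation procedure: prepend the new key to TOKEN_ENC_KEYS, run this over
    every stored token, then remove the old keys from the variable.
    """
    transitional = MultiFernet([Fernet(new)] + [Fernet(k) for k in old_keys])
    return transitional.rotate(blob)


def tamper(blob: bytes, index: int = 12) -> bytes:
    """Change one character of the ciphertext (a corrupted or edited database row).
    Character 12 sits inside the HMAC-protected IV, so the tag no longer matches."""
    replacement = b"A" if blob[index:index + 1] != b"A" else b"B"
    return blob[:index] + replacement + blob[index + 1:]


if __name__ == "__main__":
    cipher = load_cipher()
    stored = encrypt_token(cipher, "constructed-refresh-token")  # constructed sample
    print("stored ciphertext starts:", stored[:24].decode(), "...")
    print("recovered:", decrypt_token(cipher, stored))
```

One caveat the policy's wording leaves implicit: an environment variable keeps the key out of the database and out of backups, but anyone who can read the process environment on the host (or the platform's secret configuration) can decrypt every stored token, so access to that environment deserves the same audit logging as database access.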

9 Data Sharing

We do not sell your personal data. We share data only with the following sub-processors, each engaged under a data processing agreement or equivalent contractual safeguards:

Sub-processor   Purpose                                     Data shared              Location
Anthropic       AI compliance analysis                      Content snippets only    USA
Render.com      Application hosting & database              All application data     USA / EU
Stripe          Payment processing                          Billing data, email      USA / EU
Microsoft       OAuth authentication (if M365 user)         Auth tokens only         EU / Global
Google          OAuth authentication (if Workspace user)    Auth tokens only         USA / EU

We may also disclose personal data if required to do so by law, regulation, or a valid court order - and only to the extent strictly required.

10 International Transfers

Some of our sub-processors operate outside the UK. Where personal data is transferred to a country not deemed adequate by the UK ICO, we ensure appropriate safeguards are in place, including:

  • The UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses (SCCs) together with the ICO's UK Addendum, as approved for use under UK law.
  • Anthropic's API data processing terms, which include processor commitments regarding data protection.
  • Stripe's and Render's Data Processing Agreements, which include SCCs for transfers to the USA.

You may request details of the specific safeguards in place by contacting us at hello@complianceagent.uk.

11 Data Retention

We retain data only for as long as necessary for the stated purpose or as required by law:

Data type                       Retention period
Account data (email, name)      While account is active; deleted upon account deletion
OAuth tokens                    While account is active; deleted immediately upon deletion or revocation
Compliance findings & scores    While account is active; deleted upon account deletion
Scan logs & technical logs      90 days, then automatically purged
Billing records                 7 years (UK financial record-keeping obligation)
Security incident logs          Up to 2 years for investigation purposes

When you request account deletion, we remove access immediately and permanently delete associated personal data (except billing records required by law) within 30 days.

12 Your Rights (UK GDPR)

Under the UK GDPR, you have the following rights. We will respond to all valid requests within 30 days (extendable to 60 days for complex requests with notice).

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17 - "Right to be Forgotten"): Request deletion of your data. You can request deletion via the app dashboard or by emailing us.
  • Right to Restriction (Art. 18): Request that we limit our processing of your data in certain circumstances.
  • Right to Data Portability (Art. 20): Request your personal data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interest.
  • Right to Withdraw Consent: Withdraw consent at any time by revoking OAuth access via your Microsoft or Google account settings, or by deleting your ComplianceAgent account.
  • Rights related to automated decision-making (Art. 22): See Section 15.

To exercise any of these rights, email hello@complianceagent.uk with the subject line "Data Rights Request", or use the dashboard deletion option.

Requests are free of charge. We may ask you to verify your identity before processing your request.

13 Cookies

We use essential cookies for authentication and security. If you opt in via the cookie banner, we may load Google Analytics (GA4) to understand aggregate site usage (no advertising cookies). See our Cookie Policy.

Cookie name         Purpose                                                                                                     Duration
oauth_csrf_state    Prevents cross-site request forgery during OAuth login                                                      Session (deleted after login completes)
ca_cookie_prefs     Stores your cookie banner choice (essential-only vs including analytics); held in browser local storage    Until cleared

Where we load optional analytics, we ask for your consent first. Essential cookies are strictly necessary for the service. You may delete or block cookies via your browser settings (some features may stop working).
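The oauth_csrf_state cookie in the table above is the server's half of the OAuth state check that Section 8 lists as "CSRF protection on OAuth flows". The Python example below shows how such a cookie is issued, verified and cleared; it is an added illustration, not ComplianceAgent's own implementation, and it assumes a hypothetical server-side signing secret supplied through configuration and a callback path under /auth. Everything else (the cookie name, the fact that it is deleted once login completes) comes from the table.

```python
"""OAuth state bound to a signed, short-lived, single-use cookie.

Added illustration (not ComplianceAgent's code). Assumes a server-side
secret supplied via configuration and a callback under /auth.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

COOKIE_NAME = "oauth_csrf_state"
STATE_MAX_AGE_S = 600  # an OAuth round trip should never take this long

# Constructed for the example only: a real deployment loads this from its secret store.
COOKIE_SECRET = secrets.token_bytes(32)


def _sign(secret: bytes, payload: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def begin_login(secret: bytes = COOKIE_SECRET, now: Optional[float] = None) -> Tuple[str, str]:
    """Return (state, Set-Cookie header).

    The state goes into the provider's authorize URL; the cookie carries the
    same state plus an issue time under an HMAC, so the callback can only be
    completed by the browser that started the login.
    """
    state = secrets.token_urlsafe(32)
    payload = json.dumps({"state": state, "iat": int(now or time.time())}).encode()
    value = base64.urlsafe_b64encode(payload).decode() + "." + _sign(secret, payload)
    header = (f"{COOKIE_NAME}={value}; Path=/auth; Max-Age={STATE_MAX_AGE_S}; "
              "HttpOnly; Secure; SameSite=Lax")
    return state, header


def cookie_value(set_cookie_header: str) -> str:
    """Extract the value part of a Set-Cookie header (what the browser sends back)."""
    return set_cookie_header.split(";", 1)[0].split("=", 1)[1]


def finish_login(returned_state: Optional[str], cookie: Optional[str],
                 secret: bytes = COOKIE_SECRET, now: Optional[float] = None) -> bool:
    """Validate the callback. Any failure means: discard the authorization code
    and restart the login, never proceed."""
    if not returned_state or not cookie or "." not in cookie:
        return False                      # missing cookie: cross-site or replayed callback
    encoded, _, sig = cookie.rpartition(".")
    try:
        payload = base64.urlsafe_b64decode(encoded.encode())
        claims = json.loads(payload)
    except ValueError:                    # covers binascii.Error and JSONDecodeError
        return False
    if not isinstance(claims, dict):
        return False
    if not hmac.compare_digest(_sign(secret, payload), sig):
        return False                      # forged cookie or signed under another secret
    if (now or time.time()) - int(claims.get("iat", 0)) > STATE_MAX_AGE_S:
        return False                      # stale state: limits the replay window
    return hmac.compare_digest(str(claims.get("state", "")), returned_state)


def clear_cookie_header() -> str:
    """Sent with the callback response: the state is single-use, so the cookie
    is deleted as soon as login completes."""
    return f"{COOKIE_NAME}=; Path=/auth; Max-Age=0; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    state, set_cookie = begin_login()
    print("authorize URL gets state =", state)
    print("browser stores:", set_cookie)
    print("callback accepted:", finish_login(state, cookie_value(set_cookie)))
    print("then respond with:", clear_cookie_header())
```

Two design points worth noting. SameSite=Lax rather than Strict is deliberate: the provider's redirect back to /auth/callback is a top-level cross-site navigation, and a Strict cookie would not be sent with it, so the legitimate login would fail the very check meant to protect it. And the state is compared with a constant-time function and expires after ten minutes, so a captured callback URL cannot be replayed later against a different session.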

14 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33.
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (UK GDPR Article 34).
  • Notifications will include: the nature of the breach, categories of data affected, likely consequences, and measures taken to address it.

If you believe your data has been compromised, please contact us immediately at hello@complianceagent.uk.

15 Automated Decision-Making

Our AI-powered compliance analysis generates scores and findings automatically. However, these outputs are informational recommendations only - they are not binding decisions and do not produce legal or similarly significant effects on you or your organisation without human review.

UK GDPR Article 22 rights regarding fully automated decisions do not apply here, as our outputs require interpretation and action by a human user before any consequence arises. We nonetheless commit to transparency about how our scoring works; please contact us if you wish to understand a specific finding.

16 Children's Data

Our service is intended for business and professional use only. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at hello@complianceagent.uk and we will delete it promptly.

17 Complaints

If you are dissatisfied with how we handle your personal data, please contact us first at hello@complianceagent.uk - we aim to resolve all complaints within 30 days.

If you remain unsatisfied, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

ico.org.uk  ·  Tel: 0303 123 1113  ·  Make a complaint online

18 Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. For material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Notify you by email (to the address on your account) at least 14 days before the changes take effect.
  • Display a notice within the application dashboard.

Continued use of the service after the effective date constitutes acceptance of the updated policy.

19 Contact Us

For any privacy-related enquiries or to exercise your data rights:

ComplianceAgent UK

hello@complianceagent.uk

complianceagent.uk

We aim to respond to all enquiries within 2 business days.