Privacy Policy
Last updated: 26 January 2025
1. Who We Are
ComplianceAgent UK ("we", "us", "our") provides an AI-powered compliance scanning service for Microsoft 365 and Google Workspace users. We are committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
ComplianceAgent UK acts as the data controller for the personal data we collect through our service. For enquiries, contact us at hello@complianceagent.uk.
3. What Data We Collect
We collect and process the following categories of personal data:
- Account Information: Email address, display name, and OAuth provider (Microsoft or Google) when you sign in.
- OAuth Tokens: Access and refresh tokens from your Microsoft or Google account, encrypted at rest using Fernet (AES-128-CBC), used solely to access your workspace data for compliance scanning.
- Scanned Content Metadata: Email subject lines, file names, and snippets of content analysed during compliance scans. We do not store full email bodies or full file contents.
- Compliance Findings: Results of our AI analysis, including identified risks, severity levels, and remediation recommendations.
- Compliance Scores: Aggregated numerical scores and regulatory compliance status.
- Usage Data: Scan timestamps, session information, and basic service interaction logs.
4. Lawful Basis for Processing
We process your personal data under the following lawful bases (UK GDPR Article 6):
- Consent (Art. 6(1)(a)): When you sign in via OAuth and authorise access to your workspace.
- Contract (Art. 6(1)(b)): To provide the compliance scanning service you have requested.
- Legitimate Interest (Art. 6(1)(f)): To improve our service, prevent fraud, and ensure security.
5. How We Use Your Data
Your data is used to:
- Authenticate you and maintain your session.
- Access your Microsoft 365 or Google Workspace data (read-only) for compliance scanning.
- Run AI-powered analysis to detect PII exposure, phishing threats, and data handling risks.
- Generate compliance scores and reports mapped to UK GDPR, NIS2, and DORA.
- Provide you with actionable remediation recommendations.
6. AI Processing
We use Anthropic's Claude AI models to analyse your workspace content for compliance risks. Content snippets are sent to Anthropic's API for analysis. Anthropic does not use your data to train their models. Analysis results are stored in our database; the raw content sent to the AI is not persisted after analysis completes.
7. Data Storage & Security
- All data is stored in PostgreSQL databases with encrypted connections (TLS).
- OAuth tokens are encrypted at rest using Fernet symmetric encryption (AES-128-CBC).
- Our application is hosted on Render.com with HTTPS enforced.
- We implement rate limiting, security headers (HSTS, CSP, X-Frame-Options), and audit logging.
- Database backups are encrypted and retained for disaster recovery purposes.
8. Data Sharing
We do not sell your personal data. We share data only with:
- Anthropic (AI provider): Content snippets for analysis. Governed by Anthropic's data processing terms.
- Render.com (hosting): Infrastructure provider operating our servers.
- Stripe (payments): If you subscribe to a paid plan, billing information is processed by Stripe.
9. International Transfers
Some of our service providers (Anthropic, Render, Stripe) may process data outside the UK. Where this occurs, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) as appropriate.
10. Data Retention
- Account data: Retained while your account is active, deleted upon account deletion.
- OAuth tokens: Retained while your account is active, immediately deleted upon account deletion or token revocation.
- Findings & scores: Retained while your account is active. Historical scores are kept for trend analysis.
- Scan logs: Retained for 90 days for troubleshooting, then automatically purged.
11. Your Rights (UK GDPR)
Under the UK GDPR, you have the right to:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate data.
- Erasure (Art. 17): Request deletion of your data. You can delete your account and all associated data instantly via the "Delete Account" feature in the app.
- Restriction (Art. 18): Request we limit how we process your data.
- Portability (Art. 20): Request your data in a machine-readable format.
- Object (Art. 21): Object to processing based on legitimate interest.
- Withdraw Consent: Withdraw consent at any time by revoking OAuth access or deleting your account.
To exercise any of these rights, email hello@complianceagent.uk or use the "Delete Account" button in the application dashboard.
12. Cookies
We use minimal, essential cookies only:
- oauth_csrf_state: A temporary cookie used during OAuth login to prevent cross-site request forgery. Expires after login completes.
We do not use tracking cookies, analytics cookies, or advertising cookies.
13. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ico.org.uk
Tel: 0303 123 1113
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice in the application. The "Last updated" date at the top of this page indicates when the policy was last revised.
15. Contact Us
For privacy-related enquiries, please contact:
hello@complianceagent.uk