1

Data Controller

fairead ("we", "us", "our"), operating at fairead.co.uk, is the data controller responsible for your personal data. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller: fairead
Contact: business@fairead.co.uk
Jurisdiction: England & Wales

If you have any questions about how we handle your personal data, or wish to exercise your rights, please contact our privacy team at business@fairead.co.uk.

2

Data We Collect

Account & Identity Data

  • Full name and email address (provided at registration)
  • Encrypted password (we never store passwords in plain text)
  • Account creation date and last login timestamp
  • Subscription tier and account type (Free, Pro, or Pay-As-You-Go)

Document Data

  • Documents you upload for analysis (PDF, DOCX, RTF, TXT formats)
  • Extracted text content from your documents for AI processing
  • Original files stored in your personal vault (authenticated users only)
  • Analysis results, including clause breakdowns and risk assessments

Documents you upload may contain highly sensitive personal or legal information. We process document content solely to provide the analysis service and do not use it for any other purpose, including AI model training. See Section 5 for our third-party processor commitments.

Payment Data

  • Billing name and email address
  • Stripe customer ID and subscription/payment intent IDs (references only)
  • Transaction history and subscription status

We do not store your full payment card details. All card data is handled directly by Stripe, Inc. under their own PCI-DSS compliant systems.

Usage & Technical Data

  • Number of analyses performed and remaining usage quota
  • Browser type, operating system, and device type (via standard server logs)
  • IP address and approximate geographic location
  • Pages visited and features used within the Service
  • Error logs and performance data to maintain service quality

Data We Do NOT Collect

  • We do not intentionally collect special category data (race, health, political opinions, etc.)
  • We do not collect biometric data
  • We do not build advertising profiles or sell your data to advertisers
  • We do not use your documents to train or improve AI models

4

How We Use Your Data

  • To create and manage your account and authenticate your identity
  • To process uploaded documents and deliver AI-generated analysis results
  • To store documents securely in your personal vault
  • To process payments and manage your subscription
  • To send transactional emails such as account confirmations and receipts
  • To respond to your support and legal enquiries
  • To detect, prevent, and investigate fraud, abuse, or security incidents
  • To comply with our legal and regulatory obligations
  • To generate aggregated, anonymised statistics about Service usage (no individual identification)
  • To send optional service updates or product announcements where you have consented

We will never sell, rent, or trade your personal data to third parties for their own marketing purposes.

5

Third-Party Processors

To operate the Service, we share your data with a small number of carefully selected third-party processors. Each processor is contractually bound to process your data only on our instructions and in compliance with UK GDPR.

Supabase (Database & File Storage)

  • Purpose: Account data, analysis records, and vault document storage
  • Data shared: Account information, analysis results, uploaded documents
  • Location: EU (with standard contractual clauses in place)
  • Privacy policy: supabase.com/privacy

Anthropic (AI Analysis Engine)

  • Purpose: Processing document text to generate AI analysis
  • Data shared: Extracted text content from your uploaded documents
  • Location: United States (with appropriate transfer safeguards)
  • Important: Anthropic processes your document text to generate the analysis. Their API usage policies prohibit training on API data by default.
  • Privacy policy: anthropic.com/privacy

Stripe (Payment Processing)

  • Purpose: Processing subscription and one-time payments
  • Data shared: Billing name, email, and transaction details
  • Location: United States (EU-US Data Privacy Framework certified)
  • Privacy policy: stripe.com/privacy

When you upload a document to fairead, its text content is transmitted to Anthropic's API for analysis. By using the Service, you acknowledge and consent to this transmission. We strongly recommend you do not upload documents containing highly sensitive personal data (such as medical records or financial statements) unless you are comfortable with this processing.

6

Data Retention

Account Data

We retain your account data for as long as your account remains active. If you close your account, we will delete your personal data within 30 days, except where retention is required by law.

Documents & Analysis Results

Documents stored in your vault and analysis results are retained for as long as your account is active. You may delete individual documents at any time from your dashboard. On account closure, all documents are permanently deleted within 30 days.

Payment Records

Transaction records are retained for 7 years to comply with HMRC financial record-keeping requirements, even after account closure.

Server Logs

Technical logs containing IP addresses and usage data are retained for a maximum of 90 days for security and debugging purposes.

7

Your Rights (UK GDPR)

Under the UK General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of all personal data we hold about you (Subject Access Request)
  • Right to Rectification: Request correction of inaccurate or incomplete personal data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention obligations
  • Right to Restriction: Request that we restrict processing of your data in certain circumstances
  • Right to Data Portability: Receive your personal data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests at any time
  • Rights related to Automated Decision-Making: We do not make solely automated decisions with legal or similarly significant effects
  • Right to Withdraw Consent: Withdraw any previously given consent at any time

To exercise any of these rights, contact us at business@fairead.co.uk with the subject line "Data Rights Request". We will respond within 30 days. We may need to verify your identity before processing your request.

Complaints

If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We encourage you to contact us first so we can attempt to resolve your concern.

8

International Transfers

Some of our third-party processors are located outside the UK and European Economic Area (EEA), including Anthropic and Stripe in the United States. Where we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • UK International Data Transfer Agreements (IDTAs) or equivalent Standard Contractual Clauses
  • Transfers to countries with UK adequacy decisions
  • Transfers to US organisations certified under relevant data privacy frameworks

You may request details of specific transfer mechanisms in place by contacting business@fairead.co.uk.

9

Cookies & Tracking

Essential Cookies

We use strictly necessary cookies to maintain your authenticated session and ensure the Service functions correctly. These cookies cannot be disabled without breaking the Service.

What We Do NOT Use

  • We do not use third-party advertising cookies or tracking pixels
  • We do not use analytics services that build cross-site profiles (e.g. Google Analytics)
  • We do not use fingerprinting or other covert tracking technologies

Our session cookies are set by Supabase for authentication purposes and expire at the end of your browser session or after 7 days, whichever is sooner.

10

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction, including:

  • All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
  • Documents in your vault are stored with per-user access controls enforced at the database level
  • Passwords are hashed using industry-standard algorithms and never stored in plain text
  • Row-Level Security (RLS) policies ensure each user can only access their own data
  • Payment data is handled entirely by Stripe and never passes through our servers
  • Access to production systems is restricted to authorised personnel only
  • We conduct regular security reviews of our infrastructure

Despite these measures, no system is completely secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected users without undue delay, as required by UK GDPR.

11

Children's Privacy

The Service is not directed at, and we do not knowingly collect personal data from, individuals under the age of 18. If you are under 18, you must not use the Service.

If we become aware that we have collected personal data from a person under 18 without appropriate parental consent, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at business@fairead.co.uk.

12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Where changes are material, we will notify registered users by email at least 14 days before the changes take effect.

The "Last Updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.

13

Contact & Complaints

For any privacy-related enquiries, Subject Access Requests, or to exercise your rights:

  • Email: business@fairead.co.uk
  • Response time: Within 30 days (as required by UK GDPR)
  • Subject line for SAR: "Subject Access Request — [Your Name]"
  • Subject line for erasure: "Erasure Request — [Your Name]"

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113 · Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF