Privacy Policy

Who we are

CompanyPolicies.co.uk is operated by AI Director Ltd, trading as AI-Si.com, a UK-based AI governance and compliance company. Registered in England and Wales. Company No. 17191973. We provide UK compliance policy document generation services to organisations. When we refer to "we", "us" or "our" in this policy, we mean AI Director Ltd as the data controller for this service.

Contact for data matters: sales@companypolicies.co.uk

What data we collect and why

Account data

When you register, we collect your name and email address. We use this to create and manage your account, authenticate you, and send you transactional emails (account confirmation, receipts, briefing notifications). The legal basis is performance of a contract (Article 6(1)(b) UK GDPR).

Questionnaire and organisation data

To generate your policy documents, you complete a questionnaire covering your organisation's name, sector, size, key personnel names and contact details, and operational details (e.g. whether you use AI tools, your DPO contact). This data is used solely to personalise your policy documents. We do not sell this data or use it for any other purpose. The legal basis is performance of a contract (Article 6(1)(b) UK GDPR).

Payment data

We use Stripe to process payments. We do not store your card number or payment credentials — these go directly to Stripe and never touch our servers. We retain a record of your subscription tier, Stripe customer ID, and payment history for billing and support purposes. The legal basis is performance of a contract and compliance with a legal obligation (accounting records).

Usage data

We log standard server access data (IP address, browser type, pages visited, timestamps) to maintain security, diagnose errors, and understand how the service is used. This data is retained for up to 90 days. The legal basis is legitimate interests (Article 6(1)(f) UK GDPR) — maintaining the security and integrity of our service.

Who we share your data with

We use a small number of third-party processors to operate this service:

• Stripe — payment processing. Stripe is PCI-DSS compliant. See Stripe's privacy policy.
• Email delivery — we use Resend to send transactional emails (account confirmation, receipts) and quarterly briefings. See Resend's privacy policy.
• Hosting infrastructure — the application is hosted on Replit, which runs on Google Cloud Platform (GCP) infrastructure in the us-central1 region (Iowa, USA). GCP operates under SOC 2 Type II certification and ISO 27001. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). A standard contractual clause (SCC) transfer mechanism is in place for transfers outside the UK. For UK data subjects, this means your data may be processed in the USA but under safeguards that meet the UK International Data Transfer Agreement standard.

NHS and public sector data sovereignty. NHS bodies, health trusts, and other public sector organisations with specific data sovereignty requirements may request a manually delivered policy suite. In this arrangement, your questionnaire data is used to generate documents in an isolated process, reviewed and delivered directly by the CompanyPolicies team — without being routed through automated cloud infrastructure or third-party hosting. If you require this arrangement, contact us at sales@companypolicies.co.uk before subscribing to confirm the process and data handling applicable to your organisation.

We do not sell, rent, or share your personal data with any third party for marketing purposes.

How long we keep your data

• Account data: for as long as your account is active, plus 12 months after closure.
• Questionnaire/session data: for as long as your account is active. Deleted within 30 days of account deletion.
• Payment records: 7 years (legal requirement for UK accounting records).
• Server logs: up to 90 days.

Your rights under UK GDPR

You have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — ask us to delete your data (subject to legal retention requirements).
• Restriction — ask us to limit how we use your data while a dispute is resolved.
• Portability — receive your data in a machine-readable format.
• Object — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email sales@companypolicies.co.uk. We will respond within one month.

Complaints

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

Cookies

We use session storage and local storage in your browser to maintain your login session and save questionnaire progress. We do not use third-party advertising or tracking cookies. Stripe may set cookies in connection with payment processing — see Stripe's cookie policy for details.

You can review or change your cookie preference at any time using the Cookie settings link in the footer, or by clicking here.

Changes to this policy

We may update this policy from time to time. We will notify registered users of material changes by email. The "last updated" date at the top of this page reflects when the policy was last revised.