Last updated: 20 March 2026
Privacy Policy
1. Who we are
- PolicyHQ ("we", "us", "our") is the data controller responsible for your personal data processed through the PolicyHQ service, website (policyhq.co.uk), MCP server, API, and compliance dashboard (the "Service").
- Contact: hello@policyhq.co.uk
- We are registered with the Information Commissioner's Office (ICO). Our ICO registration number will be published here once issued.
2. What data we collect
- Account data. When you register, we collect your email address, name (optional), firm name (optional), and SRA number (optional). This is collected to create and manage your account.
- Payment data. If you subscribe to a paid plan, payment is processed by Stripe. We do not store your full card details. Stripe provides us with a truncated card number and billing address for record-keeping. Stripe's privacy policy applies to payment processing.
- Query logs. When your AI assistant calls PolicyHQ, we record the query text, the tool called, the results returned, the timestamp, and the API key used. This data powers your compliance dashboard.
- Verification data. When you use the verification tool, we process the text of your document to extract citations. We record the extracted citations and their verification status. We do not store the full text of your document after processing is complete. Document text is processed in memory and discarded once the verification report is generated.
- Technical data. We collect IP addresses, client identifiers, and request metadata for security, rate limiting, and abuse prevention. This data is retained for 30 days and then deleted.
- Website data. We do not use cookies for analytics or advertising. We use only strictly necessary cookies for session management if you are logged into the dashboard. We do not use Google Analytics or any third-party tracking scripts.
3. Cookies
- PolicyHQ uses strictly necessary cookies only. These are session cookies required to maintain your logged-in state when using the compliance dashboard. They are deleted when you close your browser or log out.
- We do not use advertising cookies, analytics cookies, or any third-party tracking cookies. We do not require a cookie consent banner because we use only strictly necessary cookies.
- If you do not have a dashboard account, no cookies are set when you visit the PolicyHQ website or use the MCP server.
4. Lawful basis for processing
- Account and payment data: processed on the basis of contractual necessity (UK GDPR Article 6(1)(b)) — we need this data to provide the Service to you.
- Query logs and verification data: processed on the basis of contractual necessity (Article 6(1)(b)) — this data is part of the Service (the compliance dashboard) and is generated as a necessary part of providing search and verification functionality.
- Technical data: processed on the basis of legitimate interests (Article 6(1)(f)) — our legitimate interest in maintaining security, preventing abuse, and ensuring service availability. We have conducted a legitimate interests assessment and concluded that this processing does not override your rights and freedoms.
5. How we use your data
- To provide the Service: processing search queries, generating verification reports, maintaining the compliance dashboard.
- To manage your account: authentication, billing, and customer support.
- To maintain security: detecting and preventing abuse, fraud, and unauthorised access.
- To communicate with you: service notifications, billing confirmations, and material changes to Terms or this Privacy Policy. We will not send marketing communications unless you have explicitly opted in.
- We do not sell your personal data. We do not share your personal data with third parties for their marketing purposes.
6. Data sharing
- Stripe: payment processing. Data shared: email, billing address, payment method details. Legal basis: contractual necessity.
- Hosting provider: our infrastructure is hosted on servers located in the United Kingdom. Our hosting provider processes data on our behalf as a data processor under a data processing agreement that includes appropriate technical and organisational measures.
- We may disclose your data if required by law, regulation, legal process, or governmental request.
- We do not transfer your personal data outside the United Kingdom unless required for the specific sub-processors listed above, in which case appropriate safeguards (such as Standard Contractual Clauses or UK adequacy decisions) are in place.
7. Data retention
- Account data: retained for the duration of your account plus 12 months after closure, after which it is deleted.
- Query logs and verification reports: retained for the duration of your account plus 12 months, unless you request earlier deletion via the dashboard or by contacting us.
- Payment records: retained for 7 years after the transaction date to comply with HMRC record-keeping requirements.
- Technical/security logs: retained for 30 days and then automatically deleted.
- Document text submitted for verification: not retained. Processed in memory and discarded after the verification report is generated.
8. Your rights
- Under UK GDPR, you have the following rights:
- Right of access: you may request a copy of the personal data we hold about you.
- Right to rectification: you may request correction of inaccurate personal data.
- Right to erasure: you may request deletion of your personal data, subject to our legal obligations to retain certain records.
- Right to restrict processing: you may request that we limit how we use your data in certain circumstances.
- Right to data portability: you may request your data in a structured, commonly used, machine-readable format.
- Right to object: you may object to processing based on legitimate interests.
- Rights related to automated decision-making: PolicyHQ does not make decisions based solely on automated processing that produce legal or similarly significant effects on you.
- To exercise any of these rights, contact us at hello@policyhq.co.uk. We will respond within one month.
- You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint if you believe your data protection rights have been violated.
9. Security
- We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS 1.2 or higher), access controls, and regular security reviews.
- API keys are stored using one-way hashing. We cannot retrieve your API key after it is generated — if lost, you must generate a new one via the dashboard.
- We will notify you and the ICO without undue delay if we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms.
10. Children
- The Service is not intended for use by persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected personal data from a minor, please contact us and we will delete it promptly.
11. Changes to this policy
- We may update this Privacy Policy from time to time. Where changes are material, we will notify registered users by email at least 14 days before the changes take effect. The "last updated" date at the top of this page will always reflect the most recent version.
12. Contact us
- For any questions about this Privacy Policy or our data processing practices, please contact us at: hello@policyhq.co.uk
- PolicyHQ, London, England.
- To exercise your data subject rights, please email us with the subject line "Data Subject Request" and describe your request. We will acknowledge receipt within 3 working days and respond within one calendar month.