Privacy Policy
Last updated: 2 April 2026
1. Who we are
CompliDocs Ltd ("CompliDocs", "we", "us") is the data controller for personal data collected through this website and our services. We are registered in England and Wales (Company No. 12345678).
Contact details:
CompliDocs Ltd
Email: hello@complidocs.co.uk
Data protection enquiries: dpo@complidocs.co.uk
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website (complidocs.co.uk) and services. It is written in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data we collect
We collect the following categories of personal data:
- Account and identity data: Your name, email address, and company name, provided when you register for an account or purchase a document.
- Business information: Business name, address, business type, assessor name, and employee numbers provided when generating a document. This information appears in your generated documents.
- Payment data: Payment transactions are processed by Stripe. We do not receive or store your full card details. We receive confirmation of payment, transaction amount, and Stripe customer and subscription IDs.
- Usage data: Information about how you use our website, including pages visited, documents generated, and time spent on the site. Collected via analytics cookies (with your consent).
- Communications: Content of any messages you send us via the contact form or by email, for the purpose of responding to your enquiry.
- Technical data: IP address, browser type, device type, and operating system, collected automatically as part of normal server operations.
3. Legal basis for processing
We process your personal data on the following legal bases under UK GDPR:
- Contract performance (Article 6(1)(b)): To provide our services — generating documents, processing payments, and delivering downloads — we must process your name, email, and business details. Without this data we cannot provide the service.
- Legitimate interests (Article 6(1)(f)): We have a legitimate interest in maintaining the security of our systems, preventing fraud, improving our service, and sending relevant service updates to existing customers. We balance these interests against your rights and freedoms.
- Consent (Article 6(1)(a)): Where you have given consent — such as agreeing to analytics cookies — we process data on that basis. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Legal obligation (Article 6(1)(c)): We retain certain financial records as required by HMRC and other applicable law.
4. How we use your data
- To generate and deliver health and safety documents based on your inputs
- To process payments and manage subscriptions
- To send transactional emails (order confirmations, document delivery, subscription updates)
- To provide customer support and respond to enquiries
- To improve our templates and services (using aggregated, anonymised data)
- To comply with legal and regulatory obligations
- To detect and prevent fraud and abuse
5. Data retention
We retain personal data for the following periods:
- Account data: For the duration of your account plus 7 years after account closure, to comply with financial record-keeping requirements.
- Generated document data: Document inputs (business name, address, etc.) are retained for 3 years, to allow you to re-download documents and for audit purposes.
- Payment records: 7 years from the date of transaction, as required by HMRC.
- Server logs: 90 days, then automatically deleted.
- Contact form messages: 2 years from the date of the last communication in a thread.
- Marketing consent records: Until you withdraw consent plus 3 years.
When retention periods expire, data is securely deleted or anonymised.
6. Third-party data processors
We share data with the following sub-processors to operate our service. Each is bound by a data processing agreement:
Supabase Inc.
Purpose: Database hosting and authentication
Location: USA (AWS EU-West-1 region — data stored in EU)
Safeguard: Standard Contractual Clauses (SCCs)
Stripe Inc.
Purpose: Payment processing and subscription management
Location: USA and EU
Safeguard: SCCs; Privacy Shield successor framework
Resend Inc.
Purpose: Transactional email delivery
Location: EU
Safeguard: EU-based data processing
Anthropic PBC
Purpose: AI document generation (only when feature is enabled)
Location: USA
Safeguard: SCCs; API data not used for model training under our agreement
Vercel Inc.
Purpose: Website hosting and infrastructure
Location: USA/EU
Safeguard: SCCs; Edge network with EU data residency options
We do not sell your personal data to any third party. We do not share your data with any party not listed above without your explicit consent, except where required by law.
7. Your rights under UK GDPR
You have the following rights regarding your personal data. To exercise any of these rights, contact us at dpo@complidocs.co.uk. We will respond within 30 days.
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): You may ask us to delete your data, subject to legal retention requirements.
- Right to data portability: You may request your data in a machine-readable format (where technically feasible).
- Right to restrict processing: You may ask us to restrict processing of your data in certain circumstances.
- Right to object: You may object to processing based on our legitimate interests.
- Rights related to automated decision-making: We do not make decisions about you solely through automated means that have legal or significant effects.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data lawfully.
8. Cookies
We use cookies and similar technologies as described in our Cookie Policy. A summary:
- Strictly necessary cookies: Required for the site to function. No consent required.
- Analytics cookies: Used to understand how visitors use the site. Only set with your consent via our cookie banner.
You can manage your cookie preferences at any time by clicking "Manage Preferences" in the cookie banner at the bottom of the page.
9. Data security
We take data security seriously. Our measures include:
- Encryption in transit (HTTPS/TLS) for all data between your browser and our servers
- Encryption at rest for databases hosted on Supabase
- Row-Level Security on our database ensuring users can only access their own data
- No storage of payment card details (handled entirely by Stripe)
- Access controls limiting who within CompliDocs can access personal data
No system is completely secure. In the event of a data breach that poses risk to your rights, we will notify you and the ICO in accordance with our legal obligations.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated to you by email (if you have an account) or by a prominent notice on our website. The "last updated" date at the top of this page will always reflect the current version.
CompliDocs Ltd · Company No. 12345678 · Registered in England and Wales
Questions? Contact us at dpo@complidocs.co.uk