Data Subject Access Request

You have the right to obtain confirmation as to whether we are processing personal data about you and, if so, to receive a copy of that data along with the following information:

• The purposes for which we process your personal data.
• The categories of personal data we hold (e.g. account data, generated policies, billing records, usage logs).
• The recipients or categories of recipients to whom we have disclosed or will disclose your data.
• The retention period, or criteria used to determine that period.
• Your other rights under UK/EU GDPR (rectification, erasure, restriction, objection).
• The right to lodge a complaint with a supervisory authority.
• Where data was not collected from you directly, information about its source.
• Whether automated decision-making (including profiling) is used and, if so, what logic is involved.

Timeline: We respond within 30 calendar days of confirming your identity. This can be extended by up to 2 months (giving a total of 3 months) for complex or numerous requests, with notice provided to you explaining the reason for the extension.

Cost: Access requests are provided free of charge as standard. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, particularly where requests are repetitive.

You have the right to have inaccurate personal data corrected, and to have incomplete personal data completed, having regard to the purposes of the processing.

Self-service: You can correct most of your personal data directly in your account without contacting us:

• Name: Update in Dashboard → Settings → Profile.
• Email address: Update in Dashboard → Settings → Account.
• Billing name/email: Update via the billing portal accessible from Dashboard → Settings → Billing.
• Generated policy content: You can edit any generated policy directly within the platform editor.

For data that cannot be updated via self-service (e.g. historical log records, Stripe billing records), email [email protected] with details of what needs to be corrected and why.

You have the right to request that we delete your personal data where one of the following grounds applies:

• The personal data is no longer necessary for the purposes for which it was collected or processed.
• You withdraw consent on which processing was based (and there is no other legal ground for processing).
• You object to processing based on legitimate interests and there are no overriding legitimate grounds.
• The personal data has been unlawfully processed.
• The personal data must be erased for compliance with a legal obligation.

• Your account credentials (email address, password hash, OAuth tokens) — deleted immediately from the live database.
• All generated policies stored against your account — deleted immediately from the live database.
• Your site keys and embed configurations — deleted immediately.
• Policy files in storage (Supabase Storage) — purged within 30 days.
• Analytics event data attributed to your account in PostHog — deleted within 30 days on request.

• Financial records (invoices, payment logs, subscription history): Retained for 7 years to comply with HMRC requirements under the Taxes Management Act 1970. These are held in Stripe and our billing record system only.
• Encrypted database backups: May retain your data for up to 30 days after live database deletion, within our normal backup rotation cycle. These are not accessible for ordinary use and are destroyed automatically.
• Aggregate, anonymised analytics: Aggregate website traffic statistics in Google Analytics are not personal data and are not deleted. They cannot be attributed to you individually.
• Legal proceedings: Data required to establish, exercise, or defend legal claims may be retained for the duration of any relevant proceedings.

Self-service: You can delete your account at any time from Dashboard → Settings → Delete Account. This is the fastest route. For partial data deletion (e.g. specific policies or analytics data only), email [email protected].

You have the right to request that we restrict (i.e. pause) the processing of your personal data in the following circumstances:

• Contesting accuracy: You contest the accuracy of the personal data we hold, for a period allowing us to verify the accuracy.
• Unlawful processing: The processing is unlawful and you request restriction rather than deletion.
• No longer needed by us: We no longer need the data for our purposes, but you need it for the establishment, exercise, or defence of legal claims.
• Pending objection: You have objected to processing based on legitimate interests and we are assessing whether our legitimate grounds override your interests.

Where processing is restricted, we will only process your personal data (other than for storage) with your consent or for the establishment, exercise, or defence of legal claims. We will inform you before lifting the restriction.

Practically, restriction means we will mark your account with a restriction flag in our database, preventing your data from being used for any purpose other than storage. This does not affect your ability to log in or access the platform.

Where we process your personal data by automated means on the basis of your consent or a contract with you, you have the right to receive that data in a structured, commonly used, machine-readable format and to transmit it to another controller without hindrance.

Self-service export: A full export of your personal data (account information, generated policies, site keys, and subscription data) in JSON format is available immediately via Dashboard → Settings → Export Data. The export includes:

• Account profile data (email, name, profile photo URL if applicable)
• All generated policies (title, content, creation date, last modified date, jurisdiction, status)
• Site key configurations (key name, domain, creation date)
• Subscription history summary (plan, billing dates, amounts)

If you require the export in a different machine-readable format (e.g. CSV, XML), or if you need assistance transferring your data to another service, email [email protected].

The right to portability applies to personal data you have provided to us directly (account data, policy inputs) and does not extend to data we have derived or inferred (e.g. usage analytics, security logs).

You have the right to object to processing of your personal data in two specific circumstances:

Where we rely on legitimate interests (Art 6(1)(f)) as our legal basis for processing, you may object to that processing. We rely on legitimate interests to process technical metadata (IP addresses, user-agents, access logs) for security and fraud prevention. If you object, we must cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for legal claims.

Where we process your personal data for direct marketing purposes (including profiling for marketing), you have an absolute right to object at any time, and we must stop processing for that purpose immediately upon receipt of your objection. There are no exceptions to this right.

To object to marketing: use the one-click unsubscribe link in any marketing email, or manage preferences in Dashboard → Settings → Notifications, or email [email protected].

Where we process your personal data on the basis of your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

The processing activities we carry out on the basis of consent are:

• Analytics cookies (Google Analytics 4 and PostHog): You can withdraw consent at any time by updating your cookie preferences via the cookie settings link in the footer, or by emailing [email protected]. Withdrawing consent prevents future analytics data collection; it does not delete historical analytics data (which is anonymised and not linked to your identity).
• Marketing emails (where consent was the legal basis): Use the unsubscribe link in any marketing email or update your preferences in Dashboard → Settings → Notifications.

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

PolicifyAI's position: We do not make solely automated decisions that produce legal or similarly significant effects on users. Specifically:

• AI-generated policy documents are drafts for your review — they are not decisions made about you. You are the decision-maker about whether to publish, adopt, or modify any generated content.
• Subscription plan limits and quota enforcement are automated, but these are pre-agreed contractual terms, not decisions that significantly affect your legal rights.
• Account suspension decisions for Terms of Service violations are reviewed by a human before being made permanent.

If you have any concerns about automated processing that you believe significantly affects you, please contact [email protected].