Privacy Policy

Last updated: 23 May 2026  ·  Operated by L. Bone trading as PolicifyAI  ·  Registered in England & Wales

Technology provider notice. PolicifyAI is a self-service AI template engine, not a law firm. We do not provide legal advice and the documents we generate are not a substitute for qualified legal counsel. By using the Service you acknowledge you are responsible for reviewing and validating any policy before publishing it.

1. Who we are & data controller details

PolicifyAI is operated by L. Bone, trading as PolicifyAI, a UK-based sole trader registered in England and Wales. We are the data controller for all personal data you provide when visiting our website at policifyai.com or using any of our services.

As data controller, we determine the purposes and means of processing your personal data. Our email addresses for privacy-related correspondence are:

Our registered contact address is kept on file with our payment processor (Stripe) and is available to relevant authorities or verified parties upon written request to [email protected].

2. Scope and applicable laws

This Privacy Policy applies to all personal data we process in connection with:

  • Your use of the PolicifyAI website at policifyai.com
  • Your account registration and ongoing use of the PolicifyAI platform
  • Policy generation, management, and embed services
  • Our marketing emails, product update emails, and transactional communications
  • Your use of the PolicifyAI REST API and embed script

We process personal data in compliance with the following laws and regulations:

  • UK GDPR — the UK General Data Protection Regulation as retained by the European Union (Withdrawal) Act 2018, read together with the Data Protection Act 2018
  • EU GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council, to the extent we process personal data of individuals in EEA member states
  • PECR — the Privacy and Electronic Communications Regulations 2003 (UK)
  • EU ePrivacy Directive — Directive 2002/58/EC as implemented in applicable member states
  • CAN-SPAM Act (United States) — for commercial email communications
  • CASL (Canada) — Canada's Anti-Spam Legislation
  • CCPA/CPRA (California) — the California Consumer Privacy Act and California Privacy Rights Act

3. What data we collect

We collect only what is necessary to provide the Service. The following categories of personal data are collected:

3.1 Account and identity data
  • Email address — required to create an account, authenticate your identity, and send you transactional communications.
  • Full name — collected when you sign in with Google OAuth. Optional for email/password accounts.
  • Profile photo — collected from Google OAuth if you sign in via Google. Stored to personalise your dashboard.
  • Password hash — if you sign up with email/password, we store a bcrypt hash of your password. We never store plaintext passwords.
3.2 Policy generation inputs
  • Business/company name — the name of the business for which a policy is being generated.
  • Website URL — used to tailor the generated policy to your specific domain.
  • Industry/sector — used to produce industry-appropriate language and clauses.
  • Jurisdiction selections — which countries or regions your business operates in, used to include or exclude jurisdiction-specific clauses.
  • Additional context — any free-text information you enter into the generation wizard to customise your policy. This may include descriptions of your data practices, products, or services.
  • Generated policy text — the AI-produced policy document, stored against your account for retrieval, editing, and embedding.
3.3 Technical and device data
  • IP address — logged by Vercel edge infrastructure and Supabase for security, fraud prevention, and abuse detection, and recorded against each sign-in and browsing session (see “Login and session history” below). Anonymised for analytics.
  • Browser user-agent string — collected to maintain service compatibility and detect automated abuse, and stored alongside login and session records.
  • Session identifiers (JWT tokens) — issued by Supabase Auth to maintain authenticated sessions. Stored in secure, HttpOnly cookies.
  • Login and session history — to secure your account and detect unauthorised access, we record each login (and each failed login attempt), logout, and signup together with the date and time, the IP address used, your browser user-agent, and a coarse, IP-derived location (country/region/city). For signed-in and visiting sessions we also record which pages you visit, the number of pages viewed, and the duration of the session. These records are held in our Supabase database under our legitimate interest in keeping the Service secure.
  • Referrer URL — the URL of the page that referred you to PolicifyAI, used for aggregated traffic analysis only.
3.4 Usage and analytics data
  • Pages visited and features used — collected via Google Analytics 4 (ID: G-HJZPJ8BDC5) and PostHog (EU region). Used only in anonymised, aggregated form.
  • Generation counts and subscription events — tracked in our Supabase database to enforce plan limits and identify product usage patterns.
  • Click events and UI interactions — captured by PostHog to understand how users navigate the product and where friction occurs.
3.5 Payment and billing data
  • Stripe customer ID — a tokenised reference to your billing record in Stripe. We store this to manage your subscription and resolve billing queries.
  • Subscription tier and billing history — the plan you are on, billing amounts, and invoice dates. Stored to provide customer support and comply with HMRC requirements.
  • Billing name and billing email — the name and email on your Stripe billing record, used for invoicing. May differ from your account email.

We never see, store, or process your full card number, CVV, expiry date, or bank account details. These go directly to Stripe under PCI-DSS Level 1 standards.

3.6 Embed and site data
  • Site keys (pk_*) — unique keys issued to your account for the embed script. Stored in Supabase. Do not contain personal data.
  • Embed script access logs — standard server logs generated when your published policies are served to your website visitors. Contains IP addresses and timestamps. Retained for 30 days.

5. How we use your data

We use your personal data for the following specific purposes:

5.1 Service delivery
  • Authenticating your identity and maintaining secure sessions via Supabase Auth.
  • Generating AI-powered policy documents based on your inputs.
  • Storing, displaying, and serving your generated policies within the platform and via the embed script.
  • Enforcing your subscription plan's generation limits and quotas.
5.2 Account management
  • Processing subscription upgrades, downgrades, and cancellations.
  • Sending transactional emails: payment receipts, subscription confirmations, password reset links, account security alerts, and policy update notifications.
  • Providing customer support and responding to queries.
5.3 Security and fraud prevention
  • Detecting and blocking automated abuse, credential stuffing, and other malicious activity.
  • Monitoring for unusual account activity or generation patterns that may indicate fraud.
  • Responding to security incidents and notifying affected users where required.
5.4 Product improvement
  • Analysing aggregated, anonymised usage data to identify which features are most used and where users encounter friction.
  • Understanding which policy types, jurisdictions, and industries are most commonly generated, to prioritise product development.
  • Conducting A/B tests on UI flows to improve conversion and user experience.
5.5 Marketing communications (opt-in)
  • Sending product update emails and feature announcements to users who have opted in, or to existing customers under PECR soft opt-in rules.
  • We do not send cold outreach to purchased or rented lists. PolicifyAI does not build advertising profiles or sell your data to ad networks for our own purposes. Note that Google Analytics 4 (used with your consent) is operated by Google LLC as an independent controller and may process data for Google's own purposes — see Section 7.2 for details.

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.

6. AI processing and your inputs

When you generate a policy, your inputs (company name, website URL, industry, jurisdiction selections, and any additional context) are transmitted to an AI provider to produce a draft. The following safeguards apply:

6.1 AI providers we use
  • Anthropic (Claude API) — primary AI provider, based in the United States. We hold a Data Processing Agreement with Anthropic that prohibits your inputs and generated outputs from being used to train their foundation models.
  • OpenRouter — US-based AI model routing service used as a fallback provider. Subject to the same no-training-use contractual restrictions.
6.2 What is transmitted to AI providers

Only your generation wizard inputs are sent to AI providers. We do not transmit your email address, name, billing information, or account credentials. The inputs sent are limited to: business name, website URL, industry, jurisdiction selections, and any additional context you enter.

6.3 No training use

Our agreements with Anthropic and OpenRouter explicitly prohibit the use of your prompt inputs or model outputs to train, fine-tune, or improve their foundation models. Where technically supported, we route requests with zero-retention headers, meaning your inputs are not logged or retained by the provider beyond the duration of the API call.

6.4 Storage of generated policies

After generation, the resulting policy text is stored in your Supabase account under Row-Level Security (RLS). This means only you (and PolicifyAI staff with your explicit support consent) can access your generated content. No other user or process can read your policies.

6.5 AI limitations

AI-generated policy documents are templates. They may not reflect the latest legal developments in every jurisdiction and are not a substitute for legal advice. You remain solely responsible for reviewing and validating generated content before relying on it or publishing it.

7. Cookies and tracking technologies

We use the following categories of cookies and tracking technologies on policifyai.com:

7.1 Strictly necessary cookies

These are essential for the platform to function. They are set automatically when you access the Service and cannot be disabled without preventing you from logging in or using core features.

  • sb-*-auth-token — Supabase JWT session token. Keeps you logged in. Expires after 7 days of inactivity.
  • sb-*-code-verifier — Supabase PKCE code verifier for OAuth flows. Session-scoped.
  • __stripe_mid — Stripe merchant identifier. Used for financial fraud prevention. Expires after 1 year.
  • __stripe_sid — Stripe session identifier. Used for payment session continuity. Expires after 30 minutes.
7.2 Analytics cookies (consent required)

These are only set with your explicit consent via our cookie banner. They allow us to understand how users interact with the platform. PolicifyAI does not build advertising profiles, sell your data, or share it with advertising networks for our own purposes.

Important — Google Analytics dual-controller notice: Google Analytics 4 is operated by Google LLC as an independent (or joint) data controller. When you consent to analytics cookies, anonymised usage data is transmitted to Google's servers in the United States. Google may process this data for its own purposes under Google's Privacy Policy, which may include improving Google's products and services and, depending on your Google account settings, personalised advertising. PolicifyAI does not control Google's independent processing. You can opt out of Google Analytics tracking globally via the Google Analytics Opt-out Browser Add-on.

  • _ga — Google Analytics 4 (G-HJZPJ8BDC5). Distinguishes unique visitors. IP addresses are anonymised before transmission to Google. Expires after 2 years.
  • _ga_HJZPJ8BDC5 — Google Analytics session tracker. Expires after 2 years.
  • ph_* — PostHog product analytics (EU Frankfurt region). Captures feature usage events. Data stays within the EU. Expires after 1 year.
7.3 Functional storage
  • policify-theme — Stores your Dark/Light mode preference in browser localStorage.
  • policify-cookie-consent — Records whether you have accepted or declined non-essential cookies.
7.4 Managing cookies

You can manage your cookie preferences at any time via the cookie settings link in the footer. You may also use your browser settings to block or delete cookies. Blocking strictly necessary cookies will prevent you from logging into your account. We respect the Global Privacy Control (GPC) signal — if your browser sends a GPC header, we will disable all non-essential cookies automatically.

See our Cookie Policy for the full list of cookies and detailed management instructions.

8. Sharing your data with third parties

We share your personal data only with the sub-processors necessary to operate the Service. We do not sell, rent, or trade your personal data. Below is a summary of each sub-processor and what data they receive:

  • Vercel (US, global edge network) — hosts the PolicifyAI web application and serverless functions. Receives request metadata including IP addresses, user-agents, and request paths. Also provides Vercel Analytics and Vercel Speed Insights for aggregate performance monitoring.
  • Supabase / AWS eu-west-2 (EU, London) — our primary database, authentication provider, and file storage. Holds your account data, generated policies, site keys, and subscription records. All data is encrypted at rest (AES-256) and protected by Row-Level Security.
  • Anthropic (US) — receives your policy generation inputs (business name, industry, jurisdiction, context) via the Claude API to produce AI-generated policy drafts. Subject to a zero-retention / no-training-use agreement.
  • OpenRouter (US) — used as a fallback AI model routing service. Receives the same generation inputs under the same data protection terms as Anthropic.
  • Stripe (US) — processes all subscription payments. Receives your billing name, email address, and tokenised card details. PCI-DSS Level 1 certified. We store only your Stripe customer ID and billing history summary.
  • Resend (US) — delivers all transactional and marketing emails. Receives your email address and the content of the emails we send (receipts, alerts, announcements).
  • Google LLC — Google Analytics 4 (US) — collects anonymised page-view and usage event data with IP anonymisation enabled (consent-gated). Google acts as an independent (or joint) data controller and may process data for its own purposes under Google's Privacy Policy, including product improvements and (depending on user account settings) advertising personalisation. PolicifyAI does not control Google's independent processing. Analytics cookies are only set with your explicit consent.
  • PostHog (EU, Frankfurt) — collects anonymised product usage events and feature interaction data. Hosted on PostHog Cloud EU to keep analytics data within the EU.

We may also disclose personal data if required by applicable law, court order, or valid legal process, or to protect the rights, property, or safety of PolicifyAI, its users, or the public.

See our full sub-processors list for complete details including transfer mechanisms.

9. International data transfers

Some of our sub-processors (Anthropic, OpenRouter, Stripe, Resend, Google Analytics, Vercel) are based in or process data in the United States, which does not have an EU/UK adequacy decision covering all commercial transfers. The following safeguards govern these transfers:

  • EU Standard Contractual Clauses (SCCs) — for transfers from the EEA to the US, we rely on the SCCs approved by the European Commission under Decision 2021/914 (Module 2: controller-to-processor, or as incorporated into each provider's standard DPA).
  • UK International Data Transfer Agreement (IDTA) — for transfers from the UK to the US, we rely on the IDTA issued by the ICO under Section 119A of the Data Protection Act 2018, or the ICO's International Data Transfer Addendum to the EU SCCs.
  • Supabase / AWS eu-west-2 — our database is hosted on Supabase's EU region, backed by AWS in the eu-west-2 (London) region. Data stored in Supabase remains within the EU/UK except where transferred to AI providers during generation, as described in section 6.
  • PostHog — we use PostHog's EU Cloud (Frankfurt) to keep analytics data within the EEA.

On request, copies of the applicable SCCs, IDTA, or transfer impact assessments can be provided by emailing [email protected].

10. Payments and billing

All payments are processed by Stripe, Inc. (US), a PCI-DSS Level 1 certified payment processor. When you enter your payment details on PolicifyAI, those details are transmitted directly to Stripe's secure servers. PolicifyAI never sees, processes, or stores your full card number, CVV, expiry date, or bank account details.

The billing data we store in our own database is limited to:

  • Your Stripe customer ID (a reference token, not your card details)
  • Your subscription plan (free, one-time-pro, monthly-unlimited, yearly-unlimited, agency-starter, agency-growth, agency-pro, or enterprise)
  • Your subscription status (active, cancelled, past-due)
  • Your billing history — invoice amounts and dates, used for customer support and HMRC compliance
  • Your billing email address — the email used for Stripe invoices

For any billing queries, including requesting copies of invoices or raising a dispute, email [email protected]. Stripe's own Privacy Policy is available at stripe.com/privacy.

11. Data retention periods

We retain your personal data only for as long as necessary for the purposes set out in this policy, or as required by law. The following retention periods apply:

| Data category | Retention period | Basis |
|---|---|---|
| Account data (email, name) | Until account deletion, then deleted immediately | Contract performance |
| Generated policies | Until account deletion, then deleted within 30 days | Contract performance |
| Embed script access logs | 30 days rolling | Legitimate interests (security) |
| Analytics data (GA4, PostHog) | Up to 26 months (GA4 default); 1 year (PostHog) | Consent |
| Payment records & invoices | 7 years from invoice date | Legal obligation (HMRC) |
| Stripe billing records | 7 years from invoice date | Legal obligation (HMRC) |
| Security/fraud logs | 90 days | Legitimate interests (security) |
| Login & session history (IP, device, times, pages, duration) | 12 months, then deleted | Legitimate interests (security) |
| Email marketing preferences | Until unsubscribed or account deleted | Consent / legitimate interests |

You can delete your account at any time from your Dashboard → Settings page. Upon deletion, your account data and generated policies are removed from the live database immediately. Policy files in storage are purged within 30 days. Financial records required by HMRC are retained for 7 years regardless of account deletion — these are stored in Stripe and our billing record system only.

12. Your rights under UK/EU GDPR & CCPA

You have the following rights in relation to your personal data. To exercise any of these rights, email [email protected] or visit our DSAR page. We respond within 30 calendar days (extendable to 3 months for complex requests).

  • Right of access (Art 15 UK/EU GDPR) — You may request a copy of all personal data we hold about you, including what categories of data, for what purposes, who it has been shared with, and retention periods.
  • Right to rectification (Art 16) — You may correct inaccurate or incomplete personal data. Most account data can be updated directly in your Dashboard → Settings.
  • Right to erasure / "right to be forgotten" (Art 17) — You may request deletion of your personal data. Exceptions apply where we are required to retain data by law (e.g. HMRC financial records for 7 years).
  • Right to restriction of processing (Art 18) — You may request that we pause processing your data while a rights request is assessed or a dispute is being resolved.
  • Right to data portability (Art 20) — You may request a machine-readable export of your personal data in JSON format. Available via Dashboard → Settings → Export.
  • Right to object (Art 21) — You may object to processing based on our legitimate interests or where processing is for direct marketing purposes. Objections to direct marketing are always honoured.
  • Right to withdraw consent (Art 7(3)) — Where processing is based on consent (e.g. analytics cookies), you may withdraw that consent at any time via cookie settings or by emailing [email protected].
  • Rights related to automated decision-making (Art 22) — We do not make solely automated decisions that produce legal or similarly significant effects on individuals.

You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk, telephone 0303 123 1113. In the EU, you may contact the supervisory authority in your member state of habitual residence.

13. Security

We apply industry-standard technical and organisational security measures to protect your personal data against unauthorised access, accidental loss, or destruction. These include:

13.1 Encryption
  • At rest: All database volumes are encrypted using AES-256 via Supabase, which is backed by AWS eu-west-2.
  • In transit: TLS 1.3 is enforced between your browser and our servers, between our servers and sub-processors, and between sub-processors where supported.
  • Password hashing: Account passwords are hashed with bcrypt before storage. Plaintext passwords are never stored.
13.2 Access controls
  • Row-Level Security (RLS): Supabase RLS policies ensure that no user can access another user's data at the database level.
  • Minimal access: PolicifyAI personnel cannot read your generated policies without explicit support access granted by you.
  • OAuth 2.0 / PKCE: Authentication flows use industry-standard OAuth 2.0 with PKCE to prevent token interception attacks.
13.3 Infrastructure security
  • Vercel: Application hosting with automatic DDoS protection, edge-level WAF, and SOC 2 Type II certification.
  • Supabase: SOC 2 Type II certified, with automatic backups, point-in-time recovery, and private networking.
  • Dependency management: We apply regular dependency updates and security patches.
13.4 Incident response

We maintain a written incident response procedure. In the event of a personal data breach, we will notify affected individuals and the ICO (or relevant supervisory authority) within 72 hours of becoming aware, as required by UK/EU GDPR.

To report a suspected security vulnerability, email [email protected]. See our Security page for our responsible disclosure programme.

14. Age requirement (18+)

The PolicifyAI Service is intended exclusively for users who are at least 18 years old. By creating an account or using the Service, you confirm that you are 18 years of age or older. We do not knowingly collect personal data from individuals under 18 years of age.

If you believe that a person under the age of 18 has created an account with us, please contact us at [email protected] and we will take prompt action to investigate and delete the account and all associated personal data.

15. California (CCPA/CPRA) disclosures

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights in relation to your personal information.

15.1 Categories of personal information collected

In the preceding 12 months, we have collected the following CCPA categories of personal information:

  • Identifiers — email address, account ID, IP address
  • Internet or electronic network activity — pages visited, features used, session data
  • Commercial information — subscription plan, billing history
  • Professional or employment-related information — company name, industry (entered by you as business context)
15.2 We do not sell or share personal information

We do not sell your personal information to third parties for money or other valuable consideration. We do not share your personal information with third parties for cross-context behavioural advertising. We do not use or disclose sensitive personal information for purposes beyond those permitted by the CPRA.

15.3 Your California rights
  • Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete — request deletion of your personal information (subject to exceptions).
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt out of sale/sharing — we do not sell or share, so this right is not applicable, but you may still make a request.
  • Right to limit use of sensitive personal information — see our Limit Sensitive Information page.
  • Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.

To exercise your California rights, email [email protected] with the subject line "CCPA Request" or visit our DSAR page. We respond within 45 calendar days (extendable by a further 45 days for complex requests).

16. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or supervisory authority guidance. We will notify you of any material changes by:

  • Sending an email notice to the address on your account at least 30 days before changes take effect.
  • Displaying a prominent notice within the PolicifyAI platform at least 30 days before changes take effect.
  • Updating the "Last updated" date at the top of this page.

Continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. If you do not accept the changes, you may delete your account before the effective date.

17. Contact & supervisory authorities

For any privacy questions, data subject access requests, or concerns about how we handle your personal data:

We aim to respond to all privacy enquiries within 5 business days of receipt and to fulfil verified data subject requests within 30 calendar days.

Supervisory authorities
  • UK — Information Commissioner's Office (ICO): ico.org.uk, telephone 0303 123 1113, live chat available on the ICO website.
  • EU — your national supervisory authority: A list of EU data protection authorities is available at edpb.europa.eu.
  • California (CCPA): The California Privacy Protection Agency (CPPA) at cppa.ca.gov.