Privacy Policy
Last updated: March 2026
CDS (Custom Development Solutions) Ltd ("we", "us", "our") operates the Complaiance platform (complaiance.co.uk). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service.
We are the data controller for the personal data we process about you. We are registered in England and Wales.
Contact: privacy@complaiance.co.uk
1. What Personal Data We Collect
Data you provide directly
- Account information: Full name, email address, password (hashed, never stored in plain text)
- Company information: Company name, registered address, industry, employee count
- HR settings: Holiday entitlement, probation period, notice periods, pension provider, and other employment-related settings you configure
- Document data: Information you enter when generating documents (employee names, job titles, salaries, dates, and other details entered into questionnaire forms and merge fields)
- Chat messages: Questions you ask the AI HR assistant and the responses generated
- Payment information: Processed by our payment provider Stripe. We do not store your full card details — only the last four digits and card type for your reference.
Data we collect automatically
- Usage data: Pages visited, features used, documents generated, session duration
- Device and browser information: IP address, browser type and version, operating system, screen resolution
- Cookies: See Section 8 (Cookies) below
Data we do not collect
- We do not collect special category data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation) unless you voluntarily include such information in document fields or chat messages.
- We do not collect data about your employees directly. Any employee information you enter (names, salaries, etc.) is provided by you as the data controller for your employees' data.
2. How We Use Your Data
We process your personal data for the following purposes and on the following lawful bases under UK GDPR:
| Purpose | Lawful Basis (Article 6) |
|---|---|
| Creating and managing your account | Performance of contract |
| Generating HR documents (policies, contracts, letters) | Performance of contract |
| Providing AI HR assistant responses | Performance of contract |
| Processing payments and managing your subscription | Performance of contract |
| Sending essential service communications (password resets, account changes, subscription confirmations) | Performance of contract |
| Monitoring and improving the platform's performance and reliability | Legitimate interest |
| Detecting and preventing fraud and security threats | Legitimate interest |
| Responding to your support enquiries | Legitimate interest |
| Sending marketing communications about Complaiance features and updates | Consent (you can withdraw at any time) |
| Complying with legal obligations (tax records, regulatory requirements) | Legal obligation |
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you. The AI HR assistant provides guidance based on your questions but does not make decisions about you or your employees.
3. How We Share Your Data
We share your personal data only with the following categories of recipients, and only to the extent necessary:
| Recipient | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting and authentication | EU (London region) |
| Anthropic PBC | AI processing for the HR assistant and document generation | United States (with appropriate safeguards) |
| OpenAI Inc. | Text embedding for search functionality | United States (with appropriate safeguards) |
| Vercel Inc. | Application hosting | EU (London region) |
| Stripe Inc. | Payment processing | United States (with appropriate safeguards) |
For transfers to the United States, we rely on the UK Extension to the EU-US Data Privacy Framework where the recipient is certified, or Standard Contractual Clauses (UK Addendum) where they are not.
We do not sell your personal data to third parties. We do not share your data with advertisers. We do not allow third parties to use your data for their own marketing purposes.
4. How We Protect Your Data
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit: All data is transmitted over HTTPS/TLS
- Encryption at rest: The database is encrypted at rest
- Access controls: Row-Level Security (RLS) ensures you can only access your own company's data. No other user can see your documents, chat history, or company information.
- Authentication: Secure password hashing, session management via secure HTTP-only cookies
- Infrastructure: Hosted on Vercel and Supabase with enterprise-grade security, SOC 2 compliance, and regular security audits by the hosting providers
- Minimal access: Only authorised CDS personnel can access production systems, and only for support and maintenance purposes
5. How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Account and company information | For the duration of your subscription, plus 30 days after account deletion |
| Generated documents | For the duration of your subscription. Deleted within 30 days of account deletion. |
| Chat conversations | For the duration of your subscription. Deleted within 30 days of account deletion. |
| Payment records | 7 years after the transaction (required by UK tax law) |
| Usage and analytics data | 12 months, then anonymised |
| Server logs | 90 days |
After the retention period, data is securely deleted or irreversibly anonymised.
6. Your Rights Under UK GDPR
You have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@complaiance.co.uk.
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your data (subject to legal retention requirements).
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
- Right to data portability: Request your data in a structured, commonly used, machine-readable format.
- Right to object: Object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
- Right to complain: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.
We will respond to your request within one month. In complex cases, we may extend this by a further two months, but we will inform you if this is necessary.
7. Data You Enter About Your Employees
When you use Complaiance to generate employment contracts, letters, or other HR documents, you may enter personal data about your employees (names, addresses, job titles, salaries, etc.).
You are the data controller for your employees' personal data. We process this data on your behalf as a data processor, solely for the purpose of generating the documents you request.
We recommend that you:
- Inform your employees that you use Complaiance to generate HR documents
- Include appropriate data processing information in your own employee privacy notice
- Only enter the minimum employee data necessary for the document being generated
If you require a formal Data Processing Agreement (DPA), please contact us at privacy@complaiance.co.uk.
8. Cookies
We use cookies and similar technologies on our platform. Here is what we use and why:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Session cookie | Keeps you logged in | Essential | Session (deleted when you close your browser) |
| Supabase auth token | Authentication | Essential | 1 hour (refreshed automatically) |
| Cookie consent preference | Remembers your cookie choice | Essential | 1 year |
We do not use advertising cookies, tracking cookies, or third-party analytics cookies.
If we introduce analytics in the future, we will update this policy and request your consent before setting any non-essential cookies.
9. AI Processing
Our AI HR assistant uses the Anthropic Claude API to generate responses to your questions and to assist in document generation.
When you use the AI assistant:
- Your question and relevant context (company name, employee count, industry) are sent to Anthropic's API
- Anthropic processes the data to generate a response and returns it to us
- We do not use your data to train AI models. Anthropic's API terms confirm that API inputs and outputs are not used for model training.
- AI responses are stored in your chat history within your account
The AI assistant provides general HR guidance, not legal advice. We recommend consulting a qualified solicitor for complex legal matters.
10. Children's Data
Complaiance is a business service intended for use by adults in a professional capacity. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a child, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by a prominent notice on the platform at least 14 days before the changes take effect.
The "Last updated" date at the top of this policy indicates when it was last revised.
12. Contact Us
If you have questions about this Privacy Policy or want to exercise your data protection rights:
- Email: privacy@complaiance.co.uk
- Post: CDS (Custom Development Solutions) Ltd, [registered address]
- ICO: If you are not satisfied with our response, you can contact the Information Commissioner's Office at ico.org.uk or call 0303 123 1113.