Privacy Policy
Last updated: 8 January 2026
1. Introduction
PolicyPlus ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our policy management software service (the "Service").
We are the data controller for the purposes of UK data protection legislation. If you have any questions about this Privacy Policy, please contact us at privacy@policyplus.com.
2. Information We Collect
2.1 Information You Provide
We collect information that you provide directly to us:
- Account Information: Name, email address, password, and studio/organization details
- Member Information: Names, email addresses, and contact details of your members that you input into the Service
- Policy Content: Policies, waivers, and other documents you create or upload
- Payment Information: Billing details processed securely through Stripe (we do not store complete payment card details)
- Communications: Information you provide when contacting our support team
2.2 Information Collected Automatically
When you use the Service, we automatically collect:
- Usage Data: Pages visited, features used, time spent on pages, and interaction with the Service
- Device Information: Browser type, operating system, device identifiers, and IP address
- Log Data: Server logs including access times, errors, and system activity
- Cookies: Session cookies for authentication and functional cookies for user preferences
2.3 Policy Acceptance Data
When members accept policies through the Service, we record:
- Digital signature (typed name)
- Date and time of acceptance
- IP address
- User agent (browser/device information)
- Policy version accepted
This information is collected to provide a legally defensible audit trail and is essential for the Service's core functionality.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Service Provision
- To provide, maintain, and improve the Service
- To process and complete transactions
- To send policy acceptance requests to members
- To generate audit reports and maintain acceptance records
- To provide customer support
3.2 Communication
- To send administrative information, updates, and security alerts
- To respond to your inquiries and requests
- To send marketing communications (with your consent, where required)
3.3 Legal Compliance and Security
- To comply with legal obligations
- To detect, prevent, and address fraud, security issues, and technical problems
- To protect the rights, property, and safety of PolicyPlus, our users, and the public
3.4 Legal Basis (UK GDPR)
We process your personal data under the following legal bases:
- Contract Performance: Processing necessary to provide the Service you've requested
- Legitimate Interests: To improve our Service, prevent fraud, and ensure security
- Legal Obligation: To comply with applicable laws and regulations
- Consent: For marketing communications and non-essential cookies (where applicable)
4. How We Share Your Information
We do not sell your personal data. We share information only in the following circumstances:
4.1 Service Providers
We share data with trusted third-party service providers:
- Supabase: Database and authentication services (EU servers)
- Stripe: Payment processing (PCI-DSS compliant)
- Resend: Transactional email delivery
- Vercel: Application hosting and infrastructure
All service providers are contractually obligated to protect your data and use it only for the purposes we specify.
4.2 Policy Recipients
When you send policies for acceptance, we share the policy content and acceptance request with the email addresses you specify (your members). This is essential to the Service's functionality.
4.3 Legal Requirements
We may disclose information if required by law or where necessary to:
- Respond to legal process or government requests
- Enforce our terms and conditions
- Protect the rights, property, or safety of PolicyPlus, our users, or others
4.4 Business Transfers
If PolicyPlus is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
5. Data Retention
We retain your information for as long as necessary to:
- Provide the Service to you
- Comply with legal obligations (e.g., audit trail requirements)
- Resolve disputes and enforce our agreements
Policy Acceptance Records: Due to their legal importance, acceptance records (including digital signatures, timestamps, and IP addresses) are retained for 7 years after account closure unless you request earlier deletion and we have no legal obligation to retain them.
Account Data: When you close your account, we delete or anonymize your personal data within 90 days, except where retention is required by law.
6. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit (TLS/SSL) and at rest
- Secure authentication with industry-standard protocols
- Regular security assessments and updates
- Access controls and principle of least privilege
- Database backups and disaster recovery procedures
While we strive to protect your personal data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
7. Your Rights (UK GDPR)
Under UK data protection law, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data (subject to legal retention requirements)
- Right to Restrict Processing: Request limitation on how we use your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for marketing purposes
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, please contact us at privacy@policyplus.com. We will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your data properly: ico.org.uk
8. International Data Transfers
Your data is primarily stored within the UK/EU. Where we use service providers located outside the UK/EU, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the UK ICO
- Adequacy decisions recognizing equivalent data protection standards
- Other lawful transfer mechanisms as permitted by UK GDPR
9. Children's Privacy
The Service is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.
Note for Studio Operators: When collecting policy acceptances from minors (under 18), ensure you have appropriate parental/guardian consent as required by law.
10. Cookies and Tracking
We use cookies and similar technologies:
Essential Cookies
Required for the Service to function (authentication, security). These cannot be disabled.
Analytics Cookies
Help us understand how users interact with the Service (if implemented, with appropriate consent mechanisms).
You can control cookies through your browser settings. Disabling essential cookies may impact Service functionality.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last updated" date
- Sending an email notification for significant changes
Your continued use of the Service after changes take effect constitutes acceptance of the revised Privacy Policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Email: privacy@policyplusapp.com
Data Protection Officer: dpo@policyplusapp.com