Privacy Notice

Last updated: 1 March 2025

This privacy notice explains how Peredur collects, uses, shares, and protects your personal data when you use our website and services. Please read it carefully.

1. Data controller

The data controller for your personal data is Peredur Ltd, registered in England and Wales. Our registered office is [Address]. You can contact our Data Protection Officer at privacy@peredur.co.uk.

2. What data we collect

We collect the minimum data necessary to provide our services. This includes:

  • Account data: Email address and password (hashed) when you register. Optional: name, profession, and language preference.
  • Usage data: Pages visited, features used, and session duration — collected pseudonymously via server logs and analytics.
  • Triage and form data: Answers you give to triage questions and form guidance tools. This data is associated with your account so you can save and resume progress.
  • Percy AI conversations: Questions you ask Percy and the responses given. Conversations are pseudonymised; we apply automated PII scrubbing before storage.
  • Payment data: If you subscribe to the Professional tier, payment is processed by Stripe. We do not store card numbers; we receive only a Stripe customer ID.
  • Technical data: IP address, browser type, device type, and approximate location (country/region) — used for security and fraud prevention.

3. Lawful basis for processing

We rely on the following lawful bases under Article 6 UK GDPR:

  • Contract: Processing necessary to provide the services you have signed up for, including account management and triage tools.
  • Legitimate interests: Improving our platform, preventing fraud, and ensuring security — where our interests are not overridden by your rights.
  • Legal obligation: Retaining certain records as required by tax law, company law, and HMRC requirements.
  • Consent: Marketing emails and optional analytics cookies. You can withdraw consent at any time.

Where we process special category data (for example, information about domestic abuse situations that you share voluntarily), we rely on Article 9(2)(a) UK GDPR (explicit consent) and, where applicable, Article 9(2)(f) (legal claims).

4. How we use your data

We use your personal data to:

  • Provide and personalise our guidance and triage services
  • Operate Percy, our AI assistant, and improve its accuracy over time
  • Manage your account, subscriptions, and billing
  • Send service-related communications (e.g. password reset, subscription receipts)
  • Send marketing emails, with your consent (you can unsubscribe at any time)
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with our legal obligations
  • Improve our platform based on aggregated, anonymised usage data

5. Who we share your data with

We do not sell your personal data. We share data only with trusted processors who help us deliver our services:

  • Supabase — database and authentication hosting (EU region)
  • Stripe — payment processing
  • Anthropic — AI model provider for Percy (queries are pseudonymised before sending)
  • Sentry — error monitoring (pseudonymised data only)
  • Vercel — hosting and CDN

We may also disclose data where required by law or to protect the safety of a person (for example, if we receive a court order or if there is a credible immediate risk to life).

6. Data retention

  • Account data: Retained for the duration of your account plus 2 years after deletion (for dispute resolution and legal obligation compliance).
  • Percy conversation logs: Retained for 12 months after the conversation, then automatically deleted. Anonymised aggregate statistics may be retained indefinitely.
  • Triage and form data: Retained for the duration of your account. Deleted when you delete your account.
  • Billing records: Retained for 7 years in compliance with HMRC requirements for financial records.
  • Server logs: Retained for 90 days, then automatically purged.

7. Your rights

Under UK GDPR, you have the following rights:

  • Right of access (Article 15): You can request a copy of the personal data we hold about you. We will respond within one calendar month.
  • Right to rectification (Article 16): You can ask us to correct inaccurate personal data.
  • Right to erasure (Article 17): You can request deletion of your personal data in most circumstances. We will delete your account and associated data within 30 days of a verified request.
  • Right to restriction of processing (Article 18): You can ask us to restrict how we process your data in certain circumstances.
  • Right to data portability (Article 20): You can request a machine-readable export of the data you have provided to us directly.
  • Right to object (Article 21): You can object to processing based on legitimate interests, including profiling. You can also opt out of marketing at any time.
  • Rights related to automated decision-making (Article 22): We do not make solely automated decisions with legal or significant effects on you.

To exercise any of these rights, email privacy@peredur.co.uk. We may need to verify your identity before actioning your request.

8. Cookies

We use essential cookies (for authentication and security) and, with your consent, analytics cookies. You can manage your cookie preferences at any time via the cookie settings link in the footer. Strictly necessary cookies cannot be disabled without breaking the service.

We also set a lang cookie to remember your language preference (English or Welsh). This cookie does not track you and expires after one year.

9. Complaints

If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. You can contact the ICO at 0303 123 1113 or at ico.org.uk/make-a-complaint. We would ask that you contact us first at privacy@peredur.co.uk so that we have an opportunity to address your concern.

10. Changes to this notice

We may update this privacy notice from time to time. Material changes will be notified to registered users by email at least 14 days before they take effect. The last updated date at the top of this page will always reflect the current version. Continued use of Peredur after a change takes effect constitutes acceptance of the updated notice.