Privacy Policy

Last updated:

1. Introduction

We (“we”, “us”, “our”) provides a subscription integrity monitoring service (“Service”) designed to compare Stripe subscription data with internal entitlement data to detect mismatches and revenue drift.

We are committed to protecting personal data in accordance with UK GDPR and the Data Protection Act 2018. This Privacy Policy explains how we process personal data when you use our Service.

2. Who We Are

For data protection purposes:

• We act as Data Controller for account and administrative data.
• We act as Data Processor for customer data processed through the Service.

3. Information We Collect

A. Account & Administrative Data (Controller)

We collect:

• Name
• Company name
• Business email address
• Workspace identifiers
• Login metadata
• Billing information (if applicable)

Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR).

B. Service Data (Processor)

When you connect Stripe or upload data via CSV or Agent, we may process:

• Customer email addresses
• Subscription identifiers
• Stripe subscription status
• Payment status
• Internal entitlement identifiers
• Timestamps
• Monetary amounts
• Internal user IDs

We do not:

• Access or store card numbers
• Modify Stripe data
• Modify internal systems
• Enforce entitlements
• Perform automated write-back actions

The Service operates in a strictly read-only capacity.

Legal basis: Performance of a contract with the Customer.

4. Purpose of Processing

We process personal data solely to:

• Compare subscription records across systems
• Detect mismatches
• Generate integrity reports
• Provide audit visibility

We do not sell data, use data for advertising, train AI models using customer data, or profile end users.

5. Data Retention

We retain:

• Account data for the duration of your subscription
• Workspace data while active
• Archived reports as long as the workspace remains active

Upon termination or upon request, workspace data may be deleted subject to legal obligations and operational requirements necessary to provide the Service.

6. Subprocessors

We use infrastructure providers such as cloud hosting providers, database providers, and monitoring providers. All subprocessors are subject to contractual data protection obligations consistent with UK GDPR.

A list of current subprocessors is available upon request.

7. International Transfers

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

• UK Addendum to Standard Contractual Clauses
• Adequacy decisions

8. Security

We implement appropriate technical and organisational measures, including:

• Encryption in transit (TLS)
• Encrypted storage of API keys
• Access controls
• Least-privilege internal access
• Deterministic, read-only architecture

No system can guarantee absolute security, but we apply commercially reasonable safeguards.

9. Data Subject Rights

Where applicable, individuals have rights to access, rectification, erasure, restriction, and objection.

Where we act as Data Processor, requests should be directed to the relevant Data Controller (our Customer). Individuals may also complain to the Information Commissioner’s Office (ICO).

10. Changes

We may update this policy from time to time. Material changes will be communicated via the Service.