Uploaded PDFs (P60, PSS, chargeable-event certificates) are parsed, then permanently deleted from UK-region object storage 24 hours later. An hourly cron enforces the cutoff; nothing carries over between paraplanner sessions.
ParaplanAI · privacy policy
Privacy policy.
What we collect, why we collect it, who else sees it, how long we keep it, and what you can ask us to do with it. Written for UK advisers and the clients you serve.
Last updated · 23 June 2026
1 · Who we are
ParaplanAI (the “Service”) is operated as a sole trader in the United Kingdom under the trading name ParaplanAI by a working UK paraplanner at a regulated UK firm. The operator’s identity is available to professional bodies and prospective firms on request via info@paraplanai.co.uk; contracts and data-protection agreements are entered into under the trading name ParaplanAI. We are the data controller for the personal data we collect from you when you create an account. We act as a data processor, on behalf of your firm as controller, for personal data your firm uploads about its end clients.
Contact: info@paraplanai.co.uk.
2 · What we collect
2.1 · Account data (controller)
When you sign up:
- Email address (used for sign-in and notifications).
- Firm name + the role you hold (owner / adviser / paraplanner).
- Optional: firm branding (a logo and brand colour, stored inline against your firm record).
- Billing data — handled by our payments processor, see §4. We never see your card details.
- Authentication events (sign-ins, OAuth callbacks) — retained for security forensics (90 days, see §6), then purged.
2.2 · Client data (processor)
When your firm runs a calculation for an end client, the firm uploads or types in figures about that client. ParaplanAI does not require the client’s name, NI number, address, or any other directly-identifying field to function. We strongly recommend you use only an anonymised client reference (e.g. JS-2026-04-12).
Where your firm chooses to upload identifying information into free-text fields or via document upload, that information is encrypted at rest and in transit. The calculation engine and generated PDFs operate on the anonymised reference only — they never see PII.
2.3 · Uploaded documents
P60s, pension scheme statements, chargeable-event certificates, and other source documents you upload for figure-extraction are stored in UK/EU-region encrypted object storage. To lift the structured figures off each document we use a large language model hosted on Amazon Web Services (AWS) in the EU (AWS Bedrock). The document is processed in-region; it is not transmitted outside the UK / EU.
What the AI provider does with the document. The model runs as a managed, stateless service. Your document and the figures returned from it are not stored by the model provider after the request completes, and are never used to train any model. The same applies to Pan, our read-only query assistant — it runs on the same EU-hosted service and computes nothing itself. Processing is covered by a Data Processing Agreement with the provider.
Retention on our side: 24 hours. An hourly automated job permanently deletes uploaded source PDFs from our UK/EU-region object storage 24 hours after upload. The structured figures extracted from them (and the calculation that consumed those figures) are retained for audit per §6. The output PDF (the compliance annex you download) is held for 30 days by default and can be re-fetched without re-running the calc.
See /data-minimisation for the full picture — what we hold, what we deliberately don't hold (NINO, address, employer, scheme references), and how the three retention buckets fit together.
3 · Legal basis
Our lawful bases under UK GDPR Article 6:
- Performance of contract (Art 6(1)(b)) for providing the calculator, audit trail, and PDF outputs you have subscribed to.
- Legitimate interests (Art 6(1)(f)) for operational security logs, abuse prevention, and aggregated non-identifying usage telemetry. Our legitimate interests assessment is on file; available on request.
- Your firm's instructions as controller (Art 28) for keeping calculation records for the retention period your firm chooses (six years by default). Your firm holds its own FCA SYSC 9 record-keeping obligation; we retain on its behalf and delete when it tells us to or when the period lapses.
- Legal obligation (Art 6(1)(c)) for our own records — e.g. a six-year record of paid invoices for HMRC.
4 · Who else sees your data (sub-processors)
We use sub-processors under written Data Processing Agreements (UK GDPR Article 28). Categories of recipients:
- Hosting and infrastructure — application server, database, and file storage, hosted on UK / EU infrastructure (AWS and EU-region managed services).
- AI document-extraction — source PDFs are sent to an EU-hosted AI provider (AWS Bedrock) for figure-extraction only (see §2.3). The provider does not retain documents after the request or train on customer data.
- Payments — subscription billing handled by a PCI-compliant payments processor. It receives billing data only — never your client data — and we never see your card details.
- Transactional email — sign-in links and member invitations, via an EU-resident email provider. Email addresses only.
- Analytics — anonymous product analytics by default (no IP, no person profile); identified analytics only after consent. Hosted in the EU.
- Error monitoring — server-side error reporting, EU-hosted. Financial figures and client references are stripped before transmission.
We host on UK / EU infrastructure throughout. The full named list of the sub-processors we currently engage — with the purpose and data location of each — is set out below. This is our UK GDPR Article 30 record of processing activities, disclosed under Article 28(2). The same list is reproduced in our Data Processing Agreement. The ParaplanAI–to–your-firm DPA is at /legal/dpa.
Sub-processors · last updated 23 June 2026
| Sub-processor | Purpose | Data processed | Location / region | Last updated |
|---|---|---|---|---|
| Supabase (Supabase Inc.) | Managed database, authentication and encrypted file storage | Account data; encrypted client records; uploaded source documents (24-hour retention) | UK / EU — London (AWS eu-west-2) | 23 Jun 2026 |
| Vercel (Vercel Inc.) | Application hosting and content delivery | Application traffic and request metadata; no client data stored at rest | EU region (Frankfurt) for compute; global edge for static assets | 23 Jun 2026 |
| Amazon Web Services (AWS) — Lambda | Compliance-annex PDF rendering (self-hosted WeasyPrint service) | Annex HTML built from the anonymised client reference — never client PII | EU — Frankfurt (AWS eu-central-1) | 23 Jun 2026 |
| Anthropic (Anthropic PBC) — AI model | Document figure-extraction and the Pan query assistant (LLM) | Uploaded source documents and the figures lifted from them; not retained after the request, never used for training | EU — accessed in-region via AWS Bedrock (eu-west-2 / eu-central-1); document content does not leave the UK / EU | 23 Jun 2026 |
| Amazon Web Services (AWS) — Bedrock | EU-region transport for the Anthropic model | Uploaded source documents and extracted figures; not retained after the request, never used for training | EU — London / Frankfurt (AWS eu-west-2 / eu-central-1) | 23 Jun 2026 |
| Stripe (Stripe Payments Europe Ltd.) | Subscription billing and payment processing | Billing contact and subscription details; card data handled by Stripe directly — never your client data | EU (Ireland), with onward transfers under Stripe’s own approved safeguards | 23 Jun 2026 |
| AhaSend (AhaSend B.V.) | Transactional email (sign-in links, invitations, receipts, service notices) | Recipient email address and message content only | EU — Netherlands | 23 Jun 2026 |
| PostHog (PostHog, Inc.) | Product analytics | Anonymous page-views by default; identified usage events only after consent. Email is one-way hashed; financial inputs and client references are stripped before send | EU (eu.i.posthog.com) | 23 Jun 2026 |
| Sentry (Functional Software, Inc.) | Server-side error monitoring | Error and diagnostic events with PII removed at source — financial figures, client references, emails, NINOs, addresses are scrubbed before transmission | EU region | 23 Jun 2026 |
AI-transport residency note. Document extraction and Pan use a single Anthropic model, accessed in-region through AWS Bedrock in the UK / EU — document content does not leave the UK / EU. The document and the figures returned from it are processed statelessly: not retained after the request and never used to train any model.
We give at least 14 days’ notice of any new or replaced sub-processor via your dashboard before it begins processing, so you can object. This list is maintained under UK GDPR Articles 28(2) and 30.
5 · International transfers
We do not transfer client personal data outside the UK / EU. Everything in the client-data path — the database, file storage, AI figure-extraction (AWS Bedrock), PDF rendering, analytics, and error monitoring — is hosted and processed within the UK and EU.
The only data that touches a non-UK/EU service is billing: our payments processor operates internationally under its own approved transfer safeguards, and it receives subscription and billing details only — never the client data your firm uploads.
6 · Retention
- Uploaded source documents — 24 hours from upload, then permanently deleted by an hourly automated job. Tightened from the previous 30-day window: the structured figures extracted from each document are the canonical artefact, so the raw bytes don't need to linger.
- Parsed extractions (the structured figures lifted from each document) — part of the client record, which is yours to delete on demand. Otherwise kept for the period your firm sets (see “Calculation records”).
- Output PDFs (the compliance annex you download) — kept alongside the calculation they belong to, and deleted with it (or whenever you delete the record). Any PDF can be re-rendered from the calculation record while it exists.
- Calculation records (inputs, intermediate steps, configured tax-year rules, output) — you can delete these on demand. Finalised (signed) calculations you keep are retained for the window your firm configures — six years by default — then deleted automatically. Drafts you never finalise are removed after 90 days.
- Account email + firm record — for the lifetime of the subscription. On closure we return or delete your firm's client data on its instruction (UK GDPR Art 28); account/billing identifiers are then anonymised.
- Billing records — held by Stripe per their retention policy; we retain a six-year record of paid invoices for HMRC (our own legal obligation).
- Sign-in logs — 90 days, then purged.
Clients, policies and calculations are yours to delete — one click, whenever you want. You hold your own FCA record; we never force a period on you. Finalised calculations you keep are auto-retained for the window your firm sets (six years by default), then deleted. Drafts you never finalise are removed after 90 days.
The compliance annex you download stays available so it can be re-fetched without re-running the calc. It is kept alongside its calculation under your firm’s retention policy, and goes the moment you delete the record — export it first if you need a copy.
The full data-minimisation story — what we hold, what we don't.
7 · Your rights
Under UK GDPR you have the right to:
- Ask what data we hold about you (Article 15 — subject access).
- Have inaccurate data corrected (Article 16).
- Have your data erased (Article 17 — “right to be forgotten”); you can delete your client records yourself at any time (see below).
- Have processing restricted (Article 18).
- Take your data elsewhere in a machine-readable format (Article 20 — portability).
- Object to processing based on legitimate interests (Article 21).
- Withdraw consent at any time, where we are relying on it (Article 7).
Self-serve deletion. Any firm member can delete a client, policy, calculation or draft on demand — it is hard-deleted, along with any stored documents and PDFs. Firm owners can delete the whole firm and its client PII from Settings → Firm → Danger zone. We don't hold your records beyond what you choose: finalised calculations are kept only for the window your firm configures (six years by default), and you can export anything you want to keep before deleting.
Self-serve data export. Subject access (Art. 15) and portability (Art. 20) are available at Settings → Account → Export my data. The ZIP arrives by email within a few minutes (signed download link valid for 7 days). For corrections, restriction, or anything else, email info@paraplanai.co.uk and we will respond within 30 days. We will not charge for the first request in any 12-month period.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO): ico.org.uk/concerns · 0303 123 1113.
8 · Security
All personal data is encrypted in transit (TLS 1.3) and at rest. Client PII is encrypted at the application layer (AES-256-GCM) before storage, so the database alone is not sufficient to decrypt it, and the calculation engine never sees it. Database row-level security policies enforce firm-level isolation on every read and write — your firm cannot read another firm’s rows. Sign-in is passwordless (magic-link + Google / Microsoft OAuth); we store no passwords.
In the event of a data breach affecting personal data, we will notify the ICO within 72 hours per Article 33, and affected individuals without undue delay per Article 34.
The full control set — encryption, tenant isolation, data residency, auditability and continuity — is documented on our security page.
9 · Cookies and tracking
Without consent we set essential cookies only: the Supabase authentication session cookie that keeps you signed in. This is required for the Service to function.
Analytics (EU-hosted). We use an EU-hosted product analytics tool. By default we capture anonymous page-views only — no IP retention, no person profile, no fingerprinting — which is permitted under PECR and UK GDPR because no individual is identified. Identified product analytics (calc-runs, billing events, settings changes, tied to your account) flow only after you accept on the cookie banner shown on first paint. Rejecting keeps you on the anonymous-only path. We do not load third-party advertising trackers and we do not sell data. Our analytics provider is listed as a sub-processor in §4.
10 · Children
ParaplanAI is a professional tool for UK financial advisers and accountants. It is not designed for or marketed to people under 18.
11 · Changes to this policy
We may update this policy. Material changes will be flagged on your dashboard for at least 14 days before they take effect, and we will email account owners. The “Last updated” date at the top of this page is the canonical version date.
See also: Terms of service · Data Processing Agreement · Security · Data minimisation · Back to ParaplanAI.