Privacy policy.

ParaplanAI (the “Service”) is operated by Harry Donnelly, trading as ParaplanAI, in the United Kingdom. We are the data controller for the personal data we collect from you when you create an account. We are a joint data processor (with your firm, as controller) for personal data your firm uploads about its end clients.

ICO data-controller registration: [TBC — pending registration]. Once filed, the registration number will appear here and in the footer of every page.

Contact: hello@paraplanai.co.uk.

2.1 · Account data (controller)

When you sign up:

• Email address (used for sign-in and notifications).
• Firm name + the role you hold (owner / adviser / paraplanner).
• Optional: firm branding (a logo and brand colour, stored inline against your firm record).
• Billing data — handled by Stripe, see §4. We never see your card details.
• Authentication events (sign-ins, OAuth callbacks) — kept by Supabase Auth for 90 days for security forensics.

2.2 · Client data (processor)

When your firm runs a calculation for an end client, the firm uploads or types in figures about that client. ParaplanAI does not require the client’s name, NI number, address, or any other directly-identifying field to function. We strongly recommend you use only an anonymised client reference (e.g. JS-2026-04-12).

Where your firm chooses to upload identifying information into free-text fields or via document upload, that information is encrypted at rest using AES-256-GCM with a key your firm shares only with our application boundary. The calculation engine and generated PDFs operate on the anonymised reference only — they never see PII.

2.3 · Uploaded documents

P60s, pension scheme statements, chargeable-event certificates, and other source documents you upload for figure-extraction are stored in UK-region encrypted object storage. We use Anthropic’s Claude API to extract structured figures; the source PDF is sent to Anthropic for that single call only. See §5.

Document retention: 30 days. A daily automated job permanently deletes uploaded PDFs older than 30 days. The structured figures extracted from them (and the calculation that consumed those figures) are retained for audit per §6.

Our lawful bases under UK GDPR Article 6:

• Performance of contract (Art 6(1)(b)) for providing the calculator, audit trail, and PDF outputs you have subscribed to.
• Legitimate interests (Art 6(1)(f)) for operational security logs, abuse prevention, and aggregated non-identifying usage telemetry. Our legitimate interests assessment is on file; available on request.
• Legal obligation (Art 6(1)(c)) for retention of calculation audit records per FCA SYSC 9 (six-year minimum for records produced for regulated advice).

The following organisations process personal data on our behalf under written Data Processing Agreements (Article 28). They are bound by the same standards we are.

• Supabase Inc. — Postgres database, authentication, file storage. Data hosted in our UK / EU region.
• Vercel Inc. — application hosting + CDN. Application served from European edge nodes; database calls go to UK / EU.
• Anthropic PBC — document figure-extraction (Claude API). Source PDFs sent for the duration of the extraction call only. Anthropic’s API does not train on customer prompt data.
• Stripe, Inc. — subscription billing. Stripe is independently regulated and acts as a controller for card-payment data.
• Resend — transactional email (sign-in links, member invites). Email metadata only.
• Sentry (Functional Software Inc.) — server-side error reporting. Email, client references, and financial figures are stripped client-side before transmission per our scrubber configuration. Hosted in the EU region.
• Vercel Web Analytics — anonymous page-view counters (no cookies, no IP retention beyond 30 days).

DPAs with Supabase and Anthropic are linked from supabase.com/legal/dpa and anthropic.com/legal/dpa respectively.

Anthropic is a US company. When you submit a document for extraction, the PDF is processed in the United States under the UK Extension to the EU–US Data Privacy Framework (Anthropic is DPF-certified). Standard Contractual Clauses apply as a fallback mechanism. All other sub-processors operate within the UK / EU.

• Uploaded source documents — 30 days from upload, then permanently deleted.
• Calculation records (inputs, intermediate steps, configured tax-year rules, output) — six years from creation, per FCA SYSC 9.
• Account email + firm record — for the lifetime of the subscription, plus six years after cancellation. After that, anonymised.
• Billing records — held by Stripe per their retention policy; we retain a six-year record of paid invoices for HMRC.
• Sign-in logs — 90 days, then purged.

Under UK GDPR you have the right to:

• Ask what data we hold about you (Article 15 — subject access).
• Have inaccurate data corrected (Article 16).
• Have your data erased (Article 17 — “right to be forgotten”), subject to our regulatory retention obligations under §6.
• Have processing restricted (Article 18).
• Take your data elsewhere in a machine-readable format (Article 20 — portability).
• Object to processing based on legitimate interests (Article 21).
• Withdraw consent at any time, where we are relying on it (Article 7).

Self-serve deletion. Firm owners can delete the firm and its client PII directly from Settings → Firm → Danger zone. Client PII is hard-deleted immediately on submission; the calc-run audit trail is retained for six years (FCA SYSC 9). For any other request — subject access, correction, portability, restriction — email hello@paraplanai.co.uk and we will respond within 30 days. We will not charge for the first request in any 12-month period.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO): ico.org.uk/concerns · 0303 123 1113.

All personal data is encrypted in transit (TLS 1.3) and at rest (AES-256). Application-layer encryption is applied to free-text client fields before storage; the encryption key is held outside the database. Database row-level security policies enforce firm-level isolation on every read and write. Two-factor authentication is available on every account via OAuth providers.

In the event of a data breach affecting personal data, we will notify the ICO within 72 hours per Article 33, and affected individuals without undue delay per Article 34.

We set essential cookies only by default: the Supabase authentication session cookie that keeps you signed in. This is required for the Service to function.

We do not load third-party advertising trackers. Vercel Web Analytics uses a cookie-free fingerprint and does not retain IP addresses beyond 30 days.

If we later add an analytics product that requires consent (e.g. PostHog session-replay), a cookie banner will be shown on first paint and your choice persisted. For now, the cookie banner simply informs you of the essential cookie above.

ParaplanAI is a professional tool for UK financial advisers and accountants. It is not designed for or marketed to people under 18.

We may update this policy. Material changes will be flagged on your dashboard for at least 14 days before they take effect, and we will email account owners. The “Last updated” date at the top of this page is the canonical version date.