ParaplanAI
Trust centre: How we protect your data
Updated 23 June 2026

Built UK/EU. Encrypted, isolated, audited.

The short version: your clients’ data stays in the UK and EU, it’s encrypted, each firm is walled off from every other, and every calculation is reproducible.

— 01

Security controls

What we have in place.

Grouped by area. Each item is something the product does today.

01 · Access & authentication

Sign-in is passwordless and access follows least privilege.

  • Passwordless sign-in — magic-link and single sign-on (Google / Microsoft). No passwords are stored.
  • Role-based access: only firm owners manage billing, team seats and deletion.
  • Sensitive actions are rate-limited to deter abuse.
  • Production access is tightly scoped, and non-production test paths cannot run in production.

02 · Encryption & data protection

Client data is encrypted everywhere it lives and moves.

  • Encrypted in transit with modern TLS, and encrypted at rest.
  • Sensitive client information is additionally encrypted at the application layer (AES-256) before it reaches the database.
  • The calculation engine and the PDFs it produces work from an anonymised client reference — never the underlying personal data.
  • Uploaded documents are held in encrypted storage.

03 · Tenant isolation

Your firm’s data is strictly separated from every other firm’s.

  • Per-firm isolation is enforced at the database layer, so one firm can never read another firm’s records.
  • The application independently re-checks ownership on every request, as defence in depth.
  • Isolation is verified automatically and continuously.
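As an added illustration of the two layers described above (this is example code, not ParaplanAI's own; the table layout, firm ids and client references are constructed for it), the Python below simulates the database-layer control with a repository that has no way to issue an unscoped query, re-checks ownership in the request handler as a second layer, and runs the kind of automated isolation check a test suite would execute on every build:

```python
import sqlite3

# Constructed sample data: two firms, three client records. The table, the firm
# ids and the client references are assumptions for this example.
SAMPLE_CLIENTS = [(1, 100, "ref-a"), (2, 100, "ref-b"), (3, 200, "ref-c")]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, firm_id INTEGER NOT NULL, client_ref TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO clients (id, firm_id, client_ref) VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    return conn


class FirmScopedRepo:
    """Layer 1: the only way to read client rows. Every statement is bound to the
    caller's firm_id, so no code path exists that issues an unscoped query."""

    def __init__(self, conn: sqlite3.Connection, firm_id: int):
        self._conn = conn
        self._firm_id = firm_id

    def get_client(self, client_id: int):
        row = self._conn.execute(
            "SELECT id, firm_id, client_ref FROM clients WHERE id = ? AND firm_id = ?",
            (client_id, self._firm_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "firm_id": row[1], "client_ref": row[2]}

    def list_clients(self) -> list:
        rows = self._conn.execute(
            "SELECT id, firm_id, client_ref FROM clients WHERE firm_id = ?", (self._firm_id,)
        ).fetchall()
        return [{"id": r[0], "firm_id": r[1], "client_ref": r[2]} for r in rows]


class Forbidden(Exception):
    """Raised for any record the caller's firm does not own (or that does not exist)."""


def fetch_client(conn: sqlite3.Connection, session_firm_id: int, client_id: int) -> dict:
    """Layer 2: the request handler re-checks ownership of the row it got back.
    This can only fail if layer 1 regresses, which is exactly when it matters."""
    client = FirmScopedRepo(conn, session_firm_id).get_client(client_id)
    if client is None or client["firm_id"] != session_firm_id:
        # Same outcome whether the id belongs to another firm or does not exist,
        # so the response reveals nothing about other firms' record ids.
        raise Forbidden(f"client {client_id} is not visible to firm {session_firm_id}")
    return client


def can_read(conn: sqlite3.Connection, session_firm_id: int, client_id: int) -> bool:
    try:
        fetch_client(conn, session_firm_id, client_id)
        return True
    except Forbidden:
        return False


def isolation_holds(conn: sqlite3.Connection) -> bool:
    """Automated isolation check: everything each firm can see through the repo
    belongs to that firm, and the per-firm views together account for every row."""
    firm_ids = [r[0] for r in conn.execute("SELECT DISTINCT firm_id FROM clients")]
    total = conn.execute("SELECT COUNT(*) FROM clients").fetchone()[0]
    seen = 0
    for firm_id in firm_ids:
        for client in FirmScopedRepo(conn, firm_id).list_clients():
            if client["firm_id"] != firm_id:
                return False
            seen += 1
    return seen == total


if __name__ == "__main__":
    db = open_db()
    print(fetch_client(db, 100, 1))   # {'id': 1, 'firm_id': 100, 'client_ref': 'ref-a'}
    print(can_read(db, 100, 3))       # False: record 3 belongs to firm 200
    print(isolation_holds(db))        # True
```

In a Postgres deployment the first layer would normally be row-level security keyed on the session's firm id rather than a repository class; the shape of the defence in depth, a database-side scope plus an independent application-side check, is the same.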

04 · Data handling & GDPR

We hold the minimum a defensible calculation needs, and delete the rest quickly.

  • Uploaded source documents are automatically and permanently deleted within 24 hours.
  • You control retention: delete any client, policy or calculation on demand, and set how long finalised calculations are kept (six years by default). You are the controller of your client data; we are the processor.
  • One-click erasure of a firm and its client data.
  • Data-minimisation by design — we never require client names, NI numbers or addresses to run a calculation.
  • Machine-readable data export on demand.
  • Consent-gated, privacy-respecting analytics; anonymous by default.
  • Personal-data breaches notified within 72 hours (UK GDPR Art. 33).
  • Written Data Processing Agreements in place with our providers.

05 · Application security

The application is built so untrusted input can’t do harm.

  • All input is validated against strict schemas at the boundary.
  • Database access is parameterised — no injection through string-built queries.
  • Uploaded files and firm branding are sanitised before they are ever rendered.
  • Payment webhooks are signature-verified.
  • Secrets are never stored in source code, and secret comparisons are timing-safe.
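The following Python is an added example, not ParaplanAI's code, showing three of the controls listed above working together on one inbound request: a payment webhook is signature-verified with a timing-safe comparison, its body is validated against a strict schema, and the event is stored through a parameterised statement. The header layout (`t=<unix ts>,v1=<hex hmac>`), the secret and the event shape are assumptions for this example, not any real provider's scheme.

```python
import hashlib
import hmac
import json
import sqlite3
import time

# Constructed example. The header layout ("t=<unix ts>,v1=<hex hmac>") and the
# secret are assumptions for this example, not any real provider's scheme.
WEBHOOK_SECRET = b"whsec_example_only_not_real"
MAX_SKEW_SECONDS = 300

# Strict boundary schema: exactly these keys, exactly these types.
EVENT_SCHEMA = {"id": str, "type": str, "firm_id": int, "status": str}


def sign(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """The signature a provider would attach: HMAC-SHA256 over "<ts>.<body>".
    Binding the timestamp stops a captured event being replayed later."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, header: str, now: int, secret: bytes = WEBHOOK_SECRET) -> bool:
    """True only for a fresh event whose signature matches the raw body."""
    try:
        parts = dict(p.split("=", 1) for p in header.split(","))
        ts = int(parts["t"])
        presented = parts["v1"].encode()
    except (ValueError, KeyError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign(body, ts, secret).encode()
    # compare_digest takes the same time however many leading bytes match, so
    # response timing leaks nothing about the correct signature.
    return hmac.compare_digest(expected, presented)


def validate_event(payload) -> dict:
    """Reject anything that is not exactly the expected shape before it is used."""
    if not isinstance(payload, dict) or set(payload) != set(EVENT_SCHEMA):
        raise ValueError("event does not match schema")
    for key, typ in EVENT_SCHEMA.items():
        if type(payload[key]) is not typ:
            raise ValueError(f"{key}: expected {typ.__name__}")
    return payload


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscription_events (id TEXT PRIMARY KEY, firm_id INTEGER, status TEXT)"
    )
    return conn


def handle_webhook(conn: sqlite3.Connection, body: bytes, header: str, now: int) -> str:
    """Returns 'rejected', 'invalid', 'duplicate' or 'stored'."""
    if not verify_webhook(body, header, now):
        return "rejected"        # unsigned, forged, stale, or body altered in flight
    try:
        event = validate_event(json.loads(body))   # JSONDecodeError is a ValueError
    except ValueError:
        return "invalid"         # genuinely signed, but not a shape we accept
    # Parameterised statement: values travel separately from the SQL text, so a
    # status such as "x); DROP TABLE subscription_events; --" is stored as data.
    try:
        conn.execute(
            "INSERT INTO subscription_events (id, firm_id, status) VALUES (?, ?, ?)",
            (event["id"], event["firm_id"], event["status"]),
        )
    except sqlite3.IntegrityError:
        return "duplicate"       # idempotent: a redelivered event id is ignored
    return "stored"


def stored_status(conn: sqlite3.Connection, event_id: str):
    row = conn.execute("SELECT status FROM subscription_events WHERE id = ?", (event_id,)).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    db = open_db()
    now = int(time.time())
    body = json.dumps({"id": "evt_1", "type": "subscription.updated", "firm_id": 42, "status": "active"}).encode()
    header = f"t={now},v1={sign(body, now)}"
    print(handle_webhook(db, body, header, now))          # stored
    print(handle_webhook(db, body, header, now))          # duplicate
    print(handle_webhook(db, body + b" ", header, now))   # rejected
```

Note that verification runs over the raw request bytes, before any JSON parsing: parsing first and re-serialising would change whitespace and key order and make a valid signature fail, and it would also let a malformed body reach the parser before its origin is known.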

06 · Auditability & integrity

Every figure we produce can be reproduced — that’s the core of the product.

  • Sensitive actions are recorded in an append-only audit log.
  • Every calculation is replayable: the full inputs, the versioned rules and each step are stored with the result.
  • The calculation engine is deterministic and tested to the penny against HMRC’s worked examples — see /trust.
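To make the replayability and append-only claims concrete, here is an added example in Python (not ParaplanAI's engine or log, and the rule numbers are constructed placeholders, not HMRC rules): a deterministic integer-pence calculation pinned to a rules version, a hash-chained audit log in which each entry commits to the previous one, and a replay check that re-runs the stored inputs under the stored rules and compares every step.

```python
import hashlib
import json

# Constructed, versioned rule sets. The numbers are illustrative only and are NOT
# HMRC rules; the point is that every result pins the rules version it used.
RULES = {
    "2024-v1": {"allowance_pence": 1_257_000, "rate_permille": 200},
    "2025-v1": {"allowance_pence": 1_257_000, "rate_permille": 210},
}

GENESIS = "0" * 64


def canonical(obj) -> bytes:
    """Stable serialisation (fixed key order and spacing) so hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def calculate(inputs: dict, rules_version: str) -> dict:
    """Deterministic engine: integer pence throughout, no floats, no clock, no I/O.
    The same inputs under the same rules version always give identical steps."""
    rules = RULES[rules_version]
    steps = []
    taxable = max(0, inputs["income_pence"] - rules["allowance_pence"])
    steps.append({"step": "taxable", "value_pence": taxable})
    # round half-up to the penny using integer arithmetic only
    charge = (taxable * rules["rate_permille"] + 500) // 1000
    steps.append({"step": "charge", "value_pence": charge})
    return {"result_pence": charge, "steps": steps}


class AuditLog:
    """Append-only, hash-chained log. Each entry commits to the previous entry's
    hash, so editing or removing any earlier entry breaks verify_chain()."""

    def __init__(self):
        self._entries = []

    def append(self, actor: str, action: str, record: dict) -> str:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {"seq": len(self._entries), "actor": actor, "action": action,
                 "record": record, "prev": prev}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self._entries.append(entry)
        return entry["hash"]

    def entries(self) -> list:
        return [json.loads(canonical(e)) for e in self._entries]   # deep copies

    def verify_chain(self) -> bool:
        prev = GENESIS
        for e in self._entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def finalise(log: AuditLog, actor: str, client_ref: str, inputs: dict, rules_version: str) -> dict:
    """Run the engine and store the full inputs, the rules version and every step
    with the result. client_ref is the anonymised reference, never personal data."""
    record = {"client_ref": client_ref, "inputs": inputs, "rules_version": rules_version,
              **calculate(inputs, rules_version)}
    log.append(actor, "calculation.finalised", record)
    return record


def replay(record: dict) -> bool:
    """Re-run the stored inputs under the stored rules version and confirm the
    result and every intermediate step match what was recorded."""
    fresh = calculate(record["inputs"], record["rules_version"])
    return fresh["result_pence"] == record["result_pence"] and fresh["steps"] == record["steps"]


if __name__ == "__main__":
    log = AuditLog()
    rec = finalise(log, "paraplanner@firm.example", "client-ab12", {"income_pence": 5_000_000}, "2024-v1")
    print(rec["result_pence"])   # 748600
    print(replay(rec))           # True
    print(log.verify_chain())    # True
```

Two design points carry the weight here: the engine has no hidden inputs (no clock, no floats, no lookups outside the pinned rules version), which is what makes replay meaningful years later, and the record stores the rules version rather than a copy of the rules, so a later rule change can never silently alter a finalised figure.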

07 · Reliability & continuity

Deliberate about recovery, export, and what happens if we ever stop.

  • Managed database with point-in-time recovery.
  • Portable data export at any time.
  • Any output PDF can be re-generated from its audit record.
  • A minimum six-month wind-down commitment, with the deterministic calc engine published as open source if we ever close down.
— 02

Where your data lives

UK/EU, end to end.

All client data is stored and processed entirely within the UK and EU — at every stage, from upload through calculation to the finished PDF. It is never transferred outside the UK or EU.

Billing is handled by our payments provider, which receives subscription details only and never your client data. A current list of named sub-processors is available on request and in our Data Processing Agreement.

— 03

Retention

Three buckets, you in control.

Source documents are deleted fast; the structured figures and the calc that consumed them are yours to keep or delete; the output PDF is held with its record so it can be re-fetched. You are the controller — we don’t impose a retention period on you.

— 01 · Source documents
24 hours

Uploaded PDFs (P60, PSS, chargeable-event certificates) are parsed, then permanently deleted from UK-region object storage 24 hours later. An hourly cron enforces the cutoff; nothing carries over between paraplanner sessions.

— 02 · Your records
You decide

Clients, policies and calculations are yours to delete — one click, whenever you want. You hold your own FCA record; we never force a period on you. Finalised calculations you keep are auto-retained for the window your firm sets (six years by default), then deleted. Drafts you never finalise are removed after 90 days.

— 03 · Output PDFs
With the record

The compliance annex you download stays available so it can be re-fetched without re-running the calc. It is kept alongside its calculation under your firm’s retention policy, and goes the moment you delete the record — export it first if you need a copy.

Finalised calculations are kept for the period your firm sets — six years by default — then deleted automatically; delete any of them sooner whenever you want. See the data-minimisation page.

— 04

Questions

Security FAQs.

Where is our client data held?

Everything in the client-data path stays within the UK and EU — from upload, through document extraction and calculation, to the finished PDF. Nothing in that path leaves the UK or EU.

Is client data encrypted?

Yes. Client data is encrypted in transit with modern TLS and at rest, and the most sensitive fields are additionally encrypted at the application layer (AES-256) so the database alone cannot read them.

How long do you keep uploaded documents?

Uploaded source documents are automatically and permanently deleted within 24 hours. Only the structured figures you confirm are kept — and those are yours to delete on demand, or to retain for the period your firm sets (six years by default) before they are deleted automatically.

Who can see our client data?

Only your firm. Data is strictly isolated per firm, and the calculation engine itself only ever works from an anonymised client reference — never the underlying personal data.

Does the AI provider store or train on our documents?

No. Document extraction runs within the EU as a stateless service: your document is processed and then discarded — never retained after the request, and never used to train any model.

— 05

Documents + contact

The paperwork, and how to reach us.

Breach notification. Under UK GDPR Art. 33 we notify the ICO of any personal-data breach within 72 hours of detection, and affected firms directly within the same window where the risk is high.

Responsible disclosure. Report a suspected security issue to info@paraplanai.co.uk. We acknowledge within one business day and will not pursue good-faith research that respects client data.