Privacy Policy
Last updated: 28 May 2026
1. Who we are
RightsReady ("we", "us", "our") is the data controller for personal data processed through this website and service. We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Legal entity: RightsReady (trading name). Companies House incorporation is in progress; the registered company name and number will be published here upon completion.
ICO Registration: ICO registration is in progress and will be completed prior to commercial-scale data processing. The registration reference will be published here upon completion.
Contact: For any data protection enquiries, please email info@rightsready.co.uk
2. Data we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, name | You, at registration |
| Property & tenancy data | Addresses, tenant names, rent amounts, dates | You, when generating documents |
| Generated documents | AI-generated document text | Our service |
| Billing data | Subscription status, Stripe customer ID | Stripe |
| Usage data | Page views, feature usage (aggregated, no personal identifiers) | Vercel Analytics |
3. Lawful basis for processing
| Processing activity | Lawful basis |
|---|---|
| Creating and managing your account | Performance of a contract (UK GDPR Art. 6(1)(b)) |
| Generating compliance documents | Performance of a contract (UK GDPR Art. 6(1)(b)) |
| Processing subscription payments | Performance of a contract (UK GDPR Art. 6(1)(b)) |
| Sending transactional emails | Legitimate interests (UK GDPR Art. 6(1)(f)) |
| Fraud prevention and security | Legitimate interests (UK GDPR Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (UK GDPR Art. 6(1)(c)) |
4. Sub-processors
We share your data with the following third-party sub-processors to deliver our service. All transfers to the USA are conducted under the UK International Data Transfer Agreement (UK IDTA) or equivalent safeguards.
| Sub-processor | Purpose | Location | Privacy information |
|---|---|---|---|
| Supabase Inc. | Authentication, database storage | USA (EU region available) | supabase.com/privacy |
| Stripe Inc. | Payment processing and billing | USA | stripe.com/privacy |
| Anthropic PBC | AI-assisted document generation — currently used only for the Compliance Checklist document type | USA | anthropic.com/privacy |
| Vercel Inc. | Web hosting and CDN | USA | vercel.com/legal/privacy-policy |
Note on Anthropic: Only the Compliance Checklist document type uses AI generation. When you generate a Compliance Checklist, the property address, tenant name, and other input data you provide are sent to Anthropic to produce the document text. All other document types are generated from statutory templates and your data is notsent to Anthropic. Do not include sensitive personal data beyond what is needed. Anthropic does not use your data to train its models by default — see Anthropic's privacy policy for details.
5. Data retention
| Data type | Retention period |
|---|---|
| Account & profile data | Until account deletion |
| Generated documents | Until you delete them or delete your account |
| Payment records | As required by Stripe and UK tax/accounting law (typically 7 years) |
| Aggregated analytics | Rolling 12 months |
6. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your data ("right to be forgotten"). You can exercise this from your account settings, or email us. Note: we may retain certain data required by law (e.g. financial records).
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to restriction: Request we restrict processing in certain circumstances.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any right, email info@rightsready.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
7. Cookies
We use strictly necessary session cookies for authentication only. We use Vercel Analytics, which is cookieless and collects no personally identifiable information. No consent banner is required.
8. Security
All data is encrypted in transit (TLS 1.2+) and at rest. Database access is restricted by row-level security policies. Stripe handles all payment card data and we never store card numbers.
9. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email or via a notice on the service. Continued use after changes constitutes acceptance.