Privacy
Your documents, your control.
Last updated: 15 June 2026
Compliance professionals deserve to know exactly what happens to the files they upload. Here is the short version, followed by the full notice required under UK GDPR.
Processed in-memory
Uploads go directly into a server function as a byte buffer. We do not write the file to disk or any third-party storage. When the function returns, the buffer is garbage-collected with the request.
30-minute maximum retention
For any transient artefact we may briefly hold (for example, a generated labelled PDF awaiting your download), we enforce a hard 30-minute purge ceiling. Most are gone within seconds.
We store findings, not text
We retain the AI's structured findings (quote snippets, framework, citations) so you can revisit a report later. We do not retain the full body of your document, and you can delete any saved report from your dashboard at any time.
No model training on your uploads
We use the Lovable AI Gateway with providers whose terms prohibit training on customer data. Your documents are never used to improve any model.
1. Who is the controller
Policly is operated as a sole trader by Callum Lewis Hendry, based in the United Kingdom. Callum Lewis Hendry is the data controller for personal data processed through Policly. Contact: privacy@policly.io.
2. What we collect and why
Account data
- Name, email address, hashed password (or Google sign-in identifier).
- Purpose: create and secure your account, sign you in, contact you about the service.
- Legal basis: performance of our contract with you.
Usage data
- Page views, session identifier, country (from IP), referrer, broad device class (mobile / desktop / bot).
- Per-document metadata: filename, finding count, timestamp.
- Purpose: quota enforcement, abuse prevention, product analytics.
- Legal basis: legitimate interests in running a secure, improving service.
Document content
- The text you submit for classification, processed in-memory only (see above).
- Structured findings derived from it (quotes, framework references, citations) are stored against your account so you can revisit reports.
- Purpose: provide the service you've asked for.
- Legal basis: performance of our contract with you.
Payment data
- We do not store card details. Paddle (our Merchant of Record) collects and processes payment information directly.
- We receive purchase confirmations, subscription status, and a Paddle customer/subscription ID.
- Legal basis: performance of our contract with you; compliance with tax and accounting law.
Support & feedback
- Anything you send through the feedback form or by email.
- Legal basis: legitimate interests in providing support.
3. Who we share data with
We only share personal data with the following categories of recipient:
- Paddle — our Merchant of Record. Handles checkout, payments, subscription management, invoicing, and tax compliance. See Paddle's privacy notice.
- Supabase — managed database, authentication, and storage hosting (EU region).
- Cloudflare — edge hosting and DDoS protection for the application.
- Lovable AI Gateway — routes prompts to AI providers (OpenAI, Google) under terms that prohibit training on customer data.
- Email delivery — Resend, for transactional emails (auth, receipts).
- Professional advisers — accountants, legal advisers, where strictly needed.
- Authorities — where required by law (court order, regulatory request).
We do not sell your personal data and we do not share it for third-party advertising.
4. International transfers
Some of our providers process data outside the UK/EEA (notably US-based AI providers reached via the Lovable AI Gateway). Where this happens, transfers are protected by appropriate safeguards — UK IDTA, EU Standard Contractual Clauses, or an adequacy decision.
5. How long we keep data
- Document text: discarded on response (always under 30 minutes; usually within seconds).
- Saved findings and reports: until you delete them or close your account.
- Account data: while your account is active, plus 30 days after closure.
- Billing records: 6 years, to comply with UK tax and accounting law.
- Usage / analytics logs: 13 months, then aggregated or deleted.
6. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Have inaccurate data corrected.
- Have your data erased (subject to legal retention obligations).
- Restrict or object to certain processing.
- Receive your data in a portable format.
- Withdraw consent where processing relies on it.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
To exercise any of these, email privacy@policly.io. We aim to respond within one month.
7. Security
We use TLS in transit, hosted infrastructure with encryption at rest, strict role-based access, and row-level security on application data. Passwords are hashed using industry-standard algorithms. No system is perfectly secure — please notify us promptly of any suspected vulnerability.
8. Cookies
We use only essential cookies and local storage required to keep you signed in and to remember your session for our internal analytics. We do not use third-party advertising or cross-site tracking cookies.
9. Limitations to know
- Policly is decision-support — not a substitute for a classifying authority or qualified counsel.
- For UK defence work involving SECRET or above material, do not upload here; use your authority's accredited tools.
- We log minimal usage metadata (timestamp, filename, finding count) for quota enforcement and abuse prevention.
10. Changes
We'll update this notice when our practices change. We will notify you of material changes by email or in-app notice at least 14 days before they take effect.