Privacy Policy
Last updated: 2 June 2026
ComplianceBot ("we", "us", "our") is operated by Caroleo Technology Ltd, a company registered in England and Wales. We are committed to protecting your personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
Caroleo Technology Ltd is the data controller responsible for your personal data. If you have questions about this policy, contact us at privacy@compliancebot.uk.
2. What Data We Collect
We collect and process the following personal data:
- Account information: Name, email address, and password (encrypted) when you register.
- Property data: Property addresses, tenant names, and rent due dates you enter.
- Documents: Compliance documents you upload (gas certificates, EICRs, EPCs, etc.) and any text extracted via OCR processing.
- Payment information: Processed securely by Stripe. We do not store your card details — only a Stripe customer reference.
- Usage data: Log data such as IP address, browser type, and pages visited for security and service improvement.
3. How We Use Your Data
We use your data to:
- Provide and maintain the ComplianceBot service, including document storage and expiry tracking.
- Process uploaded documents using Google Cloud Vision OCR to extract expiry dates.
- Process subscription payments via Stripe.
- Send you compliance alerts and service notifications.
- Improve and secure our service.
4. Legal Basis for Processing
We process your data under the following lawful bases:
- Contract: Processing necessary to provide the service you've signed up for.
- Legitimate interest: Service improvement, security, and fraud prevention.
- Consent: Where you've opted in to marketing communications (you can withdraw anytime).
5. Third-Party Processors
We use the following trusted third parties to deliver our service:
- Google Cloud (Vision API): For OCR text extraction from uploaded documents. Data is processed in accordance with Google's data processing terms.
- Stripe: For secure payment processing. Stripe is PCI DSS Level 1 certified.
- 20i: UK-based hosting provider where your data is stored on servers located in the United Kingdom.
6. Data Storage & Security
Your data is stored on secure UK-based servers provided by 20i. We implement appropriate technical and organisational measures including encrypted connections (HTTPS/TLS), encrypted password storage, and access controls. Documents are stored in private directories not accessible via the web.
7. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where we are required by law to retain it.
8. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict processing in certain circumstances.
- Port your data to another service.
- Object to processing based on legitimate interests.
To exercise any of these rights, email privacy@compliancebot.uk. We will respond within 30 days.
9. Cookies
We use only essential cookies, which are needed to maintain your login session and to protect against cross-site request forgery. We do not use advertising or tracking cookies.
10. Children's Privacy
ComplianceBot is not intended for individuals under 18. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this policy from time to time. Significant changes will be communicated via email or a notice on our website.
12. Complaints
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.