Privacy Policy

Guram Bedoidze, trading as UKContracts.uk ("we", "us", "our"), is the controller of your personal data under the UK GDPR and the Data Protection Act 2018.

• Sole trader: Guram Bedoidze
• Trading name: UKContracts.uk
• Address: Shartava Street 43, Tbilisi 0160, Georgia
• ICO registration: ZC133755
• UK Representative (Art. 27 UK GDPR): We are in the process of designating an Article 27 UK Representative. Until then, address all UK GDPR enquiries to privacy@ukcontracts.uk.
• Contact for data requests: privacy@ukcontracts.uk

We collect the following categories of personal data:

• Account data: name, email address, password (hashed), billing address, country. If you sign in with Google we additionally receive your Google profile picture URL, your Google account ID, and the locale Google has on file for you.
• Document data: the information you enter into our forms to generate documents (this may include personal details of third parties).
• Payment data: we use Paddle to process payments; we do not store full card details.
• Usage data: IP address, device information, pages visited, timestamps, referrer.
• Email signups: your email if you sign up for launch notifications or newsletters.

We process your data for the following purposes:

• To provide the service — generating, storing, and delivering documents you request. Lawful basis: performance of a contract.
• To take payment — via Paddle. Lawful basis: performance of a contract.
• To communicate with you — service announcements, password resets, security alerts. Lawful basis: legitimate interest.
• For marketing — newsletters and product updates. Lawful basis: consent. You can unsubscribe at any time.
• To comply with legal obligations — tax records, anti-money-laundering checks. Lawful basis: legal obligation.
• To improve the service — analytics, debugging. Lawful basis: legitimate interest.

We use a small number of essential cookies to operate the service. Where we use analytics cookies, we ask for your consent first. See our Cookie Policy for the full list.

If you enter information about other people (such as employees, tenants, or counterparties) into our forms, you must have a lawful basis to do so under the UK GDPR. UKContracts.uk processes that data on your behalf as a data processor; you are the data controller in respect of that data.

We share your data only with:

• our hosting and infrastructure providers (Vercel, Supabase) — to run the service;
• Anthropic Inc. (Claude API) — to power AI generation, with no use of your data for model training;
• Paddle.com Market Limited — to process payments;
• Resend — to deliver transactional emails;
• Google LLC — only when you choose to sign in with Google. We share your sign-in request with Google's OAuth service; in return we receive the basic profile fields listed in section 2. We do not share your document content or any other personal data with Google.
• HMRC, regulators, courts — where legally required;
• professional advisors (accountants, solicitors) — under confidentiality obligations.

Some of our processors are based outside the UK (notably the United States). Where data is transferred outside the UK, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses (with UK Addendum), or applicable adequacy decisions. Google LLC is certified under the UK extension to the EU-US Data Privacy Framework and we rely on that certification together with the UK IDTA for transfers in respect of Google Sign-In.

• Account data: while you have an account and for 6 years after closure (for tax/legal records).
• Generated documents: while stored in your account, until you delete them.
• Payment records: 6 years (HMRC requirement).
• Email signups: until you unsubscribe.
• Server logs: 30 days.

Under the UK GDPR you have the right to:

• access your personal data;
• have inaccurate data corrected;
• have data erased (right to be forgotten);
• restrict or object to processing;
• data portability;
• withdraw consent at any time;
• complain to the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email privacy@ukcontracts.uk. We will respond within 30 days.

We use encryption in transit (TLS 1.3) and at rest, role-based access controls, audit logging, and regular security reviews. No system is 100% secure; if a personal data breach occurs that is likely to result in a risk to your rights, we will notify you and the ICO within 72 hours as required by law.

We may update this policy from time to time. Material changes will be notified to you by email or in-app.