Privacy Policy

How we collect, use, and protect your personal information

Version 1.0 | Last Updated: 1 February 2026 | Effective Date: 1 February 2026
ICO Registration Number: ZC087276

Data Controller Information

This Privacy Policy is provided by:

Magna Spero Ltd

Company Registration Number: 16649166

ICO Registration Number: ZC087276

Registered Office: 1 Harland Road, Lincoln, LN2 4GW, United Kingdom

Website: compliancetoolkit.co.uk

Email: privacy@compliancetoolkit.co.uk

Data Protection Contact: privacy@compliancetoolkit.co.uk

Magna Spero Ltd operates Compliance Toolkit, a comprehensive employment compliance assessment platform. We are committed to protecting your privacy and ensuring the security of your personal information. This policy applies to all users of our platform, including individual subscribers, consultants, and enterprise clients.

Introduction and Scope

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use Compliance Toolkit. It applies to all processing activities we undertake as a data controller and describes our practices when handling employee or client data on behalf of our enterprise and consultant customers.

This policy is designed to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Data (Use and Access) Act 2025 (DUA Act 2025).

Information We Collect

Personal Information You Provide

When you create an account or use our services, we collect:

  • Name, email address, and contact information
  • Company name and job title (for member accounts)
  • Account credentials and authentication data
  • Communication preferences

Employment Contract Processing

  • Secure Document Upload: Employment contracts are uploaded through encrypted connections and temporarily stored for analysis
  • AI-Powered Analysis: Contract content is processed by OpenAI's secure API to identify compliance gaps and legal risks
  • Report Generation: Professional compliance reports are generated and made available for download
  • Automatic Deletion: Original contracts are permanently deleted from our systems immediately after report generation

Assessment Data

  • Health & Safety questionnaire responses and compliance evaluation data
  • Performance & Operational survey responses and maturity assessments
  • Charity Governance survey responses

Usage Information

  • Platform usage patterns and feature interactions
  • Device information and browser details
  • IP address and general location data
  • Login activity for security purposes
  • Cookies and similar tracking technologies (see our Cookie Policy)

Analytics Data (With Consent)

With your consent, we use Microsoft Clarity to analyze how users interact with our platform. This includes page views, session duration, user behavior patterns, and navigation paths. You can control analytics cookies through our cookie consent banner.

How We Use Your Information

We process your personal information for the following purposes, based on the legal grounds specified:

Purpose | Data Processed | Legal Basis (UK GDPR)
Service provision and account management | Name, email, phone, account credentials | Contract (Article 6(1)(b))
Contract analysis and report generation | Uploaded documents, assessment responses | Contract (Article 6(1)(b))
Account verification and security | Email, IP address, login activity | Legitimate Interest (Article 6(1)(f))
Platform improvement and analytics | Usage patterns, feature interactions, analytics cookies | Consent (Article 6(1)(a)) - via cookie consent
Legal compliance and dispute resolution | All relevant personal data as required | Legal Obligation (Article 6(1)(c))

AI Processing and Automated Decision-Making

How We Use AI

Compliance Toolkit uses artificial intelligence to provide compliance guidance, contract analysis, and report recommendations. When you interact with our AI features:

  • Your query and document data are sent to OpenAI via encrypted API connection
  • OpenAI processes your data to generate analysis and recommendations
  • We use OpenAI's Enterprise API with data protection guarantees
  • OpenAI does not use your data to train their models

Important: Our AI provides advisory guidance only - it does not make automated decisions that have legal or similarly significant effects on you. All compliance assessments are recommendations that should be reviewed by qualified professionals.

Data Sharing

We may share your personal information with:

  • Service Providers: OpenAI (AI processing), AWS (hosting and storage), SendGrid (email), Neon (database hosting)
  • Partner Integrations: When you access via partner SSO (e.g., SwiftHR.ai), limited data is shared as described in the partner's privacy policy
  • Legal Requirements: When required by law, court order, or regulatory authority

We do not sell your personal data to third parties.

International Data Transfers

Some of our service providers process data outside the UK. We ensure appropriate safeguards are in place:

  • OpenAI (USA): UK-US Data Bridge certification and Standard Contractual Clauses (SCCs)
  • AWS (EU-West-2 London): Data stored in UK region by default

All international transfers comply with UK GDPR Chapter V requirements.

Data Retention

Data Type | Retention Period | Reason
Account information | Duration of account + 12 months | Service provision and legal compliance
Assessment reports | 12 months from generation | User access and audit trail
Uploaded contracts | Deleted immediately after analysis | Data minimization
Security and audit logs | 12 months | Security monitoring
Cookie consent records | 12 months | Demonstrate compliance

Your Rights Under UK GDPR

Right to Be Informed

Clear information about how we use your data (this policy)

Right of Access

Request a copy of personal data we hold about you

Right to Rectification

Request correction of inaccurate or incomplete data

Right to Erasure

Request deletion of your personal data

Right to Restrict Processing

Limit how we use your data in certain situations

Right to Data Portability

Receive your data in a machine-readable format

Right to Object

Object to processing for marketing or profiling

Rights Related to Automated Decisions

Our AI provides advisory suggestions only - all decisions are made by you

To exercise your rights: Contact us at privacy@compliancetoolkit.co.uk with "GDPR Data Rights Request" in the subject line. We will respond within 30 days.

Complaints Procedure

Under the Data (Use and Access) Act 2025, we have a formal procedure for handling data protection complaints:

Step 1: Contact Us

Email: privacy@compliancetoolkit.co.uk with subject "Data Protection Complaint"

Step 2: We Will Investigate

We will acknowledge your complaint within 5 working days and provide a substantive response within 30 days.

Step 3: Escalate to the ICO (If Unsatisfied)

If you are not satisfied with our response, you can lodge a complaint with:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk

Cookies

We use cookies and similar tracking technologies. For detailed information about the cookies we use and how to manage your preferences, please see our Cookie Policy.

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, new features, or legal requirements. When we make material changes, we will update the "Last Updated" date and notify you via email or platform notification where appropriate.

Contact Us

Magna Spero Ltd

Company Registration Number: 16649166

Registered Office: 1 Harland Road, Lincoln, LN2 4GW, United Kingdom

Email: privacy@compliancetoolkit.co.uk

We will respond to your inquiry within 30 days.