How we collect, use, and protect your personal information
Last Updated: 3 March 2026 | Effective Date: 3 March 2026
ICO Registration Number: ZC087276
This Privacy Policy is provided by Magna Spero Ltd, the company that owns and operates Compliance Toolkit.
| Detail | Information |
|---|---|
| Company Name | Magna Spero Ltd |
| Company Registration Number | 16649166 |
| ICO Registration Number | ZC087276 |
| Registered Office | 1 Harland Road, Lincoln, LN2 4GW, United Kingdom |
| Website | compliancetoolkit.co.uk |
| Data Protection Contact | privacy@compliancetoolkit.co.uk |
When you create an account and use Compliance Toolkit directly, Magna Spero Ltd is the data controller responsible for your personal information.
Where you access Compliance Toolkit through a referring partner organisation (for example, a professional services firm directing its clients to a specific tool), that referring organisation is the data controller. In those cases, Magna Spero Ltd acts as a data processor on their behalf, governed by a separate Data Processing Agreement. Your referring organisation's own privacy policy will also apply to how they handle your data.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use Compliance Toolkit. It applies to all processing activities we undertake and covers all users of our platform, including individual subscribers, consultants, and enterprise clients.
This policy is designed to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Data (Use and Access) Act 2025 (DUA Act 2025).
When you create an account or use our services, we collect:
Our platform includes a range of compliance assessment tools. When you complete a questionnaire or survey, we collect your responses for the purpose of generating your compliance report. This includes:
Assessment responses are stored securely and retained in accordance with our Data Retention schedule (see Section 10).
Our Employment Contract Clause Checker allows you to upload an employment contract for AI-powered statutory compliance analysis. This tool operates on a transient processing basis:
Important: You are advised not to upload documents containing personally identifiable information such as employee names, addresses, or salary details. If personal data is inadvertently included in an uploaded document, it will be processed transiently as described above and will not be retained. However, please note that our AI analysis provider (OpenAI) may retain API inputs for up to 30 days for safety and abuse monitoring purposes before permanent deletion (see Section 7 for further detail).
With your consent, we use Microsoft Clarity to analyse how users interact with our platform. This includes page views, session duration, user behaviour patterns, and navigation paths. You can control analytics cookies through our cookie consent banner.
We process your personal information for the following purposes, based on the legal grounds specified:
| Purpose | Data Processed | Legal Basis (UK GDPR) |
|---|---|---|
| Service provision and account management | Name, email, phone, account credentials | Contract (Article 6(1)(b)) |
| Assessment report generation | Survey and questionnaire responses | Contract (Article 6(1)(b)) |
| Employment contract analysis (transient) | Uploaded document content (not retained) | Contract (Article 6(1)(b)) |
| Account verification and security | Email, IP address, login activity | Legitimate Interest (Article 6(1)(f)) |
| Platform improvement and analytics | Usage patterns, analytics cookies | Consent (Article 6(1)(a)) |
| Legal compliance and dispute resolution | All relevant personal data as required | Legal Obligation (Article 6(1)(c)) |
Compliance Toolkit uses artificial intelligence to provide compliance guidance, contract analysis, and report recommendations. When you interact with our AI features:
Important: Our AI provides advisory guidance only. It does not make automated decisions that have legal or similarly significant effects on you. All compliance assessments are recommendations that should be reviewed by qualified professionals.
Our application logs may record metadata relating to API requests (such as timestamps, response codes, and error messages) for the purposes of system monitoring and debugging. These logs do not capture the substantive content of documents uploaded for analysis or survey responses submitted by users. Logs are retained in accordance with our Data Retention schedule.
We do not sell your personal data to third parties. We may share your personal information with the following categories of service provider, each of whom is engaged under appropriate contractual terms.
Different tools on our platform engage different sub-processors. The table below sets out which sub-processors are relevant to each processing activity:
| Sub-Processor | Purpose | Applicable Tools | Data Location |
|---|---|---|---|
| OpenAI | AI-powered analysis and report generation | All assessment tools; Contract Clause Checker | USA |
| AWS (S3) | Secure storage of generated reports | Assessment tools (reports only) | EU-West-2 (London, UK) |
| Neon | Database hosting (accounts and platform data) | Account management and platform operations | EU |
| SendGrid | Transactional email delivery | Account notifications and report delivery | USA |
| Microsoft Clarity | Website analytics (with consent) | Platform-wide (anonymised) | USA |
Note: The Employment Contract Clause Checker engages only OpenAI as a sub-processor. Uploaded documents are not stored in AWS S3, Neon, or any other persistent storage.
When you access Compliance Toolkit via a partner single sign-on (for example, SwiftHR.ai), limited account data may be shared as described in the partner's own privacy policy.
We may disclose personal data when required by law, court order, or regulatory authority.
Some of our service providers process data outside the United Kingdom. We ensure appropriate safeguards are in place for all international transfers in compliance with UK GDPR Chapter V:
| Provider | Transfer Destination | Safeguard |
|---|---|---|
| OpenAI | USA | UK-US Data Bridge adequacy certification and Standard Contractual Clauses (SCCs) |
| SendGrid | USA | Standard Contractual Clauses (SCCs) |
| Microsoft Clarity | USA | Standard Contractual Clauses (SCCs) |
| AWS | UK (EU-West-2, London) | No international transfer — data stored in UK region |
| Neon | EU | UK adequacy decision for the EEA |
OpenAI may retain API inputs for up to 30 days for safety and abuse monitoring purposes. During this retention period, the data is subject to the safeguards described above. After 30 days, all input data is permanently deleted by OpenAI.
When you access the Charity Governance assessment tool via a referring organisation (such as a law firm or professional advisor), the following applies:
When you use the Employment Contract Clause Checker:
Compliance Toolkit is used by some organisations to provide compliance tools to their own clients. Where you access a tool on our platform at the direction of a professional services firm, charity advisor, or other referring organisation:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Duration of account + 12 months | Service provision and legal compliance |
| Assessment reports (stored) | 12 months from generation | User access and audit trail |
| Uploaded employment contracts | Not retained (transient processing only) | Data minimisation |
| Survey and questionnaire responses | 12 months from submission | Report generation and audit trail |
| Security and audit logs | 12 months | Security monitoring and incident response |
| Application logs (metadata only) | 12 months | System monitoring and debugging |
| Cookie consent records | 12 months | Demonstrate compliance |
You have the following rights in relation to your personal data:
Clear information about how we use your data (this policy)
Request a copy of personal data we hold about you
Request correction of inaccurate or incomplete data
Request deletion of your personal data
Limit how we use your data in certain situations
Receive your data in a machine-readable format
Object to processing for marketing or profiling purposes
Our AI provides advisory suggestions only — all decisions are made by you
To exercise your rights: Contact us at privacy@compliancetoolkit.co.uk with "GDPR Data Rights Request" in the subject line. We will respond within 30 days.
If you access Compliance Toolkit through a referring partner organisation, please direct your data rights request to that organisation in the first instance, as they are the data controller for your information.
Email privacy@compliancetoolkit.co.uk with the subject line "Data Protection Complaint".
We will acknowledge your complaint within 5 working days and provide a substantive response within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
We use cookies and similar tracking technologies. For detailed information about the cookies we use and how to manage your preferences, please see our Cookie Policy.
We may update this Privacy Policy periodically to reflect changes in our practices, new features, or legal requirements. When we make material changes, we will update the "Last Updated" date at the top of this document and notify you via email or platform notification where appropriate.
Magna Spero Ltd
Company Registration Number: 16649166
ICO Registration Number: ZC087276
Registered Office: 1 Harland Road, Lincoln, LN2 4GW, United Kingdom
We will respond to your enquiry within 30 days.