Privacy Policy
Last updated: 10 April 2026
This policy explains how PHD Interactive Ltd ("we", "us", "PolicyDiary") collects, uses and protects your personal data when you use policydiary.co.uk.
Data controller: PHD Interactive Ltd, Monomark House, 27 Old Gloucester Street, London, WC1N 3AX
ICO registration number: Z1046419
Contact: hello@policydiary.co.uk
1. What data we collect
Account data: Your name, email address, practice name, website URL, professional body, ICO registration number.
Intake answers: Your responses to our onboarding questions about your practice.
Website scan data: Technical information about third-party tools detected on your website.
Payment data: Payment is processed by Stripe. We do not store your card details. We retain records of transactions for accounting purposes.
Usage data: Standard server logs including IP addresses, browser type, and pages visited.
Complaints data: If you submit a data protection complaint about our service, we retain the complaint and our response.
2. How we use your data
Article 6 lawful basis: Article 6(1)(b) UK GDPR — contract. Processing is necessary to provide the PolicyDiary service you have subscribed to.
We use your data to: generate your compliance documents, host your compliance page, send you service emails (login codes, renewal reminders, complaint notifications), and improve the PolicyDiary service.
We do not use your data for advertising. We do not sell your data to third parties. PolicyDiary is ad-free.
3. AI document generation
Your practice details and intake answers are sent to Anthropic's Claude API to generate your compliance documents. Anthropic processes this data as a data processor on our behalf. Anthropic's servers are located in the USA. We rely on Standard Contractual Clauses (SCCs) as the transfer safeguard. For more information see Anthropic's privacy policy.
4. Third-party processors
We use the following third-party services to operate PolicyDiary:
- Stripe (USA) — payment processing
- Resend (USA) — transactional email delivery
- Anthropic (USA) — AI document generation
- Cloudflare (USA) — DNS, CDN, and Turnstile spam protection
- DigitalOcean (UK/London) — cloud hosting
Where data is transferred to the USA, we rely on Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs). The USA does not currently have a UK adequacy decision.
4a. Analytics
We use Google Analytics and Google Tag Manager on policydiary.co.uk to understand how visitors use our website. Google Analytics collects anonymised usage data including pages visited, time on site, and browser type. Google Tag Manager is used to manage scripts. Both tools are operated by Google LLC (USA). Data is transferred to the USA under Standard Contractual Clauses. Under the Data (Use and Access) Act 2025, statistical analytics cookies do not require prior consent. You may opt out at any time via tools.google.com/dlpage/gaoptout.
5. How long we keep your data
- Account data: for the duration of your subscription plus 6 years (accounting/legal requirements)
- Generated documents: for the duration of your subscription
- Financial records: 6 years (HMRC requirement)
- Server logs: 90 days
- Data protection complaints: 6 years
6. Your rights
Under UK GDPR you have the right to: access your data, correct inaccuracies, request erasure (subject to legal retention requirements), restrict or object to processing, and data portability.
To exercise any right, contact us at hello@policydiary.co.uk. We will conduct a reasonable and proportionate search in response to subject access requests, in accordance with the Data (Use and Access) Act 2025.
7. Data protection complaints
Under the Data (Use and Access) Act 2025, you have the right to complain directly to us about how we handle your data. Contact us at hello@policydiary.co.uk. We will acknowledge your complaint within 30 days.
You may also complain to the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint / 0303 123 1113 / ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.
8. Cookies
We use essential session cookies to keep you logged in. We do not use advertising or tracking cookies.