Privacy Policy

Prevoice Ltd (“Prevoice”, “we”, “us”) is the data controller for personal data processed through the Prevoice platform at prevoice.co.uk.

Registered address: [To be inserted upon incorporation], England & Wales.
Contact: privacy@prevoice.co.uk

We collect the following categories of personal data:

• Account data: Your name, email address, and hashed password.
• Usage data: Company lookup history — company numbers searched, scores returned, timestamps.
• Billing data: Subscription tier and Stripe customer ID (full card details are held by Stripe, not Prevoice).
• Technical data: IP address, browser type, and session metadata collected automatically when you use the service.

We do not collect special category data (health, biometric, etc.) and we do not use cookies for advertising or tracking beyond essential session management.

• Contract performance (Art. 6(1)(b)): Processing your email and billing data to provide the subscription service you signed up for.
• Legitimate interest (Art. 6(1)(f)): Analysing aggregated usage patterns to improve the product; fraud and abuse prevention.
• Legal obligation (Art. 6(1)(c)): Retaining business records including lookup audit logs for 7 years as required by UK financial record-keeping rules.
• Consent (Art. 6(1)(a)): Marketing communications — only where you have opted in explicitly.

• To create and manage your account
• To perform company risk lookups on your behalf
• To process subscription payments via Stripe
• To send transactional emails (account confirmation, password reset, payment receipts)
• To detect fraud and enforce our Acceptable Use Policy
• To improve our scoring algorithm using anonymised, aggregated data

• Account data: Retained while your account is active, then deleted within 30 days of account closure.
• Lookup history: Retained for 3 years after account closure, then permanently deleted.
• Audit logs: Retained for 7 years for business record-keeping purposes.
• Payment records: Retained for 7 years as required by UK HMRC rules.

What we collect. When you submit a community experience, we collect: the company's name and Companies House number; the structured details of your experience (payment outcome, lateness band if applicable, invoice value band if provided, whether a written contract existed, and the month and year of engagement); your optional short comment (up to 150 characters); the date and time of submission; and a record of your acceptance of the submission attestation. We link this data to your Prevoice account so that you can manage and delete your own reports.

Legal basis. We process community report data on the basis of our legitimate interests in operating a payment-intelligence platform that helps freelancers make informed decisions before entering commercial relationships (Article 6(1)(f) UK GDPR). Community reports concern UK limited companies only — not sole traders or individuals — which keeps personal data to a minimum.

Who can see reports. Paid Prevoice members can see individual reports and aggregate statistics. Free users can see only the count of reports for a company, not their contents. We do not display your name alongside reports you submit; other members see only the experience details.

How we use the data. Reports are used to provide the community-experiences feature to other Prevoice members. We may use aggregate, anonymised statistics from community reports in product analytics, marketing materials, or published research.

How long we keep reports. We keep your active reports for as long as they are published. You can delete your reports at any time from the My Reports page, which removes them from public view. We may retain a minimal record of retracted or moderated reports — stripped of identifying content — where necessary for legal, audit, or anti-abuse purposes, for up to 12 months.

Your rights. You can view, edit, or delete your own reports at any time from the My Reports page. You can also contact us at privacy@prevoice.co.uk to request access to your personal data, correction of inaccuracies, or erasure of your data, subject to any legal retention obligations.

What we collect. To prevent unfair use of free lookups and automated abuse, we process a hashed version of your IP address and a browser fingerprint (a non-unique hash derived from publicly available browser properties). We use these solely to count searches per device per day. We do not store your raw IP address at any point.

How hashing works. Your IP address is hashed with a cryptographic salt before being stored, making it impossible to reverse the hash back to your original address. The fingerprint is a one-way hash of general browser properties (screen size, browser type, language settings) and does not uniquely identify you as an individual.

Legal basis. We process this data on the basis of our legitimate interests in preventing abuse of the free tier and protecting the integrity and availability of the service (Article 6(1)(f) UK GDPR).

Retention. Device usage records are retained for a rolling 30-day period and then deleted.

We share personal data with the following third parties only where necessary:

• Stripe — payment processing (data transferred under Stripe's DPA)
• Railway — cloud hosting of backend infrastructure (EU data residency available)
• Vercel — web app hosting
• Resend — transactional email delivery
• Anthropic — AI contract clause generation (no personal data is sent; only company-level public data)

We do not sell personal data to third parties. We do not use personal data for advertising.

You have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.
• Right to erasure (Art. 17): Request deletion of your account and associated data viaAccount → Data & Privacy → Delete account, or by emailing us.
• Right to portability (Art. 20): Request a machine-readable export of your data. Email privacy@prevoice.co.uk.
• Right to restrict processing (Art. 18): In certain circumstances, request we limit how we use your data.
• Right to object (Art. 21): Object to processing based on legitimate interest.

To exercise any right, contact privacy@prevoice.co.uk. We will respond within one calendar month as required by UK GDPR Art. 12.

• Passwords are hashed using bcrypt before storage. We never store plain-text passwords.
• Refresh tokens are hashed (SHA-256) before database storage.
• All data in transit is encrypted via HTTPS/TLS 1.2+.
• Access tokens expire after 15 minutes. Refresh tokens expire after 30 days.
• All score lookups are audit-logged with user ID and timestamp.

We use a minimal set of cookies strictly necessary for the service to function (authentication session). We do not use advertising, analytics, or third-party tracking cookies. No cookie consent banner is required for strictly necessary cookies under the UK PECR.

Some of our third-party processors (Stripe, Vercel, Anthropic) operate outside the UK. Transfers are covered by UK GDPR adequacy decisions or standard contractual clauses where required.

Prevoice is a B2B service intended for business use by adults. We do not knowingly collect personal data from anyone under 18. If we become aware a minor has registered, we will delete their account promptly.

We will update this policy when our practices change. Significant changes will be notified by email. The effective date at the top of this page reflects the most recent revision.

Prevoice Ltd is registered with the UK Information Commissioner's Office. Registration number: [ICO_REG_NUMBER] (to be inserted once obtained — see Task 3.2).

If you have concerns about how we handle your personal data, you have the right to lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113.

For all data-protection enquiries: privacy@prevoice.co.uk