Privacy Notice
Last updated: 5/5/2026
1. Who we are
SecPolicy is operated by Arnav Sharma (trading as SecPolicy). For the personal data described in this notice, Arnav Sharma is the data controller. You can contact us via arnav.au.
2. Personal data we collect
- Account data: email address, hashed password or OAuth identifier, display name.
- Organisation profile: organisation name, industry, size, jurisdiction, and other context you submit to generate policies.
- Generated content: the prompts you submit and the policies generated for you.
- Purchase data: products purchased, plan tier, transaction identifiers, and a customer reference returned by our payment provider. Card details and billing address are collected and stored by Paddle, not by us.
- Support communications: messages, attachments, and metadata when you contact support.
- Technical data: IP address, device and browser identifiers, log timestamps, and usage telemetry.
- Cookies: strictly necessary cookies for authentication and session management. We do not currently set advertising cookies.
3. Why we use it and our legal basis
| Purpose | Legal basis (GDPR / UK GDPR) |
|---|---|
| Create and manage your account | Performance of a contract |
| Generate policies from your inputs | Performance of a contract |
| Process payments and provide receipts (via Paddle) | Performance of a contract; legal obligation |
| Provide customer support | Performance of a contract; legitimate interests |
| Detect, investigate, and prevent fraud, abuse, and security incidents | Legitimate interests; legal obligation |
| Improve and debug the service | Legitimate interests |
| Comply with tax, accounting, and other legal obligations | Legal obligation |
| Send service-related emails (e.g. account, billing) | Performance of a contract |
4. AI processing
When you generate a policy set, your organisation profile, selected frameworks, and prompts are sent to our AI providers to produce the tailored output. We do not deliberately include personal data beyond the organisation name and other fields you supply. Please do not submit sensitive personal data, secrets, or confidential information you are not authorised to share.
5. Who we share data with
- Paddle — our Merchant of Record. Paddle handles checkout, payments, tax compliance, invoicing, subscription management, refunds, and chargebacks. Paddle acts as an independent controller for the personal data it processes for those purposes. See Paddle's privacy notice.
- Cloud hosting and database providers — to host the application and store data on our behalf.
- AI providers — to produce generated outputs from your prompts.
- Email and support tooling — to send transactional email and respond to enquiries.
- Professional advisers — accountants and legal advisers, where needed.
- Authorities — where required by law, regulation, or valid legal process.
We do not sell your personal data.
6. International transfers
Our service providers may process personal data outside your country of residence, including in the United States and the European Economic Area. Where personal data is transferred from the UK or EEA to a country without an adequacy decision, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum) put in place by our processors.
7. Data retention
- Account data: kept while your account is active and for up to 12 months after closure, then deleted or anonymised.
- Generated policies and prompts: kept while your account is active; you can delete them at any time from the app.
- Purchase records: kept for up to 7 years to meet tax and accounting obligations.
- Support communications: kept for up to 24 months after the matter is resolved.
- Security and access logs: kept for up to 12 months.
8. Your rights
Depending on where you live, you may have the right to: access your personal data; correct inaccurate data; erase your data; restrict or object to processing; data portability; withdraw consent (where processing is based on consent); and lodge a complaint with your local data protection authority. To exercise these rights, contact us via arnav.au. We aim to respond within one month.
9. Security
We use appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, least-privilege administration, regular updates, and audit logging. No system is perfectly secure; please use a strong unique password and keep your credentials confidential.
10. Cookies
We use strictly necessary cookies and similar technologies to keep you signed in and to remember basic preferences. You can control cookies through your browser settings. Blocking essential cookies will prevent the service from working correctly.
11. Changes to this notice
We may update this notice from time to time. Material changes will be highlighted in the service or notified by email. The "Last updated" date above reflects the most recent revision.