Privacy Policy — PolicyAI
Last updated: 30 March 2026
Data Controller: CeciArt Consulting Ltd
1. Introduction
PolicyAI ("we", "us", or "our") operates the AI privacy policy generator at policyai.dev ("Service"). This Privacy Policy explains how we collect, use, and protect your information.
2. Information We Collect
2.1 Code Submitted for Analysis
Code submitted for policy generation is processed in real time. On the free tier, submitted code is not retained beyond processing. On paid tiers, generation results and metadata (not raw code) may be stored for your history. We never use submitted code to train AI models.
2.2 Account Information
Email and profile data. Lawful basis: Performance of contract (Article 6(1)(b) UK GDPR).
2.3 Payment Information
Processed by Stripe. We do not store card details. Lawful basis: Performance of contract.
2.4 Usage Data
Anonymised usage data to improve the Service. Lawful basis: Legitimate interests (Article 6(1)(f) UK GDPR).
3. Third-Party Processors
| Processor | Purpose | Data Shared |
|---|---|---|
| Anthropic | AI analysis & generation | Submitted code (transient) |
| Vercel | Hosting | Usage data, IP addresses |
| Supabase | Database | Account data, generation metadata |
| Stripe | Payments | Billing information |
| Microsoft Clarity | Analytics | Anonymised usage data |
4. Data Retention
- Submitted code: Not retained beyond processing
- Generation results (free): Not stored server-side
- Generation results (paid): Duration of subscription + 90 days
- Account data: Until deletion + 30 days
- Server logs: Up to 30 days
5. International Transfers
Data may be processed in the US and EU. Appropriate safeguards (SCCs and adequacy decisions) are in place for all international transfers.
6. Your Rights (UK GDPR)
You have the right to: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Contact privacy@ceciart.io. We respond within one month. Complaints may be lodged with the ICO (ico.org.uk).
7. Your Rights (CCPA/CPRA)
California residents: right to know, delete, and opt out of sale. We do not sell personal information. Contact privacy@ceciart.io.
8. Children's Privacy
The Service is not directed to individuals under 16 years of age.
9. Cookies
We use essential cookies for Service functionality and analytics cookies (Microsoft Clarity) to understand usage patterns. Where required by law, analytics cookies are served with consent.
10. Security
We implement industry-standard security measures including TLS encryption, access controls, and regular security reviews.
11. Changes to This Policy
We will provide at least 30 days' notice for material changes to this Privacy Policy.
12. Contact
privacy@ceciart.io — CeciArt Consulting Ltd