Last updated: 28 March 2026

Privacy Policy

This Privacy Policy explains how TN Labs Ltd (trading as Complyer) ("Complyer", "we", "us", "our") collects, uses, stores, and protects your personal data when you use the Complyer platform.

We take your privacy seriously. UK GDPR and the Data Protection Act 2018 apply to all data we process. Our primary servers are located in the EU (Frankfurt, Germany).

1. Data controller

TN Labs Ltd (trading as Complyer) is the data controller for personal data collected through Complyer. If you have any data protection queries, contact us at hello@complyer.law.

We are registered with the Information Commissioner's Office (ICO). Our ICO registration number is available on request.

2. What data we collect

Account data: Your name, email address, and password (stored as a secure hash — we never store your password in plain text) when you register.

Organisation data: Company name, sector, headcount, working model, and address — provided during onboarding and used to personalise your documents and tailor AI outputs.

Employee data: Names, job titles, start dates, employment types, salaries, and other HR details you choose to enter about your team members. This data is entered by you and used to generate HR documents and track compliance deadlines. You control what you enter and can delete it at any time.

Document data: HR documents you generate using Complyer, documents you upload to the Document Vault, and AI analysis results associated with those documents.

Usage data: Log data including IP address, browser type, device type, pages visited, features used, and request timestamps — collected automatically for security monitoring, debugging, and service improvement.

Payment data: Billing information is collected and processed directly by Stripe. We receive and store your subscription status, plan type, and payment history, but we do not store your full card number, CVV, or bank details.

Communications: Any emails or messages you send to us, including support requests.

3. How we use your data and our lawful bases

We process your personal data only where we have a lawful basis to do so under UK GDPR:

  • Performance of contract (Art 6(1)(b)): To provide the Complyer service — generating documents, tracking your team, monitoring law changes, managing your account, processing payments, and delivering documents by email.
  • Legal obligation (Art 6(1)(c)): To comply with applicable law, including financial record-keeping, tax obligations, and responding to lawful requests from authorities.
  • Legitimate interests (Art 6(1)(f)): To improve the Service, ensure security and prevent fraud, send transactional service emails (account alerts, law monitoring notifications, weekly digests) that you would reasonably expect to receive as part of the Service, and analyse aggregate usage patterns. We have carried out a balancing test and are satisfied our interests do not override your rights and freedoms in these cases.
  • Consent (Art 6(1)(a)): For optional marketing communications. You may withdraw consent at any time by clicking "unsubscribe" or contacting us at hello@complyer.law.

4. Employee data you enter — important notice for employers

When you enter personal data about your employees into Complyer (names, job titles, salaries, start dates, etc.), you are the data controller for that employee personal data. Complyer processes it on your behalf as a data processor.

As the data controller, you are responsible for:

  • Having a valid lawful basis to share employee personal data with Complyer (typically Art 6(1)(b) — performance of the employment contract, or Art 6(1)(c) — compliance with employment law obligations)
  • Informing your employees that their data is being processed by Complyer, whether in your employee handbook, privacy notice, or employment contracts
  • Responding to any subject access requests or other data subject rights requests made by your employees in relation to data held in Complyer

A data processing agreement (DPA) is available on request at hello@complyer.law. We will provide a DPA within 5 business days of a request. The DPA sets out the obligations of each party in accordance with UK GDPR Article 28.

We never use employee data you enter to train, fine-tune, or improve AI models.

5. AI processing and third-party model providers

When you generate a document, use the HR chat feature, or analyse an uploaded document, the relevant input data is transmitted to Anthropic PBC ("Anthropic"), the provider of the Claude AI model, for processing.

Key safeguards in place:

  • We use Anthropic's API under terms that prohibit Anthropic from using your inputs or our outputs to train their models
  • Data sent to Anthropic is processed transiently and is not retained by Anthropic after your request is fulfilled
  • Anthropic is certified under applicable data protection frameworks and standard contractual clauses apply to any international transfers

You should be aware that when you include specific employee details in a prompt or document, those details are transmitted to Anthropic for processing. You should only include personal data that is necessary for the document you are generating.

6. Who we share your data with

We share your data only with trusted third-party service providers necessary to operate the Service. Each provider is bound by contractual data protection obligations:

  • Supabase — database hosting and file storage (EU servers, Frankfurt)
  • Anthropic — AI model processing for document generation, chat, and document analysis (US — protected by SCCs and Anthropic's zero-retention API policy)
  • Stripe — payment processing (EU and US — certified under EU-US Data Privacy Framework)
  • Resend — transactional email delivery
  • Vercel — hosting and content delivery infrastructure

We do not sell your data to any third party. We do not share your data with advertisers. We do not use your data for any purpose other than providing the Service.

We may disclose your data if required by applicable law, a court order, or a regulatory authority, or where necessary to protect the rights, property, or safety of Complyer, our users, or third parties.

7. International data transfers

Some of our third-party providers process data outside the United Kingdom, including in the United States (Anthropic, Stripe, Vercel). All such transfers are protected by one or more of the following safeguards:

  • UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) approved for use under UK GDPR
  • Adequacy decisions by the UK Secretary of State
  • Certification under recognised data protection frameworks (e.g. the EU-US Data Privacy Framework for Stripe)

You may request a copy of the relevant transfer safeguards by contacting us at hello@complyer.law.

8. How long we keep your data

  • Account and profile data: Retained while your account is active, plus 30 days after account closure to allow data export. After 30 days, account data is permanently deleted.
  • Documents you generate: Retained while your account is active. You can delete individual documents at any time from the Service.
  • Uploaded documents: Retained while your account is active. You can delete them at any time. Deleted files are removed from storage within 24 hours.
  • Employee data: Retained while your account is active, or until you delete it.
  • Usage and security logs: Retained for up to 12 months.
  • Payment records: Retained for 7 years as required by UK accounting and tax law.
  • Communications with us: Retained for up to 3 years.

Where we are required by law to retain data for longer than the periods above, the legal retention period takes precedence.

9. Your rights under UK GDPR

You have the following rights in relation to your personal data. To exercise any right, contact us at hello@complyer.law. We will respond within one calendar month.

  • Right of access (SAR): Request a copy of the personal data we hold about you
  • Right to rectification: Ask us to correct inaccurate or incomplete personal data
  • Right to erasure ("right to be forgotten"): Ask us to delete your personal data where there is no compelling reason to continue processing it
  • Right to restrict processing: Ask us to pause processing of your data in certain circumstances
  • Right to data portability: Receive your data in a structured, commonly used, machine-readable format
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes
  • Rights relating to automated decisions: Not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of processing before withdrawal

We will not charge you for exercising your rights except in limited circumstances permitted by law (e.g. manifestly unfounded or excessive requests).

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We encourage you to contact us first so we can try to resolve your concern.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include:

  • Encryption in transit using TLS
  • Encryption at rest for database storage
  • Role-based access controls limiting who can access personal data
  • Secure authentication using hashed credentials
  • Regular security reviews

No method of transmission or storage is 100% secure. If you become aware of any security issue relating to your account, please contact us immediately at hello@complyer.law.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware and will notify you without undue delay.

11. Cookies

We use cookies and similar technologies to operate the Service. See our Cookie Policy for full details of what cookies we use and how to control them.

12. Children

The Service is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, please contact us at hello@complyer.law and we will take steps to delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in the law, our data practices, or the Service.

For material changes, we will notify you by email at least 30 days before the change takes effect and update the "Last updated" date above. For minor changes, we will update the date only.

We encourage you to review this policy periodically.

14. Contact us

For any privacy-related queries, data subject rights requests, or DPA requests, please contact us at:

TN Labs Ltd (trading as Complyer)
hello@complyer.law

We aim to respond to all queries within 5 business days and to all formal data subject rights requests within one calendar month.