Privacy Policy

Last updated: March 2026

1. Who we are

Groundwork ("we", "us", "our") is a UK-based service providing AI-powered due diligence reports for company research. Our contact email is hello@usegroundwork.co. References to "GDPR" mean the UK GDPR as retained in UK law.

2. Data we collect

  • Account data: your email address when you register. We use passwordless authentication — no password is stored.
  • Usage data: reports you generate, including the company numbers searched and timestamps.
  • Profile data: your subscription tier and monthly usage count.
  • Payment data: processed by Stripe. We do not store card numbers or payment credentials — Stripe handles this as a PCI-compliant processor.
  • Technical data: IP address, browser type, and access logs for security and rate limiting.

3. Lawful basis for processing

We process your personal data on the following lawful bases under UK GDPR:

  • Contract performance: to provide the service you have signed up for (account creation, report generation, subscription management).
  • Legitimate interests: to improve the service, prevent abuse, enforce rate limits, and maintain security. We have assessed that these interests do not override your rights and freedoms.
  • Legal obligation: to comply with applicable laws, including financial and data protection regulations.
  • Consent: where you have explicitly opted in (e.g. marketing communications). You may withdraw consent at any time.

4. How we use your data

  • To provide and improve the Groundwork service.
  • To enforce usage limits (3 reports/month on Free tier).
  • To send service-related communications (OTP codes, account notices).
  • To process payments and manage subscriptions.
  • To prevent abuse and ensure security.

5. Report data and caching

When a report is generated, the results are cached for up to 14 days. During this period, other users who search for the same company will receive the cached report rather than generating a new one. Cached reports contain publicly available company data and AI-generated analysis — they do not contain personal data of the user who originally generated the report.

6. Third-party services

We use the following third-party services to operate Groundwork:

  • Supabase (database and authentication) — data stored in EU (eu-west-1).
  • Anthropic (Claude AI) — company data is sent to Anthropic's API for analysis. Anthropic does not train on data sent through its API.
  • Stripe (payment processing) — handles subscription billing. See Stripe's privacy policy at stripe.com/privacy.
  • Resend (transactional email) — delivers authentication and service emails.
  • Vercel (hosting and analytics) — serves the application and collects anonymised, cookieless performance data. No personal data is processed.
  • Google Ads (advertising) — measures ad conversions with your consent. See Google's privacy policy at policies.google.com/privacy.
  • Companies House API — publicly available UK company data.
  • FCA Register — publicly available financial services data.
  • ICO Register — publicly available data protection registration data.
  • Individual Insolvency Register — publicly available insolvency data.

7. Data retention

We retain your account data for as long as your account is active. Report data is cached for up to 14 days to improve performance and reduce costs. If you delete your account, your personal data is deleted within 30 days. Payment records may be retained for up to 7 years to comply with HMRC requirements. Aggregate, anonymised usage statistics may be retained indefinitely.

8. Your rights (GDPR)

Under UK GDPR, you have the right to: access your personal data, correct inaccurate data, request deletion ("right to be forgotten"), object to processing, restrict processing, and request data portability. To exercise these rights, contact us at hello@usegroundwork.co. We will respond within 30 days.

9. Cookies

We use the following cookies:

  • Essential cookies: Supabase authentication session cookies. These are strictly necessary for the service to function and do not require consent.
  • Advertising cookies (optional): Google Ads (gtag.js) sets cookies to measure ad conversions and optimise campaign performance. These are only set with your consent.

You can manage your cookie preferences at any time via the cookie banner. Rejecting optional cookies does not affect your ability to use the service. Your preference is stored in your browser's local storage.

10. Security

We use industry-standard security measures including TLS encryption in transit, secure session management via Supabase Auth, row-level security on all database tables, and PCI-compliant payment processing via Stripe.

11. International transfers

Your data is primarily stored in the EU (Supabase, eu-west-1). Some data is processed by US-based services (Anthropic, Stripe, Resend) under appropriate safeguards including Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to registered users. Continued use of the service after changes constitutes acceptance.

13. Contact

For privacy-related queries, contact us at hello@usegroundwork.co.