Privacy Notice
Version: 1.0
Last updated: April 2026
Effective date: April 2026
1. Who We Are
Data controller: Gatewaychecker Ltd
Registered address: United Kingdom
Contact: privacy@gatewaychecker.co.uk
Gatewaychecker Ltd ("Gatewaychecker", "we", "us", "our") operates the Gatewaychecker platform at gatewaychecker.co.uk — a SaaS tool for BSA Gateway 2 pre-submission review.
This notice explains what personal data we collect, why we collect it, how long we keep it, who we share it with, and what rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you are using Gatewaychecker under a contract with your employer or organisation, your organisation is also a data controller for your account data. Please refer to your organisation's privacy notice for information about how your employer processes your personal data.
2. What Personal Data We Collect
Account data
When you create an account or are invited to join an organisation on Gatewaychecker, we collect:
- Email address
- Organisation name
- User role within your organisation (owner, admin, member)
- Date and time of account creation
- Authentication event logs (sign-in dates, IP addresses)
Usage data
When you use the platform, we automatically collect:
- IP address (used for rate limiting and security monitoring)
- Browser and operating system type (included in HTTP headers)
- Pages accessed and features used
- Analysis events (submission created, report downloaded, override applied)
- Timestamps of all significant actions
Document content
When you upload documents for Gateway 2 analysis, we process:
- The text extracted from your PDF documents
- Document type (fire strategy, structural strategy, competence declaration, change control log)
- Project name
- AI-generated findings, risk scores, evidence text, and remediation recommendations
Document content may include names of duty holders, addresses of buildings, technical specifications, and other commercially sensitive information. This information is processed as described in section 3 (Why We Process Your Data) and the Data Flows page.
Collaboration data
When you invite team members to collaborate on a submission:
- Email address of the invitee
- Role assigned to the collaborator
- Invitation acceptance status and timestamp
Payment data
When you subscribe to a paid plan:
- Billing name and email address
- Billing address (for invoicing)
Payment card details are entered directly into Stripe's PCI-DSS Level 1 compliant payment interface and are never processed or stored by Gatewaychecker.
Microsoft 365 integration data (optional)
If you choose to connect your Microsoft 365 account:
- Your Microsoft account email address
- OAuth access and refresh tokens (encrypted at application layer before storage)
- SharePoint file metadata browsed during document import sessions
This integration is entirely opt-in and can be revoked at any time from Settings.
3. Why We Process Your Data
| Purpose | Personal data involved | Legal basis | UK GDPR reference |
|---|---|---|---|
| Providing and operating the Gatewaychecker service | Account data, document content, usage data | Performance of a contract | Article 6(1)(b) |
| Authentication and account security | Email address, IP address, authentication logs | Performance of a contract | Article 6(1)(b) |
| Sending transactional communications (magic links, notifications) | Email address | Performance of a contract | Article 6(1)(b) |
| Processing subscription payments | Billing name, email, address | Performance of a contract | Article 6(1)(b) |
| Managing team collaboration | Collaborator email addresses | Performance of a contract | Article 6(1)(b) |
| Issuing VAT-compliant invoices | Billing name, email, address | Compliance with a legal obligation (VAT Act 1994) | Article 6(1)(c) |
| Security monitoring, fraud prevention, and rate limiting | IP address, usage logs | Legitimate interests | Article 6(1)(f) |
| Internal analytics to improve the service | Aggregated, anonymised usage data | Legitimate interests | Article 6(1)(f) |
| Responding to data subject rights requests | Any personal data held | Compliance with a legal obligation | Article 6(1)(c) |
| Maintaining AI accuracy logs (correction flywheel) | Human override notes, BSR outcomes | Legitimate interests | Article 6(1)(f) |
Legitimate interests balancing test: Where we rely on legitimate interests, we have assessed that our interest in operating a secure, high-quality service is not outweighed by your privacy interests. You may object to processing based on legitimate interests at any time (see section 6).
4. How Long We Keep Your Data
| Data type | Retention period | Reason |
|---|---|---|
| Account data (email, organisation) | Duration of active account; deleted within 30 days of account closure | Service provision |
| Extracted document text | Duration of active account; deleted within 30 days of account closure | Service provision |
| AI findings and risk scores | Duration of active account; deleted within 30 days of account closure | Service provision |
| Human override notes | Duration of active account; deleted within 30 days of account closure | Service provision |
| Usage and audit event logs | 24 months from creation | Security and fraud prevention |
| Authentication logs (IP addresses) | 90 days | Security monitoring |
| Billing records | 7 years from transaction date | UK VAT and accounting obligations |
| Microsoft OAuth tokens | Until you disconnect the integration | Operational requirement |
When your account is closed, all data except billing records (which we are legally required to retain) is deleted from our active database within 30 days. Billing records are retained for 7 years in accordance with UK VAT legislation.
Backups are retained for 7 days; after deletion from the active database, your data will be purged from backups within 7 days.
5. Who We Share Your Data With
We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.
We share personal data only with the sub-processors listed on the Sub-processors page, for the purpose of delivering the Gatewaychecker service. These include:
- Supabase — database, authentication, email delivery infrastructure
- Vercel — application hosting
- Resend — transactional email delivery
- Anthropic (via OpenRouter) — AI document analysis (document text only; transient; no training)
- Stripe — subscription billing (payment card data handled exclusively by Stripe)
- Microsoft — SharePoint integration (optional; only when you have connected your Microsoft 365 account)
We may also share personal data where legally required — for example, in response to a court order, lawful request by a public authority, or to comply with applicable law. We will notify you of such requests where legally permitted to do so.
6. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
Right of access (Article 15): You may request a copy of all personal data we hold about you.
Right to rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
Right to erasure (Article 17): You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent (where consent is the legal basis).
Right to restriction of processing (Article 18): You may request that we restrict processing of your personal data in certain circumstances — for example, while you contest the accuracy of the data.
Right to data portability (Article 20): Where processing is based on contract or consent and carried out by automated means, you may request your personal data in a structured, commonly used, machine-readable format.
Right to object (Article 21): You may object at any time to processing of your personal data where we rely on legitimate interests as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds.
Rights related to automated decision-making (Article 22): Gatewaychecker uses AI to generate risk scores and findings. These AI outputs are advisory only and do not constitute automated decisions with legal or similarly significant effects. Every AI finding is subject to mandatory human review. You may contact us if you wish to understand how any AI output was generated.
Right to withdraw consent (Article 7(3)): Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, contact privacy@gatewaychecker.co.uk. We will respond within one calendar month. We may ask you to verify your identity before processing a request.
7. Transfers Outside the UK and EU
All primary customer data is stored and processed within the European Union (AWS eu-west-1, Ireland).
The only transfers of personal data outside the EU/UK are:
Anthropic (via OpenRouter) — United States: Extracted document text is transmitted to Anthropic's API for AI inference. This transfer is covered by:
- Our Data Processing Agreement with OpenRouter, which includes appropriate safeguards under UK GDPR Article 46.
- Anthropic's API terms of service, which prohibit retention or training use of submitted data.
Stripe — United States: Stripe processes billing information in the EU and US under its GDPR DPA, which includes Standard Contractual Clauses as a transfer mechanism.
We do not transfer personal data to any other country outside the UK/EU.
8. Cookies
Gatewaychecker uses the minimum number of cookies necessary to provide the service:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| sb-auth-token | Supabase authentication session | Strictly necessary | Session / rolling expiry |
| ms_oauth_state | CSRF protection for Microsoft OAuth flow | Strictly necessary | 15 minutes |
We do not use advertising cookies, cross-site tracking cookies, or any analytics cookies. We do not use Google Analytics or similar third-party analytics tools.
9. Changes to This Notice
We may update this privacy notice from time to time to reflect changes in our practices or applicable law. When we make material changes:
- We will update the "Last updated" date at the top of this page.
- We will record the change in the Trust Documents Changelog.
- For significant changes, we will notify account holders by email at least 14 days before the change takes effect.
The version history of this document is available in the Trust Documents Changelog.
10. Contact and Complaints
Privacy enquiries and data subject rights requests:
privacy@gatewaychecker.co.uk
We aim to respond to all privacy enquiries within 5 business days and all data subject rights requests within one calendar month.
Complaints: If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, welcome the opportunity to address your concerns before you approach the ICO. Please contact us first at privacy@gatewaychecker.co.uk.