Privacy Policy · GDPR Article 25 by design · last updated 2026-04-25

Privacy policy

CharmEngine Ltd (UK), the controller of charmengine.uk and operator of the CharmEngine platform, processes personal data only as described below. The platform is designed for GDPR Article 25 compliance — every claim here is enforceable in code, not just on paper.

1. Who we are

Controller: CharmEngine Ltd, registered in England & Wales. Data Protection Officer: dpo@charmengine.uk. Details of our EU representative and UK ICO registration are available on request.

2. What we collect

  • Account data — your email, name, organisation, role.
  • Tenant settings — brand canon, offer angles, agent configuration you upload.
  • Audit log — every operator action, every governed agent decision, signed and append-only.
  • AI provider usage telemetry — model name, token counts, cost — never the prompt content unless you opt in.
  • Technical data — IP address (truncated), user-agent, request ID. Used for security and diagnostics, retained for at most 90 days.

We do not collect special-category data (Article 9) without your explicit lawful basis recorded in the audit log.

3. Lawful basis

  • Contract (Art. 6(1)(b)) — to provide the platform you've subscribed to.
  • Legitimate interest (Art. 6(1)(f)) — for security, fraud prevention, and aggregated platform analytics. Balanced via a documented LIA.
  • Consent (Art. 6(1)(a)) — for any optional marketing or training-data opt-in. Withdrawable at any time.

4. Sub-processors

The complete list lives at /legal/subprocessors and is reviewed annually. Current categories:

  • Hosting: Vercel (frontend), Railway (backend), Cloudflare (CDN + WAF + R2 storage).
  • Database: Neon (Postgres) — Frankfurt (EU) + us-east-1.
  • AI providers: Anthropic, OpenAI, Google, OpenRouter — all under SCCs Module 2 + Transfer Impact Assessment, with the do_not_train flag set on every call.
  • Email: Resend, Amazon SES (EU).
  • Billing: Stripe.

5. Cross-border transfers

EU-tagged tenants route through Frankfurt only. US sub-processors operate under SCCs Module 2 (Controller-to-Processor) plus per-vendor Transfer Impact Assessments. Transfers are Schrems II compliant, and residual transfer risk is mitigated in practice by end-to-end encryption and pseudonymisation where applicable.

6. Retention

  • Account data: lifetime of subscription + 6 months.
  • Audit log entries: 7 years (financial / SOC 2 requirement).
  • AI provider call telemetry: 90 days.
  • Raw prompts/responses: 30 days unless you've opted into longer retention.
  • Backups: 35-day rolling, encrypted at rest with KMS-wrapped DEKs.

7. Your rights

Under GDPR you have the right to access, rectify, erase, port, object, restrict, and withdraw consent. We've built a one-form interface at /policies#dsr. Our response SLA is 30 days, per Article 12; requests are usually fulfilled within 72 hours.

8. Security

Tier-3 multi-tenant isolation: each tenant gets its own Postgres role with Row-Level Security and its own KMS scope for DEK wrapping. Application firewall plus WAF. Hippocrates auto-heal pulse. Append-only audit ledger. Annual third-party penetration test. Article 32 controls fully implemented.

9. Breach notification

Per Articles 33-34, we will notify the ICO within 72 hours of confirmed awareness of a personal data breach. Affected data subjects are notified directly with what was exposed and what we did about it. Automated breach detection runs on the Neon audit log, R2 access patterns, and Cloudflare WAF anomalies.

10. Cookies + analytics

See the Cookie Policy. We use only essential cookies plus, with your consent, privacy-respecting analytics (no cross-site tracking, no ad-tech).

11. Children

CharmEngine is not directed at children under 16. We do not knowingly collect data from minors.

12. Changes

Material changes are announced 30 days in advance via email and a prominent banner. The version history of this policy is published in the audit log.

13. Contact

Questions, concerns, or DSRs: dpo@charmengine.uk or use the structured DSR form. UK ICO: ico.org.uk/concerns.