Privacy Policy

Last updated: April 2026 · UK GDPR & Data Protection Act 2018

UK GDPR Compliance Summary
  • Tool inputs are processed transiently — not stored by FitOut Insider after response generation
  • Account data stored on Supabase EU servers in Ireland (eu-west-1)
  • No analytics cookies, advertising cookies, or third-party tracking scripts
  • Authentication uses a single HttpOnly session cookie — no personal data stored
  • API inputs are not used by Anthropic to train AI models (API policy)
  • You have the right to access, correct, or erase any personal data we hold

1. Who We Are

FitOut Insider is operated by Dariusz Kubies ("we", "us", "our"). For data protection enquiries, contact: hello@fitoutinsider.com. As the operator, we act as the data controller for any personal data processed by this Service.

2. What Data We Collect

We collect minimal data:
  • Account data: When you subscribe, Stripe collects your email and payment details. We receive only your email address to create your account.
  • Session authentication: A single encrypted session cookie is set when you log in. This cookie contains only a session token — no name, email, or personal data.
  • Tool inputs: Text and data you enter into tool forms are sent to the Anthropic Claude API to generate AI responses. This data is transmitted securely but is not stored by FitOut Insider after the response is generated.
  • Usage tracking: We record the number of AI requests used per month (no content, just counts) to enforce your plan allowance.
  • Feedback and support messages: If you submit feedback or contact support, the message content may be stored to help us improve the Service.

3. AI Processing — Anthropic Claude API

Tool inputs are processed by Anthropic's Claude API to generate outputs. Anthropic may process inputs in accordance with their own privacy policy and API terms of service. By Anthropic's policy, API inputs are not used to train AI models. We do not retain copies of your tool inputs after the response is generated. We recommend you do not input sensitive personal data (e.g. employee names, National Insurance numbers, or medical information) into tool forms unless necessary for the specific document being generated.

4. Data Storage

Account data and tool outputs you choose to save are stored in Supabase with EU-region servers in Ireland (eu-west-1). All connections are encrypted end-to-end (TLS 1.3). Your data is never used to train AI models. We do not share or sell your data with any third party. Our hosting infrastructure runs on Vercel (EU region) for serverless functions and CDN delivery.

5. Cookies

We use one essential cookie:
  • fitout-session: A session authentication cookie. Essential for Service access. No personal data. HttpOnly, Secure, SameSite=Strict. Duration: session-based (expires on sign-out or browser close).

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. See our Cookie Policy for full details.

6. Legal Basis for Processing (UK GDPR)

Our legal bases for processing are:
  • Contract performance (Article 6(1)(b)): Processing account and usage data to deliver the subscription service you have paid for.
  • Legitimate interests (Article 6(1)(f)): Session authentication, quota enforcement, and transient processing of tool inputs to deliver AI-generated outputs.
  • Consent (Article 6(1)(a)): For any optional feedback or support messages submitted.

7. Data Retention

  • Session cookies: Deleted on sign-out or browser close.
  • Tool inputs: Not retained after AI response generation.
  • Account data: Retained for the duration of your subscription plus 90 days after cancellation, then deleted.
  • Usage records: Retained for 13 months for billing and dispute purposes.
  • Feedback messages: Retained for up to 12 months to support Service improvement, then deleted.

8. Your Rights Under UK GDPR

You have the right to:
  • Access: Request a copy of any personal data we hold about you
  • Rectification: Correct any inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Request we limit processing of your data
  • Portability: Receive your data in a portable format
  • Objection: Object to processing based on legitimate interests

To exercise any of these rights, contact: hello@fitoutinsider.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Security

We implement appropriate technical and organisational measures to protect data, including: HTTPS/TLS 1.3 encryption for all data in transit; AES-256 encryption for data at rest (Supabase); HttpOnly and Secure flags on authentication cookies; Row Level Security (RLS) ensuring users can only access their own data. However, no system is entirely secure, and we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, and notify affected individuals without undue delay where the breach is likely to result in a high risk.

10. Sub-Processors and International Transfers

We use the following third-party sub-processors to deliver the Service:
  • Supabase (Ireland, EU) - Database and authentication. Your account data stays in the EU.
  • Anthropic (USA) - AI processing of tool inputs via API. Inputs are processed transiently and not retained. Anthropic operates under standard contractual clauses.
  • Vercel (USA/EU) - Hosting and serverless function delivery. EU region used where possible.
  • Stripe (USA/EU) - Payment processing. We receive only your email; Stripe holds payment card data.
  • SignWell (USA) - E-signature processing for documents sent for signing via the E-Signatures tool. SignWell processes signatory email addresses and document content. Governed by standard contractual clauses.

Data transfers to the USA (Anthropic, Vercel, Stripe, SignWell) are governed by standard contractual clauses (SCCs) or equivalent adequacy mechanisms under UK GDPR and EU GDPR.

11. Data Processing Agreement

A Data Processing Agreement (DPA) is available on request for Professional and Enterprise plan subscribers. Contact dpo@fitoutinsider.com to request a DPA.

12. EU GDPR and RODO

FitOut Insider is operated by Dariusz Kubies, established in Poland (EU). As such, we are also subject to EU GDPR — known in Poland as RODO (Rozporządzenie Parlamentu Europejskiego i Rady (UE) 2016/679). UK GDPR and EU GDPR are substantively identical and we apply the higher standard where any difference exists. Our lead supervisory authority for EU matters is the Polish data protection authority: UODO (Urząd Ochrony Danych Osobowych). EU-based data subjects may lodge complaints with UODO at uodo.gov.pl. UK-based data subjects may lodge complaints with the ICO at ico.org.uk.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are significant, we will notify subscribers by email at least 14 days before the changes take effect. The date of the most recent revision is noted at the top of this page.

14. Contact

Data controller: Dariusz Kubies
Email: hello@fitoutinsider.com
DPO enquiries: dpo@fitoutinsider.com
ICO complaints: ico.org.uk
UODO complaints (EU): uodo.gov.pl

Note: We are in the process of appointing a UK GDPR Article 27 representative. Details will be updated here once confirmed.