
Privacy Policy

Last updated: April 2026 · UK GDPR & Data Protection Act 2018

UK GDPR Compliance Summary
  • Tool inputs are processed transiently - not stored by FitOut Insider after response generation
  • Account data stored on Supabase EU-region servers
  • No analytics cookies, advertising cookies, or third-party tracking scripts
  • Authentication uses a single HttpOnly session cookie that holds only a session token - no personal data is stored in the cookie
  • API inputs are not used by Anthropic to train AI models (API policy)
  • You have the right to access, correct, or erase any personal data we hold

1. Who We Are

Fit Out Insider is a trading name of Dariusz Kubies Services ("we", "us", "our"). For data protection enquiries, contact: hello@fitoutinsider.com. As the data controller, we are responsible for any personal data processed by this Service.

2. What Data We Collect

We collect minimal data:
  • Account data: When you subscribe, Stripe collects your email and payment details. We receive only your email address to create your account.
  • Registration IP address: We record your IP address at the point of account creation as part of our terms-of-service acceptance record. This is retained solely as legal evidence that you agreed to our Terms of Service at a specific time and place, in accordance with our legitimate interests under UK GDPR Article 6(1)(f). It is never used for tracking or marketing, is not surfaced in your account, and is accessible only via a restricted internal compliance export.
  • Session authentication: A single encrypted session cookie is set when you log in. This cookie contains only a session token - no name, email, or other personal data.
  • Tool inputs: Text and data you enter into tool forms are sent to the Anthropic Claude API to generate AI responses. This data is transmitted securely but is not stored by FitOut Insider after the response is generated.
  • Usage tracking: We record the number of AI requests used per month (no content, just counts) to enforce your plan allowance.
  • Feedback and support messages: If you submit feedback or contact support, the message content may be stored to help us improve the Service.
  • Technical error logs: When a technical error occurs in the platform, we automatically record the error message, the page URL where the error occurred, your browser type, and (if you are signed in) your user account identifier. This data is used exclusively to diagnose and fix technical issues affecting the Service. It is stored in our Supabase database (EU region) and is never shared with any third party.

3. AI Processing - Anthropic Claude API

Tool inputs are processed by Anthropic's Claude API to generate outputs. Anthropic may process inputs in accordance with their own privacy policy and API terms of service. By Anthropic's policy, API inputs are not used to train AI models. We do not retain copies of your tool inputs after the response is generated. We recommend you do not input sensitive personal data (e.g. employee names, National Insurance numbers, or medical information) into tool forms unless necessary for the specific document being generated.

4. Data Storage

Account data and tool outputs you choose to save are stored in Supabase (PostgreSQL), hosted in the EU (Frankfurt, Germany). All connections are encrypted in transit (TLS 1.3). Your data is never used to train AI models. We do not sell your data, and we share it only with the sub-processors listed in Section 10, to the extent needed to deliver the Service. Our hosting infrastructure runs on Vercel for serverless functions and global CDN delivery.

5. Cookies

We use one essential cookie:
  • fitout-snonce: A session authentication cookie. Essential for Service access. No personal data. HttpOnly, Secure, SameSite=Strict. Duration: session-based (expires on sign-out or browser close).
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. See our Cookie Policy for full details.

6. Legal Basis for Processing (UK GDPR)

Our legal bases for processing are:
  • Contract performance (Article 6(1)(b)): Processing account and usage data to deliver the subscription service you have paid for.
  • Legitimate interests (Article 6(1)(f)): Session authentication, quota enforcement, and transient processing of tool inputs to deliver AI-generated outputs; recording your IP address at registration to maintain an auditable record of terms-of-service acceptance (fraud prevention and legal compliance); and automatic technical error logging to identify and resolve platform issues affecting service delivery.
  • Consent (Article 6(1)(a)): For any optional feedback or support messages submitted.

7. Data Retention

  • Session cookies: Deleted on sign-out or browser close.
  • Tool inputs: Not retained after AI response generation.
  • Account data: Retained for the duration of your subscription plus 90 days after cancellation, then deleted.
  • Registration IP address: Retained for the duration of your account plus 90 days after deletion, then permanently removed. Retained solely as part of the terms-of-service acceptance record.
  • Usage records: Retained for 13 months for billing and dispute purposes.
  • Feedback messages: Retained for up to 12 months to support Service improvement, then deleted.
  • Technical error logs: Retained for 90 days to support issue diagnosis and resolution, then automatically deleted.

8. Your Rights Under UK GDPR

You have the right to:
  • Access: Request a copy of any personal data we hold about you
  • Rectification: Correct any inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Request that we limit processing of your data
  • Portability: Receive your data in a portable format
  • Objection: Object to processing based on legitimate interests
To exercise any of these rights, contact: hello@fitoutinsider.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Security

We implement appropriate technical and organisational measures to protect data, including: HTTPS/TLS 1.3 encryption for all data in transit; AES-256 encryption for data at rest (Supabase); HttpOnly and Secure flags on authentication cookies; Row Level Security (RLS) ensuring users can only access their own data. However, no system is entirely secure, and we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, and notify affected individuals without undue delay where the breach is likely to result in a high risk.

10. Sub-Processors and International Transfers

We use the following third-party sub-processors to deliver the Service:
  • Supabase (EU region) - Database and authentication. Your account data stays in the EU.
  • Anthropic (USA) - AI processing of tool inputs via API. Inputs are processed transiently and not retained. Anthropic operates under standard contractual clauses.
  • Vercel (USA/EU) - Hosting and serverless function delivery. EU region used where possible.
  • Stripe (USA/EU) - Payment processing. We receive only your email; Stripe holds payment card data.
  • SignWell (USA) - E-signature processing for documents sent for signing via the E-Signatures tool. SignWell processes signatory email addresses and document content. Governed by standard contractual clauses.
Data transfers to the USA (Anthropic, Vercel, Stripe, SignWell) are governed by standard contractual clauses (SCCs) or equivalent adequacy mechanisms under UK GDPR and EU GDPR.

11. Data Processing Agreement

Data Processing Agreements (DPAs) are in place with each sub-processor via their standard contractual terms. We do not share personal data with any processor that does not provide adequate data protection guarantees. A formal DPA with Fit Out Insider is available on request for Professional and Enterprise plan subscribers. Contact hello@fitoutinsider.com to request one.

12. EU GDPR and RODO

Fit Out Insider is a trading name of Dariusz Kubies Services, established in Poland (EU). As an EU-established entity, we are also subject to EU GDPR, known in Poland as RODO (Rozporządzenie Parlamentu Europejskiego i Rady (UE) 2016/679). UK GDPR and EU GDPR are substantively identical, and we apply the higher standard where any difference exists. Both regimes apply because the Service processes data from both UK-based and EU-based users. Our lead supervisory authority for EU matters, under the one-stop-shop mechanism, is the Polish data protection authority, UODO (Urząd Ochrony Danych Osobowych); EU-based data subjects may lodge complaints with UODO at uodo.gov.pl. UK-based data subjects may lodge complaints with the ICO at ico.org.uk.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are significant, we will notify subscribers by email at least 14 days before the changes take effect. The date of the most recent revision is noted at the top of this page.

14. Contact

Data controller: Dariusz Kubies Services (trading as Fit Out Insider)
Email: hello@fitoutinsider.com
Privacy enquiries: hello@fitoutinsider.com
ICO complaints: ico.org.uk
UODO complaints (EU): uodo.gov.pl
UK Article 27 representative: We are in the process of appointing a UK GDPR Article 27 representative. Details will be updated here once confirmed.