Privacy Policy
Version 1.2 — Last updated: 1 July 2026
1. Identity and Contact Details
The data controller responsible for your personal data is:
We are registered in England and Wales. References in this policy to "we", "us", or "our" refer to Agent Platoon Ltd.
2. What Data We Collect
We collect and process the following categories of personal data:
- Account data — your name and email address, collected when you create an account.
- Service data — the information you provide through our service forms, including personal details required to generate your requested documents (for example, names, addresses, dates of birth, and details specific to each service).
- Portfolio and workforce data — if you use our lettings or HR services, the records you create about properties, tenancies, and employees (for example, tenant names and contact details, rent and deposit information, employee names, roles, and start dates) together with the compliance deadlines we calculate from them.
- Uploaded documents and templates — documents you upload for analysis or as reusable templates. These may contain personal data; we recommend uploading blank templates wherever possible.
- Payment data — payment transactions are processed securely by Stripe. We do not store your full card details on our servers. We retain only a transaction reference and payment status.
- Technical data — browser type and version, collected automatically when you use our platform, solely for the purpose of recording consent.
3. Lawful Basis for Processing
We rely on the following lawful bases under Article 6 of the UK GDPR:
- Contract performance (Article 6(1)(b)) — processing your personal data is necessary for us to deliver the services you have requested and paid for.
- Explicit consent (Article 9(2)(a)) — where we process special category data (see section 4 below), we do so only with your explicit, informed consent.
- Legitimate interests (Article 6(1)(f)) — we process certain data for the purposes of platform security, fraud prevention, and service improvement, where those interests are not overridden by your rights and freedoms.
4. Special Category Data
Some of our services require us to process special category personal data as defined under Article 9 of the UK GDPR. We are transparent about what we collect and why:
- Religious beliefs — our Islamic will drafting service collects information about your madhab (school of Islamic jurisprudence) to ensure your will is drafted in accordance with your faith.
- Criminal record data — our visa assessment service may ask whether you have any criminal convictions or immigration breaches, as this information is relevant to assessing your visa eligibility.
- Health data — our Lasting Power of Attorney (LPA) service for health and welfare collects your preferences regarding medical treatment and life-sustaining treatment decisions.
We will always ask for your explicit consent before processing any special category data. You may withdraw your consent at any time, although this may mean we are unable to provide the relevant service.
5. Information You Provide About Other People
Many of our services involve you providing personal data about people other than yourself — for example, your tenants, your employees, beneficiaries of a will, or family members. Where you do so:
- You confirm that you are entitled to share that information with us for the purpose of generating the requested documents and tracking the related legal obligations — for example, because it is necessary for your tenancy agreement or employment relationship with them.
- We process that information only to provide the service to you, applying the same safeguards described in this policy (including pseudonymisation before AI processing).
- The people whose data you provide have the same rights set out in section 10 of this policy. If they contact us to exercise those rights, we may need to inform you as the account holder.
6. AI Processing Disclosure
Your data is processed by artificial intelligence systems to generate your requested documents. Specifically:
- We use Anthropic's Claude AI to analyse the information you provide and generate documents, legal information, and contract reviews.
- Where possible, personally identifiable information (PII) is redacted and replaced with anonymous tokens before being sent to the AI for processing. Real names and identifying details are restored in the final document only after AI processing is complete.
- When you upload a document or template for analysis, email addresses, phone numbers, and National Insurance numbers detected in the text are replaced with anonymous tokens before the content is sent for AI analysis, and restored only on our own systems.
- Your data is not used to train AI models. Anthropic does not use data submitted through our API for model training purposes.
7. Data Sharing
We share your personal data only with the following third parties, and only to the extent necessary to provide our services:
- Anthropic (AI processing) — your service data (with PII redacted where possible) is sent to Anthropic for AI document generation. This is governed by a Data Processing Agreement.
- Stripe (payment processing) — your payment details are processed by Stripe in accordance with their privacy policy. We do not have access to your full card details.
- Supabase (hosting and database) — your account data, service data, and consent records are stored in our database hosted by Supabase.
We do not sell your personal data to any third party. We do not share your data for marketing purposes.
8. Data Security
We take the security of your personal data seriously and apply a range of technical and organisational measures to protect it:
- UK hosting — your account data and service data are stored in a database hosted in the United Kingdom (London region), operated on our behalf by Supabase.
- Encryption in transit and at rest — all data transmitted between your device and our platform is encrypted using HTTPS/TLS, and data stored in our database is encrypted at rest.
- Tenant isolation — we use database row-level security (RLS) so that each account can only access its own data. Authentication is handled by Supabase (email and password, or Google sign-in), and access tokens are verified on our servers.
- Pseudonymisation before AI processing — where possible, personally identifiable details (such as names, email addresses, phone numbers, and National Insurance numbers) are replaced with anonymous tokens before your text is sent to our AI provider, and restored only on our own systems. See section 6 for more detail.
- Payment security — card payments are handled by Stripe, a PCI DSS compliant payment processor. We never store your full card details; we retain only a transaction reference and payment status.
- Access controls — access to administrative functions is restricted to a limited allowlist of authorised platform operators.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If you believe your account has been compromised, or you have a concern about the security of your data, please contact us at dpo@agentplatoon.com so we can investigate.
9. Data Retention
We retain your personal data only for as long as is necessary for the purposes set out in this policy:
- Order data — retained for 2 years from the date of the order, after which it is automatically deleted.
- Account data — retained until you delete your account. You may request account deletion at any time through your account settings or by contacting us.
- Consent records — retained for 6 years to demonstrate compliance with our legal obligations under the UK GDPR.
10. Your Rights
Under the UK GDPR, you have the following rights in relation to your personal data:
- Right of access (Article 15) — you have the right to obtain a copy of the personal data we hold about you.
- Right to rectification (Article 16) — you have the right to request correction of inaccurate personal data.
- Right to erasure (Article 17) — you have the right to request deletion of your personal data, subject to any legal obligations requiring us to retain it.
- Right to restriction of processing (Article 18) — you have the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability (Article 20) — you have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object (Article 21) — you have the right to object to the processing of your personal data where we rely on legitimate interests as the lawful basis.
11. How to Exercise Your Rights
You may exercise your data protection rights by:
- Emailing us at support@agentplatoon.com with the subject line "Data Rights Request".
- Using the self-service options on your account page, where you can download a copy of your data or delete your account.
We will respond to all data rights requests within one month of receipt, as required by the UK GDPR. In exceptional circumstances, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for it.
12. Cookies
We use only strictly necessary cookies. We do not use any tracking, analytics, or advertising cookies.
The only cookies set by our platform are:
- Supabase authentication session cookie — this is a strictly necessary cookie required to keep you logged in to your account. It is essential for the functioning of the service and does not track your behaviour.
Because we use only strictly necessary cookies, consent is not required under the Privacy and Electronic Communications Regulations 2003 (PECR). However, we provide a notice informing you of our cookie usage for transparency.
13. International Transfers
Some of our third-party processors are based outside the United Kingdom. Where your personal data is transferred internationally, we ensure appropriate safeguards are in place:
- Anthropic (United States) — transfers are protected by the International Data Transfer Agreement (IDTA) and Standard Contractual Clauses (SCCs) approved by the ICO.
- Supabase (United States / European Union) — transfers are protected by Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Each version will be numbered and dated. When we make material changes, we will update the version number and date at the top of this page and, where appropriate, notify you by email or through the platform.
Your continued use of the services after any changes constitutes acceptance of the updated policy. If you do not agree with the updated policy, you should stop using the services and, if you wish, request deletion of your account.
15. Complaints to the ICO
If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
We would, however, appreciate the opportunity to address your concerns before you approach the ICO. Please contact us at support@agentplatoon.com in the first instance.
Contact
If you have any questions about this Privacy Policy, please contact us: