This Privacy Policy explains how credit-hire.ai collects, uses, and protects personal data when you use this platform. We are committed to handling your data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
credit-hire.ai is operated by Steve Evans (“we”, “us”, “our”). We are the data controller for personal data processed through this platform.
We collect and process only a minimal amount of personal data:
Data
Purpose
Legal Basis
Full name
Account registration and identification
Performance of a contract (UK GDPR Art. 6(1)(b))
Email address
Account authentication, email confirmation, and account approval notifications
Performance of a contract (UK GDPR Art. 6(1)(b))
Research query text
The text of questions submitted to the AI research and tutor features, retained for quality assurance of the answers the platform gives (see the box below)
Legitimate interests (UK GDPR Art. 6(1)(f)) — maintaining the accuracy and quality of the service
How research queries are handled. When you submit a question to the AI research or tutor feature, the text of your question is transmitted to Anthropic's Claude API (see section 5) and a response is returned to your screen. To let us check the quality and accuracy of answers, the question text (capped at 2,000 characters) is also logged on our servers. The log records the question, its subject scope, and result counts only — it is not linked to your name, email address, or account. Logged queries are automatically deleted after 60 days. Please do not include client names, addresses, claim references, or other personal data in free-text research questions — the platform never needs this information to answer a question of law or rate methodology.
3. Document Analysis Tools (BHR Rebuttal Suite)
The BHR rebuttal tools (car/van, motorcycle, taxi, and witness-response variants) are designed so that the documents you analyse stay on your computer:
Local processing. When you load a witness statement (PDF or Word), the document is opened, text-extracted, and analysed entirely within your web browser. The document is never uploaded to our servers, and the rebuttal analysis does not send the statement to any AI model.
Session-only storage. Extracted statement data is held in your browser's session storage and is deleted automatically when you close the tab. We keep no copy.
Postcode distance checks. To test a rate surveyor's branch-distance claims, the tool sends the relevant postcodes (and their map coordinates) to two geocoding services: Postcodes.io (UK) and OpenRouteService (Germany, EU). Only the postcode or coordinates are sent — never names, claim references, or any other statement content.
Template-integrity diagnostics. If a loaded statement does not match the expected template for its provider (which can indicate the provider has changed their report format), the tool sends us a diagnostic alert so we can update the templates and contact the user if their analysis may have been affected. This alert contains the provider name, the rate surveyor's name, the identifiers of the template paragraphs that did not match, a short excerpt of the expected template text (drawn from our own reference data, not from the statement), the file name of the uploaded document, and the email address of the signed-in user. It does not contain the content of the witness statement or claimant details, and is retained for no longer than 6 months.
Crowd-sourced rate intelligence. The witness-response tool contributes anonymised market data back to the platform (provider, report date, hire dates, vehicle group, search location, and conviction/surcharge terms found). This contains no claimant-identifying information.
4. What We Do Not Collect
We do not collect, store, or process:
Witness statements or other documents analysed with the BHR rebuttal tools (these are processed in your browser and never reach our servers)
Client names, addresses, or claim references — the platform does not ask for them and does not need them
IP addresses or device identifiers beyond those automatically handled by our hosting infrastructure
Payment information (the platform currently operates without payment processing)
Cookies beyond those set by the authentication service for session management
5. How We Use Your Data
Your name and email address are used solely to:
Create and manage your account
Send you an email confirmation when you register
Notify you when your account access is approved
Display your email address within the application as confirmation you are signed in
We do not use your personal data for marketing, profiling, automated decision-making, or any purpose beyond the operation of your account. No data you submit is used to train any AI model — ours or anyone else's.
6. Third-Party Data Processors
We use the following third-party services to operate the platform. Each acts as a data processor on our behalf:
Processor
Role
Data involved
Server location
Vercel Inc. vercel.com
Application hosting and delivery
Standard web traffic data (IP address, request logs) handled by Vercel's infrastructure. We do not separately log or store this data.
United Kingdom (London). Our deployment is pinned to Vercel's London region (lhr1), so application hosting and server-side request processing remain within the UK.
Supabase Inc. supabase.com
Authentication, user account storage, and platform databases
United Kingdom — our Supabase project is hosted in AWS London (eu-west-2).
Anthropic PBC anthropic.com
AI processing for the research and tutor features only
The text of questions submitted to the AI research feature and messages exchanged with the AI tutor are sent to Anthropic's Claude API to generate a response. Anthropic does not use API inputs to train its models. Documents analysed with the BHR rebuttal tools are not sent to Anthropic.
United States. Data is transferred under the UK Extension to the EU-US Data Privacy Framework (the “UK-US Data Bridge”) and standard contractual clauses. See Anthropic's Privacy Policy.
Twilio SendGrid sendgrid.com
Transactional email delivery
Your email address (registration, approval, and notification emails) and the template-integrity diagnostic summaries described in section 3.
United States. Transfers rely on the UK-US Data Bridge and standard contractual clauses.
Driving-distance calculation for branch-distance checks
Map coordinates only — no names or other data.
Germany (EU). The EU is covered by UK adequacy regulations.
The application also loads open-source JavaScript libraries (for PDF and document handling) from the jsDelivr content delivery network; this involves no personal data beyond the standard IP-level web traffic inherent in loading any web page.
We do not share your personal data with any other third parties, sell your data, or use it for purposes unrelated to the operation of this platform.
7. International Data Transfers
The platform is hosted on Vercel's London (UK) infrastructure and our databases are held in Supabase's London (UK) region, so hosting and storage do not involve international transfers. Limited transfers occur only for the specific functions above:
Anthropic (US) — text submitted to the AI research and tutor features, under the UK-US Data Bridge and UK GDPR standard contractual clauses
Twilio SendGrid (US) — email delivery, under the UK-US Data Bridge and standard contractual clauses
OpenRouteService (Germany) — coordinate-only distance lookups, within the EU under UK adequacy regulations
Documents analysed with the BHR rebuttal tools are processed in your browser and are not transferred anywhere. You can request further information about transfer mechanisms by contacting us at the address in section 1.
8. Data Retention
We retain personal data as follows:
Account data (name, email) — for as long as your account remains active. If you request deletion, we will delete your personal data from the Supabase authentication database within 30 days, except where retention is required by law.
Research query log — anonymised question text is deleted automatically after 60 days.
Template-integrity diagnostics — deleted no later than 6 months after receipt.
Documents analysed in the BHR rebuttal tools — never stored by us; browser session data is deleted when you close the tab.
9. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
Right of access — to request a copy of the personal data we hold about you
Right to rectification — to request correction of inaccurate data
Right to erasure — to request deletion of your account and associated data
Right to restriction — to request that we restrict processing in certain circumstances
Right to data portability — to receive your data in a structured, machine-readable format
Right to object — to object to processing based on legitimate interests
To exercise any of these rights, contact us at sae@credithire.org.uk. We will respond within one calendar month.
10. Security
We take reasonable technical and organisational measures to protect your personal data, including:
All connections to the platform are encrypted via HTTPS/TLS
Authentication is handled by Supabase, which stores passwords using bcrypt hashing and provides secure token-based sessions
Server-side API endpoints require a valid authenticated session token and restrict cross-origin requests to the platform's own domain
Account registration requires email confirmation and manual approval by the platform administrator before access is granted
Our hosting and database providers (Vercel and Supabase) maintain SOC 2 Type II certification for their infrastructure
11. Children
This platform is intended for professional use by legal practitioners and claims professionals. It is not directed at children under the age of 18 and we do not knowingly collect data from minors.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The effective date at the top of this page will reflect the date of the most recent revision. Continued use of the platform after any update constitutes acceptance of the revised policy.
13. Complaints
If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):