Privacy Policy
Last updated: 13 April 2025
1. Who we are
Litigo Limited (“we”, “us”, “our”) is the data controller for personal data collected through Company Reporter at companyreporter.ai. We are registered in England and Wales.
You can contact our data controller at: privacy@companyreporter.ai
This policy explains what personal data we collect, why we collect it, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.
2. Data we collect
Account data
- Email address and name (provided during sign-up or via Google OAuth);
- Encrypted password hash (if using email/password sign-up);
- Subscription status and billing tier.
Usage data
- Companies searched and reports generated (associated with your account if logged in);
- Saved reports and folders you create;
- API keys you generate and their usage.
Technical data
- IP address and approximate location (used for rate limiting and fraud prevention);
- Browser type, device type, and operating system;
- Pages visited and features used (via anonymised analytics).
Payment data
- Payment card details are collected and processed directly by Stripe. We do not store card numbers. We hold a Stripe customer ID associated with your account.
3. How we use your data
| Purpose | Lawful basis |
|---|---|
| Providing and operating the Service | Contract (Art. 6(1)(b) UK GDPR) |
| Processing payments and managing subscriptions | Contract (Art. 6(1)(b) UK GDPR) |
| Sending transactional emails (password reset, billing receipts) | Contract (Art. 6(1)(b) UK GDPR) |
| Rate limiting and fraud prevention | Legitimate interests (Art. 6(1)(f) UK GDPR) |
| Improving the Service through anonymised analytics | Legitimate interests (Art. 6(1)(f) UK GDPR) |
| Complying with legal obligations (e.g. tax records) | Legal obligation (Art. 6(1)(c) UK GDPR) |
| Sending product updates or marketing emails (where you have opted in) | Consent (Art. 6(1)(a) UK GDPR) |
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
4. Data sharing and third parties
We share your data with the following categories of third-party processors:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and storage | EU (AWS eu-west-2) |
| Stripe | Payment processing | USA (SCCs / adequacy) |
| Cloudflare | API hosting, CDN, DDoS protection | USA / EU PoPs |
| Anthropic | AI report generation (query content only) | USA (SCCs) |
| Vercel | Frontend hosting | USA / EU PoPs |
| Formspree | Waitlist form submissions | USA (SCCs) |
All processors are bound by data processing agreements. Where data is transferred outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions.
We do not sell your personal data to third parties. We do not share your data with advertisers.
5. Data retention
We retain your data for as long as your account is active. On account deletion:
- Account data and saved reports are deleted within 30 days;
- Billing records are retained for 7 years as required by UK tax law;
- Anonymised, aggregated usage data may be retained indefinitely.
6. Cookies and tracking
We use cookies and similar technologies to operate the Service. For full details, see our Cookie Policy.
7. Your rights under UK GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you;
- Rectification — ask us to correct inaccurate or incomplete data;
- Erasure — request deletion of your data (“right to be forgotten”), subject to legal retention obligations;
- Restriction — ask us to limit processing in certain circumstances;
- Portability — receive your data in a structured, machine-readable format;
- Objection — object to processing based on legitimate interests;
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, email privacy@companyreporter.ai. We will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Security
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS), encrypted storage, and access controls. No system is completely secure; we will notify you and the ICO of any breach that affects your rights and freedoms within 72 hours of becoming aware of it.
9. Children
The Service is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice within the Service. The “last updated” date at the top reflects the most recent revision.
11. Contact
For any privacy-related queries, contact us at privacy@companyreporter.ai.