Privacy Policy

Effective Date: 9 March 2026  ·  Version 1.0

This Privacy Policy applies to Business Legal Rating Ltd. and governs the collection, use, and disclosure of personal data when you use the Business Legal Rating platform at businesslegalrating.com. It complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.

1. Who We Are

Business Legal Rating Ltd. ("we", "us", "our") is the data controller responsible for your personal data. We operate the Business Legal Rating platform, which provides AI-powered legal preparedness assessments for businesses.

Our Data Protection Officer (DPO) can be contacted at [email protected]. For UK GDPR purposes, we are registered with the Information Commissioner's Office (ICO). For EU users, we have appointed a representative in the European Economic Area.

2. Data We Collect

We collect the following categories of personal data:

Category | Examples | Source
Identity Data | First name, last name, job title | Registration form
Contact Data | Email address, phone number | Registration form
Company Data | Company name, website, industry, size, country | Registration form
Assessment Data | Answers to 40 legal preparedness questions | Assessment form
Publicly Scraped Data | Information publicly available on your company website | Automated scraping
Account Data | OAuth login identifier, login method, last sign-in | Authentication provider
Payment Data | Stripe customer ID, payment intent ID (no card numbers stored) | Stripe (third party)
Technical Data | IP address, browser type, device type, operating system | Automatic collection
Usage Data | Pages visited, features used, time on site | Analytics cookies (with consent)
Cookie & Consent Data | Your cookie preferences and consent timestamp | Cookie banner

Special Categories: We do not intentionally collect special category data (e.g., health, race, religion, political opinions). If you inadvertently include such data in your assessment answers, please contact us immediately for removal.

3. How We Use Your Data

We use your personal data for the following purposes:

  • Providing the Service: Creating and managing your account, generating your legal rating, and displaying your results dashboard.
  • AI Analysis: Processing your assessment answers and scraped website data through our AI engine to produce a legal preparedness rating.
  • Website Scraping: Automatically retrieving publicly available information from the company website URL you provide, to supplement your assessment.
  • Payment Processing: Processing payments for premium features via Stripe.
  • Communications: Sending service-related emails (account confirmation, rating completion, payment receipts). We do not send marketing emails without your explicit consent.
  • Platform Improvement: Aggregated, anonymised analytics to improve our rating methodology and service quality.
  • Legal Compliance: Meeting our obligations under applicable laws and responding to lawful requests from authorities.
  • Fraud Prevention: Detecting and preventing fraudulent use of the platform.

5. Sharing Your Data

We do not sell your personal data. We share data only in the following circumstances:

  • Stripe: Payment processing. Stripe's privacy policy governs their handling of payment data. We never receive or store full card numbers.
  • AI / LLM Provider: Your assessment data is sent to our AI processing service to generate your rating. Data is processed under a data processing agreement and not used to train third-party models.
  • Cloud Infrastructure: Our hosting and database providers process data on our behalf under data processing agreements with appropriate safeguards.
  • Legal Requirements: We may disclose data if required by law, court order, or to protect the rights and safety of our users or the public.
  • Business Transfer: In the event of a merger, acquisition, or asset sale, your data may be transferred. We will notify you before such a transfer takes effect.

All third-party processors are contractually bound to process data only on our instructions and in compliance with applicable data protection law.

6. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected:

  • Account and Profile Data: Retained for the duration of your account plus 3 years after account closure, unless you request earlier deletion.
  • Assessment and Rating Data: Retained for 7 years to support rating history, dispute resolution, and regulatory compliance.
  • Payment Records: Retained for 7 years in accordance with financial record-keeping requirements.
  • Cookie Consent Records: Retained for 3 years as evidence of consent.
  • Technical / Log Data: Retained for 90 days for security and debugging purposes.

Upon expiry of the applicable retention period, data is securely deleted or anonymised.

7. Your Rights

Under UK GDPR and EU GDPR, you have the following rights:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
  • Right to Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
  • Right to Lodge a Complaint: You have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk (UK) or your local supervisory authority (EU).

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioural advertising.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a verifiable consumer request, contact us at [email protected] with the subject line "CCPA Request". We will respond within 45 days.

9. International Data Transfers

Your data may be transferred to and processed in countries outside the UK or European Economic Area (EEA), including the United States. Where we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the UK ICO or European Commission;
  • Adequacy decisions where the recipient country provides equivalent data protection; or
  • Other lawful transfer mechanisms under UK GDPR Chapter V.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

  • Encryption of data in transit (TLS 1.2+) and at rest;
  • Access controls limiting data access to authorised personnel only;
  • Regular security assessments and penetration testing;
  • Secure session management with signed, HTTP-only cookies.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.

11. Children's Privacy

The Business Legal Rating platform is intended for business use only and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and by displaying a prominent notice on the platform. The "Effective Date" at the top of this page will be updated accordingly. Your continued use of the platform after changes take effect constitutes acceptance of the revised policy.

13. Contact Us

For any privacy-related questions, requests, or complaints, please contact our Data Protection Officer:

Business Legal Rating Ltd.

Data Protection Officer

Email: [email protected]

For UK GDPR complaints: Information Commissioner's Office (ICO) — ico.org.uk
