Privacy Policy
Effective date: 21 March 2026 · Last updated: 21 March 2026
1. Introduction
Borsch.AI (“we”, “us”, “our”) operates the Borsch.AI platform (the “Service”), an AI-powered business intelligence platform for UK company research, risk scoring, and due diligence.
This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
We are the data controller for all personal data processed through the Service. For questions about data protection, contact us at the email address above.
3. Personal Data We Collect
3.1 Account Data (provided by you)
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, login, notifications | Contract |
| Display name | Profile personalisation | Contract |
| Password (bcrypt hash) | Authentication | Contract |
| 2FA secret (if enabled) | Two-factor authentication | Consent |
3.2 Technical Data (collected automatically)
| Data | Purpose | Legal Basis |
|---|---|---|
| IP address | Security, rate limiting, fraud prevention | Legitimate interest |
| User-Agent string | Session management, security | Legitimate interest |
| Authentication tokens | Session management | Contract |
3.3 Subscription & Billing Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Subscription plan | Service delivery, entitlements | Contract |
| Stripe Customer & Subscription IDs | Payment processing | Contract |
| Usage statistics (token counts) | Billing, fair use enforcement | Contract |
We do not store credit card numbers, bank details, or other financial instruments. All payment processing is handled by Stripe, Inc. in accordance with PCI DSS standards.
3.4 AI Chat Data
When you use the AI chat feature, your queries and conversation context are sent to Anthropic (Claude API) for processing. Conversations may be stored to enable cross-session memory and conversation history. You can delete your conversations at any time from your account settings.
3.5 Data We Do Not Collect
- We do not use analytics or tracking services (no Google Analytics, Mixpanel, etc.)
- We do not use advertising cookies or tracking pixels
- We do not sell, rent, or trade personal data to third parties
- We do not profile users for marketing purposes
4. Public Register Data (Third-Party Personal Data)
The Service aggregates publicly available information from over 50 official UK government data sources, including Companies House, the Financial Conduct Authority, the Information Commissioner's Office, HM Treasury sanctions lists, and others.
This data may include names, dates of birth (partial — month and year only), postcodes, and appointment details of company directors, persons of significant control (PSCs), and other officeholders. This information is sourced from statutory public registers and is processed under the following legal bases:
- Public task — processing is necessary for a task carried out in the public interest (Art. 6(1)(e) UK GDPR)
- Legitimate interest — business due diligence, risk assessment, and compliance (Art. 6(1)(f) UK GDPR)
Data from public registers is available to all authenticated users of the Service. We do not publish private addresses, full dates of birth, or other sensitive personal data beyond what is already publicly available in the source registers.
5. Cookies & Local Storage
We use only essential cookies and local storage items required for the Service to function. We do not use any tracking, analytics, or advertising cookies.
| Item | Type | Purpose | Duration |
|---|---|---|---|
| auth_authenticated | Cookie | Authentication state hint | Session |
| Access token | Local storage | API authentication (JWT) | 30 minutes |
| Refresh token | Local storage | Session renewal | 30 days |
| cookie_consent | Local storage | Remember cookie consent choice | Permanent |
| Cloudflare Turnstile | Cookie | Bot protection during authentication | Session |
Under PECR (Privacy and Electronic Communications Regulations 2003), consent is not required for strictly necessary cookies. All cookies and storage items listed above are essential for the operation of the Service.
6. Third-Party Processors
We share personal data with the following third-party service providers (sub-processors), each bound by data processing agreements:
| Sub-processor | Data shared | Location | Purpose |
|---|---|---|---|
| Anthropic | Chat queries, conversation context | United States | AI analysis (Claude API) |
| Stripe | Email, subscription details | United States / EU | Payment processing |
| Resend | Email address | United States | Transactional emails |
| Cloudflare | IP address, browser fingerprint | Global (CDN) | Bot protection (Turnstile) |
| OAuth token (if Google login used) | United States | Authentication (optional) |
7. International Data Transfers
Some of our sub-processors are based in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:
- UK International Data Transfer Agreement (UK IDTA)
- Standard Contractual Clauses (SCCs) approved by the ICO
- Adequacy decisions where available
8. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Until account deletion |
| Chat conversations | Until deleted by user or account deletion |
| Refresh tokens | 30 days (auto-expired) |
| Email verification tokens | 24 hours (single-use) |
| Password reset tokens | 1 hour (single-use) |
| API usage logs | Monthly aggregates retained; detailed logs 90 days |
| Public register data | Updated periodically from source; retained indefinitely as public record |
9. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate personal data
- Right to erasure — request deletion of your account and personal data
- Right to data portability — receive your data in a machine-readable format
- Right to restrict processing — request limitation of data processing
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — withdraw consent at any time (e.g., 2FA)
To exercise any of these rights, contact us at privacy@borsch.ai. We will respond within 30 days.
Note on public register data: Rights to erasure and rectification may not apply to data sourced from statutory public registers (e.g., Companies House), as we are not the original data controller for this information. Requests should be directed to the relevant public authority.
10. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- HTTPS/TLS 1.2+ encryption for all data in transit
- Bcrypt password hashing with salt
- JWT-based authentication with short-lived access tokens
- Rate limiting on authentication endpoints
- Input validation and SQL injection prevention
- Prompt injection protection for AI features
- CORS restrictions and security headers (HSTS, CSP, X-Frame-Options)
- PII redaction in AI processing pipeline
11. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete such information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 30 days before taking effect. The “Last updated” date at the top of this page reflects the most recent revision.
13. Complaints
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Contact
For privacy-related enquiries: privacy@borsch.ai
For general support: Contact Us