Privacy Policy

Last updated: 29 April 2026

1. Who we are

Bracton is operated by Blackwell Advisory Ltd (Company No. 17067535).

Registered office: Advantage House, Stowe Court, WS13 6AQ, United Kingdom.

Privacy contact: support@bracton.org

2. Personal data we process

We process account information (name, email), document workflow data (questionnaire answers, generated document content, file metadata), support communications, and technical/security data (IP address, device data, browser, authentication and audit logs).

Payment card details are processed by Stripe and are not stored by Bracton. We receive limited billing and transaction records (for example payment status, amount, and Stripe customer/subscription identifiers).

3. How we use your data and lawful bases

We use personal data to provide the service you purchase (account access, document generation, subscription administration), to process payments, to respond to support requests, to secure and improve the platform, and to comply with legal obligations.

Our UK GDPR lawful bases are:

• Contract (Article 6(1)(b)) to deliver paid digital content and subscriptions.

• Legal obligation (Article 6(1)(c)) for tax, accounting, and compliance records.

• Legitimate interests (Article 6(1)(f)) for fraud prevention, platform security, and service analytics.

• Consent (Article 6(1)(a)) where required, including non-essential cookies/analytics.

4. Processors and third parties

We use specialist service providers to operate Bracton, including:

• Stripe (payment processing and billing operations)

• Supabase (database, authentication, and storage infrastructure)

• Vercel (application hosting and delivery infrastructure)

• Microsoft Clarity (usage analytics/session insights, subject to consent for non-essential tracking)

• Resend (transactional email delivery for account sign-in links and purchase confirmations; processes your email address and transactional message content; hosted in the EU (Ireland); privacy policy: https://resend.com/legal/privacy-policy)

We share only data required for each provider's function and use contractual and technical safeguards to protect it.

5. International transfers

Some providers may process data outside the UK. Where this occurs, we rely on recognised transfer safeguards (such as UK International Data Transfer Agreement/addendum mechanisms or equivalent lawful measures).

6. Retention

We keep personal data only as long as reasonably necessary for service delivery, security, legal, and accounting purposes. Retention periods vary by record type.

Typical periods include:

• Account and document records: while your account remains active and for a reasonable post-closure period.

• Billing and transaction records: up to 6 years where required for UK tax/accounting compliance.

• Security and technical logs: retained for proportionate security and abuse-prevention periods.

7. Your UK GDPR rights

Subject to legal conditions and exemptions, you may request access, correction, erasure, restriction, objection, portability, and withdrawal of consent (where processing is consent-based).

To exercise rights, contact support@bracton.org. We may request verification information before completing your request.

You also have the right to complain to the Information Commissioner's Office (ICO) if you believe your data has been handled unlawfully.

8. Security

We apply proportionate technical and organisational measures designed to protect data against unauthorised access, loss, misuse, or alteration. No internet service can be guaranteed as completely secure.

9. Marketing and service messages

We may send service and transactional communications necessary to run your account and purchases. Any optional marketing communications are managed in accordance with applicable consent and opt-out rules.

10. Changes to this policy

We may update this Privacy Policy from time to time. The latest version will always be posted on this page with the updated date.