
Privacy Policy

Last updated · 30 April 2026

RequireFlow Ltd (“RequireFlow”, “we”, “us”) is committed to protecting your personal data. This policy explains what we collect, why we collect it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

We are the data controller for personal data we collect about visitors to our website and account holders. RequireFlow Ltd is registered in England & Wales. You can reach our Data Protection contact at privacy@requireflow.co.uk.

2. Personal data we collect

  • Account data: name, work email, organisation, hashed password, role.
  • Workspace content: stakeholder lists, interview responses, requirements, documents you upload or generate.
  • Usage data: pages viewed, features used, IP address, browser, timestamps.
  • Communications: support requests, email replies, feedback you send us.
  • Billing data: limited data passed to our payment processor; we do not store full card details.

3. How we use your data and the legal basis

Purpose | Legal basis (UK GDPR Art. 6)
Provide, secure and maintain the platform | Performance of a contract
Send service emails (auth, billing, transactional) | Performance of a contract
Comply with legal, tax and accounting obligations | Legal obligation
Improve the product and detect abuse | Legitimate interests
Marketing emails & analytics cookies | Consent (you can withdraw at any time)

4. Sharing & sub-processors

We share data only with vetted sub-processors needed to run the service:

  • Lovable Cloud / Supabase — managed database, authentication and storage (UK / EU regions).
  • Resend — transactional email delivery.
  • Stripe — payment processing (when billing is enabled).
  • OpenAI / Google AI Gateway — large-language-model processing of requirements content; data is not used to train their models.

5. International transfers

Your data is hosted in UK and EU regions wherever possible. Where transfers outside the UK/EEA are necessary (for example to a US-based AI provider), we rely on the UK International Data Transfer Agreement or the EU Standard Contractual Clauses with the UK Addendum.

6. Retention

We retain account and workspace data for as long as your workspace is active and for up to 90 days after deletion to allow recovery, after which it is permanently erased from primary systems. Backups are rotated on a 30-day cycle. Billing records are kept for 6 years to meet UK accounting law.

7. Your rights

You have the right to: access, rectify, erase, restrict, port and object to processing of your data, and to withdraw consent at any time. Email privacy@requireflow.co.uk to exercise any right. You may also lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).

8. Security

We use TLS in transit, encryption at rest, row-level security in our database, least-privilege access controls, audit logs, and regular penetration testing. No system is perfectly secure — please report suspected vulnerabilities to security@requireflow.co.uk.

9. Changes

We will notify account holders by email of material changes at least 30 days before they take effect.

© 2026 RequireFlow Ltd · Registered in England & Wales · UK & EU data residency