Privacy Policy
1. Introduction
Unbounded Software Ltd ("we", "us", "our") operates Company Intelligence, a company data intelligence platform. We are committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This Privacy Policy explains what personal data we collect, how we use it, and your rights in relation to it.
Data Controller: Unbounded Software Ltd
Contact: [email protected]
2. Data We Collect
2.1 Account Information
When you register for an account, we collect:
- Email address
- Password (stored securely using one-way hashing)
- Name (if provided)
- Organisation name (if provided)
2.2 Billing Information
If you subscribe to a paid plan, payment information is collected and processed by our payment partners (Stripe for web payments, Apple via the App Store for iOS). We do not store your full card number or payment credentials on our servers. We may receive and store:
- Subscription tier and status
- Payment history and invoice references
- Last four digits of your card (via Stripe)
2.3 Usage Data
We automatically collect data about how you use the Service, including:
- Pages visited and features used
- Search queries
- Companies and officers viewed
- Timestamps and frequency of access
- Device type, browser, and operating system
- IP address
2.4 Session Recordings
We use PostHog to record anonymised session replays of how users interact with the Service. These recordings help us understand usability issues and improve the product. Session recordings may capture:
- Mouse movements, clicks, and scrolls
- Page navigation
- Form interactions (sensitive fields such as passwords are automatically masked)
3. How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service | Performance of contract |
| Processing payments and managing subscriptions | Performance of contract |
| Sending essential service communications (e.g. password resets, billing alerts) | Performance of contract |
| Analysing usage patterns to improve the Service | Legitimate interest |
| Session replay for UX improvement | Legitimate interest |
| Preventing fraud and enforcing our Terms | Legitimate interest |
| Complying with legal obligations | Legal obligation |
We do not sell your personal data to third parties. We do not use your data for automated decision-making or profiling that produces legal effects.
4. Cookies and Tracking
4.1 Essential Cookies
We use the following essential cookies that are strictly necessary for the Service to function:
- ci_session — Session authentication cookie. Keeps you logged in.
4.2 Analytics
We use PostHog (self-hosted/cloud) for product analytics and session replay. PostHog may set cookies or use local storage to:
- Assign an anonymous user identifier
- Track page views and feature usage
- Record session replays
PostHog data is used solely by us to improve the Service. We do not share PostHog data with advertisers or other third parties.
4.3 No Advertising Trackers
We do not use advertising cookies, retargeting pixels, or any third-party advertising trackers.
5. Third-Party Services
We share data with the following third-party services, only as necessary to operate the Service:
| Service | Purpose | Data Shared |
|---|---|---|
| PostHog | Product analytics and session replay | Usage data, anonymised session recordings |
| Stripe | Web payment processing | Email, payment details, billing address |
| RevenueCat | Subscription management (iOS) | App user ID, subscription status |
| Companies House | Source of UK company data | API requests (no personal data sent) |
| Railway | Infrastructure hosting | Data stored in our database |
Each third party processes data in accordance with their own privacy policy. We ensure all third parties provide adequate data protection safeguards.
6. Data Retention
- Account data: Retained for the lifetime of your account, plus 30 days after deletion to allow for recovery
- Usage and analytics data: Retained for up to 24 months, then anonymised or deleted
- Session recordings: Automatically deleted after 90 days
- Billing records: Retained for 7 years as required by UK tax law
- Server logs: Retained for 30 days for security and debugging purposes
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) for all connections
- Passwords hashed using industry-standard one-way algorithms
- Per-IP rate limiting to prevent abuse
- Regular security reviews of our infrastructure
- Access to personal data restricted to authorised personnel only
8. Your Rights (UK GDPR)
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access — Request a copy of the personal data we hold about you
- Right to rectification — Request correction of inaccurate or incomplete data
- Right to erasure — Request deletion of your personal data ("right to be forgotten")
- Right to restrict processing — Request that we limit how we use your data
- Right to data portability — Receive your data in a structured, machine-readable format
- Right to object — Object to processing based on legitimate interest, including analytics and session replay
- Right to withdraw consent — Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at [email protected]. We will respond within one month.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9. International Transfers
Our infrastructure is hosted on servers that may be located outside the UK. Where personal data is transferred outside the UK, we ensure adequate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions, in compliance with UK GDPR.
10. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice within the Service. The "Last updated" date at the top of this page indicates when the policy was most recently revised.
12. Contact Us
For any questions or concerns about this Privacy Policy or our data practices, please contact:
Unbounded Software Ltd
Email: [email protected]