Draft. This document is a first draft pending review by our legal advisers. If you have questions about it, email hello@premly.co.uk. Last reviewed by: pending.

Privacy Policy

Last updated: 14 May 2026

About this policy

This policy explains how Premly handles personal data. It applies to anyone who visits premly.co.uk, signs up for Premly, uses our service, or whose data is processed by us as part of a customer's account.

Premly is operated by Mirae Advisory Ltd, a company registered in England and Wales (company number: TBC), trading as Premly. Our registered office is TBC. You can contact us at hello@premly.co.uk for any privacy matters.

We are registered with the Information Commissioner's Office under registration number TBC. If you have a complaint about how we handle your data and you have not been able to resolve it with us, you can contact the ICO at ico.org.uk.

Two roles: controller and processor

Premly handles personal data in two distinct ways.

For our own business (signing customers up, taking payment, sending account emails, improving the service), we are the data controller. We decide what data to collect and what to do with it.

When a customer uses Premly to manage their compliance, the customer uploads data about their responsible person and staff. For this data, the customer is the data controller and we are a data processor acting on the customer's instructions.

This policy covers both roles. The "Data we collect about you directly" section covers our role as a controller. The "Data we process on your behalf as a processor" section covers our role as a processor.

Data we collect about you directly

When you visit premly.co.uk, we collect: your IP address, browser type and version, operating system, the pages you visit, the time of your visit, and information about how you got to our site. We use this for security and to understand how the site is being used.

When you sign up for Premly, we collect: your name, business name (where given), email address, and any contact details you provide.

When you pay for Premly, our payment processor Stripe handles your payment details. We do not store your card number or other payment credentials. We receive a transaction reference, the amount, the date, and the outcome (succeeded, failed, refunded).

When you contact us, we keep records of your messages and our replies.

Why we process this data, and our lawful basis

We process your account data because we need to in order to provide the service you have signed up for. Our lawful basis is performance of a contract with you.

We process payment data because we are required to keep accurate financial records under UK accounting law. Our lawful basis is compliance with a legal obligation.

We process visitor data (IP, browser, page visits) on the basis of our legitimate interest in keeping the site secure and understanding how it is used. We do not use third-party advertising trackers.

We send you account emails (welcome, activation reminders, document ready, annual review) because we need to in order to provide the service. Our lawful basis is performance of a contract.

We do not send marketing emails by default. If we later introduce marketing communications, we will ask for your consent and you will be able to opt out at any time.

Data we process on your behalf as a processor

When you use Premly to manage your compliance, you upload data about your premises and staff. This includes: the responsible person's name, role, and contact details; staff names, email addresses, and roles; and details of the premises itself (which generally do not include personal data, but might in some cases).

For this data, you are the data controller and we are your data processor. The processing terms are governed by these conditions (which form part of the contract between us under UK GDPR Article 28):

Subject matter and duration of processing: the processing is the operation of the Premly service for the duration of your subscription, plus a reasonable wind-down period after cancellation.

Nature and purpose of processing: we process personal data to generate procedure documents, send acknowledgment links to staff, record acknowledgments, and maintain audit trails.

Types of personal data: contact information (names, email addresses, roles, phone numbers), staff acknowledgment records (timestamps, IP addresses, browser information), and any personal data the customer chooses to include in their wizard answers.

Categories of data subjects: the customer's responsible person, the customer's staff, and any other named individuals the customer chooses to include.

We will process the data only on your documented instructions, except where required by law to do otherwise. We will ensure people authorised to process the data are subject to confidentiality obligations. We will take appropriate technical and organisational security measures (described in the "Security" section below). We will only engage sub-processors with your authorisation (the current list of sub-processors is in the "Sub-processors" section below); we will impose equivalent data protection obligations on them; we remain liable for their performance.

We will assist you in responding to data subject rights requests, in notifying breaches, and in carrying out data protection impact assessments to the extent reasonably required.

At the end of the contract, we will, at your choice, delete or return all personal data we hold on your behalf, except where retention is required by law. The default is deletion after 30 days from cancellation if you have not requested return.

You may audit our processing on reasonable notice and at reasonable intervals, with reasonable scope, no more than annually unless there is good reason.

Sub-processors

We use the following third-party sub-processors to deliver Premly:

Supabase Inc (database and authentication, hosted in the EU): for storing customer data and managing accounts.

Stripe Payments Europe Ltd (payment processing, hosted in the EU/UK): for taking and managing payments.

Anthropic PBC (AI text generation, US-based): for generating procedure document content from customer wizard answers. Data sent to Anthropic for processing is not used by Anthropic for training their models.

Resend Inc or equivalent (transactional email, US-based): for sending account emails, document notifications, and staff acknowledgment links. To be confirmed when wired.

Cloudflare Inc (CDN and infrastructure): for delivering the site quickly and securely.

Lovable AB (hosting platform): for the application infrastructure.

Where data is transferred outside the UK or EEA, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) or equivalent UK Addendum to ensure the data has equivalent protection.

We will give 30 days' notice before adding or changing sub-processors. If you object to a new sub-processor on reasonable grounds, you can cancel your subscription and we will refund a reasonable proportion of any pre-paid fees for unused service.

How long we keep your data

Account data: for as long as you have an active subscription, plus 7 years after your last activity (for UK accounting and tax record purposes).

Customer-uploaded data (responsible person and staff details, generated documents, audit logs): for the duration of your subscription, plus 30 days after cancellation, unless you have requested earlier deletion or return.

Payment data: for 7 years from the date of the transaction, as required by UK accounting law.

Visitor data (logs, analytics): for 90 days unless required longer for security investigations.

Marketing communications data (if any): until you opt out.

Security

We use industry-standard security measures including: HTTPS encryption for all data in transit, encryption at rest for data stored in our databases, role-based access controls (we use the principle of least privilege internally), row-level security on customer data in the database so customers can only access their own data, and audit logs of access to customer data.

We restrict access to customer data to staff with a business reason for access. As of writing, this is a one-person operation; access is restricted to Nick Hardy as the sole operator of Mirae Advisory Ltd. As we grow, we will maintain the same access principles.

If a personal data breach occurs that risks individuals' rights or freedoms, we will notify affected customers without undue delay and assist them in notifying the ICO within 72 hours where required.

Your rights

You have the following rights under the UK GDPR:

The right to be informed (this policy fulfils part of that obligation).

The right of access. You can request a copy of the personal data we hold about you.

The right to rectification. You can ask us to correct inaccurate data.

The right to erasure. You can ask us to delete your data, subject to our legal retention obligations.

The right to restrict processing. You can ask us to limit how we process your data while we investigate an issue.

The right to data portability. You can ask for a copy of your data in a machine-readable format.

The right to object. You can object to processing where our basis is legitimate interest.

The right not to be subject to automated decision-making with legal effect. We do not make automated decisions with legal effect; the AI-assisted document generation is a tool you review and approve.

To exercise any of these rights, email hello@premly.co.uk. We will respond within one month (or sooner where reasonably practicable).

Where you are the data subject of a customer's account (for example, a staff member at a premises that uses Premly), please direct rights requests to the customer (your employer or the responsible person), who is the data controller. We will assist them in responding.

Cookies and similar technologies

We use a small number of essential cookies to make the site work. These are:

Session cookies: required to keep you logged in.

Security cookies: required to protect against cross-site request forgery and similar attacks.

These cookies are exempt from consent requirements under UK PECR because they are strictly necessary for the service you have requested.

We do not currently use third-party analytics cookies, advertising cookies, or tracking pixels. If we add any non-essential cookies in future, we will update this policy and ask for your consent in line with the ICO's 2026 guidance.

Changes to this policy

We may update this policy from time to time. Material changes will be notified to existing customers by email at least 30 days before they take effect. The current version is always available at premly.co.uk/privacy.

Contact

For any privacy-related questions or to exercise your rights, email hello@premly.co.uk.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office at ico.org.uk.