Privacy Policy — RAMScribe
⚠️ First-pass draft, NOT legal advice. Launched on Jordan's accepted risk (solo operator, no solicitor/data-protection adviser review yet — see Section 8 in particular). Get a qualified review once there's real paying revenue. RAMScribe sells to UK customers, so UK GDPR applies even though the operator is based outside the UK.
Controller: Jordan Mungujakisa, Uganda. Contact: info@ramscribe.co.uk. Effective date: 17 July 2026.
1. What we collect
- Account / contact data: name, email (if you create an account or buy).
- Document inputs: the information you enter to generate a RAMS — company, site name & address, author name & role, client/principal contractor, and any operative/competence details you choose to include. Some of this may be personal data (e.g. named individuals).
- Payment data: handled by Paddle (we do not receive or store card details).
- Usage/technical data: IP, device/browser, pages used, for security and analytics.
2. Why we use it (purposes & lawful bases)
| Purpose | Lawful basis (UK GDPR) | |---|---| | Generate your document & provide the Service | Performance of a contract | | Process payment | Contract / legal obligation (tax) | | Security, fraud prevention, service improvement | Legitimate interests | | Service emails (e.g. receipts) | Contract | | Marketing emails (if any) | Consent (opt-in) |
3. AI processing & sub-processors
To generate documents we send your inputs to third-party processors. We use providers on paid/enterprise tiers that do NOT use your data to train their models:
- Google (Gemini API, paid tier) — AI generation. Confirmed on the paid Google AI Studio tier: inputs are not used to train Google's models.
- Paddle.com Market Ltd — payments / merchant of record.
- Vercel — hosting (frontend and backend). We have or will put data-processing terms in place with each. We do not sell your data.
4. International transfers
The operator and some processors are outside the UK (including Uganda and the providers above). Where we transfer personal data internationally we rely on appropriate safeguards (e.g. the providers' standard contractual clauses / adequacy mechanisms). (Launch-stage position; solicitor to confirm the exact transfer mechanism once there's real revenue.)
5. Retention
We keep document inputs and generated documents for 12 months from generation, then delete them, and payment/tax records for as long as the law requires. You can request earlier deletion at any time (see Section 6).
6. Your rights (UK GDPR)
You may request access, correction, deletion, restriction, portability, or object to processing, and may withdraw consent. Contact info@ramscribe.co.uk. You can complain to the UK Information Commissioner's Office (ICO).
7. Security
We use reasonable technical and organisational measures (encryption in transit, access controls). No system is perfectly secure.
8. UK representative
As a non-UK controller offering services to UK individuals, a UK GDPR Article 27 representative may be required (subject to the occasional-processing exemption for low-risk, non-large-scale processing, which likely applies at launch volume). Genuinely open, not yet resolved — get this confirmed by a solicitor before volume grows beyond occasional processing.
9. Children
The Service is for business users and not directed at children.
10. Changes
We may update this policy; the current version is published on the site.