Privacy Policy

1. Who we are

inContact is a service operated by Kompass Education (UK) Limited, a company registered in England and Wales. Kompass Education (UK) Limited (“we”, “us”, “our”) is the data controller for personal data collected through this service and is registered with the UK Information Commissioner's Office.

Contact: darren@coxon.ai

2. What data we collect and why

3. Data processors

• Neon — PostgreSQL database (United Kingdom, AWS eu-west-2). DPA: neon.com/dpa
• Vercel — hosting, serverless functions, blob storage (USA). DPA: vercel.com/legal/dpa
• Stripe Payments UK Ltd — payment processing (global infrastructure, primarily USA/Ireland). DPA: stripe.com/gb/legal/dpa
• Postmark — transactional email delivery (USA). DPA: postmarkapp.com/dpa

Each processor's Data Processing Agreement is incorporated by reference into their terms of service. Where data is transferred outside the UK, transfers are protected by Standard Contractual Clauses with the UK International Data Transfer Addendum.

4. Data retention

• Account data: retained while your account is active
• Posts and comments: retained until deleted by you or account closure
• Direct messages: retained until deleted or account closure
• Analytics events: retained for 2 years
• Audit logs: retained for 2 years (ISO 27001 requirement)
• Payment records: retained for 7 years (legal obligation)
• After account deletion: 30-day grace period, then permanent erasure of all PII

5. Your rights (GDPR Articles 15-22)

• Access — download all your data from Settings > Privacy
• Rectification — edit your profile and content at any time
• Erasure — request account deletion from Settings > Privacy (30-day grace period)
• Portability — export your data as JSON
• Object — opt out of analytics tracking in Settings > Privacy
• Restrict processing — contact us to restrict specific processing

To exercise any right, visit Settings > Privacy or email darren@coxon.ai.

6. Cookies and local storage

We use only essential storage. See our Cookie Policy for full details.

7. AI content moderation

Posts and comments are assessed by an automated system that estimates the probability of AI-generated content. This produces a score used to flag content for review. No personal data is shared with third-party AI providers for this purpose — scoring uses a local heuristic model.

Under UK GDPR Article 22, where a moderation decision (such as content removal or account suspension) significantly affects you, you have the right to request human review. To contest an automated decision, email darren@coxon.ai and a human will reassess.

8. Security

We implement appropriate technical measures including encryption in transit (TLS), encrypted database storage at rest (AES-256 via Neon), security headers (CSP, HSTS, X-Frame-Options), input sanitisation, and audit logging.

9. International transfers

Your account, profile, posts, comments, and messages are stored in the United Kingdom (Neon, AWS eu-west-2). Some processing occurs outside the UK: hosting and serverless execution (Vercel, USA), payment processing (Stripe Payments UK Ltd, with global infrastructure primarily in the USA and Ireland), and transactional email delivery (Postmark, USA). These transfers are protected by Standard Contractual Clauses with the UK International Data Transfer Addendum.

10. Changes to this policy

We will notify you of material changes via email or an in-app notice at least 30 days before they take effect.

11. Complaints

You have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.