Privacy Policy

Last updated: March 2026

1. Data Controller

The data controller for your personal data is:

2. Data We Collect

We collect the following categories of personal data:

  • Account data: Email address, full name — collected during registration via email sign-up or Google OAuth through Supabase Auth.
  • Business profile data: Business name, state, business type, industry, owner name, business address — provided by you during onboarding to generate documents.
  • Payment data: Processed securely by Stripe. Oshylabs Ltd does not store your credit card numbers or full payment details. We retain Stripe customer IDs and subscription status.
  • Generated documents: The content of documents you generate is stored in our Supabase database so you can access, edit, and download them.
  • Usage data: Document generation counts, subscription status, account activity timestamps.
  • Technical data: IP address, browser type, device information, and operating system — collected automatically through standard web server logs.

3. Legal Basis for Processing (UK GDPR Article 6)

We process your personal data on the following legal bases:

  • Contract performance: Processing your account data, business profile data, and generated documents is necessary to provide you with the DBADocs document generation service.
  • Legitimate interests: We process usage and technical data for service improvement, fraud prevention, and platform security. These interests do not override your fundamental rights and freedoms.
  • Consent: Where we send marketing communications, we do so based on your explicit consent, which you may withdraw at any time.

4. Third-Party Processors (Sub-processors)

We share your data with the following third-party service providers who process data on our behalf:

Provider     Location        Purpose
Supabase     United States   Database, authentication, file storage
Stripe       United States   Payment processing, subscription management
Anthropic    United States   AI document generation (Claude API)
Vercel       United States   Application hosting and deployment
Resend       United States   Transactional email delivery

5. International Data Transfers

Your personal data is transferred to and processed in the United States by the sub-processors listed above. These transfers are protected by Standard Contractual Clauses (SCCs) and/or the EU-US and UK-US Data Privacy Framework where applicable, ensuring an adequate level of data protection as required by UK GDPR.

6. Data Retention

  • Account data: Retained while your account is active, plus 30 days after account deletion to allow for recovery.
  • Generated documents: Retained while your account is active. Deleted upon account deletion.
  • Payment records: Retained for 7 years after the transaction to comply with legal and tax requirements.
  • Consent records: Retained for a minimum of 3 years or 1 year after cancellation, whichever is longer, as required by California's Automatic Renewal Law.

7. Your Rights (UK GDPR)

Under the UK General Data Protection Regulation, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to restriction: Request that we restrict processing of your data in certain circumstances.
  • Right to data portability: Request your data in a structured, commonly used, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes.

To exercise any of these rights, please email support@oshylabs.eu. We will respond within 30 days of receiving your request.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection, at ico.org.uk.

8. Cookies

DBADocs uses only essential cookies that are strictly necessary for the operation of the service:

  • Authentication session cookies: Set by Supabase Auth to maintain your login session. These cookies are essential for the service to function and do not require consent under UK PECR.

We do not use any analytics, advertising, or tracking cookies. If this changes in the future, we will update this policy and obtain your consent before setting any non-essential cookies.

9. Contact for Data Protection Queries

For any questions about how we handle your personal data, or to exercise your data protection rights, please contact us at:

support@oshylabs.eu