Privacy Policy

Last updated: April 2026

1. Who We Are

Cheqpoint Ltd operates cheqpoint.dev. We are the data controller for personal data processed through the platform. For privacy inquiries, contact us at privacy@cheqpoint.dev. We are registered under applicable UK data protection law and act in accordance with the UK GDPR.

2. What We Collect

We collect: account information you provide (name, email, password hash); usage data generated through your use of the service (approval requests, decisions, audit log entries, timestamps); billing information processed via Stripe (we do not store card details directly); technical data (IP addresses, browser type, session identifiers); and content data submitted through the approval workflow, which is encrypted at rest.

3. How We Use Your Data

We use your data to: provide and operate the Cheqpoint service; process billing and manage your subscription via Stripe; send transactional emails via Resend (signup confirmation, password reset, approval notifications, SLA breach alerts); and produce aggregated, anonymised analytics to improve the product. We do not sell your personal data to any third party.

4. Legal Basis (GDPR Article 6)

We process your personal data on the following legal bases: contract performance - processing necessary to deliver the service you have signed up for; legitimate interests - maintaining security, preventing fraud, and improving the platform; and legal obligation - where required by applicable law, including financial record-keeping requirements.

5. Third-Party Processors

We share data with the following sub-processors to deliver the service: Stripe (payment processing); Resend (transactional email); Vercel (hosting and infrastructure); and Slack (notification delivery, only if you configure the integration). All sub-processors have Data Processing Agreements in place. We conduct due diligence on all processors.

6. Data Retention

We retain your account data while your account is active and for 30 days after deletion. Approval request data is retained based on your plan: 7 days on Starter, 90 days on Growth, 1 year on Pro, and custom retention on Enterprise. Billing records are retained for 7 years as required by UK law.

7. Your Rights Under UK GDPR

You have the right to: access your personal data; request correction of inaccurate data; request deletion of your data; receive your data in a portable format; object to processing based on legitimate interests; and lodge a complaint with the Information Commissioner's Office (ICO). To exercise any of these rights, contact privacy@cheqpoint.dev.

8. Data Transfers

We process and store data within the EU and UK where possible. Where data is transferred outside the UK/EEA - for example to Stripe's US infrastructure - we rely on Standard Contractual Clauses (SCCs) as the appropriate transfer mechanism.

9. Cookies

We use only essential session cookies required to operate the service: cheq_session (authentication), cheqpoint-theme (UI preference), and cheqpoint-cookie-consent (consent record). We do not use any tracking or advertising cookies. No third-party analytics cookies are set without your explicit consent.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify all workspace owners by email of any material changes before they take effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.