Privacy Policy
This policy explains what personal data TamRx processes, why, the lawful bases we rely on, who we share it with, and the rights available to you under the UK GDPR and the Data Protection Act 2018. TamRx Ltd is the data controller.
- Version
- 1.0
- Effective
- 28 June 2026
- Last reviewed
- 28 June 2026
- Owner
- TamRx Ltd — Data Protection
1. Who we are
TamRx Ltd (“TamRx”, “we”, “us”) is the controller of personal data processed through the TamRx platform. We are registered in England and Wales under company number 16596160, with registered office at Nexus Innovation Centre, Discovery Way, Leeds, West Yorkshire, LS2 3AA, United Kingdom. For any privacy matter, contact privacy@tamrx.co.uk.
2. Scope
This policy applies to personal data we process when you visit our website, create an account, use the Service, or contact us. It should be read together with our Cookie Policy and Terms of Service.
3. The personal data we process
We process the following categories of personal data:
- Account and identity data — name, email address and authentication identifiers provided via Microsoft, Google or email sign-in.
- Organisation data — company name, role and similar professional details you provide.
- Assessment inputs — the questions, descriptions and text you enter into the Service to generate assessments and documents.
- Billing data — subscription status and transaction records. Full payment card details are handled by Stripe and are not seen or stored by TamRx.
- Usage and technical data — IP address, device and browser information, product analytics events and error diagnostics, used to operate, secure and improve the Service and to enforce usage limits.
- Communications — the content of your correspondence with us and any feedback you submit.
4. How we use assessment inputs
Assessment inputs are processed to generate your requested output and to operate, secure and improve the Service, including improving accuracy and prioritising workflows. To produce output, inputs are transmitted to our AI sub-processors (see clause 7) solely to return your result. We do not use your inputs to train TamRx’s own foundation models, and we contract with our AI providers on terms that restrict their use of input data, as described below.
5. Lawful bases
Under the UK GDPR we rely on the following lawful bases:
- Contract — to create and manage your account, provide the Service and process subscriptions.
- Legitimate interests — to secure, maintain, analyse and improve the Service, prevent abuse and communicate about the Service, balanced against your interests and rights.
- Consent — for non-essential cookies and certain analytics, and for optional marketing communications, where required. You may withdraw consent at any time.
- Legal obligation — to comply with our legal and regulatory obligations, including accounting and tax.
6. Special category data
TamRx is not intended to process special category data, including health data about identifiable individuals. We ask users not to submit such data. Where special category data is nonetheless submitted, we process it only to the extent necessary to provide the Service you requested, and we apply additional care to its handling and retention. We may introduce technical controls to detect and minimise such data over time, as noted in our Trust Centre roadmap.
7. Sub-processors and recipients
We share personal data only with the service providers necessary to operate the Service, under data processing agreements that require appropriate safeguards. Our key sub-processors are:
- Vercel — application hosting and content delivery.
- Supabase — database, authentication and storage.
- Google Cloud — cloud infrastructure services.
- OpenAI and Anthropic — AI processing of assessment inputs to generate output, under terms that restrict use of input data for provider model training.
- Stripe — payment processing.
- Resend — transactional email delivery.
- Sentry — error monitoring and diagnostics.
- PostHog and Microsoft Clarity — product analytics and usage insight.
We do not sell personal data. We may disclose personal data where required by law, to enforce our terms, or to protect the rights, safety and security of TamRx, our users or others.
8. International transfers
Some of our sub-processors are located outside the United Kingdom. Where personal data is transferred internationally, we rely on appropriate safeguards, such as UK adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, together with supplementary measures where appropriate.
9. Retention
We retain personal data only for as long as necessary for the purposes described in this policy, to provide the Service, to comply with legal obligations, to resolve disputes and to enforce our agreements. Account data is retained for the life of your account and for a limited period afterwards; diagnostic and analytics data are retained for shorter periods. When data is no longer required, it is deleted or anonymised.
10. Security
We apply technical and organisational measures appropriate to the risk, including encryption in transit, access controls and monitoring. These measures are described in our Security Overview. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
11. Your rights
Subject to conditions and exemptions under the UK GDPR, you have the right to: access your personal data; have inaccurate data rectified; have data erased; restrict or object to processing; data portability; and to withdraw consent where we rely on it. To exercise any right, contact privacy@tamrx.co.uk. We will respond within the statutory timeframe.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk. We would welcome the chance to address your concerns before you approach the ICO.
12. Cookies and similar technologies
We use a minimal set of cookies and similar technologies, including for essential operation, usage-limit enforcement and analytics. See our Cookie Policy for details and choices.
13. Children
The Service is intended for professional use and is not directed at children. We do not knowingly collect personal data from anyone under 18.
14. Changes to this policy
We may update this policy from time to time. Material changes will be reflected on this page with an updated version and effective date, and notified to you where appropriate.
15. Contact
For privacy questions or to exercise your rights, contact privacy@tamrx.co.uk or write to TamRx Ltd, Nexus Innovation Centre, Discovery Way, Leeds, West Yorkshire, LS2 3AA, United Kingdom.
