
Privacy Policy

Last updated: 23 March 2026

In short: we process your data to provide the compliance service you signed up for. Your business description and ROPA are processed by Anthropic's API to generate outputs and are not used for any other purpose. We do not sell your data. We do not use advertising or tracking cookies.

1. Who we are

Rowpa is operated by Rowpa Ltd ("we", "us", "our"). We are the data controller for the personal data we collect through the Rowpa platform at rowpa.app and rowpa.app.

If you have questions about this policy or your data, contact us at privacy@rowpa.app.

2. What data we collect

We collect and process the following categories of personal data:

Data category | Examples | Purpose
Account data | Email address | Authentication, account management, billing
Business data | Business name, website, description, business type, employee count | Generating your ROPA, privacy policy, and compliance outputs
Usage data | Pages visited, features used, actions taken within the platform | Improving the product, debugging errors
Payment data | Handled entirely by Stripe. We do not see or store your card number. | Processing subscription payments
Technical data | IP address, browser type, device type | Security, fraud prevention, debugging

We do not collect special category data (health data, biometric data, ethnic origin, etc.) about our users. If your ROPA describes processing activities involving special category data about your customers, that information is stored as part of your compliance documentation and is covered by the data processing arrangements described in section 5.

3. Legal bases for processing

We process your data under the following legal bases under UK GDPR:

Processing activity | Legal basis
Providing the Rowpa service (ROPA generation, policy generation, vendor matching) | Contract performance (Art. 6(1)(b))
Sending transactional emails (magic links, subscription confirmations) | Contract performance (Art. 6(1)(b))
Processing payments via Stripe | Contract performance (Art. 6(1)(b))
Product improvement and error debugging | Legitimate interests (Art. 6(1)(f))
Security and fraud prevention | Legitimate interests (Art. 6(1)(f))
Sending product updates and feature announcements | Legitimate interests (Art. 6(1)(f)), with opt-out

4. AI processing

Rowpa uses Anthropic's Claude API to generate your ROPA, privacy policy, vendor assessments, and other compliance outputs. When you use these features, the following data is sent to Anthropic's API:

  • Your business name, website, and description
  • Your business type and employee count
  • Your ROPA entries (processing activity descriptions, vendors, legal bases)
  • Publicly available information about your website (technology stack, trackers detected)

Anthropic does not use data sent via their API to train models. Their API data usage policy confirms that inputs and outputs from the API are not used for model training. Data is processed on Anthropic's infrastructure in the United States.

We do not use automated decision-making that produces legal effects concerning you. AI outputs are drafts for your review, and you control what is published or exported.

5. Sub-processors

We use the following sub-processors to deliver the service:

Sub-processor | Purpose | Location
Supabase | Database hosting, authentication, file storage | EU (Frankfurt, Germany)
Vercel | Application hosting and CDN | Global edge network (EU primary)
Anthropic | AI model inference (Claude API) | United States
Stripe | Payment processing and billing | United States / Ireland
Resend | Transactional email delivery | United States

6. International data transfers

Your database is hosted in the EU (Supabase, Frankfurt). Some data is transferred to the United States when processed by Anthropic (AI inference), Stripe (payments), Vercel (hosting), and Resend (email delivery).

These transfers are protected by Standard Contractual Clauses (SCCs) including the UK International Data Transfer Addendum (IDTA), and where applicable by the UK Extension to the EU-US Data Privacy Framework.

7. Data retention

  • Account and business data: retained while your account is active, plus 30 days after deletion to allow data export.
  • Payment data: Stripe retains payment records as required by financial regulations. We retain subscription status and plan history.
  • Usage data: aggregated after 90 days, deleted after 12 months.
  • Technical logs: deleted after 30 days.

8. Cookies

Rowpa uses only essential cookies required for authentication and session management. We do not use advertising cookies, analytics cookies, or tracking pixels.

For full details, see our Cookie Policy.

Cookie | Purpose | Duration
sb-*-auth-token | Supabase authentication session | Session / 7 days
cookie_consent | Records your cookie consent choice | 365 days

9. Your rights

Under UK GDPR, you have the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate data.
  • Erasure: ask us to delete your data (subject to legal retention requirements).
  • Portability: receive your data in a machine-readable format (CSV, JSON, PDF).
  • Restriction: ask us to limit how we process your data.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email privacy@rowpa.app. We will respond within one calendar month.

You can also export your ROPA and compliance data at any time from within the platform using the audit-ready export feature (PDF, CSV, or JSON).

10. Children

Rowpa is a business-to-business service. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by a notice in the platform. The "last updated" date at the top of this page shows when it was last revised.

12. Complaints

If you are unhappy with how we handle your data, please contact us first at privacy@rowpa.app so we can try to resolve it.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk/make-a-complaint
  • Phone: 0303 123 1113

13. Contact

For any questions about this privacy policy or your personal data:

  • Email: privacy@rowpa.app
  • General enquiries: Contact page