Privacy Policy

Last updated: 29 April 2026

In short: we process your data to provide the compliance service you signed up for. Your business description and ROPA are processed by Anthropic's API to generate outputs and are not used for any other purpose. We do not sell your data. We do not use advertising or tracking cookies.

1. Who we are

Rowpa is operated by TeZe Ltd ("we", "us", "our"), a company registered in England and Wales (company number 17137231), with its registered address at 66 Paul Street, London, EC2A 4NA. We are the data controller for the personal data we collect through the Rowpa platform at rowpa.app. You can learn more about TeZe at teze.app.

If you have questions about this policy or your data, contact us at compliance@rowpa.app.

2. What data we collect

We collect and process the following categories of personal data:

Data category	Examples	Purpose
Account data	Email address	Authentication, account management, billing
Business data	Business name, website, description, business type, employee count	Generating your ROPA, privacy policy, and compliance outputs
Usage data	Pages visited, features used, actions taken within the platform	Improving the product, debugging errors
Payment data	Handled entirely by Stripe. We do not see or store your card number.	Processing subscription payments
Technical data	IP address, browser type, device type	Security, fraud prevention, debugging

We do not collect special category data (health data, biometric data, ethnic origin, etc.) about our users. If your ROPA describes processing activities involving special category data about your customers, that information is stored as part of your compliance documentation and is covered by the data processing arrangements described in section 5.

3. Legal bases for processing

We process your data under the following legal bases under UK GDPR:

Processing activity	Legal basis
Providing the Rowpa service (ROPA generation, policy generation, vendor matching)	Contract performance (Art. 6(1)(b))
Sending transactional emails (magic links, subscription confirmations)	Contract performance (Art. 6(1)(b))
Processing payments via Stripe	Contract performance (Art. 6(1)(b))
Product improvement and error debugging	Legitimate interests (Art. 6(1)(f))
Security and fraud prevention	Legitimate interests (Art. 6(1)(f))
Sending product updates and feature announcements	Legitimate interests (Art. 6(1)(f)), with opt-out

4. AI processing

Rowpa uses Anthropic's Claude API to generate your ROPA, privacy policy, vendor assessments, and other compliance outputs. When you use these features, the following data is sent to Anthropic's API:

Your business name, website, and description
Your business type and employee count
Your ROPA entries (processing activity descriptions, vendors, legal bases)
Publicly available information about your website (technology stack, trackers detected)

Anthropic does not use data sent via their API to train models. Their API data usage policy confirms that inputs and outputs from the API are not used for model training. Data is processed on Anthropic's infrastructure in the United States.

We do not use automated decision-making that produces legal effects concerning you. AI outputs are drafts for your review, and you control what is published or exported.

5. Sub-processors

We use the following sub-processors to deliver the service:

Sub-processor	Purpose	Location
Supabase	Database hosting, authentication, file storage	EU (Frankfurt, Germany)
Vercel	Application hosting and CDN	Global edge network (EU primary)
Anthropic	AI model inference (Claude API)	United States
Stripe	Payment processing and billing	United States / Ireland
Resend	Transactional email delivery	United States

6. International data transfers

Your database is hosted in the EU (Supabase, Frankfurt). Some data is transferred to the United States when processed by Anthropic (AI inference), Stripe (payments), Vercel (hosting), and Resend (email delivery).

These transfers are protected by Standard Contractual Clauses (SCCs) including the UK International Data Transfer Addendum (IDTA), and where applicable by the UK Extension to the EU-US Data Privacy Framework.

7. Data retention

Account and business data: retained while your account is active, plus 30 days after deletion to allow data export.
Payment data: Stripe retains payment records as required by financial regulations. We retain subscription status and plan history.
Usage data: aggregated after 90 days, deleted after 12 months.
Technical logs: deleted after 30 days.

8. Cookies

Rowpa uses only essential cookies required for authentication and session management. We do not use advertising cookies, analytics cookies, or tracking pixels.

For full details, see our Cookie Policy.

Cookie	Purpose	Duration
*sb--auth-token**	Supabase authentication session	Session / 7 days
cookie_consent	Records your cookie consent choice	365 days

9. Your rights

Under UK GDPR, you have the following rights:

Access: request a copy of the personal data we hold about you.
Rectification: ask us to correct inaccurate data.
Erasure: ask us to delete your data (subject to legal retention requirements).
Portability: receive your data in a machine-readable format (CSV, JSON, PDF).
Restriction: ask us to limit how we process your data.
Objection: object to processing based on legitimate interests.
Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email compliance@rowpa.app. We will respond within one calendar month.

You can also export your ROPA and compliance data at any time from within the platform using the audit-ready export feature (PDF, CSV, or JSON).

10. Children

Rowpa is a business-to-business service. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by a notice in the platform. The "last updated" date at the top of this page shows when it was last revised.

12. Complaints

If you believe we have mishandled your personal data or breached UK data protection law, you have the right to make a complaint. We maintain a formal complaints procedure under Section 164A of the Data Protection Act 2018 (as inserted by Section 103 of the Data Use and Access Act 2025).

You can submit a complaint in any of the following ways:

Online: use our electronic complaints form
Email: compliance@rowpa.app
Post: Data Protection Complaint, TeZe Ltd, 66 Paul Street, London, EC2A 4NA

We will acknowledge your complaint within 30 days and investigate without undue delay. You will be informed of the outcome, including any remedial steps taken. Full details of our process, timelines, and your escalation rights are set out in our Data Protection Complaints Procedure.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):

Website: ico.org.uk/make-a-complaint
Phone: 0303 123 1113

13. Contact

For any questions about this privacy policy or your personal data:

TeZe Ltd, 66 Paul Street, London, EC2A 4NA
Email: compliance@rowpa.app
General enquiries: Contact page