Last updated: 6 May 2026
Privacy Policy
This policy explains how Thesmios Ltd, company number 17150638, trading as Deadline Engine, handles personal data when you use Deadline Engine. Thesmios Ltd is the controller for UK GDPR purposes. Contact: hello@deadlineengine.com.
1. Who we are
Deadline Engine is operated by Thesmios Ltd, a company registered in England and Wales. We comply with the UK GDPR and the Data Protection Act 2018.
2. We collect as little as possible
We deliberately collect the minimum personal data necessary to operate Deadline Engine. Specifically:
- Account: email address, optionally a name, and hashed password.
- Subscription: handled by Stripe. We store a reference ID and subscription status, not card details.
- Calculations: the trigger date and parameters you enter. We do not require client names, court references, party names, or matter details. If you choose to enter such information in optional fields, it is stored under the security measures described below.
We do not collect, and we do not want, any of the following:
- Solicitor-client privileged information.
- Documents. We do not accept file uploads.
- IP addresses as product data. Security infrastructure may process them temporarily.
- Browser fingerprints.
- Tracking pixels from third parties.
- Marketing consent we do not need.
If you accidentally submit privileged information in a calculator field, contact hello@deadlineengine.com and we will delete it where we lawfully can.
3. Lawful basis
- Performance of contract for account, calculation, export, and billing data.
- Legitimate interests for security logs, abuse prevention, uptime monitoring, and audit defensibility.
- Legal obligation for accounting, tax, and compliance records.
- Consent for optional analytics and optional marketing communications.
4. How we use your data
- To authenticate you and manage your account.
- To calculate deadlines and show citations.
- To save calculations and maintain a calculation audit log.
- To send transactional emails and reminder emails you request.
- To process subscriptions through Stripe.
- To detect abuse, investigate errors, and keep the service available.
5. Sub-processors and international transfers
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Database, authentication, and row level security | London, eu-west-2 | UK data residency commitment |
| Vercel | Application hosting | Multi-region with EU primary | DPA signed |
| Stripe | Payment processing | US with EU subsidiary | UK IDTA and SCCs |
| Resend | Transactional email | United States | UK IDTA and SCCs |
| Sentry | Error monitoring | EU region | UK IDTA and SCCs where required |
| Plausible | Analytics | Germany | UK adequacy decision |
| BetterStack | Uptime monitoring | European Union | UK IDTA and SCCs where required |
| Namecheap | Domain registration | United States | No customer personal data intentionally processed |
| GitHub | Code hosting | United States | No customer personal data intentionally processed |
Where a sub-processor transfers data outside the UK, transfers are covered by UK adequacy regulations, Standard Contractual Clauses, or the UK International Data Transfer Addendum.
We will give 30 days advance written notice by email to your account email before adding a new sub-processor. You may terminate your subscription within that 30 days if you object to the new sub-processor and we cannot reach an acceptable arrangement.
6. How long we keep your data
| Data type | Retention | Reason |
|---|---|---|
| Account information | While account is active, plus 30 days after deletion | Account recovery |
| Saved calculations | While account is active, plus 30 days after deletion | User access |
| Calculation log | 7 years from calculation date | Audit defensibility |
| Subscription records | 7 years from cancellation | UK tax law. HMRC requires 6 years, plus 1 year safety margin |
| Email logs | 90 days | Deliverability troubleshooting |
| Sentry error logs | 90 days | Operational debugging |
| Uptime logs | 30 days | Operational monitoring |
| Backup data | 30 days rolling | Disaster recovery |
When the retention period expires, we delete or anonymise the data within 30 days of expiry.
7. Your rights
- Access: request a copy of your personal data. Use `/account/data-export` for instant access.
- Rectification: correct inaccurate data. Use `/account` for self-service or contact us.
- Erasure: delete your account and associated personal data. Use `/account/delete` for self-service.
- Portability: receive your data in a machine-readable format. Use `/account/data-export`.
- Restriction: ask us to limit processing.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: use the cookie preferences link in the footer for cookie consent.
We will respond to all rights requests within 30 days. If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office at ico.org.uk.
8. Cookies
We use strictly necessary cookies for authentication, security, and consent records. Optional analytics only loads after consent where consent is required. See the Cookie Policy.
9. Changes to this policy
Material changes will be notified by email or in-app notice. Non-material changes are reflected here with an updated date at the top.