Privacy Policy
Last updated: June 2026
This Privacy Policy explains how Flagged collects, uses and protects personal data when you use our website and services. We are committed to handling your data in line with the UK GDPR, the Data Protection Act 2018 and the EU GDPR where applicable. This policy was last updated in June 2026. We will notify you of material changes by email before they take effect.
1. Data controller
The data controller is Jack Doherty, trading as Flagged, based in the United Kingdom. You can contact us at jack@flagged.co.uk.
2. What data we collect
- Email address and name (provided when you create an account)
- Website URLs you submit for scanning
- Scan results and reports generated for your account
- Billing information (processed by Stripe — we do not store card details)
- Usage data — including pages visited, features used, scan history, session duration, browser type, device type, and IP address. This is collected automatically when you use the service.
3. Lawful bases for processing
- Contract performance — to provide the service you have signed up for
- Legitimate interests — to improve the product, secure the service and prevent abuse
- Legal obligation — to retain certain billing records and respond to lawful requests
4. Third-party processors
We use the following processors to deliver the service:
- Supabase — database and authentication
- Stripe — payment processing
- Anthropic, Inc. (Claude API) — used to analyse the content of URLs submitted for scanning and generate policy documents. Data processed: URL content and page text submitted for scanning. Anthropic's privacy policy: anthropic.com/privacy
- Lovable — application hosting
You should not submit URLs whose content contains special category data (for example health, racial or ethnic origin, religious beliefs, biometric data) — the AI processing notice below applies to all submitted content.
5. International transfers
Where processors operate outside the UK, transfers are protected by the UK International Data Transfer Addendum (UK IDTA) to the EU Standard Contractual Clauses, or by UK adequacy regulations where applicable.
6. Retention
- Account data — held while your account is active, then deleted within 90 days of account closure
- Anonymous scan data (from public scans without an account) — held for 48 hours
- Billing records — held for 7 years to meet UK tax and accounting obligations
7. Your rights
You have the right to access, rectification, erasure, portability, restriction and objection in respect of your personal data. To exercise any of these rights, email jack@flagged.co.uk. We will respond within 30 days.
If you are based in the EU, you have the right to lodge a complaint with your local supervisory authority. A full list of EU data protection authorities is available at edpb.europa.eu. If you are based in the UK, you may complain to the Information Commissioner's Office at ico.org.uk.
8. Cookies
We use essential session cookies only, to keep you signed in. We do not set any advertising or tracking cookies. See our Cookie Policy for details.
9. AI processing notice
Content from URLs you submit is processed by AI to generate scan results, gap analysis and policy drafts. Do not submit URLs containing special category data or confidential third-party information. You are responsible for ensuring you have the right to submit any URL you scan.
Children's data
Flagged is intended for use by businesses and individuals aged 18 and over. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact jack@flagged.co.uk and we will delete it promptly.
10. Contact
Questions about this policy or your data? Email jack@flagged.co.uk.