Back to home

Privacy Policy

Last updated: 11 February 2026

Thank you for choosing Board Paper Scraper (“we,” “us,” or “our”). This Privacy Policy outlines how we collect, use, and protect your personal and non-personal information when you use our Service.

The Service is provided by JRER Tech Holdings Ltd (Company No. 17026241), registered at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. We are the data controller for your personal data and are responsible for deciding how we hold and use your information.

1. Information We Collect

1.1 Personal Data

Essential Information:

  • Full name
  • Email address
  • Company and job title
  • Payment information (processed securely via Stripe)

Usage Information:

  • Service interaction patterns
  • Feature usage statistics
  • Search queries and analysis requests

1.2 Publicly Available Data

The Service processes publicly available NHS board papers and related documents that are published by NHS trusts and Integrated Care Boards on their public websites. This data is not personal data.

1.3 User-Provided Content

You may provide additional content to the Service, such as company descriptions, product information, or custom prompts used to generate analysis. This content is processed solely to deliver the Service to you.

1.4 Non-Personal Data

  • Device information
  • IP addresses
  • Browser type
  • Operating system
  • Usage patterns and analytics
  • Cookie data
  • Geographic location (where permitted)

2. How We Use Your Information

Primary Purposes:

  • Providing AI-powered board paper analysis
  • Generating sales intelligence and insights
  • Personalising search results and recommendations
  • Improving AI response accuracy
  • Enhancing service functionality
  • Processing payments and managing subscriptions

Communication Purposes:

  • Sending service updates
  • Important announcements
  • Customer support

3. Data Storage and Security

We implement robust security measures to protect your data:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Secure, access-controlled cloud infrastructure
  • Role-based access controls
  • Authentication via secure OAuth providers (Google, Microsoft Azure AD)
  • Compliance with UK GDPR and Data Protection Act 2018

Data Retention:

  • Account data is retained for the duration of your subscription and for up to 30 days after account deletion
  • Analysis results and generated content are retained while your account is active
  • Payment records are retained for 7 years as required by UK tax law
  • Inactive accounts may be archived or deleted after 12 months of inactivity
  • You may request data deletion at any time, subject to legal retention requirements

4. Data Sharing and Sub-Processors

We use the following third-party service providers (sub-processors) to deliver the Service. Each processes data only as necessary for their stated purpose:

ProviderPurposeLocation
Google (Gemini API)AI-powered document analysisUnited States
SupabaseDatabase, authentication, and storageEU (Frankfurt)
StripePayment processingUnited States
PostHogProduct analyticsEU (Frankfurt)
ResendTransactional email deliveryUnited States

5. Artificial Intelligence and Your Data

The Service uses Google Gemini (via the paid API) to analyse board papers and generate insights. When you use the Service, document content and your prompts are sent to Google's Gemini API for processing.

Important safeguards:

  • Under Google's paid API terms, your data is not used to train or improve Google's AI models
  • Data sent to the Gemini API is processed solely to generate a response and is not retained by Google for model training purposes
  • Google may temporarily log data for abuse monitoring and policy enforcement only
  • We do not use any other AI providers to process your data

We do not:

  • Sell your personal data
  • Use your data to train our own AI models
  • Share your data for marketing purposes
  • Provide data to unauthorised third parties

6. Your Data Rights

You have the right to:

  • Access your personal data
  • Correct inaccurate information
  • Request data deletion
  • Opt-out of certain data processing
  • Export your data
  • Lodge complaints with supervisory authorities

7. Children's Privacy

Our Service is not intended for users under 18 years of age. We do not knowingly collect or process data from minors.

8. Cookies and Tracking

We use cookies and similar technologies to:

  • Improve service functionality
  • Analyse usage patterns
  • Enhance user experience
  • Maintain service security
  • Remember preferences

9. International Data Transfers

Some of our sub-processors are based in the United States (see Section 4). Where we transfer data outside the UK/EEA, we rely on appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
  • The EU-US Data Privacy Framework, where applicable
  • Binding contractual commitments from our sub-processors

10. Changes to Privacy Policy

We may update this Privacy Policy to reflect service changes, legal requirements, or operational needs.

We will notify you of significant changes via email, service notifications, and website updates.

11. Contact Information

For privacy-related enquiries:

  • Email: support@boardpaperscraper.com
  • Website: boardpaperscraper.com
  • Postal address: JRER Tech Holdings Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

12. Legal Basis for Processing

We process your data based on:

  • Contract performance
  • Legal obligations
  • Legitimate interests
  • Your consent (where required)

13. Data Protection Rights

Under UK data protection law, you have rights including:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights related to automated decision making

14. Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your data in accordance with the law.

15. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, as required by UK GDPR.

Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

16. Data Processing Agreements

If your organisation requires a Data Processing Agreement (DPA) or has specific data protection requirements, please contact us at support@boardpaperscraper.com. We are happy to enter into appropriate data processing arrangements with enterprise customers.

By using our Service, you acknowledge that you have read and understood this Privacy Policy.