Privacy Policy

Last updated: May 2026

Introduction

This privacy policy explains how we collect, use, and protect your personal data when you use companyIQ. It applies to anyone who visits the site, creates an account, or subscribes to a paid plan.

Who We Are

companyIQ is operated by Aptflow Ltd, a company registered in England and Wales (company number 17236387), with registered office at 167-169 Great Portland Street, 5th Floor, London, W1W 5PF.

We are the data controller for the personal data described in this policy. We are registered with the Information Commissioner's Office under registration number ZC154360.

Data We Collect

Account Information

  • Email address
  • Name (if provided)
  • Payment information (processed securely via Stripe; we do not store card details)
  • Marketing consent preference (if given at signup)

Usage Data

  • Companies you search for and analyse
  • Login times, IP address, and activity logs
  • Browser type and device information
  • Pages visited and interactions with the platform

Lawful Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:

  • Contract performance: processing required to provide the service you have signed up for, including account management, running analyses, and processing payments
  • Legitimate interests: security, fraud prevention, service improvement, and protecting our business interests, balanced against your rights
  • Consent: marketing emails, where you have opted in
  • Legal obligation: retaining payment records for tax and accounting purposes

How We Use Your Data

  • To provide company intelligence services
  • To process payments and manage subscriptions
  • To send service updates and account notifications
  • To improve our platform and user experience
  • To send marketing emails where you have consented
  • To comply with legal obligations

Marketing Emails

We send marketing emails only to users who have actively opted in at signup or through their account settings. You can withdraw consent at any time by:

  • Clicking the unsubscribe link in any marketing email
  • Toggling marketing preferences on your account page
  • Emailing support@company-iq.co.uk

Withdrawing marketing consent does not affect transactional emails (account notifications, payment receipts, security alerts), which we send as part of providing the service.

Personal Data in Company Analysis

CompanyIQ analyses publicly available data from Companies House. This data includes information about company directors and officers (names, partial dates of birth, partial addresses, appointment history) which is personal data under UK GDPR.

We process this data under our legitimate interests basis, balanced against the rights of those individuals. The data is already public, the processing is reasonably expected given the public register, and the purpose (commercial intelligence on UK companies) is a recognised legitimate use.

If you are a director or officer and have a concern about how your information appears in a CompanyIQ report, contact us at support@company-iq.co.uk.

Cookies and Analytics

We use the following cookies and similar technologies:

Strictly Necessary

  • Authentication and session management
  • Security and fraud prevention

These cookies are required for the service to function and cannot be disabled.

Analytics

We use Google Analytics to understand how visitors use the platform so we can improve it. Google Analytics sets cookies that track page views, session duration, and traffic sources. Analytics cookies are loaded only after you accept them via our cookie banner. You can withdraw consent at any time by clearing your cookies or using the cookie controls on the site.

We also use Vercel Analytics, which collects aggregated traffic data without setting cookies or tracking individuals across sites.

We do not use advertising cookies or sell data to advertisers.

Data Sharing

We do not sell your personal data. We share data only with the following processors:

  • Stripe: payment processing and subscription management
  • Supabase: database hosting and authentication
  • Resend: transactional and marketing email delivery
  • Anthropic: AI analysis via the Claude API (documents and analysis prompts sent for processing, no user account data shared)
  • Google Analytics: usage analytics (with your consent)
  • Vercel: hosting and infrastructure
  • Companies House: source of public company data (no personal user data shared)

All third-party processors are bound by data processing agreements and handle data in accordance with UK GDPR requirements.

International Transfers

Some of our processors are based outside the UK. In particular, Anthropic processes data in the United States, and Google and Vercel may process data in multiple regions including the US.

Where personal data is transferred outside the UK, we rely on appropriate safeguards including UK Standard Contractual Clauses (the UK International Data Transfer Agreement or Addendum) and the adequacy decisions made under UK GDPR. Copies of these safeguards are available on request.

Data Retention

We retain your data as follows:

  • Account data: until account deletion, then purged within 30 days
  • Analysis history: 24 months after last account activity
  • Payment records: 7 years (statutory requirement)
  • Marketing consent records: until withdrawn, plus 12 months for evidence

Your Rights Under UK GDPR

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request data deletion (right to erasure)
  • Export your data (data portability)
  • Object to data processing
  • Restrict processing in certain circumstances
  • Withdraw consent at any time (for processing based on consent)
  • Lodge a complaint with the Information Commissioner's Office (ico.org.uk)

To exercise any of these rights, contact us at support@company-iq.co.uk. We will respond within 30 days.

To delete your account, email support and we will purge your data within 30 days. Payment records are retained for 7 years regardless, as required by UK financial regulations.

Automated Decision-Making

CompanyIQ uses automated processing to analyse company data and produce CIQ Scores. These analyses are about companies, not about you as a user.

We do not make automated decisions about you that produce legal or similarly significant effects on you. Your interactions with the service do not result in automated decisions about your access, pricing, or treatment.

Security

We use industry-standard security measures including encryption at rest and in transit, row-level access controls, and secure authentication. No internet transmission is 100% secure, but we take all reasonable steps to protect your data.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, and notify affected users without undue delay where the risk is high.

Changes to This Policy

We may update this privacy policy periodically. Changes will be posted on this page with an updated revision date. Material changes will be communicated via email.

Contact Us

Questions about this privacy policy or how we handle your data?
Email: support@company-iq.co.uk