Privacy Policy
Last updated: April 2026
1. Data Controller
Grand Tower Technologies LTD, trading as Filing Ant, ("we", "us", "our") is the data controller responsible for your personal data. We are registered in England and Wales and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For privacy-related enquiries, contact us at [email protected].
2. Information We Collect
Account Information
When you create an account, we collect:
- Email address
- Name (if provided)
- Profile picture (if signing in with Google or Microsoft)
- Password (stored as a cryptographic hash — we never store your password in plain text). If you sign in with Google or Microsoft, no password is stored.
Billing Information
Payment processing is handled by Stripe. We do not collect, store, or have direct access to your payment card details or bank account information. Stripe processes this information in accordance with their own Privacy Policy.
Usage Data
We collect information about how you use the Service, including:
- Pages visited and features used
- Search queries performed
- Companies viewed and saved
- Documents accessed and Document Intelligence jobs requested
Technical Data
We automatically collect certain technical information when you access the Service:
- IP address
- Browser type and version
- Operating system
- Device type
- Referring URL
AI Chat Data
When you use the AI chat assistant, we collect:
- Messages you send to the assistant
- AI-generated responses
- Token usage and model information
- Tool calls made during conversations (e.g. document searches, company lookups)
Your messages and AI responses are stored on our servers so you can access your conversation history and resume past conversations. Messages are sent to our AI provider (Google Vertex AI) to generate responses. We do not use your conversations to train AI models.
Documents
Company documents accessed through the Service are publicly available filings from Companies House. When you request Document Intelligence processing, the document is sent to our processing providers and the resulting searchable text is stored to provide the Service.
3. How We Use Your Information
We use your personal data for the following purposes, each paired with its lawful basis under UK GDPR:
| Purpose | Lawful Basis |
|---|---|
| Providing and maintaining the Service, including account management | Contract performance (Art. 6(1)(b)) |
| Processing Document Intelligence requests and storing results | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (verification, password reset) | Contract performance (Art. 6(1)(b)) |
| Product analytics and Service improvement | Legitimate interest (Art. 6(1)(f)) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) |
| Responding to support enquiries | Legitimate interest (Art. 6(1)(f)) |
| AI chat assistant (generating responses, storing conversation history) | Contract performance (Art. 6(1)(b)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interest at any time.
4. Third-Party Processors
We share your data with the following third-party service providers who process data on our behalf. We have Data Processing Agreements in place with each processor.
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe | Payment processing, billing, invoicing | Payment details, billing address, email | US / EU |
| PostHog | Product analytics, LLM observability | Usage data, technical data, AI model performance metrics | EU |
| Resend | Transactional email delivery | Email address, message content | US |
| Microsoft Azure | Document intelligence processing | Document content | UK |
| Self-hosted storage | Document and file storage | Documents, analysis results | EU |
| Google Cloud (Vertex AI) | AI chat assistant | Chat messages, document context | EU |
| Autumn | Usage metering and billing | Customer ID, feature usage, credit balance | US |
We do not sell your personal data to any third party.
5. International Data Transfers
Some of our processors are based outside the UK. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place:
- Stripe (US / EU) — transfers are protected by Standard Contractual Clauses and Stripe's Global Privacy Policy.
- Resend (US) — transfers are protected by the UK International Data Transfer Agreement (IDTA) and Standard Contractual Clauses.
- Google Cloud (EU) — AI processing is configured to use EU regions. Google's Data Processing Terms and Standard Contractual Clauses apply.
- Autumn (US) — transfers are protected by Standard Contractual Clauses.
All other processors either operate within the UK or EU, or process data in regions covered by UK adequacy decisions.
6. Cookies and Tracking
Essential Cookies
We use essential cookies that are strictly necessary for the Service to function. These include authentication session cookies and user preference cookies (such as sidebar state). These cookies do not require consent under PECR as they are essential for the Service.
Analytics
We use PostHog for product analytics. PostHog operates in cookieless mode — it does not set any cookies or write to your browser's local storage. Analytics data is held in memory only for the duration of your browser session and helps us understand how the Service is used and identify areas for improvement.
We do not use any third-party advertising or marketing cookies.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (email, name) | Retained while account is active; deleted within 30 days of account deletion |
| Analysis results and processed documents | Retained while account is active; deleted within 30 days of account deletion |
| Analytics data | Retained for up to 12 months, then automatically deleted |
| Transactional email logs | Retained for up to 30 days by Resend |
| Billing and invoice records | Retained by Stripe for as long as required by tax and accounting law (typically 6–7 years) |
| Chat conversations (unpinned) | Automatically deleted after 60 days of inactivity |
| Chat conversations (pinned) | Retained while account is active; deleted within 30 days of account deletion |
| Server and security logs | Retained for up to 90 days |
8. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of Access. You can request a copy of the personal data we hold about you.
- Right to Rectification. You can correct inaccurate data via your account settings, or contact us for assistance.
- Right to Erasure. You can delete your account and all associated personal data from your account settings, or request deletion by contacting us.
- Right to Restrict Processing. You can request that we limit how we use your data in certain circumstances.
- Right to Data Portability. You can request an export of your data in a machine-readable format.
- Right to Object. You can object to processing based on legitimate interest, including analytics.
- Rights Related to Automated Decision-Making. We do not make solely automated decisions that produce legal or similarly significant effects on you.
To exercise any of these rights, contact us at [email protected]. We will respond within one month, as required by UK GDPR.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) for all data transmitted to and from the Service
- Encryption at rest for stored data
- Access controls restricting production system access to authorised personnel only
- Passwords stored using industry-standard cryptographic hashing
10. Document Processing
When you request Document Intelligence processing of a document:
- The document is sent to Microsoft Azure Document Intelligence for text extraction.
- The extracted text and searchable document are stored on our self-hosted infrastructure in the EU.
- Document content is used solely for delivering Document Intelligence to you. We do not use your document content for training models, marketing, or any purpose beyond providing the Service.
- When you delete your account, all associated Document Intelligence results and processed documents are deleted in accordance with our retention policy.
11. Children's Data
The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a minor has provided us with personal data, please contact us and we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days before they take effect, either by email or through a notice in the Service.
The "Last updated" date at the top of this policy indicates when the most recent changes were made.
13. Complaints
If you have a complaint about how we handle your personal data, please contact us first at [email protected]. We will do our best to resolve your concern.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Telephone: 0303 123 1113
14. Contact
For privacy-related enquiries, contact us at:
- Email: [email protected]