Privacy Policy
Last updated: 26 May 2026
This policy explains how Blackfortz Capital Ltd (trading as MergedClaimed) handles personal data when you use our website (mergedclaim.com) or our product (app.mergedclaim.com). We're committed to handling your data lawfully, transparently, and only for the purposes set out here.
Who we are
Data Controller: Blackfortz Capital Ltd, a private company limited by shares, registered in England and Wales under company number 16153268. Registered office: Unit F Winston Business Park, Churchill Way, Chapeltown, Sheffield, S35 2PS, United Kingdom.
Contact for data matters: [email protected]
ICO registration: Application submitted. Public registration number will appear here once issued by the Information Commissioner's Office. You can verify our status on the ICO public register.
What we collect, and why
1. Account data
- Email address — to identify you and send sign-in links. Lawful basis: contract performance (Art. 6(1)(b) UK GDPR).
- Optional GitHub profile (login, avatar URL, primary email) — only if you connect GitHub. Lawful basis: contract performance.
- Encrypted OAuth tokens — Fernet-encrypted at rest; rotated on each login. Lawful basis: contract performance.
2. Company data (you provide during onboarding)
- Company number, name, registered office, SIC codes (most of this from Companies House public data).
- UTR, VAT number, PAYE reference — required for HMRC submission.
- Senior officer name and contact details.
- Competent professional names, roles, qualifications.
Lawful basis: contract performance.
3. Engineering metadata (when you install our GitHub App)
- Commit metadata: SHA, author login + email, timestamp, message, +/- line counts, files-changed count.
- Pull-request metadata: number, title, body, state, dates, author, additions/deletions/changed_files.
- Issue metadata: number, title, body, labels, comment count.
- Repository metadata: name, default branch, language, visibility flag.
Lawful basis: contract performance. We never read source code by default. See our Security & data page.
4. AI conversation data
Messages exchanged between you and the AI claim agent are stored alongside your projects for audit purposes. Lawful basis: contract performance. You can clear the transcript at any time.
5. Billing data (when you subscribe)
We use Stripe as our payment processor. Card data is handled directly by Stripe — we never receive or store it. We store the Stripe customer ID and subscription status.
6. Service logs
Request logs (IP address, user-agent, URLs accessed) are retained for 30 days for security and debugging. Lawful basis: legitimate interests in keeping the service secure.
Who we share data with (sub-processors)
We use the following third parties to deliver the service. Each is contractually bound to process data only on our instructions.
- Cloudflare — CDN + edge protection (UK / EU). Receives request metadata.
- GitHub (Microsoft) — source of engineering metadata. We hold an OAuth token to access only the repositories you permit.
- Anthropic — large-language-model API used by our drafting and validation pipeline. Receives only the engineering text we send it (PR titles, descriptions, issue text). Anthropic's commercial API plan does not retain inputs for model training.
- Microsoft Azure AI — large-language-model API used by our drafting and validation pipeline. Receives the same engineering text as Anthropic. Azure's enterprise terms do not retain inputs for model training.
- SendPulse — transactional email delivery (sign-in links). Receives your email address.
- Companies House — public data lookups for company verification. Receives only the company number you search.
- Stripe — billing. Receives card data directly from your browser.
- Hetzner / Contabo (Germany, EU) — server hosting. Holds all data we control.
Where data is stored
All data we control is stored on servers physically located in Germany (EU). UK GDPR + EU GDPR apply. Disk-level encryption is enabled at the OS layer; OAuth tokens are additionally encrypted at the application layer using Fernet (AES-128-CBC + HMAC-SHA256).
How long we keep it
- Account, company, project data: for as long as your subscription is active, plus 6 years after closure (matching HMRC's record-keeping requirements for tax claims).
- Encrypted OAuth tokens: rotated on each login; old tokens are overwritten.
- AI conversation transcripts: until you clear them or your account is closed.
- Request logs: 30 days.
- Stripe billing records: 7 years (UK accounting law).
Your rights under UK GDPR
You have the right to:
- Access the data we hold about you (data subject access request)
- Correct inaccurate data
- Have your data deleted (right to erasure)
- Restrict or object to certain processing
- Receive your data in a portable format (data portability)
- Withdraw consent at any time (where consent is the lawful basis)
- Lodge a complaint with the Information Commissioner's Office (ico.org.uk · 0303 123 1113)
To exercise any of these rights, email [email protected]. We respond within 30 days.
Cookies
We use two essential cookies — see our Cookie Policy for details. No third-party tracking, no advertising cookies.
Changes to this policy
Material changes will be communicated by email at least 30 days before they take effect. Minor wording fixes are updated here without notice.
Contact
Email: [email protected]
Post: Blackfortz Capital Ltd, Unit F Winston Business Park, Churchill Way, Chapeltown, Sheffield, S35 2PS, UK
MergedClaimed is a trading name of Blackfortz Capital Ltd (UK company number 16153268).