Privacy Policy

Last updated 7 July 2026 · Debiaser.ai is operated by Global Diversity Practice Ltd (“GDP”, “we”), a company registered in England and Wales.

Debiaser.ai analyses workplace documents for unconscious bias. Because the documents you upload may be commercially sensitive, this policy is deliberately plain about one thing above all: we keep your content only as long as the service needs it — 7 days after a review completes — and then delete it automatically from active service storage.

1. What we collect

  • Account data — your email address (we use passwordless one-time email codes, so we never hold a password), and your organisation membership if your employer manages your credits.
  • Content you submit — documents you upload or text you paste, the text we extract from them, the analysis we produce (findings, rewording, revised documents), and any context notes you add to a review.
  • Billing data — credit purchases, balances and usage. Card details are handled entirely by Stripe; we never see or store card numbers.
  • Service data — sign-in events and operational logs needed to run and secure the service, including error diagnostics.

Debiaser.ai is a business service for adults: you must be at least 18 to hold an account, and we do not knowingly collect personal data from children.

2. How long we keep it

  • Review content: 7 days after completion. Uploaded files, extracted text, analysis output and revised documents are deleted from active service storage 7 days after a review completes. Failed reviews and abandoned drafts also receive deletion deadlines. The deletion date is shown on every review. Deletion is enforced by automated jobs, not a manual process. You can also delete a review early at any time.
  • Billing records (review name, dates, word counts, credits spent — never document content) are retained for accounting and tax purposes.
  • Account data is kept while your account is active and removed when you close it, except where law requires retention. You can close a personal account from the account page; organisation admins should transfer admin access or contact support first.
  • Operational logs and error diagnostics are retained for up to 90 days and then deleted or aggregated.

3. How we use your data

We use your data solely to provide the service: to run the bias analysis you explicitly confirm, to operate credits and billing, to send service emails (sign-in codes, receipts, completion and pre-deletion reminders), and to keep the service secure. We do not sell your data, use it for advertising, or use your documents to train AI models. Anthropic states that API inputs and outputs are not used to train models; depending on account settings and abuse-review needs, API data may be retained by Anthropic for up to 30 days for trust and safety.

Legal bases (UK/EU GDPR)

Performance of a contract (running reviews you request, billing); legitimate interests (service security, abuse prevention); legal obligation (accounting records).

Automated decision-making

Debiaser.ai provides advisory document review only. We do not make automated decisions about individuals that have legal or similarly significant effects (UK/EU GDPR Article 22), and we do not profile, rank or score people.

4. Who processes your data

We use a small number of subprocessors, each bound by data-processing terms:

ProviderPurposeProcessing locationTransfer mechanism
ConvexBackend, database and file storageEU — AWS eu-west-1 (primary application data)Application data is hosted in the EU. Provider data-processing terms incorporate the EU Standard Contractual Clauses (2021/914) with the UK Addendum for any residual transfer (for example US-based support access).
AnthropicAI analysis of submitted document contentUnited StatesAnthropic Data Processing Addendum incorporating the EU Standard Contractual Clauses (2021/914) and the UK Addendum. API inputs and outputs are not used to train models; Anthropic may retain API data for up to 30 days for trust-and-safety purposes.
VercelWeb application hosting and edge deliveryGlobal edge network; server functions pinned to London (lhr1)Vercel Data Processing Agreement incorporating the EU Standard Contractual Clauses (2021/914) and the UK Addendum.
StripePayments, tax calculation, invoices and receiptsGlobal payment infrastructureStripe Data Processing Agreement incorporating Standard Contractual Clauses and the UK Addendum. Stripe is the sole holder of card details and acts as an independent controller for certain payment, fraud-prevention and regulatory data under its own privacy terms.
ResendTransactional email: sign-in codes, receipts and service noticesUnited States / global email deliveryResend Data Processing Addendum incorporating the EU Standard Contractual Clauses (2021/914) and the UK Addendum. Resend delivers mail through Amazon Web Services (Amazon SES, EU region endpoints) as its infrastructure sub-provider.
CloudflareTurnstile bot protection for trial-credit claimsGlobal security networkCloudflare Data Processing Addendum incorporating the EU Standard Contractual Clauses (2021/914) and the UK Addendum. Turnstile processes a security token and connection metadata only.
SentryError and performance diagnostics for the applicationUnited StatesSentry Data Processing Addendum incorporating the EU Standard Contractual Clauses (2021/914) and the UK Addendum. Sentry is configured not to send personal data by default (sendDefaultPii disabled); it receives technical error diagnostics, not submitted documents.

Your application data is hosted in the EU; transfers between the EEA and the UK are covered by the European Commission’s adequacy decisions for the UK (renewed December 2025). Where a transfer outside the UK/EEA occurs — for example to the United States for AI analysis or email delivery — it is protected by the safeguard listed above for that provider (EU Standard Contractual Clauses with the UK Addendum, the UK IDTA, or an adequacy framework). We will post material subprocessor changes on this page, and customers with a signed DPA receive at least 30 days’ advance notice with a right to object.

5. Your rights

Under UK/EU GDPR you may request access, correction, deletion, restriction, portability, or object to processing. Most of these are self-serve, with no need to contact anyone: you can download a complete export of your data (account profile, credit ledger and retained reviews) from the account page, delete any review early, and close your account — which deletes your content immediately — at any time. California residents have analogous rights under the CCPA/CPRA, including the right to know and delete (we do not sell or share personal information as defined there). For anything the product does not cover, contact us at the address below; we respond within the statutory deadlines. You may also complain to the UK ICO or your local supervisory authority.

6. Security

All traffic is encrypted in transit; content is stored encrypted at rest by our infrastructure providers; access is restricted to authenticated server functions with per-user isolation; download links are short-lived and signed; sign-in is by single-use email links. The short retention window is itself a security measure: data we no longer hold cannot be exposed. See the Trust and Security page for subprocessors, vulnerability disclosure and AI transparency details.

7. Cookies — and why there is no cookie banner

We use only the cookies the service cannot work without: a session cookie that keeps you signed in, and a short-lived security token set by Cloudflare Turnstile when you claim trial credits (it exists to keep bots out and does not track you). There are no analytics cookies, no advertising cookies, and no cross-site tracking of any kind.

UK and EU law only requires consent — and therefore a cookie banner — for non-essential cookies. We don’t use any, so we don’t ask. If that ever changes, we will ask you first, plainly, before anything is set.

8. Data processing agreements

If your organisation requires a signed DPA covering its use of Debiaser.ai, your organisation admin can execute our standard DPA electronically from the organisation page: enter your organisation’s details, review the completed agreement, sign, and Global Diversity Practice countersigns — both parties then receive the executed copy for download. The standard terms are published for procurement review: Data Processing Agreement and subprocessor register. For negotiated enterprise agreements, contact us at the address below.

9. Contact

Global Diversity Practice Ltd — globaldiversitypractice.com. For privacy matters, contact our data protection team at data@globaldiversitypractice.com, marked “Data Protection — Debiaser.ai”.

Global Diversity Practice Limited is registered in England and Wales, company no. 06894073. Registered office: 37 Nab Lane, Shipley, BD18 4HQ, United Kingdom. VAT: GB 976147190.

We will post any changes to this policy on this page with an updated date, and for material changes we will notify account holders by email.