OnshoEIE

Legal

Privacy Policy

Last updated: 7 May 2026

1. What We Collect

We collect only what is necessary to provide the service:

  • Email address — used for authentication via magic link. We do not use it for marketing or share it with third parties for marketing purposes.
  • Consultation count — the number of consultations purchased and remaining, stored in your profile.
  • Invite tokens — tokens you have generated and whether they have been used, to enforce the invite-only access model.
  • Payment records — handled entirely by Stripe. We store only the outcome (consultations credited) not card details or billing information.

2. What We Do NOT Store

We deliberately do not store your consultation questions or the AI responses you receive. Each consultation is stateless — once the session ends, the content is gone. There is no chat history, no conversation log, and no record of what you asked or were told.

We store only a status record per consultation (pending, complete, or failed) for accounting and refund purposes. This contains no content.

3. How Your Data Is Used

Your data is used exclusively for:

  • Authenticating you when you sign in
  • Tracking consultation credits so we can enforce limits and process refunds
  • Enforcing the invite system
  • Processing payments via Stripe

We do not sell, share, or use your data for advertising or profiling of any kind.

4. Third-Party Processors

We use a small number of third-party services to operate the platform. Each receives only the minimum data necessary for its function.

Supabase

Database and authentication. Stores your email, session tokens, consultation count, and invite records.

Stripe

Payment processing. Receives billing information you enter directly on their checkout page. We never see or store your card details.

Resend

Transactional email for magic link and OTP delivery. Receives your email address solely to send the sign-in message.

AI Processing Services

We use third-party AI services to generate consultation responses. These services receive the text of your question only, with no identifying information attached. Questions are processed in memory for that session only and are not retained. The providers we use comply with standard data processing agreements.

5. International Data Transfers

Some of our service providers are based outside the UK. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR, including standard contractual clauses where applicable.

6. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights:

  • Access — request a copy of the data we hold about you
  • Deletion — request that we delete your account and associated data
  • Portability — receive your data in a machine-readable format
  • Rectification — correct any inaccurate data we hold
  • Objection — object to processing where we rely on legitimate interests

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

7. Data Retention

We retain your account data for as long as your account is active. If you request deletion, we will remove your email, profile, invite records, and consultation status records within 30 days.

Stripe payment records are retained for 7 years as required by financial regulations.

8. Cookies

We use a single session cookie to keep you signed in. This cookie contains an encrypted session token and is required for the service to function. It is set when you sign in and expires when you sign out or your session ends.

We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.

9. Contact

For privacy-related enquiries, contact us at [email protected].

Our data controller is Onsho, based in England and Wales. You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.