Who We Are
Kontrak operates the website kontrak.co.uk and provides an AI-powered JCT subcontract review service for UK SME subcontractors.
For the purposes of UK GDPR and the Data Protection Act 2018, Kontrak is the data controller — meaning we are responsible for deciding how and why your personal data is used.
Our contact details are set out at the end of this policy. If you have any questions about how we handle your data, please get in touch.
What Data We Collect
We only collect data that is necessary for the purpose stated. At this stage of our service, we collect the following:
| Data Type | What We Collect | When |
|---|---|---|
| Contact details | Your name, company name, and email address | When you join our waiting list |
| Usage data | Pages visited, time on site, browser type, device type | Automatically when you visit our website |
| Contract documents | The JCT subcontract you upload for review | When you use our review service (at launch) |
| Communications | Any messages you send us via email or contact forms | When you contact us |
We do not collect any special category data (such as health information, political opinions, or financial data beyond what is contained in any contract you choose to upload).
Why We Collect It
We use your personal data only for the following purposes:
- Waiting list management — to notify you when Kontrak launches and to send you founding member information and early access details.
- Service delivery — when our review service launches, to process your contract upload, generate your report, and deliver it to you.
- Communication — to respond to any enquiries or messages you send us.
- Service improvement — to understand how people use our website so we can improve the experience. This is done using anonymised analytics data only.
- Legal compliance — to comply with any legal obligations that apply to us as a business.
We will never use your data for unsolicited marketing beyond communications you have explicitly signed up for. You can unsubscribe from waiting list emails at any time using the link in any email we send.
Legal Basis for Processing
Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:
- Consent — when you submit your email address to join our waiting list, you are giving us your consent to contact you about the Kontrak launch. You can withdraw this consent at any time.
- Contract performance — when you use our review service, processing your data is necessary to deliver the service you have paid for.
- Legitimate interests — we use anonymised analytics data to understand how our website performs. This does not involve identifying individual users.
- Legal obligation — we may need to process certain data to comply with our legal obligations, such as financial record-keeping requirements.
How Long We Keep Your Data
We only retain your personal data for as long as is necessary for the purpose it was collected. Our retention periods are:
- Waiting list data — kept until you unsubscribe or until 12 months after Kontrak's launch, whichever comes first.
- Contract documents — when our review service launches, uploaded contract documents will be processed to generate your report and then deleted immediately. We will not store your contract documents beyond your review session.
- Review reports — stored in your account for as long as you maintain an active account, plus 30 days after account closure.
- Communications — retained for up to 2 years from the date of the last communication.
- Financial records — retained for 6 years as required by HMRC regulations.
Who We Share Your Data With
We do not sell your personal data to any third party. We share data only with the following categories of trusted third parties, and only to the extent necessary to deliver our service:
- Netlify — our website hosting provider, which processes form submission data on our behalf. Netlify is based in the USA and is covered by appropriate data transfer safeguards.
- Anthropic — the AI provider whose technology powers our contract analysis. Contract text is processed by Anthropic's Claude API. Anthropic's privacy policy applies to this processing.
- Stripe — our payment processor when our paid service launches. Stripe handles payment data directly and we do not store card details ourselves.
- Email service providers — we use a third-party email platform to send waiting list and launch communications. These providers act as data processors under our instruction.
- Legal or regulatory authorities — we may share data if required to do so by law, court order, or regulatory authority.
All third parties we work with are required to handle your data securely and in accordance with applicable data protection law.
Your Rights
Under UK GDPR you have the following rights in relation to your personal data. You can exercise any of these rights by contacting us using the details at the end of this policy.
✅ Right of Access
You can request a copy of all personal data we hold about you.
✏️ Right to Rectification
You can ask us to correct any inaccurate data we hold about you.
🗑️ Right to Erasure
You can ask us to delete your personal data in certain circumstances.
⏸️ Right to Restriction
You can ask us to restrict how we use your data in certain circumstances.
📦 Right to Portability
You can request your data in a portable, machine-readable format.
🚫 Right to Object
You can object to us processing your data based on legitimate interests.
↩️ Right to Withdraw Consent
Where we rely on consent, you can withdraw it at any time.
📢 Right to Complain
You have the right to complain to the ICO if you are unhappy with how we handle your data.
We will respond to all requests within one calendar month. If you wish to make a complaint to the Information Commissioner's Office (ICO), you can do so at ico.org.uk or by calling 0303 123 1113.
Cookies
Our website uses a small number of cookies — small text files stored on your device — to help the site function and to understand how it is used.
- Essential cookies — necessary for the website to function. These cannot be disabled.
- Analytics cookies — used to understand how visitors use our site, such as which pages are most visited. This data is anonymised and does not identify individual users.
We do not use advertising or tracking cookies. You can control cookie settings through your browser settings at any time. Note that disabling certain cookies may affect how the website functions.
Security
We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or disclosure. These include:
- HTTPS encryption on all pages of our website
- Secure, access-controlled systems for storing personal data
- Limiting access to personal data to those who need it to deliver the service
- Regular review of our security practices
No method of transmission over the internet is 100% secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security. If you believe your data has been compromised, please contact us immediately.
Children
Kontrak is a business-to-business service intended for use by adults operating construction businesses. Our service is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time — for example as our service develops, as we add new features, or as legal requirements change. When we make significant changes we will notify waiting list members by email and update the "Last updated" date at the top of this page.
We encourage you to review this policy periodically. Continued use of our website following any changes constitutes your acceptance of the updated policy.
Contact Us
If you have any questions about this Privacy Policy, wish to exercise any of your rights, or want to raise a concern about how we handle your data, please contact us: