1. Who we are
Deepheem Ltd is an AI-powered investigation and research platform. We are the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are in the process of registering with the UK Information Commissioner's Office (ICO) in compliance with UK GDPR.
Contact: support@deepheem.com
2. What personal data we collect
We collect and process the following categories of personal data:
- Account data: Your full name, email address, and password (stored in encrypted form)
- Subscription and billing data: Payment method details (processed and stored by Stripe — we do not store card details directly), billing address, transaction history, and subscription status
- Investigation data: Investigation briefs, questions, answers, generated reports, source classifications, evidence status labels, and source assessments that you create on the platform
- Usage data: Number of investigations run, modules used, investigation depth selected, timestamps, and session activity
- Technical data: IP address, browser type, device type, operating system, and authentication session data
- Communications data: Any correspondence you send to us via email or support channels
3. How we collect your data
We collect personal data directly from you when you:
- Create an account on Deepheem
- Sign in using Google OAuth
- Subscribe to a paid plan
- Submit an investigation brief
- Contact our support team
- Update your account settings or preferences
We also collect technical and usage data automatically through your use of the platform via cookies and session management tools provided by Supabase.
4. Legal basis for processing
We process your personal data on the following legal bases under UK GDPR:
- Contract performance: Processing your account data, subscription, and investigation requests is necessary to provide the service you have contracted with us for
- Legitimate interests: We process usage and technical data to improve the platform, prevent fraud, and maintain security — balanced against your rights and interests
- Legal obligation: We may process data where required to comply with applicable law, including tax obligations and regulatory requirements
- Consent: Where we send optional marketing communications, we rely on your explicit consent, which you may withdraw at any time
5. How we use your data
We use your personal data to:
- Create and manage your account
- Process your subscription payments and manage billing
- Deliver AI-powered investigation reports in response to your briefs
- Send transactional emails including account confirmation, password resets, and billing notifications
- Provide customer support
- Monitor platform usage to detect abuse, fraud, and security incidents
- Improve the accuracy, performance, and features of the platform
- Comply with our legal and regulatory obligations
We do not sell, rent, or trade your personal data to any third party for marketing purposes.
6. Third-party processors
We share your data only with trusted third-party service providers acting as data processors on our behalf, under strict contractual obligations:
- Supabase: Database hosting and authentication infrastructure.
- Anthropic: AI processing of investigation briefs via the Claude API.
- Tavily: Web search and source retrieval. Tavily receives anonymised search queries derived from your investigation brief in order to retrieve relevant sources.
- Stripe: Payment processing and subscription management. Stripe is PCI DSS compliant.
- Vercel: Platform hosting and deployment infrastructure.
- Resend: Transactional email delivery.
- Google: OAuth authentication (if you choose to sign in with Google) and anonymised usage analytics via Google Analytics.
7. International data transfers
Some of our third-party processors operate outside the UK or European Economic Area (EEA). Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK ICO or equivalent mechanisms.
8. Data retention
We retain your personal data for as long as your account is active or as necessary to provide the service. Specifically:
- Account data is retained for the duration of your account and deleted within 30 days of account closure
- Investigation data is retained according to your plan's history limit and deleted upon account closure
- Billing records are retained for 7 years to comply with UK tax and financial regulations
- Support communications are retained for 2 years
9. Cookies and tracking
Deepheem uses the following categories of cookies and tracking technologies:
- Essential cookies: Required for authentication, session management, and security. These cannot be disabled without breaking core platform functionality.
- Analytics cookies: We use Google Analytics to understand how visitors use the platform and website. Google Analytics may set cookies on your device and collects anonymised usage data. You can opt out via our cookie banner or by using the Google Analytics opt-out browser add-on.
We do not use advertising cookies, retargeting cookies, or cookies for behavioural profiling.
10. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction, including encrypted data storage, secure HTTPS connections, hashed password storage, and regular security monitoring.
11. Your rights under UK GDPR
As a data subject under UK GDPR, you have the following rights:
- Right of access: You may request a copy of the personal data we hold about you
- Right to rectification: You may request correction of inaccurate or incomplete data
- Right to erasure: You may request deletion of your personal data where there is no legitimate reason for us to retain it
- Right to restriction: You may request that we restrict processing of your data in certain circumstances
- Right to data portability: You may request a copy of your data in a structured, machine-readable format
- Right to object: You may object to processing based on legitimate interests or for direct marketing purposes
To exercise any of these rights, please contact us at support@deepheem.com. You also have the right to lodge a complaint with the UK ICO at ico.org.uk.
12. Children's privacy
Deepheem is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a prominent notice on the platform.
14. Contact and complaints
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by telephone on 0303 123 1113.