Privacy Policy

The Archiver — operated by Broadhurst Digital Limited

Effective Date: 21 February 2026 · Last Updated: 21 February 2026

1. Introduction

This Privacy Policy explains how Broadhurst Digital Limited ("we", "us", "our") collects, uses, stores, and protects personal data when you use The Archiver ("Service").

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller:

Broadhurst Digital Limited
18 St Nicholas Place, Derby, DE1 3GD
Company Registration Number: 12503471
Contact: 01332 460 205

2. Data We Collect

2.1. Account Data

When you create an account, we collect:

Data	Purpose	Lawful Basis
Name	Account identification, display in UI	Contractual necessity
Email address	Account login, notifications, password reset	Contractual necessity
Password	Authentication (stored as bcrypt hash)	Contractual necessity
Organisation name	Multi-user collaboration features	Contractual necessity

2.2. Content Data

When you use the Service, you may upload:

Documents (PDFs, images of text)
Photographs
Audio recordings
Video recordings
Artefact photographs

This Content may contain personal data of third parties (e.g., names, addresses, photographs of individuals in archival materials). You are the data controller for any personal data contained in your Content.

2.3. AI-Generated Data

When you use AI Features, we generate and store:

File classifications (photograph/document/artefact)
Extracted metadata (titles, dates, descriptions, people mentioned, etc.)
Transcriptions of documents and audio
Sensitivity assessments (PII detected, content warnings)
Collection analyses and dossier reports
AI confidence ratings and reasoning

2.4. Usage Data

We automatically collect:

Data	Purpose	Lawful Basis
AI usage metrics (model, token counts)	Service operation, billing, cost management	Legitimate interest
Session data (login times, IP implied by session)	Security, fraud prevention	Legitimate interest
Feature usage (uploads, analyses run)	Service improvement, tier enforcement	Legitimate interest

2.5. Data We Do NOT Collect

We do not use third-party analytics or tracking services
We do not set third-party cookies
We do not collect device fingerprints
We do not engage in behavioural advertising or profiling

3. How We Use Your Data

We use your data for the following purposes:

Providing the Service — storing your Content, running AI analysis, generating exports
Account management — authentication, email verification, password resets
Tier enforcement — ensuring usage stays within subscription limits
Security — detecting unauthorised access, protecting against abuse
Service improvement — understanding usage patterns to improve features (aggregate data only)
Legal compliance — responding to lawful requests, maintaining required records

4. AI Processing and Sub-processors

When you use AI Features, your Content is processed by third-party AI providers. This is necessary to provide the core functionality of the Service.

4.1. What Data Is Sent to AI Providers

AI Provider	Data Sent	Purpose
Mistral AI (Paris, France)	Image data, OCR text, transcripts	Classification, metadata extraction, OCR, audio transcription
Google (Gemini) (USA/EU)	Video files, metadata, transcripts, dossier content	Video metadata extraction, collection analysis, dossier analysis, research chat

4.2. AI Provider Commitments

Neither Mistral AI nor Google use your data to train their foundation models
Data is processed transiently for inference and is not retained beyond the API call
Both providers operate under data processing agreements

4.3. International Transfers

Google processes data in the USA and EU. This transfer is covered by Google's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA).

Mistral AI processes data in the EU (France). As an EU-based processor with UK adequacy, no additional transfer mechanism is required.

5. Data Storage and Security

5.1. Where Your Data Is Stored

Data Type	Provider	Location
Account data, metadata, AI outputs	Neon (Postgres database)	AWS EU (Frankfurt)
Uploaded files (images, documents, audio, video)	Vercel Blob Storage	Edge (nearest region)
Application hosting	Vercel	Edge (nearest region)

5.2. Security Measures

Passwords are hashed using bcrypt (never stored in plaintext)
Session tokens are SHA-256 hashed before storage
Session cookies use httpOnly, secure, and sameSite flags
All data transmitted over HTTPS/TLS
Database connections use SSL
Deny-by-default access control on all API endpoints
Admin functions require explicit admin role verification
Cron jobs authenticated via separate secret

6. Data Retention

Data Type	Retention Period	Deletion Trigger
Account data	Duration of account + 30 days	Account deletion
Uploaded files	Duration of account (tier-dependent retention may apply)	Account deletion or retention policy
AI-generated metadata	Duration of account	Account deletion
Session records	Until expiry (30 days) or logout	Automatic expiry
AI usage logs	12 months	Automatic cleanup

Free-tier accounts may have automatic file retention limits. You will be notified before any automated deletion.

7. Your Rights

Under UK GDPR, you have the following rights:

7.1. Right of Access (Article 15)

You can request a copy of all personal data we hold about you.

7.2. Right to Rectification (Article 16)

You can update your account information at any time via the Service. For other corrections, contact us.

7.3. Right to Erasure (Article 17)

You can delete your account and all associated data. We will complete deletion within 30 days.

7.4. Right to Data Portability (Article 20)

You can export your data at any time using the Service's export features (EAD3, Dublin Core, CSV formats). For a machine-readable copy of all personal data, contact us.

7.5. Right to Restrict Processing (Article 18)

You can request that we restrict processing of your data in certain circumstances.

7.6. Right to Object (Article 21)

You can object to processing based on legitimate interest. We will cease processing unless we have compelling legitimate grounds.

7.7. Rights Related to Automated Decision-Making (Article 22)

AI Features produce suggestions for human review — they do not make automated decisions with legal or similarly significant effects. You always have the ability to review, edit, and override AI outputs.

How to Exercise Your Rights

Phone: 01332 460 205
Address: Broadhurst Digital Limited, 18 St Nicholas Place, Derby, DE1 3GD

We will respond to all requests within one month.

8. Cookies

We use a single essential cookie:

Cookie	Purpose	Type	Duration
session_token	Authentication — keeps you logged in	Essential (first-party)	30 days

We do not use analytics cookies, advertising cookies, or third-party cookies. See our Cookie Policy for full details.

9. Children's Data

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.

10. Data Breaches

In the event of a personal data breach that poses a risk to your rights and freedoms:

We will notify the Information Commissioner's Office (ICO) within 72 hours
We will notify affected individuals without undue delay where the breach poses a high risk
We maintain an internal breach register

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or via the Service at least 30 days before they take effect. The "Last Updated" date at the top will reflect the most recent revision.

12. Complaints

If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

13. Contact

For any questions about this Privacy Policy or our data practices:

Broadhurst Digital Limited

18 St Nicholas Place, Derby, DE1 3GD

Phone: 01332 460 205

ARCHIVERS.AI