Privacy Policy
How Contexta collects, uses, and protects your data.
Last updated: 21 May 2026. Data controller: Contexta Services Ltd, a company registered in England and Wales, company number 16971692, registered office 112-114 Whitegate Drive, Blackpool, FY3 9XH, United Kingdom. ICO registration: pending. Contact for privacy requests: [email protected].
Contents
Data Collection Data Usage Data Storage AI Processing & Residency Data Sharing Your Rights ContactData Collection
We collect the following information to provide the Contexta service:
Account Information
- Full name and email address
- Company name and organization details
- Login credentials (password is hashed, never stored in plain text)
- Account creation date and last login timestamp
Document Data
- Uploaded documents (RFPs, technical specifications, diagrams)
- File names, sizes, and upload timestamps
- Document metadata (project association, upload user, status)
- Extracted text and image content from documents
Analysis Data
- Extracted requirements across all 10 requirement types
- Confidence scores, reliability ratings, gap analysis
- User answers to clarification questions
- Cost estimates and infrastructure sizing calculations
- AI overrides and custom prompt statements
Usage Data
- Activity logs (page views, actions, timestamps)
- Feature usage statistics (which tools you use most)
- Error logs and diagnostic information
- Browser type, device type, IP address
Data Usage
Your data is used exclusively for the following purposes:
Service Provision
- Process documents through Azure OpenAI for requirement extraction
- Store and manage your projects, analyses, and exported reports
- Provide gap detection and iterative improvement features
- Calculate infrastructure costs and team sizing estimates
Service Improvement
- Improve AI model accuracy and extraction quality
- Identify common usage patterns to enhance features
- Debug errors and fix technical issues
- Develop new requirement types and analysis capabilities
Customer Support
- Respond to bug reports and feature requests
- Troubleshoot analysis errors or upload failures
- Provide guidance on best practices for extraction
Data Storage
Infrastructure
All data is stored securely on Microsoft Azure infrastructure in the UK South region. We use Azure-managed services with enterprise-grade security:
Document Storage
- Azure Blob Storage: Documents stored with encryption at rest (AES-256)
- Private containers: Company-specific containers with access control
- Retention: Documents retained for project lifetime + 90 days after deletion
Database Storage
- Azure SQL Server: All structured data (projects, requirements, gaps, users)
- TLS encryption: All database connections encrypted in transit (TLS 1.2+)
- Backups: Daily automated backups with 30-day retention
Security Measures
- Passwords hashed using bcrypt (industry-standard algorithm)
- Role-based access control (RBAC) - users only see their company data
- Multi-tenant isolation at database and storage level
- Regular security audits and vulnerability scanning
AI Processing & Data Residency
Where AI Processing Occurs
The Contexta uses Azure OpenAI for AI-assisted requirement extraction and gap analysis. AI processing is performed in the Azure region where our Azure OpenAI resource is deployed.
UK-Based AI Inference
For production environments, the Azure OpenAI resource is deployed in UK South. This means:
- AI inference (prompt processing and response generation) occurs in the UK
- Your document text and images are processed within UK data centers
- AI responses are generated within UK infrastructure
- Data does not leave the UK for AI processing
Model Training Assurance
When using Azure OpenAI:
- Customer data is not used to train foundation models
- Prompts and completions are processed only for your analysis
- No sharing of your content with other customers or for model improvement
- Strict isolation by tenant (CompanyID) within our database
Regional Configuration
The system treats the AI provider endpoint as configuration, not code. This means:
- Production can be pinned to UK South for data residency compliance
- Non-production environments may use alternate regions for testing if specific models are temporarily unavailable in UK South
- Region selection is a deployment decision, not an architectural constraint
Multi-Tenant SaaS Architecture
The Contexta follows a multi-tenant SaaS architecture:
- Single logical application serving multiple customers
- Strict data isolation using CompanyID as the tenant boundary
- Separate database schemas and blob storage containers per company
- No cross-tenant data access or sharing
Enterprise Options
For organizations with stricter isolation requirements, enterprise options are available:
- Dedicated Azure OpenAI resource: Your own Azure OpenAI instance, not shared with other customers
- Dedicated deployment: Separate subscription, resource group, and infrastructure
- Region pinning: Guarantee AI inference and storage in specific Azure region
- Private deployment: Run on your own Azure subscription with full infrastructure control
Contact [email protected] for enterprise deployment options.
Data Sharing
We do not sell or share your data with third parties, except in these specific cases:
Azure OpenAI
Document text and images are sent to Azure OpenAI (GPT-4o) for AI processing. This is a Microsoft-managed service with the same enterprise security standards as Azure.
- Data is not used to train OpenAI base models (opt-out by default for Azure OpenAI)
- Processing occurs within Microsoft infrastructure
- No data leaves Microsoft ecosystem
Legal Requirements
We may disclose data if required by:
- Court orders, subpoenas, or legal process
- Law enforcement requests with valid legal authority
- Compliance with UK GDPR or other applicable laws
Business Transfers
If the Contexta is acquired or merged, your data may be transferred to the new owner. You will be notified in advance with options to export or delete your data.
With Your Consent
We may share anonymized, aggregated usage statistics (e.g., "customers extract average 150 requirements per RFP") for marketing or research purposes. Individual user data is never shared without explicit consent.
Your Rights
Under UK GDPR, you have the following rights regarding your data:
Right to Access
Request a copy of all data we hold about you. We will provide this within 30 days in machine-readable format (CSV/JSON).
Right to Deletion
Request permanent deletion of your account and all associated data. This includes:
- All uploaded documents removed from Blob Storage
- All projects, analyses, and requirements deleted from database
- Account information and activity logs purged
Note: Backups are retained for 30 days for disaster recovery, then permanently deleted.
Right to Export
Export all your data in portable format:
- Requirements: CSV export (all requirement types, confidence scores, source references)
- Projects: JSON export (metadata, status, creation dates)
- Documents: Download original files from Projects page
Right to Opt-Out
Opt-out of AI model training - your documents will be used for extraction but not for improving AI models. Available in Settings > Privacy Preferences.
Right to Rectification
Correct inaccurate data. You can update your profile, company name, or contact information directly in Settings.
Contact
For privacy-related questions or to exercise your data rights, contact:
Email: [email protected]
Subject Line: Privacy Request - Contexta
Response Time: Within 30 days (UK GDPR requirement)
Data Protection Officer: Paul Lewis
Last Policy Update: December 27, 2025
We reserve the right to update this privacy policy. Material changes will be communicated via email with 30 days notice before taking effect.