Privacy Policy
Last updated: 12 April 2026
This Privacy Policy explains how Datavex Labs Ltd ("we", "us", "our"), company number 17036825, registered at Unit A3, Castle Road, Sittingbourne, England, ME10 3EW, collects, uses, and protects your personal data when you use mdisbetter.com ("the Service").
We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable to users in the EU/EEA.
1. Data Controller
The data controller is Datavex Labs Ltd. For any data protection inquiries, contact us at mdisbetter.ai@gmail.com.
We are not required to appoint a Data Protection Officer (DPO) under Article 37 of the UK GDPR, as we do not carry out large-scale processing of special category data or systematic monitoring of individuals. If this changes, we will update this policy with DPO contact details.
2. What Data We Collect
a) Account Data
When you create an account, we collect your email address and authentication credentials (managed by Supabase Auth). If you sign in via a third-party provider (Google, GitHub), we receive your name and email from that provider.
b) Billing Data
When you subscribe to a paid plan, payment is processed by Stripe. We store your Stripe customer ID and subscription ID in our database, but we never see, store, or have access to your full credit card number, CVV, or bank account details. Stripe handles all payment card data in accordance with PCI-DSS Level 1 standards.
c) Usage Data
We record which features you use, how many credits you consume, and basic metadata (file type, page count, duration) for billing accuracy and to help us improve the Service. We do not store the content of your converted files.
d) Files You Upload
Files you upload are processed in real time to perform the requested conversion. They are transmitted to our servers and, where necessary, to third-party AI services for processing (see Section 4). Files are not stored permanently — they are deleted from our servers once the conversion is complete and the result has been delivered to you, or within one hour at most to allow you to download the result. We do not use your files to train AI models.
e) Technical Data
We automatically collect standard technical data including your IP address, browser type, operating system, referring URL, and pages visited. This data is collected through server logs to maintain security and improve the Service. We do not use third-party analytics services such as Google Analytics.
3. How We Use Your Data
| Purpose | Legal Basis (UK/EU GDPR) |
|---|---|
| Provide and operate the Service (account, conversions, credits) | Performance of contract (Art. 6(1)(b)) |
| Process payments and manage subscriptions | Performance of contract (Art. 6(1)(b)) |
| Send transactional emails (receipts, password resets, renewal reminders) | Performance of contract (Art. 6(1)(b)) |
| Prevent fraud, abuse, and enforce our Terms of Service | Legitimate interest (Art. 6(1)(f)) |
| Analyse aggregated usage patterns to improve the Service | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal and tax obligations (e.g., HMRC records) | Legal obligation (Art. 6(1)(c)) |
We do not sell your personal data. We do not use your files to train AI models. We do not engage in profiling or automated decision-making that produces legal or similarly significant effects on you.
4. Third-Party Data Processors
We use the following third-party services to operate the Service. Each processes data only on our behalf and under Data Processing Agreements (DPAs) that meet the requirements of Article 28 of the UK GDPR:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase (AWS) | Authentication, database | Email, account data, usage logs | US |
| Stripe | Payment processing | Email, payment details | US/EU |
| Vercel | Hosting, serverless functions | IP address, request data, uploaded files (in transit) | US/EU |
| Google (Gemini API) | AI-powered file conversion, OCR | File content (during processing only, not retained) | US |
| Deepgram | Audio/video transcription | Audio/video content (during processing only, not retained) | US |
| Brevo (Sendinblue) | Transactional emails | Email address | EU (France) |
| Cloudflare | CDN, DDoS protection, DNS | IP address, request data | Global |
5. International Data Transfers
Some of our processors are based outside the UK and EEA, primarily in the United States. For these transfers, we rely on one or more of the following safeguards as required by Chapter V of the UK GDPR and Chapter V of the EU GDPR:
- The EU-US Data Privacy Framework and UK Extension, where the processor is a certified participant.
- Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK International Data Transfer Agreement (IDTA).
- The processor's binding corporate rules, where applicable.
You may request a copy of the relevant safeguards by emailing us.
6. Data Retention
- Account data: retained for as long as your account is active. Upon account deletion, your personal data is erased within 30 days, except where retention is required by law.
- Billing and transaction records: retained for 7 years as required by UK tax law (HMRC).
- Usage logs: retained for 12 months for billing accuracy and service improvement, then anonymised or deleted.
- Uploaded files: deleted immediately after conversion is complete, or within 1 hour at most. Not stored long-term under any circumstances.
- Server logs (IP, request data): retained for up to 30 days for security monitoring.
7. Your Rights
Under the UK GDPR and EU GDPR, you have the following rights:
- Right of access (Art. 15) — obtain a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your data, subject to legal retention requirements.
- Right to restrict processing (Art. 18) — limit how we use your data in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent (Art. 7) — at any time, where processing is based on consent.
To exercise any of these rights, email us at mdisbetter.ai@gmail.com. We will respond within 30 days (or sooner where required by law). We may ask you to verify your identity before processing your request. Exercising your rights is free of charge.
8. Security
We implement appropriate technical and organisational measures to protect your data, including: encryption in transit (TLS/HTTPS on all connections), access controls and least-privilege principles, regular dependency updates and security reviews, and separation of sensitive credentials from application code. All payment data is handled by Stripe under PCI-DSS Level 1 and never touches our servers.
9. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34.
10. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without valid parental consent, we will delete it promptly. If you believe a child has provided us with personal data, please contact us.
11. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you, as defined in Article 22 of the UK GDPR. Credit deduction and billing are calculated mechanically based on your usage and are not based on profiling.
12. Cookies
We use a minimal number of strictly necessary cookies to operate the Service (authentication session, security). We do not use analytics or marketing cookies. Please see our Cookie Policy for full details.
13. Supervisory Authority
If you are a UK resident and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
If you are an EU/EEA resident, you may lodge a complaint with the data protection authority in your country of residence. A list of EU DPAs is available at edpb.europa.eu.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes (such as adding new categories of data collection or new third-party processors), we will notify you by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.
15. Contact
Datavex Labs Ltd
Company number: 17036825
Registered in England and Wales
Unit A3, Castle Road, Sittingbourne, England, ME10 3EW
Email: mdisbetter.ai@gmail.com