Privacy Policy

Your data, our duty.

Last updated 1 May 2026

1. Who we are

RateCalc.io is a trading name of MCR Labs Ltd ("we", "us", "our"), a company registered in England and Wales under company number 17228923, with registered office at Sproston Place, Middlewich, Cheshire, CW10 0FY.

This policy sets out how we collect, use and protect your personal data when you use the RateCalc.io service. We act as data controller for the personal data of our customers (recruitment agencies and their consultants) and as processor for the client and candidate data those agencies enter into the platform.

2. What data we collect

Account data

When you sign up we collect your name, work email address, and a hashed password. If you create an agency we also collect agency name, address, phone, logo, and brand colours.

Subscription and payment data

Payment processing is handled entirely by Stripe. We do not see or store your card details. We store the resulting Stripe customer and subscription identifiers so we can match payments to your account.

Document and proposal data

Rate proposals and Terms of Business documents you create (including client company details, contact names, rate cards, and the contents of any uploaded ToB document) are stored against your agency account. Where a client signs a Terms of Business document, we record their name, role, signature image, IP address, browser user-agent and timestamp as evidence of acceptance.

Usage data

We log basic technical information (IP address, browser type, pages visited) to keep the service running, prevent abuse, and improve the product. We do not use third-party advertising trackers.

3. How we use your data

  • To provide the service you've signed up for (creating, sending and tracking proposals and Terms of Business).
  • To process subscription payments and send billing receipts.
  • To send transactional email (account confirmation, password resets, document responses, signature notifications).
  • To respond to support enquiries and handle problems with the service.
  • To detect and prevent fraud, abuse, or breach of our Terms of Service.
  • To meet our legal and regulatory obligations.

Our legal bases under UK GDPR are: contractual necessity (delivering the service you've subscribed to), legitimate interests (running and securing the service), and consent where required.

4. Who we share data with

We use a small number of carefully chosen sub-processors. Each is bound by a data processing agreement with us:

  • Supabase: database and authentication. Data stored in EU (Ireland).
  • Stripe: payment processing. Subject to its own privacy policy.
  • Resend: transactional email delivery.
  • Vercel: application hosting and edge network.
  • Anthropic: used only when an agency uploads a Word document via the Terms of Business parser; we send the document text to Anthropic's API for clause extraction. The text is processed but not retained for training.

We do not sell or rent personal data to third parties. We disclose data to law enforcement only where required by valid legal process.

5. Where your data is stored

Your data is stored in the European Union (Ireland). Some sub-processors (notably Stripe and Anthropic) may process data outside the UK / EU under appropriate safeguards such as Standard Contractual Clauses or UK adequacy decisions.

6. How long we keep your data

We retain account and document data for as long as your subscription is active and for a reasonable period afterwards, so you can resume your subscription without losing your work. If you delete your account, we delete your account and document data within 30 days, except where we're required to retain records for tax, accounting or legal purposes (typically up to 7 years).

7. Your rights

Under UK GDPR, you have the right to:

  • access a copy of the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data deleted ("right to be forgotten");
  • restrict or object to certain processing;
  • port your data to another service;
  • complain to the Information Commissioner's Office (ico.org.uk) if you think we've handled your data improperly.

To exercise any of these rights, email hello@ratecalc.io. We'll respond within one calendar month.

8. Cookies

We use a minimal set of strictly-necessary cookies for sign-in sessions and CSRF protection. We don't use third-party advertising or behavioural tracking cookies.

9. Security

We use industry-standard technical measures (TLS in transit, encryption at rest, principle-of-least-privilege access controls). No internet service is 100% secure; we'll notify affected users without undue delay if we ever experience a breach affecting personal data.

10. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated by email to active subscribers.

11. Contact

Questions about this policy or how we handle your data? Email hello@ratecalc.io.