Kestrel

Privacy Policy

Last updated: 6 April 2026

1. Who we are

Kestrel is operated by OnKestrel Limited, registered in England with its registered office in Newcastle-upon-Tyne. We are the data controller for personal data processed through the Kestrel platform. For data protection enquiries, contact privacy@onkestrel.com.

2. What we collect and why

Free tools (no account required)

We do not collect personal data when you use our free tools without signing in. Calculations and document generation happen in your browser. We may collect anonymous usage analytics (tool name, session identifier) if you have consented to analytics cookies. Lawful basis: consent.

Account registration

When you create an account, we collect your email address, display name, and any business details you choose to provide (business name, type, size, industry). Lawful basis: contract performance (providing the service you signed up for).

Dispute resolution

When you file or respond to a dispute, we process the information you submit, including respondent details, submissions, evidence files, and communications. Lawful basis: contract performance and legitimate interests (facilitating structured dispute resolution).

Payment information

Payment card details are processed directly by Stripe, our payment processor. We do not store or have access to your full card details. We store a Stripe customer identifier to manage your subscription. Lawful basis: contract performance.

3. How we use your data

We process your data to:

  • provide, operate, and improve the Kestrel platform;
  • manage your account and subscription;
  • facilitate dispute resolution between parties, including sending notifications about dispute activity;
  • send transactional emails (account confirmation, dispute updates, deadline reminders);
  • detect and prevent fraud, abuse, and security incidents;
  • comply with our legal obligations.

We do not use your data for direct marketing, sell it to third parties, or use it to train artificial intelligence models.

4. Data sharing and sub-processors

We share personal data only with the following categories of recipients, under appropriate data processing agreements:

ProviderPurposeData location
SupabaseDatabase, authentication, file storageEU (Frankfurt)
VercelApplication hostingEU / UK edge nodes
ResendTransactional email deliveryEU
StripePayment processingEU / UK
Google AnalyticsWebsite analytics (consent-based)EU

We do not share your data with any other third parties unless required to do so by law or a valid court order.

5. Data retention

Account data: Retained for the lifetime of your account plus 30 days after account deletion to allow for recovery.

Dispute records: Retained for 6 years after dispute closure, in line with the limitation period for contract claims under the Limitation Act 1980 as it applies in England and Wales.

Saved documents: Retained for the lifetime of your account. Unsigned documents from unauthenticated users are retained for 90 days.

Payment records: Retained for 7 years as required for tax and accounting purposes.

Audit logs: Retained for 6 years for legal compliance and dispute integrity purposes.

6. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access: request a copy of your personal data.
  • Right to rectification: correct inaccurate or incomplete personal data.
  • Right to erasure: request deletion of your personal data, subject to our retention obligations.
  • Right to data portability: receive your data in a structured, commonly used format.
  • Right to restrict processing: request that we limit processing of your data in certain circumstances.
  • Right to object: object to processing based on legitimate interests.
  • Right to withdraw consent: where processing is based on consent (e.g. analytics), you may withdraw at any time.

You can exercise these rights through your account settings or by emailing privacy@onkestrel.com. We will respond within one month as required by law.

7. Cookies

We use strictly necessary cookies to maintain your session and preferences. We use analytics cookies (Google Analytics, Vercel Analytics) only with your explicit consent, collected through our cookie consent banner.

You can withdraw cookie consent at any time by clearing your browser cookies for our domain. Analytics data collected with IP anonymisation enabled.

8. Security

We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS), row-level security at the database layer, access controls, and regular security reviews. However, no system is completely secure, and we cannot guarantee the absolute security of your data.

9. Limitation of liability for data processing

While we take reasonable care to protect your data, to the fullest extent permitted by applicable law, OnKestrel Limited shall not be liable for any indirect, incidental, or consequential damages arising from any unauthorised access to or alteration of your data, any interruption or cessation of data processing, or any data breach caused by circumstances beyond our reasonable control.

Our total liability for any data protection claim shall not exceed the greater of (a) fees paid by you in the twelve months preceding the incident, or (b) one hundred pounds sterling (£100).

Nothing in this policy limits your statutory rights under UK GDPR or your right to lodge a complaint with the Information Commissioner’s Office (ICO).

10. International transfers

We endeavour to keep all personal data within the UK and the European Economic Area (EEA). Where data is processed outside these regions, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the ICO.

11. Changes to this policy

We may update this privacy policy from time to time. Material changes will be communicated via email or a prominent notice on the platform. The “last updated” date at the top reflects the most recent revision.

12. Complaints

If you are unhappy with how we handle your personal data, please contact us at privacy@onkestrel.com and we will do our best to resolve the issue.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection.