LEGAL
Privacy Policy
Last Updated: 18 February 2026
1. Introduction
This Privacy Policy explains how Lorm ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our web application at lorm.co.uk and app.lorm.co.uk (the "Service").
Lorm is a sole trader operation based in the United Kingdom.
We are committed to protecting your privacy and complying with:
- UK General Data Protection Regulation (UK GDPR)
- EU General Data Protection Regulation (EU GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
Data Controller: Lorm
United Kingdom
Email: privacy@lorm.co.uk
2. What Data We Collect
2.1 Data You Provide Directly
Competition Brief Files — PDF, Word, Excel, PowerPoint, text, HTML, Markdown, and image files containing competition briefs. We process these to analyze and extract information (schedules, requirements, jury members, etc.). Lawful basis: contract performance.
Project Settings and Inputs — Project name, project number, competition scale, consultant names, rendering company names, resource lists, custom dates, and deliverables checkboxes. Used to customize generated outputs. Lawful basis: contract performance.
Email Address (when user accounts are introduced) — Used for account registration, login links, download receipts, and service updates. Lawful basis: contract performance and legitimate interest.
Payment Information — Payment metadata (transaction ID, amount, date, tier purchased). Used to process payments, issue receipts, prevent fraud, and comply with tax law. Credit card details are processed by Stripe and are not stored by us. Lawful basis: contract performance and legal obligation.
2.2 Data Collected Automatically
Session Data — Session ID, login status, and session start time. Used to maintain your session. Stored as an essential cookie (no consent banner required under PECR). Lawful basis: legitimate interest.
Usage Data — Daily analysis count, timestamp of analyses, IP address, browser type, and device type. Used to enforce usage limits, monitor for abuse, and debug errors. Lawful basis: legitimate interest.
Error Logs — Error messages, stack traces, request URLs, and timestamps. Used to diagnose and fix technical issues. Lawful basis: legitimate interest.
2.3 Data We Do Not Collect
We do not collect: precise geolocation data, social media profiles, biometric data, sensitive personal data (health, religion, political views), or analytics/advertising cookies. We do not use Google Analytics, Facebook Pixel, or similar tracking.
3. How We Use Your Data
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Uploaded briefs | AI analysis, information extraction | Contract performance |
| Project settings | Customizing generated outputs | Contract performance |
| Email address | Account management, receipts, service updates | Contract performance + legitimate interest |
| Payment data | Processing purchases, issuing receipts | Contract performance + legal obligation |
| Session data | Maintaining your active session | Legitimate interest |
| Usage data | Enforcing rate limits, monitoring abuse | Legitimate interest |
| Error logs | Debugging and service improvement | Legitimate interest |
Where we rely on "legitimate interest" as a lawful basis, we have assessed that our interest is legitimate, the processing is necessary, and your rights do not override our interest. You have the right to object (see Section 9).
4. Third-Party Data Processors
4.1 Google Gemini API (AI Analysis)
Provider: Google LLC — EU data center
Data shared: Uploaded competition brief files, project settings
Retention: Files are deleted from Gemini API after processing (temporary upload only)
DPA: Google Cloud Data Processing Terms
4.2 Render.com (Web Hosting)
Provider: Render Services, Inc. — Frankfurt, Germany
Data shared: All data processed by the Service
Retention: Temporary files deleted after 24 hours; database records follow our retention policy
DPA: Render Privacy Policy
4.3 Stripe (Payment Processing)
Provider: Stripe, Inc. — EU data centers
Data shared: Email address, transaction amount, payment metadata
Note: Credit card details are handled exclusively by Stripe using PCI-compliant infrastructure. We never see or store your card number.
DPA: Stripe Privacy Policy
4.4 Firebase (Authentication and Database) — Planned
Provider: Google LLC — Europe (Ireland/Belgium)
Data shared: Email addresses, user IDs, analysis history, payment records
Retention: Until account deletion or 3 years inactivity, except payment records (6 years)
DPA: Firebase Privacy
4.5 Resend (Email Delivery) — Planned
Provider: Resend, Inc. — EU servers
Data shared: Email addresses, email content (receipts, password resets, service updates)
Retention: Email logs retained for 30 days
DPA: Resend Privacy Policy
5. International Data Transfers
We configure all third-party services to use European Union data centers wherever possible (Render: Frankfurt, Firebase: Ireland/Belgium, Gemini API: EU region, Stripe: EU, Resend: EU). When all services are configured for EU regions, no international data transfers occur.
If any service processes data outside the EU, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules as appropriate.
6. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Uploaded briefs | 24 hours | Processed and deleted automatically |
| Analysis results | 90 days | User convenience (view past analyses) |
| User account data | Until deletion or 3 years inactivity | Account management |
| Payment records | 6 years | UK tax law (HMRC requirement) |
| Usage logs | 90 days | Service monitoring and abuse prevention |
| Error logs | 90 days | Debugging and service improvement |
| Email delivery logs | 30 days | Email provider retention policy |
Automatic deletion: Uploaded briefs are deleted 24 hours after upload. Analysis results are deleted after 90 days. Inactive accounts are deleted 3 years after last login (email notification sent 30 days before deletion).
Manual deletion: You can delete individual analysis results and your entire account via account settings or by emailing us. Payment records cannot be deleted until the 6-year legal retention period expires.
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit: HTTPS/TLS for all connections
- Encryption at rest: AES-256 encryption for stored data
- Secure sessions: Cookies with
Secure,HttpOnly, andSameSiteflags - File validation: Uploaded files are validated for type and size before processing
- API key security: API keys stored server-side as environment variables, never exposed to the client
- Access control: Only the founder has access to production data
No system is 100% secure. We will notify you of any data breaches that pose a risk to your rights (see Section 8).
8. Data Breach Notification
If a personal data breach occurs, we will:
- Notify the ICO within 72 hours if the breach poses a risk to your rights
- Notify affected users without undue delay if the breach poses a high risk
Breach notifications will include: the nature of the breach, what data was affected, likely consequences, steps we have taken to mitigate harm, and steps you should take.
If you suspect a security issue, contact us immediately at security@lorm.co.uk.
9. Your Rights Under GDPR
You have the following rights regarding your personal data:
Right to Access
Request a copy of all personal data we hold about you. Email privacy@lorm.co.uk with "Data Access Request" in the subject line. We will respond within 30 days.
Right to Rectification
Request corrections if your data is inaccurate or incomplete.
Right to Erasure ("Right to Be Forgotten")
Request deletion of your personal data. We will delete your account, uploaded briefs, and analysis results. Payment records must be retained for 6 years per HMRC requirements.
Right to Data Portability
Request a copy of your data in a structured, machine-readable format (JSON).
Right to Object
Object to processing based on legitimate interest. We will stop processing unless we have compelling legitimate grounds.
Right to Restrict Processing
Request restriction of processing in certain circumstances (e.g., while disputing accuracy of data).
Right to Withdraw Consent
Where processing is based on consent, you may withdraw at any time. Most of our processing is based on contract performance or legal obligation.
Right to Complain
If you believe we have mishandled your data, lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk/make-a-complaint
Phone: 0303 123 1113
10. Cookies and Tracking
| Cookie Name | Purpose | Expiry | Type |
|---|---|---|---|
session | Maintains login state and associates uploads with your session | Browser close or 24 hours | Essential |
Essential cookies do not require consent under PECR. We do not use analytics cookies, advertising cookies, social media tracking, or cross-site tracking. You do not need to accept a cookie banner to use Lorm.
11. Data Sharing and Disclosure
We do not sell your data. We do not sell, rent, or trade your personal data to third parties for marketing purposes.
We share data only with our sub-processors (see Section 4) and when required by law (court orders, HMRC investigations, ICO audits, fraud prevention). If Lorm is sold or acquired, you will be notified and given the option to delete your account before transfer.
12. Children's Privacy
Lorm is not intended for individuals under 18. We do not knowingly collect data from children. If you are a parent or guardian and believe your child has provided data to us, contact privacy@lorm.co.uk.
13. Data Minimization
We follow the GDPR principle of data minimization. We collect only the data necessary to provide the Service. We do not ask for your phone number, track your location, or require social media login.
14. Your Choices and Controls
- Sensitive briefs: Do not upload briefs containing sensitive personal data (health records, biometric data). The Service is designed for typical architectural briefs.
- Project settings: Consultant names and client names are optional. You can leave fields blank or use placeholders.
- Delete results: You can delete individual analysis results via account settings.
- Delete account: Delete your account at any time via settings or by emailing privacy@lorm.co.uk.
15. Third-Party Links
The Service may contain links to third-party websites (e.g., jury member portfolios, project references). We are not responsible for the privacy practices of those sites. This Privacy Policy applies only to Lorm.
16. Business Contact Information
If you upload competition briefs containing business contact information (e.g., organizer's email, project stakeholder names), we process this data only for the purpose of analysis and output generation. We do not add contacts to marketing lists or share contact details beyond what is needed for analysis.
17. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in how we process data, legal requirements, or service features. We will notify you by posting the updated policy with a new "Last Updated" date and, where appropriate, sending an email notification.
Material changes take effect 30 days after notification. If you do not agree, you must stop using the Service and delete your account.
18. Contact Us
If you have questions about this Privacy Policy or how we handle your data:
Email: privacy@lorm.co.uk
Data Controller: Lorm, United Kingdom
Please include your name, email address, the nature of your request, and any relevant reference numbers. We will respond within 30 days.