1. Who we are (the controller)
Mediation and ADR Services Limited (trading as Mediate-AI; UK ICO registration C1938651; Companies House No. 17233766; registered office 66 Paul Street, London EC2A 4NA) is the controller of your personal data for the purposes of UK GDPR. Contact via our contact form.
The Mediate-AI software is owned by Trance Limited (overseas entity OE025742; ICO C1894395) and operated by Mediation and ADR Services Limited under licence; Trance Limited is not a processor of personal data submitted to Mediate-AI mediations.
2. What we collect
- Account data: name, email, password (hashed using bcrypt)
- Billing data: Stripe customer ID and payment status. Card details are held by Stripe — we never see them
- Mediation data: case details, position statements, evidence documents you upload, reservation prices (private to you), caucus notes (private to you), interactions with the AI mediator, settlement amounts, bank account details for settlement payment (only added by you for use on your own Settlement Agreement)
- Other party data: when you initiate a mediation we collect the email address (and optionally name) of the other party so we can send the invitation
- Technical data: IP address, browser, timestamps and minimal logs needed to operate the service securely
3. Special category data
The information you choose to share when describing a dispute may include special category data under UK GDPR Article 9 (e.g. health information in personal injury / package travel claims, financial information in consumer credit claims). You disclose this voluntarily for the purpose of obtaining a resolution. We process it under Article 9(2)(a) (your explicit consent) and to establish, exercise or defend legal claims under Article 9(2)(f). Only share what is relevant.
4. Lawful basis (UK GDPR Article 6)
- Performance of contract — to deliver the mediation service you have signed up for
- Legitimate interests — security, fraud prevention, anti-abuse caps on free services, service improvement (we never use your content to train AI models)
- Legal obligation — accounting and tax records, regulatory compliance
- Consent — for any optional marketing communications, withdrawable any time
5. Who we share data with
- The other party to your mediation — both parties see each other's polished case statement, the AI assessment, the proposal and reasoning, and (for the Settlement Agreement) the Claimant's bank details. Reservation prices, caucus notes and individual evidence are kept private to the party who submitted them
- Stripe — payment processing
- Anthropic — AI processing of your case content (data sent for inference, not retained for training under their commercial API terms)
- Resend — transactional email delivery (invitations, reminders, settlement confirmations)
- Hetzner — server hosting (UK / EU data residency)
We do not sell or rent your data. We do not share with advertising networks.
6. Where your data is stored
Your data is stored on servers located in the UK / EEA. Some processors (Anthropic for AI inference) may process data outside the UK; this is done under appropriate contractual safeguards including the UK International Data Transfer Addendum.
7. How long we keep it (data retention)
We take data minimisation seriously. Our retention schedule:
- Settled mediation data — auto-purged 21 days after settlement. All case content (statements, evidence, proposal reasoning, the Settlement Agreement, bank details added to it) is permanently deleted from our servers 21 days after the date of settlement (14 days for the defendant to pay + 7 days buffer). We retain only an anonymised aggregate record (claim amount, settlement amount, claim type, dates — no names, no emails, no documents) for our own performance statistics.
- Account deletion — 3 working days. When you request account deletion, your account is marked for deletion immediately, signed out, and permanently deleted after 3 working days. Sign back in within those 3 working days to cancel. After deletion all your personal contact details, intake sessions, evidence and chat history are permanently removed; any settled mediations are anonymised as above.
- Active account data: retained while your account is active and you continue to use the service.
- Abandoned intake drafts: deleted after 90 days of inactivity.
- Refusal / Bad-Faith Certificates: retained for 6 years (CPR limitation period) — these are formal legal documents that may need to be produced in subsequent proceedings.
- Billing records: 6 years (statutory).
- Backups: rolling 7 days local; offsite backups (Hetzner Storage Box) retained per provider rolling policy.
8. Your rights
Under UK GDPR you have the right to: access your data, correct inaccurate data, erase your data, restrict processing, object to processing, port your data, and withdraw consent. Contact us via our contact form. We aim to respond within 30 days.
If you are unhappy with how we handle your data you can complain to the Information Commissioner's Office at ico.org.uk or 0303 123 1113.
9. Cookies
See our Cookies Policy.
10. Security
We use TLS encryption for all traffic, encrypted backups, hashed passwords, principle-of-least-privilege access controls, and offsite data backups. No system is perfectly secure; if we have a notifiable breach we will notify the ICO within the remainder of the mediation window and affected users without undue delay.
11. Children
The service is not intended for under-18s. We do not knowingly collect data from children.