Privacy Policy

Last updated: 3 April 2026

1. Who We Are

Hoxley is operated by Hoxley Limited, a company registered in England and Wales (Company No. 17054172), registered office at This Workspace, 18 Albert Road, Bournemouth BH1 1BZ.

Email: support@hoxley.ai

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:

• Hoxley Limited acts as data controller in relation to account data and website usage data.
• Hoxley Limited acts as data processor in relation to compliance documents and personal data uploaded by customer firms using the Hoxley platform.

2. Scope

This policy explains how we collect and use personal data when you:

• Create and use a Hoxley account
• Connect your Notion workspace
• Connect your Google Drive account
• Import and analyse documents
• Visit https://hoxley.ai

Hoxley is a business-to-business compliance analysis platform intended for FCA authorised firms.

3. Personal Data We Process

3.1 Account Data (Controller)

We collect:

• Email address
• Name (if provided)
• Firm name
• FCA Firm Reference Number (FRN)
• Company number
• Role within the firm

3.2 Document Data (Processor)

When you upload or import documents, we process:

• Document content
• Document metadata
• AI-generated findings
• User actions within the platform

Your firm remains the data controller for any personal data contained within uploaded documents.

3.3 Notion Integration

If you connect a Notion workspace, we process:

• Workspace identifiers
• OAuth tokens
• Content of pages you choose to import

We do not access content that has not been explicitly shared with the Hoxley integration.

3.4 Technical Data (Controller)

We collect limited technical information, including:

• IP address
• Browser and device information
• Usage data

3.5 Google Drive Integration

If you connect a Google Drive account, we process:

• OAuth credentials required to access selected files
• File metadata (such as file names, structure, and types)
• Content of files you explicitly select or import

We do not access or index files that have not been explicitly selected or authorised. Access is limited to the permissions granted by you and can be revoked at any time via your Google account settings.

4. Lawful Bases

We process personal data under the following lawful bases:

• Performance of contract – to provide the Hoxley service
• Legitimate interests – to secure and improve the platform
• Legal obligation – where required by law

Where we act as a processor, processing is carried out under contract with the relevant customer firm.

5. AI Processing

Hoxley uses third-party AI services to analyse documents submitted by users.

Document content is transmitted securely for analysis. AI outputs are returned to and stored within your Hoxley account.

Hoxley does not provide legal advice. Users remain responsible for reviewing and validating outputs.

No solely automated decision-making with legal or similarly significant effects is carried out.

6. Use of Google User Data

If you connect your Google Drive account, Hoxley will access and process Google user data in accordance with your authorisation. This may include file metadata and the contents of files you explicitly select or import into Hoxley.

Hoxley accesses Google user data solely to import documents into the platform, analyse content for compliance purposes, and generate outputs within your Hoxley workspace.

Hoxley does not access, read, or process files that you have not explicitly selected or authorised. Google user data is not used for advertising purposes, not sold to third parties, and not used for any purpose other than providing and improving Hoxley's functionality.

Google user data may be shared with trusted service providers strictly to deliver core platform functionality. This includes Anthropic (provider of Claude AI), which processes document content to generate compliance analysis, and OpenAI, which generates vector embeddings of document content to enable regulatory search. Both providers are contractually restricted from using the data for any other purpose, and your data is not used to train their models.

Hoxley's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

7. Data Sharing and Processors

We use third-party service providers to operate the platform, including providers of hosting, database infrastructure, email delivery and AI processing services.

These providers process personal data on our behalf under contractual safeguards.

8. International Transfers

Where personal data is transferred outside the United Kingdom, appropriate safeguards are applied in accordance with UK data protection law.

9. Data Retention

We retain:

• Account data for the duration of the account and up to 12 months after closure.
• Document data for the duration of the account and delete it following confirmed account closure.
• Technical logs for a limited period for security purposes.

Customer firms are responsible for their own regulatory record-keeping obligations.

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss or misuse.

No system can guarantee absolute security.

11. Your Rights

Under UK GDPR, individuals have rights including:

• Access
• Rectification
• Erasure
• Restriction
• Data portability
• Objection

Requests should be sent to support@hoxley.ai.

Where we act as a data processor, we will direct requests to the relevant controller firm.

You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

12. Children

Hoxley is not intended for individuals under 18.

13. Changes

We may update this policy from time to time. The latest version will always be available at hoxley.ai.