Privacy Policy

Last updated: 8 June 2026

BundleRight is operated by Nimble Tech Ltd ("we", "us", or "our"). This privacy policy explains how we collect, use, and protect your personal data when you use our document bundling service.

1. Information We Collect

Waitlist Information: When you join our waitlist, we collect:

Account and Billing Information: When you purchase credits, we collect:

Contact and Support Enquiries: When you contact us through our contact form or by email, we collect:

Document Processing: When you use BundleRight to process documents:

Security and Abuse-Detection Logs: For each sign-in, session creation, and bundle generation we log:

These logs never contain document content, filenames, extracted text, or your raw licence key. We retain them for 90 days and they are then automatically deleted. Legal basis: legitimate interests (security monitoring, fraud and abuse prevention).

2. How We Use Your Information

We use the information we collect to:

We will never:

3. Zero Data Retention (ZDR)

BundleRight is built with law firm security requirements in mind. We do not send your document text to the Claude API directly. AI calls are routed through AWS Bedrock — the same AWS account in which our application and database run — so that AWS is the data processor for those calls under the AWS Data Processing Addendum that already governs the rest of our infrastructure. Anthropic, as the underlying model provider, does not receive your content directly under this arrangement.

Under the AWS DPA covering our Bedrock calls:

The Claude API itself is not invoked directly from BundleRight at any point — every regression test on every code change verifies this. If a future code change accidentally tried to bypass Bedrock, the automated test suite would fail before the change could ship.

Independent of AWS's retention, on our own systems:

4. Data Storage and Security

We implement appropriate security measures to protect your information:

Breach notification. If a personal data breach occurs that affects information we hold about you, we will notify the UK Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, in line with Article 33 of UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly under Article 34, describing what happened, what data was affected, what we have done in response, and what (if anything) you should do next.

We maintain an internal incident response process covering detection, containment, assessment, notification, and post-incident review.

5. Data Sharing

We share your information only with trusted service providers who help us operate BundleRight:

The full table — purpose, data, and region for each — lives on our Sub-processors page and is updated when sub-processors change.

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

6. Your Rights

Under UK data protection law (UK GDPR), you have the right to:

To exercise any of these rights, please use our contact form.

7. Data Retention

8. Cookies, Browser Storage, and Tracking

BundleRight is designed to minimise client-side state:

We do not use tracking cookies, analytics cookies, or advertising cookies.

9. International Transfers

BundleRight is hosted entirely on AWS in the United Kingdom (London region, eu-west-2), and your licence and billing data does not leave the UK.

Document processing also runs inside AWS, with the following routing:

The AWS Data Processing Addendum covers all of this AI processing. Document text is not transferred to the United States as part of BundleRight processing.

Stripe processes payment information under its own international transfer safeguards; we never see or store your card details.

10. Children's Privacy

BundleRight is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by email (if you have provided one) or by posting a notice on our website. The "Last updated" date at the top of this policy indicates when it was last revised.

12. Contact Us

If you have questions about this privacy policy or how we handle your data, please contact us:

Nimble Tech Ltd
Please contact us using our contact form
Website: bundleright.co.uk

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.