Legal Documents - Organisations
This page contains the legal and technical documents relevant to deploying DebtRiot within your organisation. It is intended for procurement teams, data protection officers, and anyone responsible for evaluating third-party tools under UK GDPR. All documents are available to download. If you have questions before signing, contact hello@debtriot.co.uk.
Data Processing Agreement (DPA)
Required under UK GDPR Article 28 for any organisation deploying DebtRiot. This agreement sets out how DebtRiot (the processor) handles data on behalf of your organisation (the controller). Because DebtRiot does not collect personal data from end users, the DPA is brief and straightforward. A countersigned copy is provided to every client before deployment.
B2B2C Terms & Conditions
Governs the relationship between DebtRiot and your organisation, including permitted use, access controls, liability, and termination. Covers both pilot and paid subscription periods.
→ Download Terms & Conditions (PDF)
Pilot Agreement
Sets out the terms of the free three-month pilot: no charge, no auto-renewal, no size limit. Includes data deletion obligations at pilot end and the process for transitioning to a paid subscription if you choose to continue.
Data Architecture Summary
What DebtRiot collects, where it lives, and who can see it.
| What is collected | End users: Nothing. No name, no email, no financial data, no device ID. End users interact with the tool anonymously. Org admin: Email address only — used for dashboard login and account correspondence. Usage telemetry: Anonymous session start and session completion counts, stored per organisation. No content, no user identity. |
| Where data is stored | Upstash Redis KV, EU region (Frankfurt). Data is namespaced under b2b2c: — logically isolated from all other DebtRiot data. No data is stored on Vercel infrastructure beyond ephemeral request processing. |
| Retention | 12 months rolling. Telemetry counts older than 12 months are automatically overwritten. Org admin accounts and associated data are deleted within 30 days of contract end or on written request, whichever comes first. |
| Who can access | DebtRiot only. Data is never sold, shared, or disclosed to third parties. Org admins can view their own organisation's aggregate counts via their dashboard — they see no data from other organisations. No personal identifiers are accessible to anyone. |
| At pilot end | All data associated with your organisation — telemetry counts and admin account — is deleted on request. Deletion is confirmed in writing within 5 business days. No data is retained after deletion. |
