Legal Documents - Organisations

This page contains the legal and technical documents relevant to deploying DebtRiot within your organisation. It is intended for procurement teams, data protection officers, and anyone responsible for evaluating third-party tools under UK GDPR. All documents are available to download. If you have questions before signing, contact hello@debtriot.co.uk.

Data Processing Agreement (DPA)

Required under UK GDPR Article 28 for any organisation deploying DebtRiot. This agreement sets out how DebtRiot (the processor) handles data on behalf of your organisation (the controller). Because DebtRiot does not collect personal data from end users, the DPA is brief and straightforward. A countersigned copy is provided to every client before deployment.

→ Download DPA (PDF)

B2B2C Terms & Conditions

Governs the relationship between DebtRiot and your organisation, including permitted use, access controls, liability, and termination. Covers both Discovery and paid subscription periods.

→ Download Terms & Conditions (PDF)

Pilot Agreement

Sets out the terms of the 3-month paid Discovery period: scope, pricing, exit clause, and the process for transitioning to an annual subscription. Includes data deletion obligations at end of Discovery if no subscription follows.

→ Download Discovery Agreement (PDF)

Data Architecture Summary

What DebtRiot collects, where it lives, and who can see it.

What is collected

End users: Nothing. No name, no email, no financial data, no device ID. End users interact with the tool anonymously.

Org admin: Email address only — used for dashboard login and account correspondence.

Aggregate insight: Anonymous event counters per organisation per month — usage patterns, strategy choices, completion journeys, and charity signposting effectiveness. No content, no user identity.

Where data is stored

Upstash Redis KV, UK region (London). Data is namespaced under b2b2c: — logically isolated from all other DebtRiot data. No data is stored on Vercel infrastructure beyond ephemeral request processing.

Retention

Anonymous aggregate counts are retained long-term to enable trend analysis and outcome reporting. As they contain no individual identifiers, they cannot be linked to any person. Org admin accounts and associated data are deleted within 30 days of contract end or on written request, whichever comes first.

Who can access

DebtRiot only. Data is never sold, shared, or disclosed to third parties. Org admins can view their own organisation's aggregate insight via their dashboard — they see no data from other organisations. No personal identifiers are accessible to anyone.

At contract end

Your organisation's admin account is deleted on request. Aggregate counts (anonymous) are retained for historical trend continuity unless deletion is specifically requested. Deletion is confirmed in writing within 5 business days. No data is retained after deletion request.

ICO Registration: ZC115123 — registered with the Information Commissioner's Office under Miss Monika Pankiewicz, trading as DebtRiot.