Draft — pending legal review. These terms are not legally binding until finalized. Questions or corrections: legal@rateplane.com.
Last updated: April 24, 2026
Trust Center
A single place for everything a procurement, security, or privacy team needs to review before working with Rateplane Ltd. All documents below are written to UK law (the UK GDPR, the Data Protection Act 2018, and the laws of England and Wales) and are kept current as the product evolves.
Legal and compliance documents
Terms of Service
Commercial terms — plans, billing, acceptable use, IP, limitation of liability, and UK governing law.
Privacy Policy
What personal data we process, lawful bases under UK GDPR, retention periods, sub-processors, and your rights.
Cookie Policy
Every cookie and storage key we actually set, with purpose and duration. Strictly-necessary only.
Data Processing Addendum
EnterpriseArticle 28 processor terms for Enterprise customers, built around the EU SCCs and UK IDTA.
Security posture
Controls we operate today: encryption, access, rate limits, audit logging. Incident response and compliance roadmap.
Our commitments at a glance
Your data stays yours. You retain all rights to workspace content and connected-cloud data. We process it only to deliver the Service and, with your consent, to produce aggregated anonymised statistics. We do not sell or rent personal data.
Credentials are encrypted at rest. AWS, Azure, and GCP credentials are stored under an AES-256-GCM envelope encryption scheme with a key-encryption key held outside the database. Credentials are never returned in API responses or logs.
72-hour breach notification. For personal-data breaches likely to result in a risk to data subjects, we notify the UK Information Commissioner's Office and affected customers within 72 hours of confirmation, as required by Article 33 UK GDPR.
Data subject rights in one month. Access, rectification, erasure, portability, objection, and restriction requests are responded to within one month of receipt. Complaints route to the ICO.
SOC 2 Type I in progress; ISO 27001 on the roadmap. See the compliance roadmap for current status. Attestation reports are shared with Enterprise customers under NDA.
Report a vulnerability
Responsible disclosure — we acknowledge within 3 business days
Email responsible-disclosure@rateplane.com with a description, reproduction steps, and any proof-of-concept. The full rules of engagement and safe-harbour language are on the Security page.