Draft — pending legal review. These terms are not legally binding until finalized. Questions or corrections: legal@rateplane.com.
Last updated: April 24, 2026
Trust Center
A single place for everything a procurement, security, or privacy team needs to review before working with Rateplane Ltd. All documents below are drafted around UK law (the UK GDPR, the Data Protection Act 2018, and the laws of England and Wales) and reviewed as the product evolves.
Legal and compliance documents
Terms of Service
Commercial terms — plans, billing, acceptable use, IP, limitation of liability, and UK governing law.
Privacy Policy
What personal data we process, lawful bases under UK GDPR, retention periods, sub-processors, and your rights.
Cookie Policy
Every cookie and storage key we actually set, with purpose and duration. Strictly-necessary only.
Data Processing Addendum
EnterpriseArticle 28 processor terms for Enterprise customers, built around the EU SCCs and UK IDTA.
Security posture
Controls we operate today: encryption, access, rate limits, audit logging. Incident response and compliance roadmap.
System status
Live overview of dashboards, ingestion, billing, email, and API surfaces. Incident history and component health.
Our commitments at a glance
Your data stays yours. You retain all rights to workspace content and connected-cloud data. We process it only to deliver the Service and, with your consent, to produce aggregated anonymised statistics. We do not sell or rent personal data.
Credentials are encrypted at rest. AWS, Azure, and GCP credentials are stored under an AES-256-GCM envelope encryption scheme with a key-encryption key held outside the database. Credentials are never returned in API responses or logs.
Breach notification where required. For personal-data breaches likely to result in a risk to data subjects, we notify the UK Information Commissioner's Office without undue delay and no later than 72 hours after becoming aware, where Article 33 UK GDPR applies.
Data subject rights in one month. Access, rectification, erasure, portability, objection, and restriction requests are responded to within one month of receipt. Complaints route to the ICO.
SOC 2 and ISO 27001 are not yet complete. See the compliance roadmap for the current status. We will only describe reports as available after a completed third-party assessment exists.
Report a vulnerability
Responsible disclosure — target acknowledgement within 3 business days
Email responsible-disclosure@rateplane.com with a description, reproduction steps, and any proof-of-concept. The full rules of engagement and safe-harbour language are on the Security page.