Legal

Privacy Notice

Last updated: 18 June 2026

This notice explains how Lee Freeman, a sole trader trading as MLR PreCheck, handles personal data when people visit the website, contact us, book a demonstration, create or use an account, purchase the Service or submit content.

1. Who we are

Lee Freeman, a sole trader trading as MLR PreCheck, of 54 Chestnut Lane, Ashford, Kent, United Kingdom, operates the MLR PreCheck website and application. Lee Freeman is the controller for personal data used to manage accounts, enquiries, demonstrations, support, billing, security, website operation and business communications.

When a customer submits marketing copy or documents containing personal data about other people, the customer is normally the controller and Lee Freeman trading as MLR PreCheck acts as processor under the Data Processing Agreement.

2. Contact details

Privacy enquiries, rights requests and complaints may be sent to [email protected] or posted to Lee Freeman, a sole trader trading as MLR PreCheck, 54 Chestnut Lane, Ashford, Kent, United Kingdom.

MLR PreCheck has not appointed a statutory Data Protection Officer. Privacy matters are handled directly by the business operator.

3. Personal data we collect

3.1 Account and workspace data

  • Name and work email address.
  • Password authentication records. MLR PreCheck does not receive a readable copy of your password.
  • Organisation, workspace, role, invitations and membership.
  • Acceptance records for the Terms, DPA, Disclaimer and material updates.
  • Optional workspace logo, brand terms and branded sign-in address.

3.2 Customer content and service records

  • Marketing copy pasted into the Service.
  • Word documents and text extracted from them.
  • Check titles, tags, versions, findings, suggestions and final drafts.
  • User actions such as accepting, declining or marking a finding as having evidence.
  • Customer support information connected with a check or workspace.

3.3 Enquiry, demonstration and support data

  • Name, company, work contact details and message submitted through the contact form.
  • Information submitted when booking or attending a demonstration.
  • Emails and support messages, including notes needed to answer or resolve the request.
  • Privacy complaints, rights requests and suspected-breach reports.

3.4 Billing data

  • Plan, seat count, subscription status, invoice and payment history.
  • Payment-method tokens and limited card metadata supplied by the payment provider. MLR PreCheck does not store full card numbers or card-security codes.

3.5 Technical, security and usage data

  • IP address, browser, device, language, date and time.
  • Authentication, error, API, security and audit logs.
  • Pages and features used, subject to cookie choices.
  • Approximate location derived from IP address where supplied by a provider.

3.6 Data you must not submit

The Service is not intended for patient data, health information, special-category data, children’s data, full payment-card data or other Prohibited Data described in the Terms. If prohibited data is submitted accidentally, contact us promptly so we can take appropriate deletion or containment steps.

4. How we obtain personal data

We obtain personal data directly from you, from a workspace owner who invites you, automatically through operation and security logs, from consented analytics or advertising technologies, and from providers used to operate the Service.

5. Purposes and lawful bases

| Purpose | Data used | Lawful basis | Explanation |
|---|---|---|---|
| Create and manage accounts and provide the Service | Account, workspace, service content and usage records | Contract | Necessary to provide the business service requested. |
| Process third-party personal data in Customer Content | Customer content and associated audit records | Processor instructions under the DPA | The customer determines why the personal data is submitted. |
| Respond to enquiries and arrange demonstrations | Name, company, work contact details, message and demonstration-booking information. | Steps requested before a possible contract, or legitimate interests where the enquiry does not relate to a possible contract. | Necessary to answer genuine business enquiries and arrange requested demonstrations. |
| Provide customer support | Account details, support correspondence and relevant service records. | Contract and legitimate interests. | Necessary to support users, investigate problems and maintain service quality. |
| Protect accounts, prevent abuse and investigate incidents | Technical, security, account and audit data | Legitimate interests; legal obligation where applicable | Necessary to operate a secure business service and protect users. |
| Administer subscriptions, payments, tax and accounting | Account and billing data | Contract; legal obligation | Necessary to charge for the Service and retain required financial records. |
| Handle privacy rights, complaints and suspected personal-data breaches | Contact details, identity information where required, complaint details, correspondence and case records. | Legal obligation, with legitimate interests where necessary to administer the case securely or establish, exercise or defend legal claims. | Necessary to meet data-protection duties, investigate the matter and retain an appropriate audit trail. |
| Send essential service messages | Account and security data | Contract; legitimate interests | Includes verification, password, security, billing and material legal notices. |
| Send optional marketing | Contact details and marketing choices | Consent, where required | Marketing is separate from service messages and can be stopped at any time. |
| Measure website use and advertising effectiveness | Cookie identifiers and online activity. | Consent. | Non-essential analytics and advertising technologies are not loaded before the required consent. |
| Establish, exercise or defend legal claims | Relevant account, contract, content and correspondence | Legitimate interests; legal obligation | Used only where reasonably necessary. |

6. Artificial intelligence processing

The Service sends submitted content through a server-side gateway to the active AI model provider to produce the requested findings and wording suggestions. API credentials are not exposed to the user’s browser.

MLR PreCheck does not use Customer Content to train its own general-purpose models. Customer Content is processed by the configured AI service under that provider’s current terms. Contact [email protected] for current provider information.

The current provider, model route and verified retention position are stated on the Security and Data Protection page. If those facts change, this notice and the Security page must be updated before or at the same time as the change.

The Service does not make decisions that produce legal or similarly significant effects about an individual. Findings are advisory and require human review.

7. Recipients and service providers

We disclose personal data only where needed to operate the Service, meet legal duties or protect legal rights. The provider categories are:

  • Database, authentication and file-storage provider.
  • Application hosting, edge-network and security providers.
  • AI gateway and model provider.
  • Payment provider for paid subscriptions.
  • Email, contact-form and demonstration-booking provider, where used.
  • Analytics and advertising providers, only after the relevant consent.
  • Professional advisers, insurers, authorities or courts where reasonably necessary or legally required.
  • A buyer or successor if the business or Service is transferred, subject to confidentiality and data-protection duties.

A current list of providers that process Customer Personal Data is maintained on the Security and Data Protection page. MLR PreCheck does not sell personal data.

8. International transfers

Some providers may process personal data outside the United Kingdom or European Economic Area. Before making a restricted transfer, MLR PreCheck must use a lawful transfer route. Depending on the provider and destination, this may include UK adequacy regulations, the UK Extension to the EU-US Data Privacy Framework for an eligible and active participant, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses.

Where required, MLR PreCheck must complete or rely on an appropriate transfer risk assessment and apply additional safeguards. Copies or details of applicable safeguards may be requested through [email protected], subject to necessary redactions.

9. Retention

| Record | Default retention |
|---|---|
| Account data | While the account is active, then deletion or anonymisation from primary systems within 90 days unless a longer period is required for disputes, fraud prevention or law. |
| Customer content | Until the customer deletes it or the account ends. We delete Customer Content from active systems after the account or content is deleted and allow protected backup copies to expire under the hosting provider's normal backup cycle, subject to the DPA and verified platform capability. |
| Contract and acceptance records | Six years after the customer relationship ends. |
| Contact and demo enquiries | Up to two years after the last meaningful contact, unless the information becomes part of an active customer record or must be retained for a dispute. |
| Support correspondence | Up to three years after the matter closes. |
| Privacy complaints and rights requests | Two years after the case closes, unless a longer period is needed for an active regulatory or legal matter. |
| Billing and tax records | Six years after the relevant financial year, or longer if required by tax law. |
| Security and audit logs | Up to 12 months unless needed for an active investigation or legal claim. |
| Cookie consent record | Up to 13 months from the choice or until replaced by a new choice. |
| Marketing suppression record | As long as reasonably needed to ensure that an opt-out is respected. |

Personal data may be kept for longer where law requires it or where reasonably necessary for an active complaint, dispute, fraud investigation, security incident or legal claim. Data that has been irreversibly anonymised is no longer personal data.

10. Security

MLR PreCheck uses proportionate technical and organisational measures intended to protect personal data. These include authenticated access, role and workspace controls, encrypted transport, provider-managed encryption at rest, restricted administrative access, secret management, logging and incident procedures. The current verified controls are described on the Security and Data Protection page.

No internet service can guarantee absolute security. Users must protect credentials, use strong unique passwords and report suspected compromise promptly.

11. Your rights

Subject to the conditions and exceptions in data-protection law, individuals may request access, correction, deletion, restriction, portability or objection. Consent can be withdrawn where consent is the basis. Marketing can always be stopped.

Rights requests may be sent to [email protected]. We may need information to confirm identity and understand the request. We normally respond within one month and may extend by up to two further months for a complex or numerous request, as permitted by law.

Where MLR PreCheck holds Customer Personal Data only as processor, we may refer the request to the relevant customer controller and assist that customer under the DPA.

12. Data-protection complaints

You can submit a data-protection complaint or suspected-breach report through the Report a privacy concern form or by emailing [email protected].

We will acknowledge your complaint within 30 days. Without undue delay, we will take appropriate steps to investigate it, keep you informed where necessary and tell you the outcome.

You may also complain to the Information Commissioner’s Office in the United Kingdom (ico.org.uk) or, where applicable, another competent supervisory authority.

13. Cookies and similar technologies

Necessary and user-requested storage technologies support authentication, security and preferences. Analytics and advertising technologies are used only after the required consent. The Cookie Policy explains the current technologies, purposes, providers, retention and how to change a choice.

14. Children and health data

The Service is for business users aged 18 or over. It is not intended for children, patient data, health information or US Protected Health Information. MLR PreCheck is not a HIPAA Business Associate and does not offer a Business Associate Agreement.

15. Changes to this notice

We may update this notice when the Service, providers or law changes. We will give registered users reasonable notice of a material change by email or in-app message. The date at the top shows the latest revision.