Data & Privacy

We minimise data collection. Reports are generated from your answers. We avoid storing personal information in logs and we do not sell personal data.

What we collect

  • Assessment answers (to generate your report)
  • First name (to personalise emails we send you)
  • Email address (to deliver your report and receipts if you choose email delivery)
  • Outward postcode (for example "G72" or "SW1A") to support future location-based signposting to services if you opt in
  • IP address (for geo-specific identification, so that we can display the country-specific questionnaire applicable to your country of origin, and for security and rate-limiting purposes)
  • Country/jurisdiction (because processes and terminology differ by jurisdiction; may be pre-populated based on IP address but can be manually selected or changed)
  • Technical diagnostics needed to keep the service reliable (for example error events and performance timing), designed to avoid personal data
  • Browser and device information (user agent, screen size) for technical compatibility and service improvement
  • Payment information (processed securely through our payment service provider; we do not store full payment card details)

We aim to collect the minimum data needed to run the service and deliver your report.

What we do not collect

  • We do not ask for full address, date of birth, bank details, ID documents, or National Insurance number.
  • We do not ask for names of beneficiaries or other individuals.
  • We do not store your assessment answers inside application error logs.
  • Screenshots for error reporting are disabled by default.
  • We do not use cookies for tracking or advertising purposes.
  • We do not share or sell your personal data to third parties for marketing purposes.

How we use data

  • To generate your report from your answers
  • To personalise emails we send you using your first name (optional field)
  • To deliver your report by email if you choose email delivery
  • To identify your country of origin using IP address geo-location, enabling us to display country-specific questionnaires and content that are applicable to your jurisdiction
  • To adapt wording, process notes, and legal terminology by country/jurisdiction to ensure accuracy and relevance
  • To protect against abuse and ensure service availability through rate limiting and security monitoring (IP addresses are used temporarily for this purpose and are not stored long-term)
  • To maintain and improve reliability using non-PII diagnostics (structured error logs with redaction)
  • To support payment processing via our payment service provider where used (payment data is processed securely and we do not store full payment card details)
  • To ensure technical compatibility and improve user experience by understanding browser and device capabilities

Free and paid assessments are treated the same from a data protection perspective. The difference is in coverage, not data handling.

Optional future signposting (not enabled by default)

If we add optional signposting to third-party services in future, we would use postcode and country to show relevant providers. This would be optional and you would be able to choose whether to use it.

This feature is not active yet. If it becomes available, we will ask you before using your location information for signposting.

Retention

  • Assessments and reports: kept only as long as needed for delivery and reasonable access. If automated deletion is enabled, records are deleted according to the configured retention policy.
  • Logs: stored as structured events and rotated/deleted on a schedule (for example 14 days for file logs and up to 90 days for database logs, depending on configuration).
  • If you request deletion, we will delete records where we are able to, subject to legal/financial record-keeping requirements (for example payment records).

Security measures

  • Access controls and least privilege
  • Encrypted connections in transit
  • Service-role keys kept server-side only
  • Structured logging with redaction enabled

Application error logs are designed to avoid personal data. We do not log assessment answers, email addresses, or names in error logs. Logs use correlation IDs (such as assessment ID and request ID) to diagnose issues without recording the content of your answers.

Your choices

  • You can choose not to provide first name or postcode (optional fields)
  • You can request deletion (contact support if you have a support contact method)

IP Address Geo-Identification

We use geo-specific IP address identification to determine your approximate country of origin. This enables us to:

  • Display country-specific questionnaires that are applicable to your jurisdiction
  • Pre-populate country/jurisdiction fields to save you time (you can always change this selection)
  • Show relevant content, pricing, and legal terminology for your location
  • Ensure you receive assessments that match your country's legal processes

How it works: When you visit our website, we temporarily process your IP address to identify your country. This information is used to customise your experience and is not stored long-term. IP addresses are also used for security purposes (rate limiting and abuse prevention) but are not retained beyond what is necessary for these legitimate purposes.

Your control: You can manually select or change your country/jurisdiction at any time during the assessment process. The IP-based identification is only used as a convenience feature to pre-populate fields.

UK GDPR Compliance

All personal data we collect and process is handled in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to protecting your privacy and ensuring full compliance with UK data protection rules.

Our Legal Basis for Processing

  • Contractual necessity: Processing your assessment answers and contact information is necessary to provide you with the assessment service you have requested
  • Legitimate interests: Using IP addresses for geo-identification, security, and service improvement (we have balanced our interests against your privacy rights)
  • Consent: Where you provide optional information (such as first name or postcode for future signposting), we process this based on your consent, which you can withdraw at any time

Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access: You can request a copy of the personal data we hold about you
  • Right to rectification: You can ask us to correct any inaccurate or incomplete data
  • Right to erasure: You can request deletion of your personal data (subject to legal/financial record-keeping requirements)
  • Right to restrict processing: You can ask us to limit how we use your data in certain circumstances
  • Right to data portability: You can request your data in a structured, machine-readable format
  • Right to object: You can object to processing based on legitimate interests
  • Rights related to automated decision-making: You have rights regarding automated processing (though our assessments are not fully automated decision-making under GDPR Article 22)

To exercise any of these rights, please contact us through our Contact page or Report a Problem page.

Data Controller Information

We are the data controller for the personal data we collect. If you have concerns about how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator. You can find more information at ico.org.uk.

Data Processing Principles

We process your data in accordance with the UK GDPR principles:

  • Lawfulness, fairness, and transparency: We only process data for specified, legitimate purposes and are transparent about our practices
  • Purpose limitation: We only collect data for specified, explicit purposes and do not use it for incompatible purposes
  • Data minimisation: We only collect data that is necessary for our purposes
  • Accuracy: We take steps to ensure data is accurate and kept up to date
  • Storage limitation: We do not keep data longer than necessary (see Retention section above)
  • Integrity and confidentiality: We implement appropriate security measures to protect your data
  • Accountability: We are responsible for demonstrating compliance with these principles

International Data Transfers

Your data is primarily processed and stored within the UK and European Economic Area (EEA). If we need to transfer data outside the UK/EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the UK government
  • Adequacy decisions by the UK government
  • Other legally recognised transfer mechanisms

Our payment service provider (Stripe) may process payment data in accordance with their own privacy policy and applicable data protection laws. We ensure all third-party processors meet UK GDPR standards.

International Use

If you select a country outside the UK, the report will use general process language and may include different official guidance links where available. All data processing remains subject to UK GDPR principles regardless of your location.

Final disclaimer: We provide information and process guidance only, not legal advice.

Information only. Not legal advice or tax advice.