Privacy policy
This policy explains how Do Your Bit Ltd (“we”, “us”), trading as Scale at Speed, handles your personal data when you use the Scale at Speed Advisor at advisor.scaleatspeed.com. We handle your data lawfully under the UK GDPR and the Data Protection Act 2018.
1. What we collect
When you use the Advisor we may collect and store:
- Account data — your email address, display name, and (if you sign in with Google) your Google account ID and profile picture URL.
- Conversation data — every message you send to the advisor and every response the advisor generates, stored so the conversation can continue and (for paid members) so the advisor can recall past sessions.
- Scorecard data — if you complete a Scale at Speed scorecard, the scores and the original submission payload are stored against your account.
- Billing data — if you upgrade, a Stripe customer ID, subscription ID and payment dates (we never see or store your card number — Stripe handles that).
- Usage data — the IP address you connect from, the browser user-agent, timestamps of requests and session activity.
- Marketing preferences — the tags we apply to your record in Mailchimp based on the topics you discuss with the advisor (e.g. “topic-hiring”, “topic-cash-flow”).
2. Why we use it
- To provide the Advisor (authenticate you, run the chat, remember paid members’ context).
- To bill paid members and maintain records required by UK tax law.
- To send you transactional emails (magic link login, payment failures, membership receipts).
- To send you marketing emails via Mailchimp only if you’ve opted in. You can unsubscribe at any time.
- To improve the service — anonymised and aggregated patterns across users (e.g. which business problems come up most often) may inform future content and features.
- To investigate fraud, abuse, or technical issues.
3. Legal bases (UK GDPR Art. 6)
- Contract — running the Advisor you’ve asked for.
- Legitimate interest — core functionality, fraud prevention, aggregate analytics, keeping the service online.
- Consent — marketing emails, and any cookie category beyond strictly necessary.
- Legal obligation — accounting and tax records.
4. Who we share it with
We use the following third-party processors. Each is bound by a data-processing agreement with us. We do not sell your data to anyone.
- Anthropic (US) — runs the Claude AI model that powers the advisor. Your messages are sent to Anthropic to generate responses. Anthropic privacy policy.
- Supabase (US/EU) — hosts our database. Supabase privacy policy.
- Stripe (Ireland / US) — handles all payment processing. Stripe privacy policy.
- Postmark / ActiveCampaign (US) — sends transactional emails. Postmark privacy policy.
- Mailchimp / Intuit (US) — manages our marketing list. Intuit privacy policy.
- Google (US) — only if you sign in with Google; handles the OAuth handshake. Google privacy policy.
- ScoreApp (UK) — if you complete a scorecard, your submission passes through ScoreApp to our systems. ScoreApp privacy policy.
- Cloudflare (US) — DNS, CDN and DDoS protection in front of the site. Cloudflare privacy policy.
- Hostwinds (US) — our VPS host. Hostwinds privacy policy.
Some processors are based outside the UK/EEA. Transfers rely on UK International Data Transfer Addenda, EU Standard Contractual Clauses, or adequacy decisions as applicable.
5. How long we keep it
- Conversation messages — retained for as long as your account is active. Paid members’ past sessions are summarised automatically for future context.
- Scorecard results — retained for as long as your account is active.
- Billing records — retained for seven (7) years after your last payment to meet UK tax law.
- Magic-link tokens — deleted within 7 days of expiry.
- Account data — on deletion, all personal data is erased except billing records required by law.
6. Your rights
You can request to:
- Access a copy of the data we hold about you;
- Correct anything that is inaccurate;
- Delete your account and all associated personal data (right to erasure);
- Export your data in a portable format;
- Object to processing based on legitimate interest;
- Withdraw marketing consent at any time (every marketing email includes an unsubscribe link).
To exercise any of these rights, email [email protected]. We will respond within one month.
If you’re unhappy with our response you can complain to the UK Information Commissioner’s Office at ico.org.uk.
7. Cookies
We use only strictly necessary cookies:
- sas_session — identifies your authenticated session; HttpOnly, Secure, SameSite=Strict; expires after 30 days of inactivity.
- sas_oauth — transient cookie used only during the Google sign-in handshake; expires after 10 minutes.
We don’t use tracking, analytics or advertising cookies on the Advisor.
8. Security
All traffic between your browser and our servers is encrypted with TLS. Data at rest in Supabase is encrypted. Inbound webhooks from ScoreApp and Stripe are checked against a shared secret and a cryptographic signature before they are processed, so a forged or replayed request is rejected. Direct access to production infrastructure is restricted to named engineers only.
Despite our efforts, no internet transmission is 100% secure. If a breach affects your personal data and creates a high risk to your rights, we will notify you without undue delay.
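To show what the signed-webhook check in the section above involves, here is an added illustration in Python. It is not the Advisor's own code: it follows Stripe's publicly documented Stripe-Signature scheme (HMAC-SHA256 over "timestamp.body", a tolerance window, constant-time comparison), and the secret, payload and timestamps are constructed values. ScoreApp's exact signing format is not described on this page, so nothing here should be read as describing it.

```python
import hashlib
import hmac
import time
from typing import Optional

# Shared endpoint secret. Constructed placeholder for this example, not a real key.
WEBHOOK_SECRET = b"whsec_example_not_a_real_secret"
TOLERANCE_SECONDS = 300  # reject timestamps more than 5 minutes from now (replay window)


def sign_payload(secret: bytes, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>', hex encoded.

    This is the documented Stripe-Signature construction: the sender computes it and
    the receiver recomputes it. Binding the timestamp into the MAC is what lets the
    receiver reject a replay of an old, otherwise valid, message.
    """
    signed = str(timestamp).encode() + b"." + payload
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def build_signature_header(secret: bytes, timestamp: int, payload: bytes) -> str:
    """Sender side: 't=<timestamp>,v1=<hex mac>' (used here to construct test messages)."""
    return f"t={timestamp},v1={sign_payload(secret, timestamp, payload)}"


def parse_signature_header(header: str):
    """Split 't=...,v1=...,v1=...' into (timestamp, [mac, ...]).

    Returns None on any malformed input. Several v1 values are accepted because a
    sender may sign with both the old and the new secret during key rotation.
    """
    timestamp = None
    macs = []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            return None
        if key == "t":
            if not value.isdigit():
                return None
            timestamp = int(value)
        elif key == "v1":
            macs.append(value)
        # other keys (e.g. a v0 test-mode signature) are ignored rather than rejected
    if timestamp is None or not macs:
        return None
    return timestamp, macs


def verify_webhook(secret: bytes, header: str, payload: bytes,
                   now: Optional[int] = None) -> bool:
    """Receiver side. True only if the payload is authentic and fresh.

    Verify over the raw request body bytes, before any JSON parsing: re-serialising
    the body can change whitespace or key order and break the MAC.
    """
    parsed = parse_signature_header(header)
    if parsed is None:
        return False
    timestamp, macs = parsed
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or from the future: treat as a replay
    expected = sign_payload(secret, timestamp, payload)
    # compare_digest runs in constant time, so a forger learns nothing from timing.
    return any(hmac.compare_digest(expected, mac) for mac in macs)


if __name__ == "__main__":
    body = b'{"id":"evt_example","type":"invoice.paid"}'  # constructed event body
    ts = int(time.time())
    hdr = build_signature_header(WEBHOOK_SECRET, ts, body)
    print("genuine:", verify_webhook(WEBHOOK_SECRET, hdr, body))
    print("tampered:", verify_webhook(WEBHOOK_SECRET, hdr, body + b" "))
    print("replayed:", verify_webhook(WEBHOOK_SECRET, hdr, body, now=ts + 600))
```

The two failure modes worth noting are the ones the policy's "shared-secret and signature" wording implies: a valid signature over a modified body fails because the MAC covers the raw bytes, and an unmodified message resent after the tolerance window fails because the timestamp is inside the MAC and cannot be updated without the secret.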
9. Children
The Advisor is not intended for users under 16. We do not knowingly collect personal data from anyone under 16.
10. Changes
We may update this policy. The “Last updated” date at the top reflects the most recent change. Material changes will be announced by email to members.
11. Contact
Data controller: Do Your Bit Ltd (Company No. 08130003)
Registered office: Suite 2a, 7th Floor — PF City Reach, 5 Greenwich View Place, London, E14 9NN, United Kingdom
Email: [email protected]