Privacy Policy
Last updated: 25 March 2026
Note: Assayed primarily processes company data from publicly available sources, not personal data. However, user account information and director details within assessment reports constitute personal data and are handled in accordance with this policy.
1. Data Controller
The data controller for the Assayed platform is Cairnstone Consultancy Ltd, a company registered in England.
For data protection queries, contact our Data Protection Lead at privacy@assayed.co.uk.
2. Data We Collect
Account Data
When you create an account, we collect your name, email address, organisation name, and role. This data is necessary to provide and manage your access to the Service.
Assessment Data
When you run an assessment, the platform queries public and licensed data sources about the target company. This includes company registration details, financial filings, director names, credit data, news articles, legal notices, and public contract records.
Director names and related information within assessments may constitute personal data. This data is sourced from publicly available registers (Companies House, The Gazette) and licensed data providers.
Usage Data
We plan to implement privacy-respecting analytics (PostHog). When implemented, this section will be updated. Currently, only server logs record basic request information.
3. Legal Basis for Processing
We process personal data on the following legal bases:
- Contract performance: Processing your account data and generating assessments is necessary to deliver the Service you have subscribed to.
- Legitimate interests: We collect usage data to improve the Service, monitor performance, and detect abuse. Our legitimate interest in these activities does not override your rights and freedoms.
- Consent: Where we send marketing communications, we do so with your explicit consent. You may withdraw consent at any time.
- Legal obligation: We may process data where required by law, regulation, or legal proceedings.
4. How We Use Your Data
- Providing and maintaining the Service
- Generating company risk assessment reports
- Processing payments through our billing provider
- Communicating service updates and account notifications
- Improving the platform based on usage patterns
- Detecting and preventing fraud or abuse
- Complying with legal obligations
We do not sell your personal data. We do not use your assessment data to train AI models. Each assessment is processed independently and the results belong to you.
5. Sub-processors
We use the following third-party services to operate the platform. Each sub-processor has been evaluated for data protection compliance.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and authentication | US (EU-US Data Privacy Framework) |
| Paddle | Payment processing and billing | UK / EU |
| Google Cloud / Vertex AI | AI synthesis for assessment reports | EU (europe-west2) |
| T2A | Company credit data and financial information | UK |
| Vercel | Application hosting and CDN | Global (Edge network) |
6. Data Retention
- Account data: Retained while your account is active and for 30 days after account deletion.
- Assessment data: Retained for 2 years from the date of generation, or until you request deletion, whichever is sooner.
- Usage data: Aggregated and anonymised after 12 months. Anonymised data may be retained indefinitely for service improvement.
- Billing records: Retained for 7 years as required by UK tax and accounting regulations.
You may request deletion of your assessment data at any time by contacting privacy@assayed.co.uk. We will process deletion requests within 30 days.
7. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate personal data.
- Right to erasure: Request deletion of your personal data where there is no compelling reason for continued processing.
- Right to data portability: Request your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests, including direct marketing.
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
To exercise any of these rights, contact privacy@assayed.co.uk. We will respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. International Transfers
Some of our sub-processors operate outside the UK. We ensure appropriate safeguards are in place for international data transfers:
- Supabase (US): Certified under the EU-US Data Privacy Framework, which provides an adequate level of protection as recognised by the UK government.
- Google Cloud (EU): Data is processed in the europe-west2 (London) region where available, and in EU regions otherwise. Google operates under Standard Contractual Clauses.
- Vercel (Global): Edge computing may process requests in multiple regions. Application data is stored in EU/UK regions.
10. Children
The Service is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
12. Contact
For privacy-related queries, contact our Data Protection Lead:
- Email: privacy@assayed.co.uk
- Cairnstone Consultancy Ltd