ControlStandard.Tools — Privacy Policy
- Last updated: 10 May 2026
- Controller: Scorchsoft Ltd (company no. 07246693), registered in England and Wales.
- Registered office: 13 Portland Road, Edgbaston, Birmingham, B16 9HN, United Kingdom.
- Contact: privacy@scorchsoft.com
This Privacy Policy explains how Scorchsoft Ltd ("Scorchsoft", "we", "us", "our") collects, uses, shares, and protects personal data in connection with the ControlStandard.Tools platform (the "Service"). It should be read alongside the Terms and Conditions, which are incorporated by reference. Capitalised terms used but not defined here have the meanings given to them in the Terms.
We are based in the United Kingdom and the Service is operated from the UK. We welcome international users; this Policy applies wherever you are.
1. Who this Policy applies to
This Policy covers personal data we process about:
- Users of the Service, including account holders, Authorised Users invited into an Organisation, and people who request resources such as the Pocket Standard;
- Lead and visitor data captured through public diagnostics (Control Score, Pain Automation Score), waitlist forms, and contact forms;
- Individuals whose data is entered into the Service by a Customer, for example teammates added as Authorised Users or named project owners; and
- Visitors to our public marketing pages.
We do not knowingly collect personal data about children under 18.
2. Our role: controller and (where applicable) processor
Under the UK GDPR, the role we act in depends on the type of data:
- We are the controller of account data we hold about Users (name, email, password hash, role and permission assignments, audit-log records, login timestamps, terms-acceptance records, and platform usage logs).
- We are the controller of lead and visitor data captured through public diagnostics, waitlist signups, and marketing forms.
- We may act as a processor of personal data that a Customer uploads about its own teammates, project owners, or invitees. For that data the Customer (the Organisation) is the controller and we process the data on the Customer's documented instructions, in accordance with the Terms.
3. Personal data we collect
Depending on how you use the Service, we may collect the following categories of personal data:
- Account data: first name, last name, email address, password (stored only as a salted hash), Organisation name, role and permission assignments, email-verification status, terms-acceptance records (which version was accepted and when), and notification preferences.
- Profile and project data: project names, owners, missions, narratives, control-point details, check-in scores and reflections, and any other content you submit to the Service.
- Diagnostic submissions: answers and free-text context provided through the Control Score and Pain Automation Score diagnostics.
- Financial-tool data: where you use the Drift-Tax Calculator, ROI estimator, or similar cost-estimation tools, we record the numeric and text inputs you supply (for example, headcount, hourly rates, willingness-to-pay or build-cost figures), the totals and ratios computed from them, the date and time of the calculation, the assessment submission they relate to, and the recipient email address if you elect to email the result to yourself.
- Lead-capture data: name, email, company, role, team size, marketing-consent flag, and any free-text fields, where these are provided through public forms.
- Billing data: plan selection, subscription status, renewal date, and a Stripe customer reference. We do not store full payment-card details on our systems. Card data is processed and stored by Stripe.
- Marketing-consent data: whether you opted in or out of our mailing list, and any subsequent changes.
- Communications: any correspondence you send to us, including support requests, feedback, and notices.
- Usage and technical data: IP address, browser type, device and operating-system information, pages visited, actions performed, timestamps, error logs, and rate-limit metadata.
- Attribution data: UTM parameters captured from referral links and the referral code (if any) used at signup.
4. How we use personal data and our legal bases
We use personal data for the following purposes, relying on the following lawful bases under the UK GDPR:
- To provide and operate the Service (authentication, access control, generating diagnostic outputs, storing project data, sending transactional emails such as verification and password reset) — performance of a contract with you, or your Organisation, or legitimate interests in operating the Service.
- To process Customer-controlled data (for example, personal data of teammates added as Authorised Users) — on the Customer's documented instructions as controller.
- To process payments and manage subscriptions — performance of a contract and legal obligation (record-keeping).
- To send marketing emails about ControlStandard.Tools, The Control Standard, and Scorchsoft — consent (where you have opted in). You can withdraw consent at any time through the unsubscribe link in any email or by emailing privacy@scorchsoft.com.
- To capture and follow up with leads generated through public diagnostics, waitlists, and contact forms — legitimate interests in following up on enquiries you initiated, and consent where required (for example, for ongoing marketing emails).
- To secure the Service (rate limiting, fraud and abuse detection, audit logging, incident investigation) — legitimate interests in protecting the Service, its users, and third parties.
- To improve the Service (analysing how features are used, reviewing feedback, fixing bugs) — legitimate interests in maintaining and improving the Service. We do not use Your Content to train third-party AI or machine-learning models.
- To operate the Financial Tools (saving the inputs and outputs of the Drift-Tax Calculator and ROI estimator against your assessment submission, so you can return to or email yourself the result) — performance of a contract and legitimate interests in offering the tool. We may use aggregated, de-identified Financial-Tool usage to improve the underlying model and copy; we do not publish or share the specific figures you enter.
- To comply with legal obligations (tax and accounting, responses to lawful requests) — legal obligation.
- To communicate with you about your account, service updates, security matters, and changes to the Terms or this Policy — performance of a contract or legitimate interests.
Where we rely on legitimate interests, we have considered whether those interests are overridden by your rights and freedoms and have concluded they are not. You may object to such processing at any time by contacting privacy@scorchsoft.com.
5. Cookies and similar technologies
We use a small number of strictly necessary cookies and similar technologies to:
- keep you signed in and maintain session state;
- remember your preferences (for example, plan or display state);
- protect against cross-site request forgery (CSRF); and
- protect the Service against abuse.
We do not use third-party advertising cookies or cross-site tracking cookies. We may use first-party analytics that respect Do Not Track and that do not identify individual users. If we introduce optional analytics or marketing cookies in future, we will provide a cookie banner that lets you choose what to allow.
6. How we share personal data
We share personal data only as necessary to operate the Service and in accordance with this Policy.
- Within your Organisation. Project, check-in, and assessment data is visible to other Authorised Users of the same Organisation according to their role-based permissions. Aggregate team views may surface results across Authorised Users to managers and admins.
- Service providers and sub-processors. We use a small number of trusted sub-processors to host the Service, store data, send emails, manage subscriptions, and provide infrastructure. Each sub-processor is bound by appropriate contractual obligations covering confidentiality, security, and data protection. Our current key sub-processors include:
  - Stripe — payment processing.
  - MailerSend — transactional email (verification, password reset, account notices).
  - Mailchimp — marketing email list (only for users who opt in).
  - Insightly — business-enquiry CRM (only for data submitted through the "work with Scorchsoft" enquiry form).
  - Cloud hosting providers — infrastructure and storage.
  An up-to-date list of sub-processors is available on request from privacy@scorchsoft.com.
- Professional advisers. We may share personal data with our lawyers, auditors, insurers, and other professional advisers where reasonably necessary and under duties of confidentiality.
- Legal and regulatory disclosures. We may disclose personal data where required by law, court order, or competent regulatory authority.
- Business transfers. In the event of a merger, acquisition, sale of assets, or corporate reorganisation, we may transfer personal data to the relevant party as part of that transaction, subject to appropriate confidentiality arrangements.
We do not sell personal data, we do not share it for cross-context behavioural advertising, and we do not use Your Content to train third-party AI or machine-learning models.
7. International transfers
Some of our sub-processors are located outside the United Kingdom. Where we transfer personal data outside the UK we rely on appropriate safeguards under the UK GDPR, including (as applicable) the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, or an adequacy decision by the UK Government. On request, we will provide information about the relevant transfer mechanism.
8. How long we keep personal data
We retain personal data only for as long as necessary for the purposes set out in this Policy, taking into account the nature of the data and applicable legal and contractual obligations.
- Account data: while the account is active and for a reasonable period afterwards (typically up to 6 years) for audit, dispute resolution, and legal compliance.
- Project, check-in, and diagnostic data: while the relevant Organisation account is active, plus the retention window described above, unless you ask us to delete it sooner.
- Lead-capture data: for as long as is reasonable to follow up on the enquiry; thereafter for record-keeping in line with our legitimate interests, unless you ask us to delete it.
- Marketing-consent data: until you withdraw consent and for a reasonable period afterwards to demonstrate that we honoured your choice.
- Billing records: for the period required by tax and accounting law (typically 6 years from the end of the relevant accounting period).
- Technical and audit logs: typically 30 to 90 days for routine logs; longer where needed for security incident investigation.
- Backups: routine backups may contain copies of personal data for a limited period after the data has been deleted from our active systems, before being overwritten in the ordinary course.
We will delete or anonymise personal data when it is no longer required.
9. Your rights
Under the UK GDPR you have the following rights in respect of personal data we hold about you:
- the right to be informed about how your personal data is processed (this Policy);
- the right of access to your personal data;
- the right to rectification of inaccurate or incomplete personal data;
- the right to erasure ("right to be forgotten") in certain circumstances;
- the right to restrict processing in certain circumstances;
- the right to data portability where processing is based on consent or contract;
- the right to object to processing based on legitimate interests or to direct marketing; and
- rights in relation to automated decision-making and profiling — we do not carry out automated decision-making that produces legal or similarly significant effects on you.
To exercise any of these rights, please contact privacy@scorchsoft.com. We will respond within the time periods required by the UK GDPR (generally within one calendar month).
Where personal data is processed by us as a processor on behalf of an Organisation (for example, data uploaded about teammates), data-subject requests should ordinarily be directed to that Organisation as controller. We will assist the Organisation in responding to such requests where reasonably required.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority — https://ico.org.uk — although we encourage you to contact us first so that we can try to resolve any concerns.
10. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include encryption in transit (HTTPS/TLS), password hashing, role-based access controls, audit logging, rate limiting, environment segregation, and least-privilege access for staff.
No system is perfectly secure and we cannot guarantee the security of personal data transmitted over the internet. We encourage you to use a strong, unique password and, where available, multi-factor authentication.
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO and (where required) you, in line with our obligations under the UK GDPR.
11. Marketing communications
If you opt in to our mailing list — for example by ticking the marketing box at signup or by requesting the Pocket Standard with marketing consent — we will send you occasional product updates, practical control tips, and Scorchsoft news. You can unsubscribe at any time using the link in any email, by updating your preferences in the Service, or by emailing privacy@scorchsoft.com. Opting out of marketing does not affect transactional emails, which we must send to operate your account.
12. Changes to this Policy
We may update this Privacy Policy from time to time. Where we make material changes we will notify you by email, by an in-Service notice, or both, before the changes take effect. The "last updated" date at the top of this page indicates when this Policy was last revised. Where the change is material, we will require you to re-acknowledge it in the Service.
13. Contact
If you have any questions about this Privacy Policy or how we handle personal data, please contact:
Scorchsoft Ltd
13 Portland Road, Edgbaston, Birmingham, B16 9HN, United Kingdom
privacy@scorchsoft.com
This Privacy Policy was last updated on the date shown at the top of this page.