Privacy Policy

Last updated: 27 April 2026

This policy explains how Joe Reid, trading as Stratavue (a sole trader registered in the United Kingdom) (“we”) collects, uses, stores, and protects personal data when you use our Service. We are the data controller for personal data submitted directly by you (e.g. account details). For data your organisation uploads about other people (employees, customers, third parties), your organisation is the controller and we are the processor.

1. What data we collect

  • Account data — name, email, organisation.
  • Billing data — handled by Stripe. We receive only the last 4 digits and card brand for display.
  • Usage data — login times, page views, audit log entries.
  • Content you upload — capabilities, initiatives, evidence, processes, and other data you enter into the Service.

2. How we use it

  • To provide and improve the Service.
  • To send transactional emails (welcome, billing alerts, password reset).
  • To send the optional weekly digest, which you can opt out of in your notification preferences.
  • To investigate abuse, security incidents, or legal requests.

3. Legal basis (UK GDPR)

  • Contract performance — for core service delivery.
  • Legitimate interests — for security, fraud prevention, and abuse detection.
  • Consent — for optional emails (digest) and any non-essential cookies.
  • Legal obligation — for accounting and tax records.

4. Sub-processors

We use the following sub-processors to deliver the Service:

  • Supabase, Inc. — database hosting and authentication services. Data processed in the United Kingdom.
  • Stripe Payments UK Limited — payment processing for paid subscriptions. Data processed in the United Kingdom. Stripe Payments UK Limited is authorised by the Financial Conduct Authority as an electronic money institution (firm reference number 900461).
  • Anthropic, PBC — AI assistance for the optional onboarding wizard. Data processed in the United States, with international transfers governed by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
  • Vercel, Inc. — web application hosting. Data processed in the United Kingdom.
  • Google Ireland Limited (Google Workspace) — transactional email delivery. Data processed in the United Kingdom and the European Economic Area.
  • Upstash, Inc. — rate-limiting infrastructure to protect against abuse. Data processed in the United Kingdom.

5. Business transfers

If Stratavue undergoes a change of ownership — such as a merger, acquisition, or sale of assets — your personal data may be transferred to the acquiring entity as part of that transaction. We will notify affected users by email at least 30 days before any such transfer becomes effective. The acquiring entity will be bound by the terms of this Privacy Policy unless and until you receive notice of a new policy, at which point you may exercise your data subject rights (including erasure) before continuing to use the Service under the new terms.

6. International transfers

The Anthropic transfer is the only international transfer of personal data and is governed by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses. All other sub-processors process data in the United Kingdom or the European Economic Area only, with no international transfer.

7. Data retention

  • Account data is retained while your account is active and deleted within 30 days of account closure (per the trial-cleanup cron and GDPR cascade).
  • Audit logs are retained for 7 years in line with UK regulatory standards.
  • Backups are retained for 30 days.

8. Your rights under UK GDPR

  • Access (Article 15) — via /settings/data-export for organisation admins.
  • Rectification (Article 16) — edit in-app, or contact us.
  • Erasure (Article 17) — /settings/delete-organisation for org admins, or /settings/leave-workspace for individual users.
  • Portability (Article 20) — via /settings/data-export.
  • Object to processing — contact us.
  • Withdraw consent — via /settings/notifications, or contact us.

9. Cookies

We use essential cookies for login sessions and preferences. We do not currently use third-party analytics or advertising cookies. If this changes, we will update this policy and re-prompt for consent.

10. Security

We use TLS encryption in transit, encryption at rest, role-based access controls, and append-only audit logging. We conduct regular security reviews of our infrastructure and dependencies.

11. Data breach notification

Material data breaches are reported to the Information Commissioner's Office (ICO) within 72 hours of discovery and to affected users without undue delay.

12. Children

The Service is not directed at individuals under 18. We do not knowingly collect personal data from children.

13. Contact

For privacy questions, data subject access requests, or complaints, contact contact@stratavue.co.uk. You also have the right to complain to the Information Commissioner's Office at ico.org.uk.

Material changes to this policy will be notified by email 30 days in advance. Continued use of the Service after the effective date constitutes acceptance.