Privacy policy
This policy explains how Do Your Bit Ltd (“we”, “us”), trading as Scale at Speed, handles your personal data when you use the Scale at Speed Advisor at scaleatspeed.ai. We handle your data lawfully under the UK GDPR and the Data Protection Act 2018.
1. What we collect
When you use the Advisor we may collect and store:
- Account data — your email address, display name, and (if you sign in with Google) your Google account ID and profile picture URL.
- Conversation data — every message you send to the advisor and every response the advisor generates, stored so the conversation can continue and (for paid members) so the advisor can recall past sessions.
- Scorecard data — if you complete a Scale at Speed scorecard, the scores and the original submission payload are stored against your account.
- Billing data — if you upgrade, a Stripe customer ID, subscription ID and payment dates (we never see or store your card number — Stripe handles that).
- Usage data — the IP address you connect from, the browser user-agent, timestamps of requests and session activity.
- Referral device signal (referral sign-ups only) — if you arrive through a referral invite link, your browser computes a privacy-preserving device identifier locally, using the open-source FingerprintJS library entirely within your browser (no third-party fingerprinting service is contacted). We store it against the referral record only, to detect and prevent referral fraud (for example, one person creating many fake accounts to farm rewards).
- Marketing preferences — the tags we apply to your record in Mailchimp based on the topics you discuss with the advisor (e.g. “topic-hiring”, “topic-cash-flow”).
- Audio data (voice mode only) — when you use voice mode, your microphone audio is streamed in real time to our transcription and synthesis processors. Audio is processed in transit and is not stored by us or by the processors. Transcripts derived from your audio are saved against your account in the same way as text-mode messages.
2. Why we use it
- To provide the Advisor (authenticate you, run the chat, remember paid members’ context).
- To bill paid members and maintain records required by UK tax law.
- To send you transactional emails (magic link login, payment failures, membership receipts).
- To send you marketing emails via Mailchimp only if you’ve opted in. You can unsubscribe at any time.
- To improve the service — anonymised and aggregated patterns across users (e.g. which business problems come up most often) may inform future content and features.
- To investigate fraud, abuse, or technical issues.
3. Legal bases (UK GDPR Art. 6)
- Contract — running the Advisor you’ve asked for.
- Legitimate interest — core functionality, fraud prevention, keeping the service online, and aggregate first-party analytics (Google Analytics 4 via Google Tag Manager) used to understand how the Advisor is used in aggregate. We have carried out a Legitimate Interests Assessment (LIA): the analytics is first-party, IP addresses are anonymised by GA4 before storage, and the data is used only to improve the service. GA4 runs in cookieless form until you consent. Advertising and remarketing cookies (Meta Pixel, Google Ads, LinkedIn Insight — configured via Google Tag Manager) are set only with your consent via the cookie banner; no advertising or cross-site profiling occurs without your consent. You can withdraw your cookie choice at any time via Cookie settings (see section 7). For referral sign-ups we also compute a local device identifier (see section 1) solely to detect referral fraud — it is first-party, computed in your browser, never used for advertising or cross-site tracking, and compared only against other referral sign-ups. You can object to the analytics processing at any time using the link in section 7, and to other legitimate-interest processing under section 6.
- Consent — marketing emails. You can withdraw consent at any time by unsubscribing.
- Legal obligation — accounting and tax records.
4. Who we share it with
We use the following third-party processors. Each is bound by a data-processing agreement with us. We do not sell your data to anyone.
- Anthropic (US) — runs the Claude AI model that powers the advisor. Your messages are sent to Anthropic to generate responses. Anthropic's API terms explicitly state that they do not train their models on data submitted via the API — your conversations are never used to improve or fine-tune any AI model. Anthropic privacy policy.
- ElevenLabs (US) — runs voice mode end-to-end. Microphone audio is streamed to ElevenLabs Conversational AI for transcription, voice activity detection, and turn handling; the advisor's reply is then synthesised by ElevenLabs and streamed back to your browser. ElevenLabs does not retain transcripts or synthesised audio. ElevenLabs privacy policy.
- Supabase (US/EU) — hosts our database. Supabase privacy policy.
- Stripe (Ireland / US) — handles all payment processing. Stripe privacy policy.
- Postmark / ActiveCampaign (US) — sends transactional emails. Postmark privacy policy.
- Mailchimp / Intuit (US) — manages our marketing list. Intuit privacy policy.
- Google (US) — only if you sign in with Google; handles the OAuth handshake. Google privacy policy.
- ScoreApp (UK) — if you complete a scorecard, your submission passes through ScoreApp to our systems. ScoreApp privacy policy.
- Cloudflare (US) — DNS, CDN and DDoS protection in front of the site. Cloudflare privacy policy.
- Hostwinds (US) — our VPS host. Hostwinds privacy policy.
Some processors are based outside the UK/EEA. Transfers rely on UK International Data Transfer Addenda, EU Standard Contractual Clauses, or adequacy decisions as applicable.
5. How long we keep it
- Conversation messages — retained for as long as your account is active. Paid members’ past sessions are summarised automatically for future context.
- Scorecard results — retained for as long as your account is active.
- Billing records — retained for seven (7) years after your last payment to meet UK tax law.
- Magic-link tokens — deleted within 7 days of expiry.
- Account data — on deletion, all personal data is erased except billing records required by law.
6. Your rights
You can request to:
- Access a copy of the data we hold about you;
- Correct anything that is inaccurate;
- Delete your account and all associated personal data (right to erasure);
- Export your data in a portable format;
- Object to processing based on legitimate interest;
- Withdraw marketing consent at any time (every marketing email includes an unsubscribe link).
To exercise any of these rights, email [email protected]. We will respond within one month.
If you’re unhappy with our response you can complain to the UK Information Commissioner’s Office at ico.org.uk.
7. Cookies and local storage
We use four categories: strictly necessary, session attribution, first-party analytics (relied on under legitimate interest — see section 3), and advertising / remarketing (consent only). GA4 runs in cookieless form under denied consent; advertising and remarketing cookies are set only after you accept via the cookie banner.
Strictly necessary
- sas_session — identifies your authenticated session; HttpOnly, Secure, SameSite=Lax; expires after 30 days.
- sas_oauth — transient cookie used only during the Google sign-in handshake; expires after 10 minutes.
- sas_demo — anonymous demo session identifier written server-side (HttpOnly); expires after 7 days. Lets your demo conversation persist until you sign in, when the session is merged and this cookie is deleted.
Session attribution (functional)
- sas_utm_first — stores first-touch UTM campaign parameters at the start of your visit; expires after 30 days. Written to your account at signup.
- sas_utm_last — stores most-recent UTM campaign parameters; expires after 24 hours.
- sas_ref — stores the referral code from a referral invite link; expires after 30 days.
- sas_consent_v1 (localStorage — not a cookie) — stores your Accept / Reject choice from the cookie banner. Kept locally in your browser; not transmitted to our servers.
First-party analytics (Google Analytics 4)
- _ga, _ga_WM07W5FTXR — Google Analytics; expire after 2 years / 13 months; used to distinguish users and sessions for aggregate, first-party analytics. IP addresses are anonymised by GA4 before storage. Under denied consent, GA4 operates in cookieless mode and these cookies are not set.
Advertising and remarketing (consent only)
Set only after you accept via the cookie banner. Used to measure ad performance and build remarketing audiences. Configured in Google Tag Manager; managed by the respective platforms.
- Meta Pixel — _fbp and related; expires up to 90 days.
- Google Ads — _gcl_* cookies; expiry varies (30–90 days).
- LinkedIn Insight Tag — li_*, bcookie; expiry varies (30 days to 2 years).
Demo conversation retention
Anonymous demo conversations (started before sign-up) are stored server-side for up to 7 days and deleted on expiry or when merged into your account at sign-up, whichever comes first. The IP address of demo requests is logged for abuse prevention and deleted after 7 days. UTM campaign parameters captured during your visit are stored against your account at sign-up for attribution purposes.
Cookie settings
To opt out of GA4 in your browser, install Google’s opt-out browser add-on. You can change or withdraw your cookie choice at any time using the Cookie settings control on the site.
To exercise your right to object to processing based on legitimate interest, email [email protected].
8. Security
All traffic between your browser and our servers is encrypted with TLS. Data at rest in Supabase is encrypted. Webhook endpoints (ScoreApp, Stripe) use shared-secret and cryptographic signature verification. We restrict direct access to production infrastructure to named engineers only.
Despite our efforts, no internet transmission is 100% secure. If a breach affects your personal data and creates a high risk to your rights, we will notify you without undue delay.
9. Children
The Advisor is not intended for users under 16. We do not knowingly collect personal data from anyone under 16.
10. Changes
We may update this policy. The “Last updated” date at the top reflects the most recent change. Material changes will be announced by email to members.
11. Contact
Data controller: Do Your Bit Ltd (Company No. 08130003)
Registered office: Suite 2a, 7th Floor — PF City Reach, 5 Greenwich View Place, London, E14 9NN, United Kingdom
Email: [email protected]