- Contract Performance (Article 6(1)(b)): Processing necessary to provide our service to you
- Legitimate Interests (Article 6(1)(f)): For service improvement, security, and fraud prevention
- Consent (Article 6(1)(a)): For optional marketing communications and analytics cookies
- Legal Obligation (Article 6(1)(c)): To comply with applicable laws and regulations
6. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected:
- Account Data: Retained while your account is active, plus 2 years after account closure for legal and administrative purposes
- CPD Reflections: Stored in your account until you delete them or close your account
- Payment Records: Retained for 7 years as required by UK tax legislation
- Usage Logs: Retained for up to 12 months for security and service improvement
- Uploaded Documents: Temporarily processed and deleted within 24 hours of processing
7. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing: Request limitation of how we process your data
- Right to Data Portability: Request transfer of your data to another provider
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time for consent-based processing
To exercise any of these rights, please contact us at mark@wizardsoftware.co.uk. We will respond within one month of your request.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Third-Party Data Processors
We share your data with the following trusted third parties who process data on our behalf:
- Replit: Authentication and hosting services (United States - Privacy Shield certified)
- Stripe: Payment processing (PCI DSS Level 1 certified)
- Anthropic: AI processing for reflection generation (data processed per their enterprise terms)
These processors are contractually bound to protect your data and process it only as instructed by us. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses.
9. Cookies and Tracking
We use the following cookies and similar technologies:
- Essential Cookies: Enable core functionality like authentication and session management
- Analytics Cookies: Understand how you use our service to improve it (with your consent)
- Preference Cookies: Remember your settings and preferences
You can manage your cookie preferences through our cookie consent banner or your browser settings. Note that disabling essential cookies may affect service functionality.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (HTTPS/TLS) and at rest
- Secure authentication via Replit Auth
- Regular security audits and monitoring
- Access controls and staff training
- Incident response procedures
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website or sending you an email. The "Last Updated" date at the top of this page indicates when the policy was last revised.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
We aim to respond to all enquiries within 5 working days.