How We Handle Your Data
Your privacy matters to us. This policy explains what personal data we collect, how we use it, and what rights you have under UK data protection law.
1. Who We Are
This website — The Trans Inclusion Toolkit (https://thetransinclusiontoolkit.co.uk) — is operated by SEE Change Happen Ltd, a company registered in England and Wales.
Company Registration: 13138905
Registered Address: 1 The
Briars, Waterberry Drive, Waterlooville, PO7 7YH
Contact Email: [email protected]
SEE Change Happen Ltd is the data controller for personal data collected through this site. This means we decide how and why your personal data is processed.
2. What Data We Collect
We collect personal data in the following ways:
Data you provide directly
When you submit a form on this site (such as the contact form or email signup), we collect the information you enter. This may include your first name, last name, email address, job role, organisation name, areas of interest, and any message you choose to write. Form submissions are sent server-side to HubSpot, our customer relationship management platform, only when you explicitly submit the form.
Trans Inclusion Impact Diagnostic
When you take the Trans Inclusion Impact Diagnostic — our free online self-assessment, available at app.thetransinclusiontoolkit.co.uk — we collect the following data:
- Registration details — your first name, last name, and email address (provided when you start the diagnostic)
- Diagnostic responses — your answers to 55 questions about your organisation's trans inclusion readiness. These are organisational self-assessments, not personal data about your gender identity, beliefs, or protected characteristics
- Calculated scores — your overall score, domain scores (across 5 governance areas), and tier assignment, generated automatically from your responses
This data is processed on our platform to generate your diagnostic results, which are available immediately and stored in your account. Your diagnostic data may also be synced to our HubSpot CRM to enable follow-up communications (subject to your consent preferences).
Important: The diagnostic assesses your organisation's governance readiness. It does not ask about your personal gender identity, sexual orientation, religion, or any other special category data as defined under UK GDPR Article 9.
Quinn AI Inclusion Assistant
When you use Quinn — our AI-powered inclusion assistant, available at app.thetransinclusiontoolkit.co.uk — we collect the following data:
- Conversation messages — the questions you type and the responses Quinn generates. Your messages are sent to OpenAI (via their API) to generate responses. OpenAI processes this data under their API data usage policy, which states that API inputs and outputs are not used to train their models
- Knowledge base queries — your questions are converted into mathematical representations (embeddings) and matched against our knowledge base stored in Pinecone, a vector database service. No personal data is stored in Pinecone — only your query embedding is sent temporarily to find relevant content
- Feedback ratings — if you rate a response using the thumbs up/down buttons, your rating, the question, and the response text are stored for quality assurance and to improve Quinn's effectiveness. These ratings are not linked to your personal identity
- Email transcripts — if you choose to email yourself a copy of your conversation, we temporarily process the email address and conversation content to send the transcript via our email service. We do not retain copies of emailed transcripts
- Local chat history — your conversation is temporarily cached in your browser's local storage (not on our servers) so it persists if you refresh the page. This data is automatically deleted after 24 hours or when you click "New chat"
Important: Quinn provides general educational guidance — not legal, HR, or professional advice. Responses are AI-generated and may contain errors or inaccuracies. Please do not share personal information about identifiable individuals or confidential organisational data in your conversations with Quinn.
Subscriptions and payments (Stripe)
When you purchase a paid subscription to The Trans Inclusion Toolkit, your payment is processed by Stripe, a PCI DSS Level 1 certified payment processor. We collect and process the following data in connection with your subscription:
- Payment information — your card details are entered directly on Stripe's hosted checkout page. We do not see, store, or have access to your full card number or payment credentials. Stripe provides us with a limited reference (last four digits, card brand, and expiry month) for identification and support purposes only
- Billing details — your name, email address, and billing address as provided at checkout. These are stored by Stripe and shared with us to manage your subscription
- Subscription metadata — your subscription tier, billing cycle (monthly/annual), start date, renewal date, and payment status. This data is stored in our CRM (HubSpot) to manage your access tier and is used to control which features you can access on the platform
- Stripe Customer ID — a unique identifier assigned by Stripe, stored in our CRM to link your subscription to your account
- Invoice and transaction history — records of payments, refunds, and billing events are maintained by Stripe and accessible to you through the Stripe Customer Portal
Your payment data is processed by Stripe in accordance with their Privacy Policy and is protected by PCI DSS Level 1 security standards — the highest level of certification in the payment industry.
Analytics and tracking
We do not run Google Analytics, social-media pixels, or third-party advertising networks on this site.
We collect a minimal, first-party analytics signal directly on our own server as you browse: the page path you visited and a broad arrival category (for example, direct, search, or referral). This signal is never linked to your name, email address, or any other identifying information; it is not combined with data from other sites; and it does not use device fingerprinting or any persistent cross-site tracking identifier. It exists solely to tell us, in aggregate, which pages are useful and where visitors are arriving from.
This site also loads a tracking script from HubSpot, our CRM platform, to help us understand site usage and support marketing communications. HubSpot's analytics cookies are non-essential and are gated behind this site's own first-party cookie banner, which appears on your first visit: those cookies are only set if you accept the banner; if you decline, no HubSpot analytics cookies are set at all. You can change your choice at any time using the "Manage cookies" link in the site footer, which reopens the banner.
Where this site includes a contact or enquiry form, the information you enter is sent server-side to our CRM (HubSpot) only when you explicitly submit the form, regardless of your cookie consent choice.
Strategic Pathway Data
When you use the Strategic Pathway, we collect and store the following data to provide the service:
- Organisation profile — organisation name, type, sector, size, and your role. Stored for 90 days after your last activity.
- Pathway progress — which steps you have completed, your selections, and AI-generated analysis results. Stored for 90 days after your last activity.
- Policy vault documents — policy files you upload for analysis. You can delete these at any time from your dashboard. Automatically removed 90 days after your last activity.
- Health check scores — AI-generated quality scores for uploaded policies. Stored alongside the policy files.
- Usage telemetry — which tools you use, how often, and at what tier. Used to enforce fair usage limits and improve the service. No content of your policies or analysis is stored in telemetry.
- Feedback and reports — any bug reports, feedback, or snagging tickets you submit, including screenshots if provided.
Data Retention
Your Strategic Pathway data is retained for 90 days after your last activity on the platform. If you do not log in or use any tool for 90 consecutive days:
- 60 days — you will receive an email reminder that your data will be removed.
- 75 days — you will receive a second reminder.
- 88 days — you will receive a final warning.
- 90 days — your pathway data, vault policies, and diagnostic results will be permanently deleted.
Subscription data (payment history, invoices) is retained by Stripe in accordance with their data retention policy and UK financial record-keeping requirements.
You can request immediate deletion of your data at any time by contacting us or using the "Request Deletion" option in your dashboard account settings.
AI Processing
Several tools in the Strategic Pathway use artificial intelligence (OpenAI GPT models) to analyse your policies and generate guidance. When you use these tools:
- The text of your uploaded policies is sent to OpenAI's API for analysis.
- OpenAI does not use your data for training. We use their API under a data processing agreement that prohibits training on customer content.
- AI-generated outputs are decision-support guidance, not legal advice.
- We do not store the raw AI API responses beyond the structured results saved in your pathway state.
3. How We Use Your Data
We use the personal data we collect to:
- Respond to your enquiries — when you submit a contact form, we use your details to get back to you
- Send requested research materials — if you sign up for our email list, we send you the Beyond Compliance research findings and related resources
- Improve our website — our first-party analytics signal helps us understand which content is most useful and how visitors navigate the site
- Send marketing communications — only with your explicit consent, we may send you updates about our research, services, and events. You can unsubscribe at any time
- Deliver your diagnostic results — when you complete the Trans Inclusion Impact Diagnostic, we use your responses to generate a personalised report, calculate your scores across 5 governance domains, and deliver your report by email
- Benchmark and improve the diagnostic — we use aggregated, anonymised diagnostic data to improve the quality and relevance of the assessment. Individual responses are never published or shared in identifiable form
- Provide the Quinn AI assistant — when you ask Quinn a question, we process your message through OpenAI and Pinecone to generate a relevant, context-aware response grounded in the Toolkit knowledge base
- Improve Quinn's responses — we use anonymised feedback ratings (thumbs up/down) to assess the quality and accuracy of Quinn's responses and identify areas for improvement. Individual conversations are not reviewed unless flagged through the feedback system
- Process your subscription — when you purchase a paid subscription, we use your billing and subscription data to manage your access tier, process payments via Stripe, send renewal reminders, and provide subscription management through the Stripe Customer Portal
- Ensure site security — we monitor for security threats and maintain the integrity of the site
4. Legal Basis for Processing
Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for processing your personal data. We rely on the following bases:
- Consent — when you submit a form or subscribe to our email communications, you give explicit consent for us to process the data you provide. You may withdraw consent at any time by contacting us or using the unsubscribe link in our emails
- Legitimate interests — we use our first-party analytics signal to improve our site and services. We have assessed that this processing is proportionate, privacy-light by design, and does not override your rights
- Contractual necessity — where you have purchased a subscription or requested a service from us (such as a paid subscription, diagnostic session, or executive briefing), we process your data as necessary to deliver that service, manage billing, and maintain your access
5. Cookies
Cookies are small text files placed on your device when you visit a website. This site does not set any analytics or advertising cookies unless you accept them via the cookie banner described below. The following cookies are used:
Functional and security cookies (always set)
__cf_bm — Cloudflare bot management, used to protect the site from automated
abuse (expires after 30 minutes).
Turnstile verification cookie — set
only when you submit a form, to confirm you are not a bot (short expiry).
Analytics cookies (only if you accept)
This site shows a first-party cookie banner on your first visit. If you accept, HubSpot sets the following cookies to help us understand site usage:
- hubspotutk — visitor identification for analytics, up to 13 months
- __hstc — main HubSpot analytics cookie, up to 13 months
- __hssc — session tracking, 30 minutes
- __hssrc — session cookie, deleted when you close your browser
If you decline, none of these cookies are set and no HubSpot analytics tracking takes place. Your accept/decline choice itself is stored in your browser's local storage, not a cookie. You can change your choice at any time using the "Manage cookies" link in the site footer, which reopens the banner.
Preferences
Your light/dark theme preference is stored in your browser's local storage, not a cookie, and never leaves your device.
Account and platform cookies
If you sign in to your account at app.thetransinclusiontoolkit.co.uk, that platform sets a strictly necessary authentication cookie to keep you signed in. This is covered by this Privacy Policy but operates on the app subdomain, not on this marketing site.
Managing cookies
You can control cookies through your browser settings at any time. To change your analytics consent choice, use the "Manage cookies" link in the site footer to reopen the cookie banner and select accept or decline. Declining removes the HubSpot analytics cookies described above; the strictly necessary security cookies remain, as the site cannot function safely without them.
6. Third-Party Services
We use the following third-party services that may process your data:
- Stripe — payment processing for paid subscriptions. Stripe handles all card data and billing in accordance with PCI DSS Level 1 standards. Stripe Privacy Policy
- HubSpot — CRM, form processing, and email communications. Contact records are created server-side only when you submit a form. HubSpot Privacy Policy
- Cloudflare — hosting, content delivery, and security, including bot management and spam protection (Turnstile) on forms. Cloudflare Privacy Policy
- Amazon Web Services (AWS) — file and media storage (S3), backups, and content delivery (CloudFront), processed in the London (eu-west-2) region. AWS Privacy Notice
- OpenAI — powers the Quinn AI inclusion assistant. Your chat messages are sent to OpenAI's API to generate responses. OpenAI does not use API data to train its models. OpenAI Enterprise Privacy
- Pinecone — vector database service used by Quinn to search the Toolkit knowledge base. Only mathematical representations of your query are sent; no personal data is stored. Pinecone Privacy Policy
Each of these services operates under its own privacy policy. We have data processing agreements in place where required.
7. Data Sharing
We do not sell your personal data to third parties. We share personal data only in the following circumstances:
- With data processors — we share data with Stripe, HubSpot, Cloudflare, OpenAI, and Pinecone as necessary to provide the services described above. These processors act on our instructions under appropriate data processing agreements
- Where required by law — we may disclose personal data if required to do so by law, regulation, or court order
- To protect our rights — we may disclose data to enforce our terms of use or to protect the rights, property, or safety of SEE Change Happen Ltd, our users, or the public
8. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit — the site uses HTTPS (TLS) encryption for all connections
- Secure data processing — form data is processed and stored by HubSpot, which maintains SOC 2 Type II certification and implements enterprise-grade security controls
- AI service security — Quinn chat messages are transmitted to OpenAI and Pinecone via encrypted API connections. OpenAI does not use API data to train its models
- Access controls — access to personal data is restricted to authorised personnel on a need-to-know basis
- Payment security — subscription payments are processed by Stripe, which is PCI DSS Level 1 certified. Card data is entered directly on Stripe's secure hosted checkout page and never passes through our servers
- Encrypted credentials — API keys and service credentials used by the platform are stored using AES-256-CBC encryption
- Regular review — we periodically review our security practices and update them as necessary
While we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Form submissions — contact form and enquiry data is retained in our HubSpot CRM for the duration of the business relationship plus 2 years
- Email subscriber data — retained until the subscriber opts out or requests deletion
- Diagnostic data — your diagnostic responses, scores, and results are retained for as long as necessary to deliver the service and for benchmarking purposes. You may request deletion at any time
- Analytics data — our first-party analytics signal retains aggregated page-path and arrival-category records only; these are not linked to your identity and are kept only as long as necessary for reporting
- Subscription and billing data — your subscription metadata (tier, billing cycle, start/end dates) is retained in our CRM for the duration of your subscription plus 2 years for accounting and tax purposes. Stripe retains payment and invoice records in accordance with their own retention policies and applicable financial regulations. Saved assessments and tool outputs are retained for 90 days after subscription cancellation
- Quinn conversations — chat messages are processed in real time by OpenAI and are not permanently stored on our servers. Feedback ratings are retained (capped at the most recent 1,000 ratings) for quality improvement purposes. Local chat history in your browser expires automatically after 24 hours
You may request deletion of your personal data at any time by contacting [email protected].
10. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15) — you may request a copy of the personal data we hold about you. We will provide this within 30 days of your request
- Right to rectification (Article 16) — if the data we hold about you is inaccurate or incomplete, you may request that we correct it
- Right to erasure (Article 17) — you may request that we delete your personal data. This is sometimes known as the "right to be forgotten". We will comply unless we have a legal obligation to retain the data
- Right to restriction of processing (Article 18) — you may request that we limit how we process your data while a concern is being resolved
- Right to data portability (Article 20) — you may request your data in a structured, commonly used, machine-readable format so that you can transfer it to another service
- Right to object (Article 21) — you may object to processing based on legitimate interests or direct marketing. We will stop processing unless we can demonstrate compelling legitimate grounds
- Rights related to automated decision-making (Article 22) — we do not use automated decision-making or profiling that produces legal or similarly significant effects. Quinn's AI responses are informational only and do not produce decisions with legal effects
- Right to withdraw consent — where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal
To exercise any of these rights, please contact [email protected]. We will respond within 30 days of receiving your request. If we need more time (up to a further 60 days for complex requests), we will inform you and explain why.
11. International Data Transfers
HubSpot, our CRM and marketing platform, processes some data in the United States. HubSpot maintains appropriate safeguards for international data transfers, including Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Agreement. For details, please refer to HubSpot's Data Processing Agreement.
Stripe processes payment data in the United States and other jurisdictions. Stripe maintains appropriate safeguards for international data transfers, including Standard Contractual Clauses and certification under the EU-US Data Privacy Framework. See Stripe's Privacy Policy for details.
Cloudflare provides hosting, content delivery, and security for this site across its global edge network. Where this involves processing personal data outside the United Kingdom, it takes place under Cloudflare's Data Processing Addendum, which incorporates the European Commission's Standard Contractual Clauses and the UK Addendum (International Data Transfer Agreement). See Cloudflare's Privacy Policy for details.
OpenAI processes Quinn chat data in the United States, under OpenAI's Data Processing Addendum, which incorporates the Standard Contractual Clauses and the UK Addendum. Pinecone also processes data in the United States, under Pinecone's Data Processing Addendum, which incorporates the Standard Contractual Clauses and the UK Addendum.
12. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with a revised "Last updated" date. Where changes are material, we may also notify email subscribers directly. We encourage you to review this policy periodically.
13. Contact Us
If you have questions about this privacy policy or how we handle your data, please contact us:
Email: [email protected]
Post: SEE Change Happen Ltd, 1 The Briars, Waterberry Drive,
Waterlooville, PO7 7YH
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Website: https://ico.org.uk
Telephone: 0303 123 1113