How We Handle Your Data

Your privacy matters to us. This policy explains what personal data we collect, how we use it, and what rights you have under UK data protection law.

Last updated: March 2026

1. Who We Are

This website — The Trans Inclusion Toolkit (https://thetransinclusiontoolkit.co.uk) — is operated by SEE Change Happen Ltd, a company registered in England and Wales.

Company Registration: 13138905
Registered Address: 1 The Briars, Waterberry Drive, Waterlooville, PO7 7YH
Contact Email: info@seechangehappen.co.uk

SEE Change Happen Ltd is the data controller for personal data collected through this site. This means we decide how and why your personal data is processed.

2. What Data We Collect

We collect personal data in the following ways:

Data you provide directly

When you submit a form on this site (such as the contact form or email signup), we collect the information you enter. This may include your first name, last name, email address, job role, organisation name, areas of interest, and any message you choose to write. All forms on this site are processed through HubSpot, our customer relationship management platform.

Trans Inclusion Impact Diagnostic

When you take the Trans Inclusion Impact Diagnostic — our free online self-assessment — we collect the following data:

  • Registration details — your first name, last name, and email address (provided when you start the diagnostic)
  • Diagnostic responses — your answers to 50 questions about your organisation’s trans inclusion readiness. These are organisational self-assessments, not personal data about your gender identity, beliefs, or protected characteristics
  • Calculated scores — your overall score, domain scores (across 5 governance areas), and tier assignment, generated automatically from your responses

This data is processed on our platform to generate your diagnostic results, which are available immediately and stored in your account. Your diagnostic data may also be synced to our HubSpot CRM to enable follow-up communications (subject to your consent preferences).

Important: The diagnostic assesses your organisation’s governance readiness. It does not ask about your personal gender identity, sexual orientation, religion, or any other special category data as defined under UK GDPR Article 9.

Quinn AI Inclusion Assistant

When you use Quinn — our AI-powered inclusion assistant available on the Ask Quinn page — we collect the following data:

  • Conversation messages — the questions you type and the responses Quinn generates. Your messages are sent to OpenAI (via their API) to generate responses. OpenAI processes this data under their API data usage policy, which states that API inputs and outputs are not used to train their models
  • Knowledge base queries — your questions are converted into mathematical representations (embeddings) and matched against our knowledge base stored in Pinecone, a vector database service. No personal data is stored in Pinecone — only your query embedding is sent temporarily to find relevant content
  • Feedback ratings — if you rate a response using the thumbs up/down buttons, your rating, the question, and the response text are stored in our WordPress database for quality assurance and to improve Quinn’s effectiveness. These ratings are not linked to your personal identity
  • Email transcripts — if you choose to email yourself a copy of your conversation, we temporarily process the email address and conversation content to send the transcript via our email service. We do not retain copies of emailed transcripts
  • Local chat history — your conversation is temporarily cached in your browser’s local storage (not on our servers) so it persists if you refresh the page. This data is automatically deleted after 24 hours or when you click “New chat”

Important: Quinn provides general educational guidance — not legal, HR, or professional advice. Responses are AI-generated and may contain errors or inaccuracies. Please do not share personal information about identifiable individuals or confidential organisational data in your conversations with Quinn.

Subscriptions and payments (Stripe)

When you purchase a paid subscription to The Trans Inclusion Toolkit, your payment is processed by Stripe, a PCI DSS Level 1 certified payment processor. We collect and process the following data in connection with your subscription:

  • Payment information — your card details are entered directly on Stripe’s hosted checkout page. We do not see, store, or have access to your full card number or payment credentials. Stripe provides us with a limited reference (last four digits, card brand, and expiry month) for identification and support purposes only
  • Billing details — your name, email address, and billing address as provided at checkout. These are stored by Stripe and shared with us to manage your subscription
  • Subscription metadata — your subscription tier, billing cycle (monthly/annual), start date, renewal date, and payment status. This data is stored in our CRM (HubSpot) to manage your access tier and is used to control which features you can access on the site
  • Stripe Customer ID — a unique identifier assigned by Stripe, stored in our CRM to link your subscription to your account
  • Invoice and transaction history — records of payments, refunds, and billing events are maintained by Stripe and accessible to you through the Stripe Customer Portal

Your payment data is processed by Stripe in accordance with their Privacy Policy and is protected by PCI DSS Level 1 security standards — the highest level of certification in the payment industry.

Data collected automatically

When you visit this site, we automatically collect certain technical data through analytics tools. This includes page views, session duration, referral source, device type, browser type, and approximate geographic location. This data is collected via Google Analytics (through the Google Site Kit plugin) and Jetpack Stats. IP addresses are anonymised by Google Analytics before storage.

Cookies

This site uses cookies. Cookie consent is managed through the HubSpot cookie consent banner, which appears when you first visit the site. See Section 5 below for full details of the cookies we use.

Strategic Pathway Data

When you use the Strategic Pathway, we collect and store the following data to provide the service:

  • Organisation profile — organisation name, type, sector, size, and your role. Stored for 90 days after your last activity.
  • Pathway progress — which steps you have completed, your selections, and AI-generated analysis results. Stored for 90 days after your last activity.
  • Policy vault documents — policy files you upload for analysis. Stored as WordPress media attachments. You can delete these at any time from your dashboard. Automatically removed 90 days after your last activity.
  • Health check scores — AI-generated quality scores for uploaded policies. Stored alongside the policy files.
  • Usage telemetry — which tools you use, how often, and at what tier. Used to enforce fair usage limits and improve the service. No content of your policies or analysis is stored in telemetry.
  • Feedback and reports — any bug reports, feedback, or snagging tickets you submit, including screenshots if provided.

Data Retention

Your Strategic Pathway data is retained for 90 days after your last activity on the platform. If you do not log in or use any tool for 90 consecutive days:

  1. 60 days — you will receive an email reminder that your data will be removed.
  2. 75 days — you will receive a second reminder.
  3. 88 days — you will receive a final warning.
  4. 90 days — your pathway data, vault policies, and diagnostic results will be permanently deleted.

Subscription data (payment history, invoices) is retained by Stripe in accordance with their data retention policy and UK financial record-keeping requirements.

You can request immediate deletion of your data at any time by contacting us or using the “Request Deletion” option in your dashboard account settings.

AI Processing

Several tools in the Strategic Pathway use artificial intelligence (OpenAI GPT models) to analyse your policies and generate guidance. When you use these tools:

  • The text of your uploaded policies is sent to OpenAI’s API for analysis.
  • OpenAI does not use your data for training. We use their API under a data processing agreement that prohibits training on customer content.
  • AI-generated outputs are decision-support guidance, not legal advice.
  • We do not store the raw AI API responses beyond the structured results saved in your pathway state.

3. How We Use Your Data

We use the personal data we collect to:

  • Respond to your enquiries — when you submit a contact form, we use your details to get back to you
  • Send requested research materials — if you sign up for our email list, we send you the Beyond Compliance research findings and related resources
  • Improve our website — analytics data helps us understand which content is most useful and how visitors navigate the site
  • Send marketing communications — only with your explicit consent, we may send you updates about our research, services, and events. You can unsubscribe at any time
  • Deliver your diagnostic results — when you complete the Trans Inclusion Impact Diagnostic, we use your responses to generate a personalised PDF report, calculate your scores across 5 governance domains, and deliver your report by email
  • Benchmark and improve the diagnostic — we use aggregated, anonymised diagnostic data to improve the quality and relevance of the assessment. Individual responses are never published or shared in identifiable form
  • Provide the Quinn AI assistant — when you ask Quinn a question, we process your message through OpenAI and Pinecone to generate a relevant, context-aware response grounded in the Toolkit knowledge base
  • Improve Quinn’s responses — we use anonymised feedback ratings (thumbs up/down) to assess the quality and accuracy of Quinn’s responses and identify areas for improvement. Individual conversations are not reviewed unless flagged through the feedback system
  • Process your subscription — when you purchase a paid subscription, we use your billing and subscription data to manage your access tier, process payments via Stripe, send renewal reminders, and provide subscription management through the Stripe Customer Portal
  • Ensure site security — we monitor for security threats and maintain the integrity of the site

4. Legal Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for processing your personal data. We rely on the following bases:

  • Consent — when you submit a form or subscribe to our email communications, you give explicit consent for us to process the data you provide. You may withdraw consent at any time by contacting us or using the unsubscribe link in our emails
  • Legitimate interests — we use analytics data to improve our site and services. We have assessed that this processing is proportionate and does not override your rights
  • Contractual necessity — where you have purchased a subscription or requested a service from us (such as a paid subscription, diagnostic session, or executive briefing), we process your data as necessary to deliver that service, manage billing, and maintain your access

5. Cookies

Cookies are small text files placed on your device when you visit a website. This site uses the following cookies:

HubSpot cookies

__hstc — tracks visitor sessions (expires after 13 months).
__hssc — tracks sessions for analytics (expires after 30 minutes).
hubspotutk — stores a unique visitor ID (expires after 13 months).
__cf_bm — Cloudflare bot management (expires after 30 minutes).

Google Analytics cookies

_ga — distinguishes unique users (expires after 2 years).
_gid — distinguishes unique users (expires after 24 hours).
_gat — throttles request rate (expires after 1 minute).

Technical cookies

litespeed — LiteSpeed Cache performance cookie (session).
wordpress_logged_in_* — WordPress authentication (session, only for logged-in users).
sch_auth_token — authenticates registered toolkit users who sign in via email verification (expires after 30 days).

Managing cookies

You can manage your cookie preferences using the HubSpot cookie consent banner that appears when you first visit the site. You can also control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the site.

6. Third-Party Services

We use the following third-party services that may process your data:

  • Stripe — payment processing for paid subscriptions. Stripe handles all card data and billing in accordance with PCI DSS Level 1 standards. See the Stripe Privacy Policy
  • HubSpot — CRM, form processing, email marketing, live chat, and cookie consent. See the HubSpot Privacy Policy
  • Google Analytics — website analytics and audience measurement. See the Google Privacy Policy
  • Jetpack / WordPress.com — site statistics, security, and performance. See the Automattic Privacy Policy
  • OpenAI — powers the Quinn AI inclusion assistant. Your chat messages are sent to OpenAI’s API to generate responses. OpenAI does not use API data to train its models. See OpenAI Enterprise Privacy
  • Pinecone — vector database service used by Quinn to search the Toolkit knowledge base. Only mathematical representations of your query are sent; no personal data is stored. See the Pinecone Privacy Policy
  • LiteSpeed Cache — technical site caching for performance. No personal data is stored or transmitted

Each of these services operates under its own privacy policy. We have data processing agreements in place where required.

7. Data Sharing

We do not sell your personal data to third parties. We share personal data only in the following circumstances:

  • With data processors — we share data with Stripe, HubSpot, Google, OpenAI, and Pinecone as necessary to provide the services described above. These processors act on our instructions under appropriate data processing agreements
  • Where required by law — we may disclose personal data if required to do so by law, regulation, or court order
  • To protect our rights — we may disclose data to enforce our terms of use or to protect the rights, property, or safety of SEE Change Happen Ltd, our users, or the public

8. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit — the site uses HTTPS (TLS) encryption for all connections
  • Secure data processing — form data is processed and stored by HubSpot, which maintains SOC 2 Type II certification and implements enterprise-grade security controls
  • AI service security — Quinn chat messages are transmitted to OpenAI and Pinecone via encrypted API connections. OpenAI does not use API data to train its models
  • Access controls — access to personal data is restricted to authorised personnel on a need-to-know basis
  • Payment security — subscription payments are processed by Stripe, which is PCI DSS Level 1 certified. Card data is entered directly on Stripe’s secure hosted checkout page and never passes through our servers
  • Encrypted credentials — API keys and service credentials used by the site are stored using AES-256-CBC encryption
  • Regular review — we periodically review our security practices and update them as necessary

While we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Form submissions — contact form and enquiry data is retained in our HubSpot CRM for the duration of the business relationship plus 2 years
  • Email subscriber data — retained until the subscriber opts out or requests deletion
  • Diagnostic data — your diagnostic responses, scores, and results are retained for as long as necessary to deliver the service and for benchmarking purposes. You may request deletion at any time
  • Analytics data — retained according to Google Analytics and Jetpack default retention periods (typically 14–26 months)
  • Subscription and billing data — your subscription metadata (tier, billing cycle, start/end dates) is retained in our CRM for the duration of your subscription plus 2 years for accounting and tax purposes. Stripe retains payment and invoice records in accordance with their own retention policies and applicable financial regulations. Saved assessments and tool outputs are retained for 90 days after subscription cancellation
  • Quinn conversations — chat messages are processed in real time by OpenAI and are not permanently stored on our servers. Feedback ratings are retained in our WordPress database (capped at the most recent 1,000 ratings) for quality improvement purposes. Local chat history in your browser expires automatically after 24 hours

You may request deletion of your personal data at any time by contacting info@seechangehappen.co.uk.

10. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of access (Article 15) — you may request a copy of the personal data we hold about you. We will provide this within 30 days of your request
  • Right to rectification (Article 16) — if the data we hold about you is inaccurate or incomplete, you may request that we correct it
  • Right to erasure (Article 17) — you may request that we delete your personal data. This is sometimes known as the “right to be forgotten”. We will comply unless we have a legal obligation to retain the data
  • Right to restriction of processing (Article 18) — you may request that we limit how we process your data while a concern is being resolved
  • Right to data portability (Article 20) — you may request your data in a structured, commonly used, machine-readable format so that you can transfer it to another service
  • Right to object (Article 21) — you may object to processing based on legitimate interests or direct marketing. We will stop processing unless we can demonstrate compelling legitimate grounds
  • Rights related to automated decision-making (Article 22) — we do not use automated decision-making or profiling that produces legal or similarly significant effects. Quinn’s AI responses are informational only and do not produce decisions with legal effects
  • Right to withdraw consent — where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal

To exercise any of these rights, please contact info@seechangehappen.co.uk. We will respond within 30 days of receiving your request. If we need more time (up to a further 60 days for complex requests), we will inform you and explain why.

11. International Data Transfers

HubSpot, our CRM and marketing platform, processes some data in the United States. HubSpot maintains appropriate safeguards for international data transfers, including Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Agreement. For details, please refer to HubSpot’s Data Processing Agreement.

Google Analytics may also process data outside the UK/EEA. Google provides appropriate safeguards including Standard Contractual Clauses. See Google’s data transfer frameworks for more information.

Stripe processes payment data in the United States and other jurisdictions. Stripe maintains appropriate safeguards for international data transfers, including Standard Contractual Clauses and certification under the EU-US Data Privacy Framework. See Stripe’s Privacy Policy for details.

OpenAI processes Quinn chat data in the United States. OpenAI’s API data processing agreement includes appropriate safeguards for international data transfers. Pinecone also processes data in the United States under equivalent protections.

12. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with a revised “Last updated” date. Where changes are material, we may also notify email subscribers directly. We encourage you to review this policy periodically.

13. Contact Us

If you have questions about this privacy policy or how we handle your data, please contact us:

Email: info@seechangehappen.co.uk
Post: SEE Change Happen Ltd, 1 The Briars, Waterberry Drive, Waterlooville, PO7 7YH

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: https://ico.org.uk
Telephone: 0303 123 1113