Company & Controller

Who Is Responsible for Your Data

This site and platform are operated by SEE Change Happen Ltd, a company registered in England and Wales, Company No. 13138905, registered address 1 The Briars, Waterberry Drive, Waterlooville, PO7 7YH. SEE Change Happen Ltd is the data controller for personal data collected through this site and the platform at app.thetransinclusiontoolkit.co.uk.

Source: Privacy Policy, §1 "Who We Are".

Encryption & Application Security

How Data Is Protected in Transit and at Rest

  • Encryption in transit — the site and platform use HTTPS (TLS) encryption for all connections.
  • Encrypted credentials — API keys and service credentials used by the platform are stored using AES-256-CBC encryption.
  • Access controls — access to personal data is restricted to authorised personnel on a need-to-know basis.
  • Bot and abuse protection — Cloudflare bot management, and Turnstile on forms, protect the site from automated abuse.

Source: Privacy Policy, §8 "Data Security".

Access & Authentication

How Sign-In and Licensing Work

  • Per-user licensing — Practitioner and Professional access levels are licensed per user.
  • Passwordless sign-in — you sign in with your personal email address and a 6-digit one-time code sent by email. There are no passwords to set, store, or forget — so there is no password database to breach, reuse, or phish.
  • Devices — each licence covers up to 2 devices. If you need to use a new device once you've reached that limit, you can retire an existing device yourself to free up a slot.

Sub-processors

Who Else Processes Your Data

  • Stripe — payment processing for paid subscriptions; PCI DSS Level 1 certified. Card data is entered on Stripe's own hosted checkout page and never passes through our servers.
  • HubSpot — CRM, form processing, and email communications; maintains SOC 2 Type II certification.
  • Cloudflare — hosting, content delivery, and security, including bot management and Turnstile on forms.
  • OpenAI — powers the Quinn AI inclusion assistant and the Strategic Pathway's AI-powered tools.
  • Pinecone — vector database used by Quinn to search the Toolkit knowledge base; no personal data is stored, only a temporary query embedding.

Source: Privacy Policy, §6 "Third-Party Services".

AI Data Handling

No AI Training on Your Data

Commitment

OpenAI's API data usage policy states that API inputs and outputs are not used to train their models. Where Quinn or the Strategic Pathway's AI tools analyse your questions or uploaded policies, we use OpenAI's API under a data processing agreement that prohibits training on customer content. Pinecone, the vector database behind Quinn's knowledge-base search, stores no personal data — only a temporary mathematical representation (embedding) of your query is sent to find relevant content.

Source: Privacy Policy, "Quinn AI Inclusion Assistant" and "AI Processing" sections.

AI Architecture

How the Toolkit Uses AI

You interact with the Toolkit application — never directly with an AI provider. The Toolkit is not a front-end on a chatbot: it is an application whose services make their own API calls to AI models where a task needs one, through a deliberately platform- and model-agnostic layer.

  • Model selection is per task. The model used is specific to the need of the calling service — currently mostly OpenAI's GPT-5.4 mini and GPT-5.5 models.
  • Prompts come from a tested library. Calls are built from a predetermined, multi-layered prompt library that injects steering as needed (for example, UK English) — not free-form pass-through of your input.
  • It is not purely AI. Deterministic code performs look-ups and cross-referencing, and output is cross-checked against tables of predetermined citations — code is reliable and repeatable where AI, by its nature, varies.
  • Models are evaluated before they are adopted. The platform has A/B scaffolding that tests new models against a saved benchmark of known-good responses, so the platform can evolve as models evolve.

Data Residency

Where Your Data Is Processed

We do not claim UK-only data residency. HubSpot and OpenAI/Pinecone process some data in the United States under Standard Contractual Clauses and the UK International Data Transfer Agreement; Stripe processes payment data in the United States and other jurisdictions under Standard Contractual Clauses and its certification under the EU-US Data Privacy Framework.

File and media storage, backups, and content delivery run on Amazon Web Services — S3 and CloudFront — in the London (eu-west-2) region, so that data does not leave the UK. This website is served by Cloudflare; the Toolkit application itself is hosted with a UK hosting provider, and we are confirming its precise data-centre location.

Source: Privacy Policy, §6 "Third-Party Services" and §11 "International Data Transfers".

Your Rights

Access, Export, Deletion & Cancellation

Under UK GDPR you can request access to your data (within 30 days), rectification, erasure, restriction of processing, data portability, and can object to processing or withdraw consent at any time. We do not use automated decision-making that produces legal or similarly significant effects.

Strategic Pathway data (organisation profile, pathway progress, Policy Vault documents, diagnostic results) is retained for 90 days after your last activity, with reminder emails at 60, 75, and 88 days before deletion — or you can request immediate deletion at any time from your dashboard or by contacting us.

Paid subscriptions can be cancelled at any time via the Stripe Customer Portal, with no cancellation fees. Saved assessments and exports remain available for 90 days after cancellation — export your data via each tool's export function before then.

Source: Privacy Policy §10 "Your Rights" and §9 Data Retention; Subscription Terms §4 "Cancellation" and §9 "Your Content and Data".

Service Availability

Uptime & Support Commitments

We do not offer a formal Service Level Agreement (SLA) or uptime guarantee. If your organisation requires guaranteed uptime or dedicated support, contact us to discuss a bespoke enterprise arrangement.

Source: Subscription Terms, §7 "Service Availability".

Contact

Questions or a Security Concern?

A due-diligence pack for procurement and legal teams — including our consulting practice's data-handling and privilege architecture note and retention and secure deletion policy — is available on request. For questions about this page, our data handling, or to report a security or data protection concern, email [email protected] or use our contact page. If you're not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

Source: Privacy Policy, §13 "Contact Us".