Privacy Policy

Last updated: 25 February 2026

1. Data controller

The data controller for easyKSB is Grayscaled Ltd, registered in England and Wales (company number: 17017057), with registered address at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. Website: grayscaled.dev.

For data protection queries, contact our data protection lead at [email protected]. For general support, email [email protected].

2. What data we collect

  • Account data: name, email address, and profile information provided via Clerk (our authentication provider).
  • Evidence uploads: documents and text you upload for KSB matching. This may include assignments, reflective accounts, witness statements, and workplace evidence.
  • Usage data: selected apprenticeship standard, specialism choices, coverage results, matching history, and feature interactions.
  • Billing data: payment information is processed directly by Stripe. We store only your Stripe customer ID and subscription tier. We never see or store your card details.
  • Technical data: IP address, browser type, device information, and access timestamps for security and performance purposes.

3. How we use your data

  • To provide the KSB matching and coverage analysis service.
  • To process your evidence using AI models (OpenAI for generating text embeddings, Anthropic for matching assessment and reasoning).
  • To manage your account, subscription, and usage limits.
  • To generate PDF and CSV exports of your coverage data when requested.
  • To detect and prevent abuse, fraud, and security incidents.
  • To improve and maintain the service, including monitoring performance and fixing bugs.
  • To comply with legal obligations, including tax and regulatory requirements.

4. Legal basis for processing (UK GDPR)

  • Contract (Article 6(1)(b)): processing your evidence, providing KSB matching results, managing your account and subscription.
  • Legitimate interest (Article 6(1)(f)): improving the service, security monitoring, fraud prevention, and anonymous analytics. We have conducted a balancing test and determined that these interests do not override your rights.
  • Legal obligation (Article 6(1)(c)): retaining billing records for HMRC compliance and responding to lawful requests from authorities.

We do not rely on consent as a legal basis for core processing. Where we introduce optional features that require consent (such as marketing emails), we will ask separately and you can withdraw consent at any time.

5. Third-party processors

We share data with the following sub-processors to provide the service:

  • Clerk (USA) — authentication, account management, and session tokens.
  • Stripe (USA) — payment processing and subscription management.
  • OpenAI (USA) — generating text embeddings from your evidence for similarity matching. We use the API with zero data retention; your content is not used to train OpenAI models.
  • Anthropic (USA) — AI assessment of evidence against KSBs and generating match reasoning. We use the API with zero data retention; your content is not used to train Anthropic models.
  • Hetzner Online GmbH (Germany) — server hosting, database storage, and infrastructure.
  • Cloudflare (USA) — DNS, CDN, and landing page hosting.
  • Resend (USA) — transactional and marketing email delivery. We share your email address and first name to send you account notifications and, where you have consented, marketing communications.

We maintain a Data Processing Agreement (DPA) or equivalent contractual terms with each sub-processor. We will update this list if we add new sub-processors.

6. AI processing and automated decisions

When you upload evidence, we send the extracted text to AI providers for processing:

  • Embeddings: your evidence text is converted into a numerical vector by OpenAI. This vector is stored in our database and used to find similar KSB statements. The original text sent to OpenAI is not retained by them.
  • Matching: your evidence text and candidate KSB statements are sent to Anthropic to generate confidence scores and written reasoning. This content is not retained by Anthropic after processing.

The matching process constitutes automated decision-making under Article 22 of UK GDPR. However, these results are advisory only and do not produce legal or similarly significant effects. No decisions about your apprenticeship, employment, or qualifications are made solely by our AI. You can confirm, reject, or override any match result, and you should always review results with your training provider or assessor before relying on them.

We do not use your data to train or fine-tune any AI model. Your evidence content is processed in real time and is not stored by our AI providers.

7. International data transfers

Your data is primarily stored on servers in Germany (Hetzner, EU). However, some of our sub-processors are based in the United States. When data is transferred outside the UK, we ensure appropriate safeguards are in place:

  • EU/EEA: covered by the UK adequacy decision for the EU. No additional safeguards required.
  • USA (Clerk, Stripe, OpenAI, Anthropic, Cloudflare): transfers are protected by the UK International Data Transfer Agreement (IDTA) and/or the UK addendum to EU Standard Contractual Clauses (SCCs), as applicable to each provider.

We minimise the data sent to US-based AI providers to only what is necessary for processing (evidence text and KSB statements). No account data, billing data, or personal identifiers are sent to AI providers.

8. Data retention

  • Account data: retained while your account is active. Permanently deleted when you delete your account.
  • Evidence and matching data: retained until you delete it or close your account. You can delete individual evidence items at any time, and they are permanently removed.
  • Billing records: retained for 7 years after the transaction as required by HMRC for tax purposes.
  • Usage logs: retained for 90 days for debugging and abuse prevention, then automatically purged.
  • Technical logs: server access logs are retained for 30 days.

When you delete your account, all personal data (evidence, matches, embeddings, account details) is permanently removed immediately. Anonymised, aggregated analytics (e.g. total number of matches processed) may be retained indefinitely.

9. Data security

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Database storage is encrypted at rest.
  • Authentication is handled by Clerk with industry-standard session management.
  • API access requires valid authentication tokens; all endpoints enforce user-scoped data access.
  • Administrative access is restricted to authorised personnel and all admin actions are audit-logged.
  • We do not store passwords directly; authentication is delegated entirely to Clerk.

10. Data breach notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
  • Document all breaches, including those that do not require notification, in an internal breach register.

11. Your rights

Under UK GDPR, you have the right to:

  • Access your personal data (Subject Access Request).
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”). You can delete evidence directly in the app, or delete your account entirely through your account settings.
  • Restrict processing in certain circumstances.
  • Object to processing based on legitimate interest.
  • Data portability: receive your data in a structured, machine-readable format. You can download a full export of your data (account details, evidence, matches, and usage history) as JSON from your dashboard, or export coverage data as CSV.
  • Not be subject to solely automated decisions that produce legal or similarly significant effects (see section 6).
  • Lodge a complaint with the ICO at ico.org.uk/make-a-complaint or call 0303 123 1113.

To exercise any of these rights, email [email protected]. We will respond within one calendar month. If your request is complex, we may extend this by up to two additional months and will inform you of the reason for the delay.

12. Children and young people

easyKSB is designed for apprentices, who may be aged 16 and over. We do not knowingly collect data from anyone under 16. If you are aged 16 or 17, you may use the service; under UK GDPR, individuals aged 13 and over can consent to online services, and we consider apprenticeship usage to be a legitimate context for 16-17 year olds.

If you believe a child under 16 has provided us with personal data, please contact [email protected] and we will delete it promptly.

13. Cookies

We use only strictly necessary cookies:

  • Authentication cookies (set by Clerk) to maintain your login session.
  • Session cookies for CSRF protection and security.

We do not use advertising, analytics, or tracking cookies. Because we only use strictly necessary cookies, no cookie consent banner is required under the Privacy and Electronic Communications Regulations (PECR).

14. Changes to this policy

We may update this policy from time to time. For material changes (e.g. new sub-processors, changes to data processing purposes, or changes to your rights), we will notify you via email at least 14 days before the changes take effect. Minor clarifications or formatting changes may be made without notice.

The “last updated” date at the top of this page reflects the most recent revision. Continued use of the service after changes take effect constitutes acceptance.