
Privacy notice
How your data is handled
Version 1 · Last updated 1 June 2026
Who we are
The Regulated Business Compass is operated by Lexi Thurston, trading as Entrepreneurial Alchemy. We are the data controller for the personal information collected through this service.
Contact: privacy@entrepreneurial-alchemy.co.uk
Registered address:
Office 7, Chard Enterprise Centre
Beeching Close
Chard
Somerset
TA20 1BB
What data we collect
We collect only what we need to take payment, deliver your report, and email you about it. Specifically:
- Your email address, captured at Stripe Checkout.
- Your first name and your chosen pronouns, captured on the consent step, so the report can address you correctly.
- Your answers to the calibration questions (working style, business model, what else is in your life, relationship to rest).
- Your answers to the 43 questions across five domains (the main compass questions).
- Computed scores derived from your answers (the Regulated Business Index, domain percentages, and related internal calculations).
- The generated report itself.
- Standard payment metadata (Stripe transaction identifiers). We do not see or store your card details; Stripe handles those.
Special category data and explicit consent
Some of the calibration questions ask about neurodivergence and health, including mental health. Under UK GDPR Article 9 this is treated as special category data and requires more than an ordinary lawful basis.
We process this data only with your explicit consent, given separately on the consent step before you reach any of those questions. You can decline that consent and still complete the compass; the report will simply have less personalisation in those areas.
You can withdraw consent at any time by emailing privacy@entrepreneurial-alchemy.co.uk. When you do, we will delete the relevant fields. If you have already received a report, the report was generated under the consent you gave at the time; the underlying data goes when you ask it to.
How we use your data
The data is used to:
- Generate your personalised compass report (this is the product you paid for).
- Send the small set of transactional emails the service relies on: the welcome email after payment, the "report is ready" email, and the magic-link emails you use to come back to your dashboard or report.
- Send progress reminders if you have started the compass but not finished it. These are transactional, limited to two messages (48 hours and 7 days after last activity), and stop once you complete the compass.
- If you opted in separately for follow-up emails from Lexi about your pattern and the Regulated Business Architecture Series, we use your email for those. You can unsubscribe at any time.
We do not sell your data. We do not use it to train any AI model. We do not share it with anyone outside the specific service providers listed below.
Lawful bases
For email, payment metadata, calibration answers, diagnostic answers, scores, and the generated report: Article 6(1)(b), performance of the contract.
For special category data (neurodivergence, health, optional identity context): Article 9(2)(a), explicit consent. You give this on the consent step and can withdraw it at any time.
For the optional follow-up emails (the "nurture" opt-in): Article 6(1)(a), consent.
Who else sees your data
We use a small number of well-known service providers. Each has its own privacy policy and Data Processing Agreement with us.
- Supabase hosts the database. Your data is stored in the London region so it stays in the UK at rest.
- Vercel hosts the website. Requests are processed transiently; nothing about your responses is stored at Vercel.
- Stripe handles payment. They see your email and payment information. They do not see your compass answers.
- Resend sends the transactional emails. They see your email address and the email content (which is just the link plus our standard wording).
- OpenRouter is the AI gateway used to generate your report. They forward the request to Anthropic, the AI model provider. The request includes your calibration context, your domain answers, and your scores; it does not include your email or your name in any way that ties the data back to you. OpenRouter is configured for no prompt logging and no training; provider routing is pinned to Anthropic so your data is not routed to an unvetted provider.
International transfers
OpenRouter and Anthropic are US-based, which means part of generating your report involves an international transfer. This is covered by the UK International Data Transfer Agreement / Standard Contractual Clauses with both providers, and the payload is minimised: scores and structured context, not raw identifiers.
Everything else (database storage, hosting, transactional email delivery) stays within the UK and EU.
How long we keep your data
We keep your compass responses, scores, and generated report for 24 months after you complete the compass, after which they are deleted or anonymised. This window exists so you can come back to your report later and so a re-take can be compared against your earlier pattern if you choose to do one.
Special category free-text (for example, a written description of your neurotype, or anything you wrote about identity context) is kept only as long as it is actively needed and is reviewed for early deletion. You can ask for this to be removed at any time.
If you have opted in to the follow-up Entrepreneurial Alchemy emails, your email is kept on the list until you unsubscribe. Payment records are kept as required by UK tax law (approximately six years), as a Stripe-side record; we keep a minimal local copy.
Your rights
You have the right to:
- Access the personal data we hold about you.
- Rectify anything that is wrong.
- Erase your data (the "right to be forgotten").
- Restrict processing, or object to it, in certain circumstances.
- Withdraw consent for the special category data at any time.
- Port your data to another service in a machine-readable format.
- Lodge a complaint with the UK Information Commissioner's Office (the ICO) at ico.org.uk.
To exercise any of these rights, email privacy@entrepreneurial-alchemy.co.uk. We will respond within one month.
Automated decision-making
Your report is generated by an AI model following a methodology Lexi developed over seven years of practitioner work. The report is informational guidance; it is not a diagnosis, a clinical assessment, or any kind of automated decision with legal or significant effect on you. Article 22 of UK GDPR therefore does not apply in the way it does to, say, an automated credit decision.
The interpretation logic is Lexi's; the AI applies it. You can ask for a human review of your report at any time by emailing privacy@entrepreneurial-alchemy.co.uk.
Security
We use TLS for everything in transit. The database is encrypted at rest. Database access is restricted to the minimum needed to operate the service and is logged. Secrets and API keys live in server-side environment variables, not in your browser. The scoring logic and the AI prompt are never sent to your device. We have a documented process for responding to any data breach.
Changes to this notice
This is version 1 of the privacy notice. We may update it as the service evolves; the "last updated" date at the top of the page will always be current. If a change materially affects how your data is handled, we will email you about it before it takes effect.
Contact
For anything to do with your data, your rights, or questions about this notice: privacy@entrepreneurial-alchemy.co.uk.