Decision Atlas Legal
Privacy Policy
Decision Atlas is built around data minimisation. The service does not require full client names, addresses, phone numbers, emails, or direct identifiers to generate a report. This policy explains what data we process, why, and your rights under UK GDPR.
Data Controller
Decision Atlas (operator details to be inserted before paid launch), registered in England and Wales. Company Number: to be inserted before paid launch. Registered address: to be inserted before paid launch.
ICO Registration Number: to be inserted before paid launch. Contact for data-protection queries: privacy@decisionatlas.co.uk
Plain-English summary
- Use pseudonyms, initials, or internal references for clients — not full names.
- Do not submit full names, contact details, medical records, safeguarding details, or direct identifiers.
- We use anonymised report metadata and follow-up outcomes to improve matching and report quality.
- Decision Atlas is not a crisis, emergency, safeguarding, clinical, legal, or financial advice service.
- You have rights to access, correct, delete, and port your personal data. Contact us to exercise them.
1. Who this policy applies to
This policy applies to practitioners, account holders, and any person who accesses or uses the Decision Atlas platform to generate decision-support reports. It does not apply to third parties whose anonymised situation information is submitted — those individuals should not be identifiable from submitted content.
2. What personal data we collect and why
Account data: Name, email address, and password (hashed) collected when you create an account. Used to authenticate your access and manage your account. Legal basis: performance of a contract.
Report inputs: Decision domain, age band, country code, pressure level, context flags, and an anonymised situation summary submitted when generating a report. Used to match against reviewed decision-outcome signals and generate your report. Legal basis: performance of a contract.
Payment data: Payment is processed by Stripe. We do not store card numbers. We receive a transaction record confirming payment. Legal basis: performance of a contract and legal obligation (billing records).
Report metadata: Anonymised decision category, pattern classification, DRS score, outcome category, and follow-up results where submitted. Used to improve future pattern matching, report quality, and aggregate decision intelligence. Legal basis: legitimate interests (service improvement), with data minimisation and anonymisation applied.
Usage data: Standard server logs including IP address, browser type, and page access timestamps, retained for security and operational monitoring. Legal basis: legitimate interests (platform security and integrity).
3. What we do not collect or need
Decision Atlas does not need and you must not submit: full client names, addresses, phone numbers, email addresses, medical records, safeguarding details, abuse details, national insurance numbers, or any other information that could directly identify a client. The platform is designed to function on anonymised or pseudonymised input only.
4. Data minimisation and anonymisation
Where report inputs are used for service improvement, they are processed in anonymised or aggregated form. No attempt is made to re-identify individuals from anonymised report metadata. Practitioners are responsible for ensuring that submitted situation summaries do not contain directly identifying information.
5. Follow-up outcome data
Where you voluntarily submit follow-up data (7-day action completion, 30-day decision movement, 90-day outcome category), this information is recorded against your report session without direct client identifiers. It contributes to aggregate pattern improvement only. Legal basis: legitimate interests (vault accuracy and improvement).
6. Data sharing
We do not sell your personal data. We may share data with:
- Supabase — database hosting and authentication. Processing location and Data Processing Agreement terms depend on the active Supabase project configuration and contract.
- Vercel — application hosting. Standard serverless infrastructure.
- Stripe — payment processing. Governed by Stripe's own privacy policy and GDPR compliance framework.
- Anthropic or another AI provider — only if AI classification or enrichment is enabled. Client-identifying data should not be sent; only anonymised or pseudonymised decision context should be processed.
We may disclose data where required by law, court order, or regulatory authority.
7. International data transfers
Some infrastructure providers may process data outside the UK or EEA. Where international transfers occur, Decision Atlas should rely on appropriate transfer safeguards such as standard contractual clauses, adequacy decisions, or equivalent mechanisms recognised under UK GDPR.
8. Data retention
Account data is retained for as long as your account is active and for a period of up to 2 years following account closure, for legal and billing purposes.
Report session records (decision category, pattern, DRS score, anonymised metadata) are retained indefinitely in anonymised form for vault improvement purposes. If a session record can be linked to your account, it will be deleted upon an erasure request subject to the conditions in section 9 below.
Billing and payment records are retained for 7 years as required by UK tax and accounting law.
9. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate personal data.
- Right to erasure — request deletion of your personal data where we no longer have a lawful basis to retain it. Note: anonymised vault data that cannot be linked to your account cannot be deleted as it is not personal data.
- Right to restriction — request that we restrict processing of your data in certain circumstances.
- Right to data portability — receive your account data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests, including for service improvement purposes.
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, contact: privacy@decisionatlas.co.uk. We will respond within one calendar month.
10. Right to complain
If you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.
ICO website: ico.org.uk — Helpline: 0303 123 1113.
We would appreciate the opportunity to address your concern before you contact the ICO. Please contact us first at privacy@decisionatlas.co.uk.
11. Practitioner obligations as data controller
When you submit an anonymised or pseudonymised client situation to Decision Atlas for report generation, you remain responsible for deciding what information is submitted and for ensuring that direct client identifiers are removed before submission. The exact controller / processor relationship may depend on the account type, contract, and processing context.
This means you are responsible for: obtaining any client consent required under your professional obligations and applicable law; ensuring the submission is anonymised before it is sent; and ensuring use of the report complies with your own data protection obligations as a practitioner.
A Data Processing Agreement (DPA) is available on request for practitioners who require one under their own data protection framework. Contact: privacy@decisionatlas.co.uk.
12. Cookies and tracking
Decision Atlas uses session cookies required for account authentication. We do not use third-party advertising cookies or behavioural tracking cookies. Analytics, where used, are aggregated and anonymised.
13. Changes to this policy
We may update this policy as the service develops. Material changes will be communicated to account holders by email and published on this page with a revised date. Continued use of the service after notification constitutes acceptance of the updated policy.
14. Contact
For all privacy, data-protection, and access queries: privacy@decisionatlas.co.uk
Last updated: 14 May 2026. This policy is intended to support UK GDPR Article 13 transparency requirements. ICO registration number and company details must be inserted before paid public launch. This policy should be reviewed by a UK-qualified data-protection solicitor or DPO before first paid transaction.