Privacy Policy

Last updated: 17 March 2026

1. Who We Are

StratStack is operated by Incubate & Innovate Limited, a company registered in England and Wales. We are the data controller for the personal data processed through the StratStack platform.

Contact: privacy@stratstack.co.uk

2. What Data We Collect

We collect the following categories of personal data:

  • Account information: Name, email address, password (hashed), role, and firm association.
  • Profile data: Job title, department, seniority, tenure, and other professional attributes provided during questionnaire onboarding.
  • Questionnaire responses: Answers provided by management team members during strategic, operational, and financial data collection sessions.
  • Usage data: Pages visited, features used, timestamps, IP address, browser type, and device information.
  • Payment data: Processed by Stripe. We do not store card numbers. We retain Stripe customer and subscription IDs.
  • Communications: Messages sent through the platform, including AI chat interactions and comments.

3. How We Use Your Data

  • To provide and maintain the StratStack platform and services.
  • To process questionnaire responses and generate strategic analysis outputs.
  • To generate AI-powered synthesis, framework outputs, and reports.
  • To process payments and manage subscriptions.
  • To send service-related notifications (e.g., questionnaire assignments, deadline reminders).
  • To improve the platform through aggregated, anonymised usage analytics.
  • To comply with legal obligations.

5. AI Processing

Questionnaire responses are processed by AI (Anthropic Claude) to generate strategic framework outputs, sentiment analysis, and reports. AI outputs are always presented as editable drafts for consultant review. We do not use your data to train AI models. Responses are sent to the AI provider's API at the point of synthesis and are not retained by the AI provider beyond the request lifecycle.

6. Data Sharing

We share personal data with:

  • Supabase: Database hosting and authentication (data stored in the EU/UK).
  • Stripe: Payment processing.
  • Anthropic: AI synthesis processing (data sent to API only during synthesis).
  • Vercel: Application hosting.

We do not sell personal data to third parties.

7. Data Retention

We retain your data for as long as your firm's subscription is active, plus 90 days after cancellation to allow for reactivation. After this period, data is permanently deleted unless retention is required by law. You may request earlier deletion by contacting us.

8. Your Rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate personal data.
  • Erase your personal data (subject to legal obligations).
  • Restrict or object to processing.
  • Request data portability.
  • Withdraw consent (where processing is based on consent).
  • Lodge a complaint with the ICO (ico.org.uk).

To exercise these rights, contact privacy@stratstack.co.uk.

9. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), database row-level security, role-based access controls, and secure authentication.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or in-app notification. Continued use of the platform after changes constitutes acceptance of the updated policy.