This Privacy Policy explains how KSB Planner ( "we", "us", "our") collects, uses, and protects your personal data when you use ksbplanner.co.uk. We operate from the United Kingdom and are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
KSB Planner is the data controller for the personal data described in this policy. If you have questions or wish to exercise your rights, please contact us.
2. What Data We Collect
We collect different categories of data depending on how you interact with the service:
Account data
When you create an account: your email address and (if provided) your name. Authentication is managed by Neon Auth (powered by Better Auth). We do not store passwords in plain text — password hashing is handled by the authentication layer.
Purchase data
When you make a purchase: the apprenticeship standard selected, product tier, order status, and a reference to your Stripe customer record. We do not store card numbers or full payment details — these are processed entirely by Stripe.
Customisation inputs
For Full Pack purchases, you may provide customisation inputs (programme length, delivery model, cohort size, employer sector, age range, SEND considerations, subcontracting status). These are stored against your order and used to generate your content.
Generated content
The AI-generated delivery guide sections we create for you are stored in our database so you can access and download them at any time from your dashboard.
Communications
If you contact us via the contact form or by email, we retain the content of that correspondence to respond to and resolve your enquiry.
Usage and analytics data
With your consent, we collect anonymised analytics data (pages visited, session duration, referral source, device type) via Google Analytics. IP addresses are anonymised before processing. We do not build individual user profiles from this data.
Technical data
Standard server and access logs are generated by our hosting provider (Netlify) and CDN (Cloudflare) for security and performance purposes. These may include anonymised IP address data, browser type, and request timestamps. We do not use these for profiling.
3. How We Use Your Data
We use personal data only for the specific purposes listed below, each with its legal basis under UK GDPR:
| Purpose | Data used | Legal basis |
|---|---|---|
| Create and manage your account | Email, name | Contract |
| Process payments and fulfil orders | Email, order data | Contract |
| Generate and store your delivery guide | Order data, customisation inputs | Contract |
| Send order confirmation and account emails | Contract | |
| Respond to support enquiries | Email, correspondence content | Legitimate interests |
| Maintain financial and tax records | Order data, payment references | Legal obligation |
| Prevent fraud and ensure security | Account data, technical logs | Legitimate interests |
| Understand how the site is used and improve it | Anonymised analytics data | Consent |
| Improve AI generation quality (aggregate, not personal) | AI usage logs (no PII) | Legitimate interests |
We do not use your data for automated decision-making that produces legal or similarly significant effects on you.
4. Third-Party Processors
We share data with the following sub-processors only to the extent necessary to deliver the service. Each is bound by a data processing agreement or equivalent contractual safeguard:
| Processor | Location | Purpose | Safeguard | |
|---|---|---|---|---|
| Neon (database) | EU West (London, UK) | Stores accounts, orders, and generated content | Data in UK — no transfer | Policy ↗ |
| Stripe | USA | Payment processing and fraud prevention | UK–US IDTA / SCCs | Policy ↗ |
| Netlify | USA | Web hosting, CDN, and edge delivery | SCCs | Policy ↗ |
| Cloudflare | USA | CDN, DDoS protection, and security | SCCs | Policy ↗ |
| Google Analytics | USA | Anonymised site usage analytics (consent-gated) | SCCs, IP anonymisation enabled | Policy ↗ |
| MailerSend | EU | Transactional email (order confirmations, account emails) | Data in EU — no transfer | Policy ↗ |
| Anthropic | USA | AI generation of prebuilt section content (no PII sent) | SCCs / DPA | Policy ↗ |
| OpenAI | USA | AI generation of certain sections and audit tasks (no PII sent) | SCCs / DPA | Policy ↗ |
AI processors (Anthropic, OpenAI): When we call these APIs to generate your delivery guide, we send the apprenticeship standard specification and your customisation inputs (programme length, delivery model, etc.) — not your name, email, or any directly identifying information. Your personal data is never included in AI generation prompts.
5. International Data Transfers
Some of our processors are based outside the UK. Where personal data is transferred internationally, we ensure an appropriate safeguard is in place:
- UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) where applicable
- For processors located in countries with no UK adequacy decision, we rely on contractual safeguards (DPA / SCCs) with each provider
You can request details of the specific safeguards in place for any transfer by contacting us.
6. How Long We Keep Your Data
| Data type | Retention period |
|---|---|
| Account data (email, name) | Until you delete your account, or 3 years after your last sign-in if inactive |
| Order and payment records | 7 years (legal obligation — financial records) |
| Generated content (pack sections) | Retained while your account is active; deleted on account deletion request |
| Support correspondence | 3 years from last contact |
| Analytics data (Google Analytics) | Up to 2 years (GA4 default); anonymised |
| AI usage logs (no PII) | 12 months |
| Server/access logs | Up to 30 days (Netlify / Cloudflare) |
7. Your Rights
Under the UK GDPR, you have the following rights in relation to your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — ask us to delete your personal data where there is no compelling reason for us to keep it
- Right to restriction — ask us to restrict processing of your data in certain circumstances
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests or for direct marketing purposes
- Right to withdraw consent — where processing is based on consent (e.g. analytics cookies), you can withdraw at any time via our cookie settings
To exercise any of these rights, please contact us. We will respond within 30 days. We may need to verify your identity before actioning a request.
Note: the right to erasure does not apply to order records we are legally required to keep (e.g. for tax purposes).
9. Security
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include:
- HTTPS encryption for all data in transit
- Passwords hashed and never stored in plain text (handled by Neon Auth / Better Auth)
- Database access restricted to application layer — no public internet exposure
- Payment data handled entirely by Stripe — we never receive or store card details
- Cloudflare DDoS protection and Netlify edge security on all requests
No method of transmission over the internet is 100% secure. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) as required by law.
10. Children's Privacy
KSB Planner is a professional tool intended for training providers and apprenticeship practitioners. It is not directed at, and we do not knowingly collect data from, anyone under the age of 18.
11. Changes to This Policy
We may update this policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated via email or a prominent notice on the site, and the effective date at the top of this page will be updated. Continued use of the service after changes constitutes acceptance of the updated policy.
12. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
- Website: ico.org.uk
- Helpline: 0303 123 1113
We would, however, appreciate the opportunity to address your concerns first — please contact us before raising a complaint with the ICO.
13. Contact
For any privacy-related questions or to exercise your rights, please use our contact page.
Last updated: 30 March 2026