Privacy Policy

Effective: 2026-05-14
Last updated: 2026-05-14
Version: 1.0

Not yet ready to publish. This notice cannot be relied on by data subjects until Score is incorporated as a legal entity (docs/backlogs/legal.md row LEG-0010). The UK / EU sections below are kept in the draft so they are ready when Score offers the Services to UK / EU residents; operational UK obligations (ICO fee, Article 27 representative) are parked until then.

1. Who we are and what this notice covers

This Privacy Policy describes how {{ENTITY_NAME}} ("Score", "we", "us", "our") collects, uses, shares, and protects personal data. It satisfies the transparency requirements of:

  • UK General Data Protection Regulation and Data Protection Act 2018 (UK GDPR)
  • EU General Data Protection Regulation (EU GDPR)
  • California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (CCPA / CPRA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Utah Consumer Privacy Act (UCPA)
  • Virginia Consumer Data Protection Act (VCDPA)

If a more specific regional law applies to you, the corresponding subsection of Section 11 (Your privacy rights) supplements this notice.

This Privacy Policy applies to visitors to our website (score-corp.com), to End users who are enrolled in Score by a Customer organisation or who sign up directly, and to Customer representatives who manage a Score account on behalf of an organisation.

2. Our role: controller, processor, or joint controller

Score's role depends on the personal data in question.

Scenario | Role
--- | ---
Website visitors browsing score-corp.com | Score is the controller
Customer representatives (admins of Customer orgs) using Score in their work capacity | Score is the controller
End users enrolled in Score by a Customer organisation (where the Customer is also the data subject's employer or community operator) | Score is the processor for the Customer's contractual processing, and the controller for the data we generate ourselves (Scores, audit logs, security telemetry)
Direct sign-up End users with no Customer affiliation | Score is the controller

Where Score is a processor for a Customer, the Customer's own privacy notice applies in respect of the processing the Customer instructs. The data processing addendum at docs/legal/data-processing-addendum.md (pending LEG-0006) governs the controller-processor relationship.

3. Contact and data protection contact

For any privacy question, data subject rights request, or complaint, email us at privacy@score-corp.com.

We have not appointed a statutory Data Protection Officer. We have not appointed UK or EU representatives under UK / EU GDPR Article 27 because Score does not currently offer the Services to UK or EU residents. When that changes, we will publish the representative's name and address here before the launch in that territory.

4. What personal data we process

We process the categories of personal data set out below. The categories are organised by the source of the data and the purpose for which we process it.

4.1 Information you provide directly

  • Account identifiers. Name, email address, password (hashed), phone number where provided, photograph or avatar where provided.
  • Profile information. Job title, employer, team, manager-IC reporting line where you enter it, free-text role description, skills or capabilities you wish to be associated with, professional links you choose to share.
  • Communications. The content of any message, email, or support enquiry you send us.

4.2 Information about assessments and scores

  • Assessment submissions. Where you submit a peer assessment, we record the assessment (rating only; per the project rule we do not store free-text comments associated with assessments) and the identifier of the submitting user. The identifier of the submitting user is never disclosed to the assessment subject, to any other End user, or to any Customer organisation. See Section 9.
  • Derived scores. The aggregate Score we generate from peer assessments about you, with the time-series history of that Score.
  • Moments and prompts. Records of the collaboration events that triggered an assessment prompt to be sent to you.

4.3 Information from third parties

  • Slack OAuth identifiers. Where your Customer organisation installs Score in Slack, Slack provides us with workspace identifiers (or enterprise identifiers for Enterprise Grid), your Slack user ID, your email address as registered with Slack, your display name, and your team or channel memberships. We use this to materialise your Score account and to deliver assessment prompts.
  • Single Sign-On identifiers. Where you sign in via Google or another SSO provider, the provider returns your email address and a stable user identifier.
  • Stripe billing identifiers. Where you (or your Customer) make a payment, Stripe returns billing identifiers and the success or failure of the payment. We do not see your full card number; that is processed by Stripe directly.

4.4 Information collected automatically

  • Technical data. IP address, browser type and version, device type, operating system, screen resolution, language preference, time zone.
  • Usage data. Pages visited on score-corp.com, time spent, referring URL, in-product navigation events, feature use, error reports.
  • Cookies and similar technologies. See our Cookie Policy at /cookies for the full list, including strictly-necessary, functional, analytics, and marketing cookies, and how to control them.

4.5 Information we generate

  • Audit logs. Records of actions taken on the account: who signed in, who installed Slack, who exported data, who changed configuration.
  • Security telemetry. Records used for fraud, abuse, and anonymity-unwinding detection.

5. Why we process your personal data and the lawful basis

For each processing purpose we identify the lawful basis under UK / EU GDPR Article 6 (and, for special-category data, Article 9, although we do not deliberately process special-category data).

Purpose | Categories used | Lawful basis (UK / EU GDPR)
--- | --- | ---
Provide the Services: create your account, authenticate you, deliver assessment prompts, calculate your Score, surface your Score to authorised viewers | 4.1, 4.2, 4.3, 4.5 | Performance of a contract (Article 6(1)(b)) where the contract is with you; legitimate interests (Article 6(1)(f)) of the Customer where you are an enrolled End user, balanced against your interests
Bill and collect payment from Customers | 4.1 (admin only), 4.3 (Stripe) | Performance of a contract with the Customer (Article 6(1)(b))
Comply with our legal and tax obligations | 4.1, 4.3 | Legal obligation (Article 6(1)(c))
Operate the marketing website: serve pages, log basic technical data, measure traffic for product improvement | 4.4 | Legitimate interests in operating, securing, and improving our website (Article 6(1)(f))
Send marketing communications about Score (newsletters, product updates, launch announcements) | 4.1 | Consent (Article 6(1)(a)) where you have opted in via the website or another channel; legitimate interests (Article 6(1)(f)) for B2B marketing to existing Customer contacts, in line with PECR Regulation 22(3) "soft opt-in" where applicable. You may unsubscribe at any time via the link in every marketing email
Detect and prevent fraud, abuse, anonymity unwinding, and gaming of the Scoring system | 4.4, 4.5 | Legitimate interests in protecting the integrity of the Services and the rights of other users (Article 6(1)(f))
Respond to data subject rights requests and other regulator-driven requests | 4.1, 4.5 | Legal obligation (Article 6(1)(c))
Defend, establish, or exercise legal claims | All categories as relevant | Legitimate interests in our legal position (Article 6(1)(f))

We do not deliberately process special-category data within the meaning of Article 9 (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, data concerning health, or data concerning sex life or sexual orientation). Where you voluntarily provide such information (for example in a free-text profile field), we will treat it under the relevant Article 9 condition (typically Article 9(2)(e), data manifestly made public by the data subject) and we will not use it for any purpose beyond the one for which you provided it.

6. Who we share your personal data with

We share personal data only with the categories of recipient set out below.

Recipient | What we share | Why
--- | --- | ---
Your Customer organisation (where you are an enrolled End user) | Your Score and, with your consent, your profile information. Never the identity of any assessor of you. | To meet the Customer's contractual relationship with you (typically your employer's).
AWS (Amazon Web Services) | All hosted data | Our infrastructure provider. AWS region for primary data is us-east-2 (Ohio, United States).
Stripe | Billing identifiers and the payment amount | Payment processing.
Slack Technologies (a Salesforce company) | Workspace identifiers and the content of bot messages we send | To deliver the Slack integration.
Cognito (Amazon Web Services) | Account identifiers, authentication credentials | Authentication service.
Google (where you choose Google SSO) | Email address, SSO authentication artefacts | To authenticate you.
Our professional advisers (lawyers, accountants, auditors) | Information necessary to advise us, under confidentiality | To obtain advice.
Government, regulator, or law enforcement | Information lawfully required | Where compelled by lawful process, or where required by law.
Acquirer in a corporate transaction | All categories | Where we are merged, acquired, or sold; you will be notified in advance.

We do not sell your personal data, and we do not share your personal data with third parties for those third parties' direct-marketing purposes. We do not engage in cross-context behavioural advertising.

For the avoidance of doubt, we do not disclose the identity of any assessor to the assessment subject, to the subject's Customer organisation, or to any third party, except where the defamation-notice procedure in our Terms of Use Section 16 expressly requires it and the disclosure is made under the controlled procedure described there.

7. International transfers

Score's primary infrastructure is in AWS region us-east-2 (Ohio, United States). When you use the Services from the United Kingdom, the European Economic Area, Switzerland, or any other jurisdiction outside the United States, your personal data is transferred to and processed in the United States.

For transfers from the United Kingdom we rely on:

  • The UK Extension to the EU-US Data Privacy Framework where the importing recipient is certified under the Framework; or
  • The UK International Data Transfer Agreement (IDTA), or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, with the appropriate transfer impact assessment under the ICO's guidance.

For transfers from the European Economic Area or Switzerland we rely on:

  • The EU-US Data Privacy Framework where the importing recipient is certified; or
  • The European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 modules as applicable), supplemented by a transfer impact assessment.

You may request a copy of the relevant transfer-mechanism documentation by emailing privacy@score-corp.com.

8. How long we keep your personal data

We keep your personal data for the shortest period necessary for the purpose for which it was collected, except where a longer retention period is required or permitted by law. Specific retention periods are:

Category | Retention period
--- | ---
Account identifiers (active accounts) | For the duration of the account, plus 6 months after account deletion for fraud and abuse audit
Profile information you provide | For the duration of the account; you may edit or delete it at any time
Assessment submissions | For the duration of the assessment subject's account, then deleted under the cascade in docs/operations/DATA_MODEL_DELETION.md. In any case, the link between an assessment and its submitting user is severed when either party deletes their account
Derived scores and Score history | For the duration of the account
Slack OAuth tokens | Until the integration is uninstalled, plus 30 days
Billing records | 7 years from the date of the transaction, to meet UK / US tax-record-keeping obligations
Audit logs and security telemetry | 13 months by default; longer where retained for an active investigation
Marketing-list membership | Until you unsubscribe or 3 years from your last interaction with us, whichever is sooner
Support correspondence | 3 years from the date of the last message

When the retention period expires we delete the data or, where deletion is technically impractical (for example in backups), we securely isolate the data so that it cannot be used.

9. Anonymity preservation

Score is built on the promise that assessors are anonymous to the assessment subject and to the subject's Customer organisation. This is a contractual commitment in Section 6 of our Terms of Use. In privacy terms it means:

  • The identity of the submitting user is stored separately from the visible assessment record, and is never returned by any API the assessment subject, the Customer organisation, or any third party can call.
  • We design Score's product surface to resist anonymity unwinding via metadata (timestamps, response orderings, small-N aggregations).
  • The defamation-notice procedure (Terms Section 16) is the only documented exception to this rule. It applies only on receipt of a compliant notice, only after Score's internal review, and only where disclosure is necessary to retain the publisher defence under Defamation Act 2013 §5 or to comply with a court order.

If you believe Score's product has unwound assessor anonymity in any other way, please report it to privacy@score-corp.com. We treat such reports as P0 and respond within one business day.

10. Automated decision-making and profiling

Your Score is generated algorithmically from peer assessments. We treat this as automated processing, and we treat any third-party use of your Score in a substantive decision about you (hiring, firing, promotion, lending, insurance, immigration, housing) as engaging UK / EU GDPR Article 22.

You have the following rights in respect of automated decision-making:

  • The right not to be subject to a decision based solely on automated processing of your Score, where that decision produces a legal or similarly significant effect on you.
  • The right to obtain human intervention in any such decision.
  • The right to express your point of view and to contest the decision.

Where you become aware that a Customer (your employer, recruiter, or another party) intends to use your Score in a decision that engages Article 22, you may exercise these rights by contacting that Customer directly, and you may also contact us at privacy@score-corp.com. Where we operate a Score-mediated decision flow ourselves, we surface the human-review path in the product. We do not currently operate any such flow.

Some US state laws confer additional rights to opt out of profiling that "produces legal or similarly significant effects". See Section 11.4 for the state-specific text.

11. Your privacy rights

Your rights depend on where you reside. In all cases you can exercise these rights by emailing privacy@score-corp.com. We respond within the statutory time limit (one month for UK / EU GDPR; 45 days for most US state laws, extendable by a further 45 days where reasonably necessary).

To verify your identity before responding, we may ask you to confirm details we already hold (for example by replying from the email address on the account). We will not request more information than necessary.

11.1 If you are in the United Kingdom or European Economic Area

You have the right to:

  • Access the personal data we hold about you (UK / EU GDPR Article 15).
  • Rectification of inaccurate or incomplete personal data (Article 16).
  • Erasure of your personal data, subject to the exceptions in Article 17(3) (Article 17).
  • Restriction of processing in specified circumstances (Article 18).
  • Data portability for data you have provided to us where processing is based on consent or contract (Article 20).
  • Object to processing based on legitimate interests, including profiling and direct marketing (Article 21).
  • Withdraw consent at any time where consent is the lawful basis (Article 7(3)).
  • Lodge a complaint with the supervisory authority in your country of residence or of the alleged infringement (Article 77). In the United Kingdom this is the Information Commissioner's Office at ico.org.uk. In Ireland, the Data Protection Commission at dataprotection.ie. Each EU member state has its own authority.

We will not discriminate against you for exercising any of these rights.

11.2 If you are in Switzerland

You have rights substantially equivalent to those in Section 11.1 under the Swiss Federal Act on Data Protection (revFADP). You may complain to the Federal Data Protection and Information Commissioner.

11.3 If you are in California (CCPA / CPRA)

We collect the following categories of personal information (using the CCPA category labels):

Category | Collected | Sold or shared
--- | --- | ---
A. Identifiers (name, email, IP, account name) | Yes | No
B. California Customer Records Act categories (name, contact info, employment info) | Yes | No
C. Protected classification characteristics | No (we do not deliberately collect) | No
D. Commercial information (transaction history) | Yes (for Customer billing) | No
E. Biometric information | No | No
F. Internet or other network activity (browsing on score-corp.com, in-product navigation) | Yes | No
G. Geolocation data (approximate, from IP) | Yes | No
H. Audio, electronic, visual, thermal, olfactory, or similar information | No | No
I. Professional or employment-related information (job title, employer, role) | Yes | No
J. Education information | No | No
K. Inferences drawn from collected personal information (your Score) | Yes | No
L. Sensitive personal information | No (we do not deliberately collect) | No

We collect the categories above directly from you (Sections 4.1 and 4.2), from third parties (Section 4.3), and automatically (Section 4.4), for the business purposes set out in Section 5.

As a California resident you have the right to:

  • Know what categories and specific pieces of personal information we have collected, used, disclosed, and (if applicable) sold or shared about you.
  • Delete personal information we have collected about you, subject to the exceptions in California Civil Code §1798.105(d).
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information (we do not sell or share, but we honour the Global Privacy Control signal).
  • Limit the use of sensitive personal information (not currently applicable; we do not deliberately process sensitive personal information).
  • Non-discrimination for exercising any of the above rights.

You may exercise these rights by emailing privacy@score-corp.com. An authorised agent may submit a request on your behalf with documented authorisation.

Under California Civil Code §1798.83 ("Shine the Light"), California residents may request once per calendar year the categories of personal information disclosed by us to third parties for direct marketing purposes. Our answer for the preceding calendar year is: none.

11.4 If you are in Colorado, Connecticut, Utah, or Virginia

Under the Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, you have the right to:

  • Confirm whether we process your personal data.
  • Access your personal data.
  • Correct inaccuracies (Colorado, Connecticut, Virginia).
  • Delete your personal data.
  • Obtain a portable copy of personal data you have provided to us.
  • Opt out of processing for targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in targeted advertising or sale; you may opt out of profiling at privacy@score-corp.com.

Where we decline a request, you may appeal at the same email address. We will respond to the appeal within 60 days (Colorado, Connecticut, Virginia) or 45 days (Utah, with a further 45-day extension where reasonably necessary).

11.5 If you are in any other US state with a comprehensive privacy law

We extend the substantive rights in Section 11.4 to residents of any US state that adopts a comprehensive consumer privacy law, including Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, Rhode Island, and any subsequent enactment.

11.6 If you are in Canada, Australia, New Zealand, South Africa, or any other jurisdiction with a privacy law

You have the substantive rights conferred by that law. Contact us at privacy@score-corp.com and we will honour your request.

12. How we keep your personal data secure

We operate a security programme designed to protect personal data from accidental loss and from unauthorised access, use, alteration, or disclosure. Specific controls include:

  • Transport-layer encryption (TLS 1.2 or higher) for all data in transit.
  • Encryption at rest for all data stored in DynamoDB and S3 (server-side encryption with AWS-managed or customer-managed keys).
  • Authentication via Cognito with JWT, organisation-scoping via the X-Org-Id header, scoped IAM roles for each Lambda.
  • Audit logging of significant actions, retained for the period in Section 8.
  • Background fraud, abuse, and anonymity-unwinding detection.
  • Vendor due diligence on processors before they are engaged.

No method of transmission over the internet or storage is 100% secure. Where you become aware of a security incident affecting your account, please contact us at security@score-corp.com immediately.

We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach where required by UK / EU GDPR Article 33, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34).

13. Cookies and similar technologies

See our Cookie Policy at /cookies for the full list of cookies and similar technologies we use, the categorisation between strictly-necessary, functional, analytics, and marketing, and how to control them.

14. Children

The Services are not directed at children under 18. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will delete it as soon as practicable. If you believe a child has provided us with personal data, please contact privacy@score-corp.com.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Where the change is material we will give you reasonable notice by email (to the address on your account) or by an in-product banner before the change takes effect. The effective date at the top of this notice tells you when the current version came into force. A version history is maintained at docs/legal/privacy-policy-changelog.md.

16. Contact

For any privacy question, data subject rights request, or complaint, email privacy@score-corp.com.

If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority in your country of residence. In the United Kingdom this is the Information Commissioner's Office at ico.org.uk.