Privacy Policy
How RPNA Ltd handles personal data across therpna.co.uk and app.therpna.co.uk.
1. Who we are
This privacy policy applies to:
- The RPNA marketing site at therpna.co.uk
- The RPNA Responsible AI Maturity Index app at app.therpna.co.uk
Both are operated by:
RPNA Ltd
Unit 5 Brockley Road, Elsworth, Cambridge, CB23 4EY
Email: speaktous@therpna.co.uk
RPNA Ltd is registered as a Data Controller with the UK Information Commissioner's Office (ICO). Our registration number is ZB541978. We are the Data Controller for all personal data described below.
2. What personal data we collect
Marketing site (therpna.co.uk)
- First name and last name
- Email address
- Any further information you choose to share when you contact us, sign up to receive communications, or submit an enquiry form
Responsible AI Maturity Index app (app.therpna.co.uk)
When you complete the assessment, we collect:
- Your sector, sub-sector and organisation size (provided before the assessment begins)
- Your responses to the 12 self-assessment questions
- The category scores and overall maturity tier calculated from your responses
- A short technical session identifier so we can link your anonymous results view to your emailed report (if you request one)
When you request the full report by email, we additionally collect:
- Your name
- Your work email address
- Your organisation name
- Whether you consent to receive marketing communications from us
You always see what is collected before you submit it. Where information is mandatory, the form makes that clear. You can use the assessment without requesting the emailed report, in which case we keep only the anonymous response data described above.
3. Why we collect it and our lawful basis
We rely on the following lawful bases under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:
Legitimate interest. We use your name, email and organisation to send you the report you requested and, where relevant, to follow up on your enquiry. We use the assessment responses to deliver your individual report and to improve the Index over time using aggregated, anonymised data. You can object to processing on this basis at any time.
Consent. Where you tick the marketing opt-in box, we use your contact details to send you Future of Work content, event invitations and service updates. You can withdraw consent at any time by clicking unsubscribe in any email or by writing to speaktous@therpna.co.uk.
Contract performance. Where you engage RPNA Ltd to deliver services, we process your contact and engagement details to fulfil that contract.
Legal obligation. Where we are required to retain or share data to comply with UK law (for example, accounting and tax records).
If you are unsure which basis applies to you, contact us using the details in Section 9.
4. How we store, use and share your data
Where your data lives
Personal data submitted through the Maturity Index app is processed by:
- Netlify, Inc. hosts app.therpna.co.uk and stores form submissions via Netlify Forms.
- Resend, Inc. sends the verification email and the report email.
Both are bound by data processing agreements with RPNA Ltd and act only on our written instructions. No other third party receives your assessment data.
If you contact us by email at speaktous@therpna.co.uk, your message reaches us via Google Workspace (Google Ireland Limited).
Categories of recipient
Your personal data is shared only with:
- The processors named above, acting on our written instructions
- Professional advisers (legal, accounting) where strictly required
- UK or EEA authorities where we are legally required to do so
We do not sell, rent or trade your personal data with anyone for their own marketing.
International transfers
Netlify and Resend are based in the United States. Google Workspace operates from the EEA but is part of a US-headquartered group.
We rely on the following safeguards for transfers outside the UK and EEA:
- The UK-US Data Bridge (operational from October 2023) and the EU-US Data Privacy Framework, under which Netlify, Resend and Google provide adequate protection for personal data transferred from the UK and EEA to the United States.
- Standard Contractual Clauses with the UK International Data Transfer Addendum (IDTA) for any other transfers, where required.
Automated processing
Your overall maturity tier (Ad Hoc, Aware, Defined, Embedded or Optimised) is calculated automatically from the answers you give. The calculation is straightforward arithmetic and the tier is shown to you as a guide for your own use. No legal or significant decisions are made about you on the basis of this score.
5. How long we keep your data
| Data type | Retention |
|---|---|
| Enquiry and contact data (marketing site forms) | 24 months from last contact |
| Client engagement records | Duration of engagement plus 6 years (statutory) |
| Newsletter and marketing data | While you remain subscribed; deleted within 30 days of unsubscribe (we keep a minimal suppression record so we do not contact you again) |
| Maturity Index responses linked to email | 36 months from the date you completed the assessment |
| Maturity Index responses (anonymous) | Retained indefinitely in aggregate, anonymised form for service improvement and benchmarking. Once anonymised, the data is no longer personal data and rights of access, rectification and erasure no longer apply to it. |
After the relevant retention period, identifiable personal data is securely deleted or fully anonymised.
6. Cookies and similar technologies
Maturity Index app (app.therpna.co.uk)
The app uses only strictly necessary local browser storage to remember your progress through the assessment if you reload the page or briefly navigate away. It does not set any cookies and does not run any analytics, marketing or third-party tracking code.
Because all storage on the app is strictly necessary for the service you have asked us to provide, no cookie banner is required by UK PECR or the EU ePrivacy Directive. You can clear local storage at any time using your browser's site settings.
If we ever add analytics or marketing tools to the app, we will introduce a consent banner before doing so and update this policy.
Marketing site (therpna.co.uk)
The marketing site is informational. It is hosted on a third-party platform that may set strictly necessary cookies for site operation and security, which do not require your consent under UK PECR or the EU ePrivacy Directive. Where any non-essential cookies are present, they are set only if you accept them via the consent banner shown on first visit. You can change your choice at any time by clearing your browser cookies and revisiting the site.
We comply with the UK Privacy and Electronic Communications Regulations (PECR) and the EU ePrivacy Directive.
7. Your rights under UK GDPR
You have the following rights, subject to certain conditions and exemptions in UK and EU law:
- Access: request a copy of the personal data we hold about you
- Rectification: ask us to correct inaccurate or incomplete data
- Erasure: ask us to delete your personal data in certain circumstances
- Restriction: ask us to limit how we use your data
- Portability: request your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interests, or to direct marketing
- Withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of earlier processing
To exercise any right, email speaktous@therpna.co.uk. We will respond within one month. Requests are free of charge.
If you are based in the EEA, equivalent rights apply under EU GDPR and you may exercise them through the same contact.
8. How to make a complaint
If you have concerns about how we handle your personal data, please contact us first at speaktous@therpna.co.uk and we will work to resolve the matter.
You also have the right to lodge a complaint with a supervisory authority.
United Kingdom. Information Commissioner's Office (ICO).
Website: ico.org.uk · Telephone: 0303 123 1113 · Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
European Economic Area. You may complain to the supervisory authority in your country of residence, place of work, or where the alleged infringement took place.
9. Contact us
For any question about this policy or how we use your personal data:
Email: speaktous@therpna.co.uk
Post: RPNA Ltd, Unit 5 Brockley Road, Elsworth, Cambridge, CB23 4EY
10. Changes to this policy
We may update this policy from time to time to reflect changes in our practice or legal requirements. The date at the top of this page shows when it was last revised. Where changes are material, we will make reasonable efforts to notify you. We recommend checking this page periodically.