Tenzing logoTenzing

    Privacy Policy

    How we protect and handle your information

    Effective Date: 28 March 2026

    Tenzing IT Ltd (Company No. 16276709), with registered office at 4th Floor Office, 205 Regent Street, London, England, W1B 4NB, is committed to protecting your privacy and being transparent about how we use your data. This Privacy Policy explains what information we collect through our website (including the Secure AI Assessment), how we use and safeguard it, and your rights.

    Data Protection Contact: We have not appointed a statutory Data Protection Officer (as we are not required to under UK GDPR). However, for any questions or concerns about your data, you can contact our founder Eoin Fahy, who oversees privacy matters, at info@tenzing.it.com or by writing to our registered office.

    Key Points

    Data We Collect

    • Assessment responses: Your answers to our Secure AI Assessment (multiple-choice survey). If you do not submit your contact details, responses are stored anonymously (not linked to your identity).
    • Contact details: If you choose to request your full results or a consultation, we collect personal information (e.g. name, email, company) via a form.
    • Usage data: We use cookies and similar technologies to collect information about how you use our site (e.g. pages visited, time spent, clicks). Non-essential cookies (like analytics) are only set with your consent. Essential technologies (like certain cookies or localStorage for remembering your progress) are used to provide the service you requested and do not require consent under applicable law.

    How We Use Data

    • To provide the service: We calculate your AI security score and generate a personalised results report from your survey responses. If you submit your details, we use them to send you the full report and schedule your free consultation (if requested).
    • To improve our services: We analyse survey responses in aggregate (without personal identifiers) to calculate average scores and identify trends, helping us refine our assessment and marketing (e.g., "the average score is 36/100").
    • To communicate with you: We will contact you with your results and consultation details. We will not send you marketing emails unless you have explicitly opted-in.

    Lawful Basis

    • Contract/Service: Processing your assessment responses and contact details to provide results and a consultation is based on performing a service you requested (treated as contract or pre-contractual step under UK GDPR Article 6(1)(b)).
    • Legitimate Interests: Analysing anonymised survey data to improve our services and understand industry trends is in our legitimate interests (Article 6(1)(f)), which we have balanced against your rights and freedoms. Also, if you reach out to us or become a client, we may process communications or basic details to run our business and respond to you (another legitimate interest).
    • Consent: We rely on your consent for any optional uses of data, for example, setting analytics cookies and sending marketing communications. Where we use consent, you have the right to withdraw it at any time.

    Data Storage & Security

    • Survey data (assessment responses and scores) are stored in a secure database hosted by Supabase (a cloud service).
    • Contact form submissions are sent to and stored in HubSpot, our Customer Relationship Management (CRM) platform, which we use to email your results and manage consultation appointments.
    • Analytics data (if you consent) is processed by Google Analytics. We protect your data with appropriate security measures and restrict access to authorised personnel. We do not sell your personal information.

    Retention

    • Anonymous survey responses (with no identifying info) may be kept indefinitely for statistical analysis and service improvement.
    • If you provide contact details, we retain your personal data as long as necessary to fulfil the purposes for which you provided it. For example, we will keep your details to send your results and conduct your consultation. After delivering these, we generally retain contact data for up to 12 months in case of follow-up needs, unless you become a client or we have another lawful reason to keep it longer. We regularly review the data we hold and delete or anonymise data that is no longer needed.
    • Email communications you send us may be retained for our records for a similar period, unless a longer retention is required (e.g., for legal reasons).

    International Transfers

    Our service providers may process data outside the UK. In particular, HubSpot and Google Analytics may store data in the United States or other countries. Whenever we transfer data outside the UK, we rely on appropriate safeguards (such as Standard Contractual Clauses) to ensure your data remains protected in line with UK data protection standards.

    Your Rights

    You have the following rights regarding your personal data:

    • Access: You can request a copy of the personal data we hold about you.
    • Correction: You can ask us to correct inaccuracies in your personal data.
    • Deletion: You can request that we delete your data if it is no longer needed, or if processing is unlawful.
    • Objection & Restriction: You can object to processing based on legitimate interests, and request we stop or pause certain processing. For example, you can opt out of any direct marketing at any time.
    • Data Portability: For data you provided to us and that we process by automated means on the basis of consent or contract, you can request a copy in a portable format.
    • Withdraw Consent: If we rely on consent (e.g., for marketing or analytics cookies), you can withdraw that consent any time. This will not affect the lawfulness of any use of your data prior to withdrawal.
    • Complaints: If you believe we have infringed your data rights, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). We encourage you to contact us first so we can address your concerns.

    To exercise your rights or for any privacy-related questions, please contact Eoin Fahy at info@tenzing.it.com or write to Privacy Team, Tenzing IT Ltd, 4th Floor Office, 205 Regent Street, London, England, W1B 4NB. We will respond to requests in accordance with applicable law (usually within one month).

    Detailed Information

    1. Data We Collect

    We collect personal data in the following ways:

    Secure AI Assessment Responses

    When you answer questions in our online Secure AI Assessment, we record your answers and use them to compute your AI security score and generate a report. By default, these responses are not linked to you as an individual unless you choose to provide your personal details at the end. If you stop before finishing or decide not to submit the optional form, we may still save your partial or complete responses in an anonymous form (identified by a random session ID, not by name or email) for our internal analysis. We do not seek or intentionally collect sensitive personal data in the assessment, and we ask that you not include any sensitive information in your responses.

    Contact and Identity Information

    On the results page of the assessment, you may be asked to provide personal details such as your name, work email address, and company name. Providing this information is entirely voluntary. If you submit these details, we link them to your assessment responses so that we can deliver your detailed results and follow up with you. We will also record the fact that you submitted this information, along with a timestamp, in our database. If you use other contact forms or sign-up forms on our site, we will collect any similar contact information you provide through those forms (with relevant notices at the point of collection).

    Usage Data (Cookies and Similar Technologies)

    When you browse our website or take the assessment, we use tools to collect data about your device and how you interact with our site. This includes:

    • Technical data: such as your IP address (we configure Google Analytics to anonymise IP addresses for UK/EU users), browser type, device type, and operating system.
    • Browsing data: pages or screens you view, how you navigate, time spent on pages, and links clicked.

    We gather this information through cookies and similar technologies (including browser local storage). Some of these are essential to the functionality of our site. For example, we use localStorage to remember your progress and which version of the results page you should see, so we can provide a seamless survey experience. These essential technologies do not store any personally identifying information and are used solely to deliver the services you request (and thus are likely exempt from consent requirements under cookie laws). We also use analytics cookies (e.g., Google Analytics) to help us understand and improve how our site is used; these are non-essential and are only set with your consent via our cookie banner.

    2. How We Use Your Data

    We use personal data collected through our website and assessment for the following purposes:

    • Providing and Personalising Services: If you take the Secure AI Assessment, we will use your answers to calculate your Secure AI Maturity Score and generate a personalised results report for you. If you request a free consultation or full results by submitting the contact form, we will use the information you provide (and your assessment results) to email you the detailed report and to schedule or conduct the consultation. Essentially, we use your data to deliver the services and information you have asked us for.
    • Service Improvement and Analytics: We review and analyse assessment responses on an aggregated or anonymised basis to improve our assessment tool and our services. For example, we might determine overall trends such as the average industry score or common areas of strength and weakness across all participants. These insights are used in our marketing (e.g. sharing that "the average Secure AI readiness score is 36/100 among companies who took the assessment") and to refine the assessment questions or focus areas. Importantly, when used for these purposes, the data is not linked to individual identities. We also use website analytics (from GA4) to understand user behaviour like how many visitors start the survey vs. complete it, which helps us identify potential improvements.
    • Communications and Customer Support: If you contact us with questions, support requests, or feedback (via email or contact forms), we will use your contact information and any details you provide to respond to you and resolve any issues. If you have submitted your details for a consultation or to receive your results, we may send you service-related communications, such as appointment confirmations or follow-up tips related to your assessment results. These communications are considered part of the service and are not promotional in nature.
    • Marketing (Only with Consent): We will not add you to any mailing list or send you marketing emails unless you have explicitly consented to this. For instance, if our form includes an optional checkbox to receive our newsletter or updates and you tick it, then we will use your email to send you those communications. You can unsubscribe at any time. If you are an existing client or we have another lawful basis (e.g., a soft opt-in under PECR for existing customers), we will still respect your preferences and include an easy opt-out in every message.

    3. Lawful Basis for Data Processing

    We always ensure we have a valid legal basis under UK GDPR for each use of personal data:

    • Providing the Assessment Results/Consultation (Contract): When you participate in the Secure AI Assessment and request your results or a consultation, we consider that you are entering into a contractual relationship with us for those services. We process your survey responses and personal details to fulfil our obligations in that contract or pre-contract (UK GDPR Article 6(1)(b)). If you do not provide the necessary personal details, we simply deliver what we can (e.g. on-screen results without emailing you) and do not create any named contact record unless you supply that information.
    • Service Improvement & Analytics (Legitimate Interests): We process data to improve our products and services under legitimate interests (UK GDPR Article 6(1)(f)). This includes analysing de-identified survey results to produce aggregate statistics, and using website analytics to enhance user experience. We have considered the potential impact on your privacy and determined that our use of anonymised or low-impact data in this way does not override your rights (especially since personal identification is removed or minimised). You have the right to object to processing based on our legitimate interests, and we will honour such requests unless we have a compelling reason not to.
    • Consent (Analytics & Marketing): For any processing that is not strictly necessary for delivering our services, we will ask for your consent. This applies to analytics cookies (we will only analyse your website activity if you opt into analytics cookies) and to direct marketing emails (we will only send newsletters or promotional emails if you have opted in). You can withdraw your consent at any time.

    4. Cookies and Local Storage

    Cookies are small text files placed on your device, and local storage is a browser feature used to store data locally. We use both for the following purposes:

    Essential Functions

    Some cookies or local storage entries are used to make our site work correctly. For example, when you take the Secure AI Assessment, we use a local storage item to remember which variant of the results page you should see (for A/B testing) and to keep track of your progress in the quiz. These are analogous to "strictly necessary" cookies. They ensure the service functions as expected (for instance, so you do not lose your progress if you navigate between pages). We use these necessary cookies/local storage based on the "communication or service requested" exemption under PECR (Privacy and Electronic Communications Regulations), which means we do not require prior consent for them. They do not gather information for marketing, but only to provide the core service you are using.

    Analytics Cookies

    We use Google Analytics (GA4) to collect information about how visitors use our site (e.g., which pages are popular, how users navigate the survey). Google Analytics sets cookies to recognise your browser and record user interactions. We have configured these analytics to operate in compliance with data protection guidelines: for example, IP anonymisation is enabled so that Google does not store your full IP address. Because these cookies are not strictly necessary, we rely on your consent to deploy them. When you first visit our site, you can choose to accept or reject analytics cookies via the cookie banner. We do not deploy analytics cookies unless you have opted in. You can also manage cookie preferences through your browser settings or our cookie settings at any time.

    5. How We Store and Protect Your Data

    We use third-party cloud services to store and process data, and we select providers that apply strong security measures:

    • Supabase (Database): Our Secure AI Assessment responses and scores are stored in a Supabase database (built on a PostgreSQL cloud database). Supabase is hosted on servers in secure data centres. We have implemented access controls so that only authorised team members can access the data. We also use security features like encryption in transit (HTTPS) for data transfer.
    • HubSpot (CRM): When you submit a form for your results or a consultation, your personal details and assessment results are sent to HubSpot, our customer relationship management platform. HubSpot stores and organises this information to help us follow up with you. HubSpot's servers may be located in the United States. We have a contract with HubSpot that includes Standard Contractual Clauses to protect any personal data transferred outside the UK, ensuring an adequate level of protection for your information.
    • Email and Communications: If you contact us via email or other means, your communications will be stored by our email service provider. We take steps to secure our email accounts and require authentication for access.
    • Security Measures: We maintain appropriate technical and organisational measures to protect your data against unauthorised access, loss, or disclosure. For example, we use encryption for data in transit, regularly update our software, and limit access to personal data on a need-to-know basis. While we strive to protect your information, no website or Internet transmission is completely secure. We therefore cannot guarantee absolute security, but we commit to reacting promptly to any breaches and notifying affected individuals and regulators as required by law.

    6. Data Retention

    We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or to comply with legal or reporting requirements:

    • Survey Data: If you do not submit contact details, your assessment responses are stored in our database without any personal identifiers. We may retain this anonymised data indefinitely since it is useful for long-term trend analysis and does not identify you. If at any time you want us to delete even this anonymous response data, you can contact us and we will delete it (note that we will not be able to find your specific answers unless you provide the date and approximate time you took the assessment, since the data is not stored under your name or email).
    • Contact and Consultation Data: If you submit your personal details for results or a consultation, we typically retain that information (and your associated assessment results) for up to 12 months. This allows us to follow up with you, evaluate the effectiveness of our assessment, and keep a record of our interactions. If you become a client of our services, we will retain your information as part of our business records for the duration of our relationship and as long as necessary thereafter (for instance, for contracts and finance, typically six years for UK tax record-keeping). If you do not become a client or engage in further services, we will periodically review and delete personal data that is no longer needed for the purposes explained to you.
    • Analytics Data: Information collected via cookies/analytics is retained in Google Analytics for the default retention period. This data is mainly aggregated, but may include pseudonymous identifiers. We do not combine this with any identifiable information about you.

    We anonymise or delete personal data when it is no longer needed. For example, if you unsubscribe from marketing or if the retention period has lapsed and we have no other legal basis to keep your data, it will be removed from our active systems. We may retain minimal information to record your preferences or consents (for example, to make sure we do not email you after you have opted out).

    7. International Data Transfers

    Your data may be transferred outside the UK:

    • HubSpot (USA): Our CRM provider, HubSpot, is based in the United States. This means your contact details and any associated assessment results may be stored on servers in the USA. HubSpot is part of the EU-U.S. and Swiss-U.S. Data Privacy Framework and offers Standard Contractual Clauses to ensure lawful data transfers post-Brexit.
    • Google Analytics (Worldwide): Google may process analytics data on servers globally (including the USA). We have enabled measures like IP anonymisation and entered into data protection terms with Google. Google also relies on Standard Contractual Clauses for international data transfers.
    • Supabase: Depending on the server location for our Supabase database, your assessment data could be stored outside the UK. Supabase provides commitments to comply with GDPR and offers the ability to host data in EU data centres. We have chosen a server location that best aligns with our user base.

    Whenever we transfer your data internationally, we ensure that appropriate safeguards are in place. These may include Standard Contractual Clauses, which are legal contracts approved by the UK and EU to protect personal data transferred abroad. We also consider any supplementary measures recommended by regulators to ensure your data remains secure and protected according to UK GDPR standards.

    8. Your Data Protection Rights

    You have rights under data protection law regarding the personal data we hold about you. These include:

    • Right to be Informed: You have the right to be given clear, transparent information about how we use your personal data. That is the purpose of this Privacy Policy.
    • Right of Access: You can request access to the personal data we hold about you, commonly known as a "Subject Access Request." This allows you to receive a copy of the data and certain supplementary information.
    • Right to Rectification: If any personal data we have is incorrect or incomplete, you have the right to have it corrected.
    • Right to Erasure: You can ask us to delete or remove your personal data in certain circumstances, for example, if it is no longer necessary for us to hold it, or if you withdraw consent and we have no other lawful basis for processing.
    • Right to Restrict Processing: You can request that we restrict (pause) the processing of your personal data in specific situations (e.g., while we address a complaint that the data may be inaccurate or being processed unlawfully).
    • Right to Data Portability: You have the right to obtain certain personal data from us in a structured, commonly used, machine-readable format, and to request that we transfer it to another data controller where applicable. This right applies to personal data you have provided to us which we process by automated means based on your consent or on a contract.
    • Right to Object: You can object to any processing based on legitimate interests. If you file an objection, we will stop processing your data for that purpose unless we have a strong overriding reason to continue (in accordance with the law). You can also object at any time to direct marketing, and we will immediately stop sending you marketing communications.
    • Right to Withdraw Consent: If we rely on consent to process your data, you have the right to withdraw that consent at any time. For example, you can opt out of analytics cookies or unsubscribe from our marketing emails. Once you withdraw consent, we will stop the specific processing that was based on consent.
    • Right to Lodge a Complaint: If you are concerned about our data practices, you have the right to complain to the Information Commissioner's Office (ICO), which is the UK's supervisory authority for data protection issues. We encourage you to contact us first with any complaints, so we can address your concerns directly if possible.

    To exercise any of these rights, please contact us at info@tenzing.it.com or write to Privacy Team, Tenzing IT Ltd, 4th Floor Office, 205 Regent Street, London, England, W1B 4NB. We will respond to your request as soon as we can, and at most within one month (this period may be extended by a further two months for complex requests; we will inform you if an extension is needed). We may need to verify your identity for security purposes before proceeding with certain requests.

    Additional Information

    Third-Party Links

    Our website may contain links to other websites (for example, a link to our LinkedIn page or external resources). Please note that these websites have their own privacy policies, and we do not accept responsibility or liability for their content or practices. We encourage you to read the privacy notices of any external sites you visit.

    Children's Data

    Our website and services are not directed to children, and we do not knowingly collect personal data from anyone under the age of 18. If you are a parent or guardian and believe we have collected your child's information improperly, please contact us so we can delete it.

    Changes to This Privacy Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make material changes, we will notify you by updating the effective date at the top of this policy and, if appropriate, by additional means (such as a notice on our website or an email notification). We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.