
Privacy Policy

B2B Identity Ltd — Last updated: June 2025 — Version 1.0
01

Who we are

B2B Identity Ltd is the data controller responsible for your personal data. We are a private limited company registered in England and Wales.

| Detail | Information |
|---|---|
| Company name | B2B Identity Ltd |
| Company number | 17068528 |
| Registered address | Darlington, North East England |
| Trading as | B2B Identity, IOD Thinker, FirstPickUp |
| Contact email | hello@b2bidentity.co.uk |
| Website | b2bidentity.co.uk |

We are registered with the Information Commissioner's Office (ICO) as a data controller. For questions about how we handle your personal data, contact us at hello@b2bidentity.co.uk.

02

What personal data we collect and why

2.1 — IOD Thinker diagnostic sessions

When you use the IOD Thinker tool at b2bidentity.co.uk/thinker/, we collect and process the following:

  • Session responses — the text you enter during the diagnostic conversation. These are stored in our secure database and transmitted to Anthropic's Claude API to generate your diagnostic output.
  • Session identifier — an auto-generated alphanumeric code that links your responses to your output. This is not linked to your name or email address unless you voluntarily provide them within your responses.
  • Payment status — whether a session has been paid for (boolean flag only). Full payment card details are never stored by us.
  • Session output — the diagnostic analysis generated from your responses, stored to enable document delivery.

2.2 — Payment information

Payments for the Formation Signal Document (£149) are processed exclusively by Stripe, Inc. B2B Identity Ltd does not receive, store, or process your card number, expiry date, CVV, or bank account details at any point. Stripe provides us with a transaction reference and payment status only. Stripe's privacy policy is available at stripe.com/gb/privacy.

2.3 — Technical and server data

Our hosting provider (Fasthosts Internet Ltd, UK) automatically collects standard server access log data, which may include your IP address, browser type, operating system, referring URL, and pages accessed. This data is used for server security, performance monitoring, and fault resolution.

2.4 — Analytics (consent-based)

With your consent, we use Google Tag Manager (GTM-T2V5F32G) to load analytics tools that help us understand how visitors use our website. Analytics cookies are only set after you accept them via our cookie consent banner. If you decline, no analytics data is collected about your visit. See our Cookie Policy for full details.

2.5 — Communications

If you contact us by email, we retain your name, email address, and the content of the correspondence for the purpose of responding to your enquiry and maintaining a record of communications.

03

Our lawful basis for processing

UK GDPR requires us to have a legal basis for processing personal data. We rely on the following:

| Processing activity | Lawful basis |
|---|---|
| Storing and analysing your session responses to generate your diagnostic output | Legitimate interests (Article 6(1)(f)) — necessary to deliver the service you requested; Contract performance (Article 6(1)(b)) for paid sessions |
| Processing your payment via Stripe | Contract performance (Article 6(1)(b)) |
| Server access logs | Legitimate interests (Article 6(1)(f)) — server security and performance |
| Analytics cookies and tracking | Consent (Article 6(1)(a)) |
| Email correspondence | Legitimate interests (Article 6(1)(f)) — responding to and recording business communications |

04

Third parties and data processors

We share personal data with the following third-party processors and sub-processors. We have data processing agreements in place with each of them where required.

Anthropic, Inc. (USA)

Your session responses are transmitted to Anthropic's Claude API to generate the diagnostic analysis. Anthropic processes this data as a data processor acting on our instructions. Data is transferred to the United States under Anthropic's standard contractual clauses and their API data processing agreement. Anthropic's API terms state that data submitted via the API is not used to train models by default. Anthropic's privacy policy: anthropic.com/privacy.

Stripe, Inc. (USA)

Payment processing is handled by Stripe. Stripe operates as an independent data controller for payment data and a data processor for transaction data on our behalf. Data is transferred under Stripe's EU/UK Standard Contractual Clauses. Stripe's privacy policy: stripe.com/gb/privacy.

Fasthosts Internet Ltd (UK)

Our website and database are hosted on servers operated by Fasthosts Internet Ltd, a UK company. All session data and database content is stored in the United Kingdom. No international transfer occurs for hosted data.

Google LLC (USA)

With your consent, Google Tag Manager and Google Analytics are used to collect anonymised site usage data. Data is transferred to the USA under Google's EU/UK Standard Contractual Clauses. Google's privacy policy: policies.google.com/privacy. If you decline analytics cookies, no data is sent to Google.

05

International data transfers

Some of our processors (Anthropic, Stripe, Google) are based in the United States. Transfers to these processors are made under UK-approved Standard Contractual Clauses or equivalent adequacy mechanisms, ensuring your data receives a level of protection consistent with UK GDPR. Where consent-based transfers occur (analytics), you may withdraw consent at any time via our cookie settings.

Session data stored in our database and server logs are held exclusively within the United Kingdom on Fasthosts servers.

06

How long we keep your data

| Data type | Retention period | Reason |
|---|---|---|
| Session responses and diagnostic output | 24 months from session date | To enable retrieval if technical issues occur; to support service improvement |
| Payment transaction records | 7 years | HMRC financial record-keeping obligations |
| Server access logs | 90 days | Security monitoring and fault diagnosis |
| Cookie consent records | 13 months | Demonstrating compliance with consent obligations |
| Email correspondence | 3 years from last contact | Record of communications and dispute resolution |

After the applicable retention period, personal data is securely deleted or anonymised so it can no longer be associated with you.

07

Your rights under UK GDPR

You have the following rights in relation to the personal data we hold about you. To exercise any of these rights, contact us at hello@b2bidentity.co.uk. We will respond within one calendar month.

  • Right of access — you may request a copy of the personal data we hold about you (a Subject Access Request).
  • Right to rectification — you may ask us to correct inaccurate personal data.
  • Right to erasure — you may ask us to delete your personal data where we have no compelling reason to continue processing it. Note that some data must be retained for legal or financial reasons.
  • Right to restrict processing — you may ask us to pause processing of your data in certain circumstances, for example while a dispute is resolved.
  • Right to data portability — where processing is based on consent or contract and carried out by automated means, you may request a machine-readable copy of your data.
  • Right to object — you may object to processing carried out on the basis of legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent — where processing is based on consent (e.g. analytics cookies), you may withdraw consent at any time by adjusting your cookie preferences. Withdrawal does not affect the lawfulness of processing before withdrawal.

Because the IOD Thinker uses an auto-generated session ID rather than your name or email, we may need you to provide your session ID to locate your data. This is displayed in the browser during and after your session. If you cannot locate it, contact us and we will assist.

08

Cookies

We use cookies on this website. For full details of the cookies we set, their purpose, duration, and how to manage them, please read our Cookie Policy.

09

Security

We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These measures include:

  • HTTPS encryption for all data in transit between your browser and our servers
  • SSL/TLS encryption on all outbound API calls
  • Database access restricted to server-side application code only
  • Payment processing handled entirely by Stripe — we never handle raw card data
  • Server-side session management with no sensitive data stored client-side

No method of transmission over the internet is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR.

10

Children

Our services are directed at business professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.

11

Changes to this policy

We may update this Privacy Policy from time to time. Where changes are material, we will update the version number and date at the top of this page. We encourage you to review this policy periodically. Continued use of our services after a change is posted constitutes acceptance of the updated policy.

12

Complaints and the ICO

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would, however, welcome the opportunity to resolve your concern directly before you contact the ICO. Please email us first at hello@b2bidentity.co.uk.
