Skip to content
Digital Index
Start free

Privacy Policy

We comply with UK GDPR and the Data Protection Act 2018. This notice explains what personal data we collect, how we use it, and your rights. If anything is unclear, email privacy@digitalindex.co.uk.

Who we are (Controller)

Digital Index (“we”, “us”) is the data controller for the service provided at this website. Contact: privacy@digitalindex.co.uk.

What data we collect

  • Account & Sign-in: email address (magic-link). If you choose Google SSO, Google shares your name and email with us.
  • Organisation Profile (optional): name, sector, size band, logo.
  • Survey Responses: your answers, per-category scores (0–5), overall score, report summaries.
  • Billing: subscription status, Stripe customer ID and invoices. We never store full card details.
  • Files: generated reports and export files.
  • Usage & Analytics (only with consent): pages viewed and events (e.g. “survey_completed”).
  • Technical: IP address and user-agent in server logs for security and troubleshooting.

Why we use your data (lawful bases)

  • To provide the service (create orgs, run surveys, generate reports) - Contract.
  • Authentication & security (magic links, audit logs, fraud prevention) - Legitimate interests and Legal obligation.
  • Billing (subscriptions, invoices, dunning) - Contract and Legal obligation.
  • Product analytics (improve usability and reliability) - Consent (off by default).
  • Service emails (welcome, monthly round-up, reminders) - Legitimate interests or Contract. You can opt out of non-essential emails.
  • Marketing (if enabled) - Consent.

Cookies & analytics

We set strictly necessary cookies only. We load analytics (e.g. PostHog) only if you consent. You can change your choice at any time: .

  • Necessary: required for security and core functionality.
  • Analytics (optional): helps us understand usage (no personal profiles; IP handled by our provider).
  • Marketing (optional): off by default; only used if you explicitly enable it.

If your browser’s “Do Not Track” is enabled, we treat that as a rejection of non-essential cookies.

Who we share data with (processors)

We use trusted providers under written contracts and data-processing agreements:

  • Hosting (e.g. Vultr or equivalent) - serves our application.
  • Database (MongoDB Atlas) - stores app data securely.
  • Object storage (Cloudflare R2 or AWS S3) - stores generated exports.
  • Payments (Stripe) - processes subscriptions and invoices.
  • Email (Resend/SendGrid) - sends transactional messages.
  • Product analytics (PostHog) - loaded only with consent.
  • Authentication (NextAuth + optional Google SSO) - identity and sign-in.

We do not sell personal data. We may disclose data if required by law or to protect our rights and users’ safety.

International transfers

Some providers may process data outside the UK/EEA (e.g. in the US). Where that happens, we rely on lawful safeguards such as the UK Addendum to the EU Standard Contractual Clauses or an adequacy decision, and apply technical and organisational measures.

How long we keep data

  • App data (accounts, orgs, surveys, reports): retained for 24 months by default, unless you delete earlier.
  • Billing records: kept as required for tax/accounting (typically up to 6 years).
  • Email logs: kept for a short diagnostic period by our email provider.

You can request deletion at any time (see “Your rights” below). Deletion may be delayed where we are required to keep certain records.

Security

  • HTTPS everywhere; passwordless authentication (magic link) and optional SSO.
  • Row-level access controls and audit logs for sensitive actions.
  • Encryption in transit and at rest where supported by our providers.
  • Least-privilege access and regular dependency updates.

Your rights

Under UK GDPR you can:

  • Access a copy of your data.
  • Correct inaccurate data.
  • Delete your data (where applicable).
  • Restrict or object to processing (including where we rely on legitimate interests).
  • Data portability (for data you provided to us).
  • Withdraw consent at any time (this won’t affect prior lawful processing).

To exercise these rights, email privacy@digitalindex.co.uk. We may ask you to verify your identity.

You can also complain to the UK Information Commissioner’s Office at ico.org.uk.

Children

Our service is not intended for children under 16 and we do not knowingly collect their data.

Automated decision-making

We do not carry out automated decision-making that produces legal or similarly significant effects.

Changes to this notice

We may update this policy to reflect changes to our service or the law. We’ll post the new version here and update the date below.

Last updated: 3 September 2025

Contact

Email privacy@digitalindex.co.uk.