1. Who we are
Raise is operated by Jamie Taylor trading as Jigsaw Digital, a sole trader based in the United Kingdom. Where this policy uses “we”, “us” or “our”, that’s us.
The point of contact for any privacy question, data subject request, or complaint is Jamie Taylor at jamie@jigsaw.digital.
2. When we’re a controller, when we’re a processor
Raise is sold to organisations (our customers). The organisation you work for is normally the controller for data the organisation uploads or generates about its staff — performance scores, evidence notes, departmental structure and so on. We act as a processor for that data, handling it on the organisation’s documented instructions.
We’re a controller in our own right for a smaller set of data: your account credentials (email, name, hashed password), how you use the product (operational logs, error reports), and any direct correspondence with us.
If you want to exercise rights over data your organisation has uploaded about you, the organisation is the right starting point. We’ll always help route requests if you’re not sure who to ask.
3. What data we collect
Account data (we are controller)
- Your name and work email address.
- A hashed copy of your password (we never see or store the plaintext).
- Authentication metadata returned by Google or Microsoft if you sign in via SSO — typically your email and display name.
- Your role in your organisation (e.g. teacher, observer, curriculum lead) and the directorate or department you belong to.
Service data (your organisation is controller; we are processor)
- Organisational structure: directorates, departments, staff lists, role assignments.
- Performance scores against the categories your organisation uses.
- Evidence notes typed by observers, mentors and line managers.
- Development focuses and review timelines.
- AI-generated summaries derived from the above (see “Sub-processors”).
Operational data (we are controller)
- Error logs and crash reports from the product, captured by Vercel.
- Authentication and access logs captured by Supabase.
We do not collect or store any data about learners. The product is for use by teaching staff and their managers only.
4. How we collect it
- Directly from you — when you sign in, type evidence notes, or correspond with us.
- Via your organisation — when an administrator at your organisation provisions your account or uploads structural data.
- Via single sign-on — if you sign in with Google or Microsoft, we receive the basic profile fields they return (typically email and name).
- Generated by the service — AI-assisted suggestions and summaries are produced by the system from inputs above; logs are produced automatically by our infrastructure providers.
5. Why we process it
The lawful bases under UK GDPR that we rely on:
- Performance of a contract with your organisation, to deliver the service to you (Article 6(1)(b)).
- Legitimate interests for keeping the service secure, preventing abuse, debugging and product improvement (Article 6(1)(f)). We’ve balanced those interests against your privacy and consider them proportionate.
- Documented instructions from the controller when we act as a processor — that is, your organisation’s instructions, set out in our Data Processing Agreement (Article 28).
We do not process data for marketing or profiling. We do not sell data to anyone, ever.
6. Sub-processors
We use a small set of trusted suppliers to run the service:
- Supabase — database, authentication, file storage. Our project is hosted in the EU (UK) region.
- Anthropic — the Claude API generates the AI-assisted summaries and category suggestions. Inputs are not used to train Anthropic’s models. US-based.
- Vercel — hosts the web application and serves it from edge nodes.
- Google — only when you sign in with Google. They tell us your email and name; we don’t access anything else.
- Microsoft — only when your organisation has Microsoft single sign-on enabled and you use it.
We update this list whenever it changes. If you want notification of changes in advance, email us and we’ll add you to the list of contacts we notify.
7. International transfers
Our database is hosted in the UK. Anthropic and Vercel host their services in the United States. Where we transfer personal data to providers outside the UK, we rely on the UK International Data Transfer Agreement or the equivalent UK Addendum to the EU Standard Contractual Clauses, plus any supplementary measures appropriate to the provider.
You can request copies of the relevant transfer mechanisms by emailing jamie@jigsaw.digital.
8. How long we keep it
- Account data — while your account is active, plus 90 days after deletion as a buffer for accidental restoration. After that, anonymised or deleted.
- Service data — for the duration of your organisation’s contract with us. On termination, we delete or return data within 90 days unless legally required to keep it.
- Backups — covered by our Supabase backup schedule (typically 7–30 days of point-in-time recovery, depending on plan tier). Backups roll off automatically.
- Logs — up to 30 days for operational logs; up to 90 days for security-relevant authentication logs.
9. Your rights
Under UK GDPR, you have the right to:
- Ask for a copy of the personal data we hold about you (right of access).
- Ask us to correct inaccurate data (right to rectification).
- Ask us to delete data we no longer have a basis to hold (right to erasure).
- Restrict our processing of your data while a complaint is investigated.
- Receive a copy of data you provided to us in a portable format (right to portability).
- Object to processing we carry out under legitimate interests.
- Withdraw consent at any time, where we’re relying on consent.
To exercise any of these rights, email jamie@jigsaw.digital. We’ll respond within one calendar month. If your request is about service data, we may need to forward it to your organisation as the controller.
If you’re not satisfied with how we’ve handled a request, you can complain to the Information Commissioner’s Office at ico.org.uk or 0303 123 1113.
10. Security
- All connections to the service are encrypted in transit using TLS 1.2 or higher.
- Data at rest in Supabase is encrypted using AES-256.
- Row-level security policies in Postgres enforce that one organisation can never read another organisation’s data, regardless of bugs in our application code.
- Role-based access inside an organisation limits who can see what (a teacher sees only their own scorecard; a curriculum lead sees their department; and so on).
- Access to production infrastructure is limited and authenticated via SSO with multi-factor authentication.
No system is perfectly secure, and we don’t pretend otherwise. We aim for appropriate measures proportionate to the data we hold, and we keep them under review.
12. Children
The service is for teaching staff and their line managers. We do not knowingly process data about children. Learner data is explicitly out of scope and is not collected, uploaded or stored by the product.
13. Changes to this policy
We’ll update this page when something material changes. For changes that meaningfully affect your rights or how your data is handled, we’ll email account holders at least 30 days before the change takes effect. Minor wording or clarification changes may be made without notice.
14. Contact
For any privacy question, data subject request, or to report a concern: jamie@jigsaw.digital.
Postal address available on request. Complaints regulator: Information Commissioner’s Office.