1. Data Controller
The data controller for information processed through Studio:Blueprint is Howard Scott, trading as Studio:Blueprint, contactable via [email protected]. This policy applies to all data collected through the Tool, the interactive web report, the dashboard, and the paid upgrade service.
2. What Data We Collect
| Data Type | When Collected | Purpose |
|---|---|---|
| Questionnaire answers (including, depending on the assessment: consultancy structure, AI operations practices, CRM maturity indicators, or marketing technology stack information such as tool inventory, integration maturity, utilisation levels, data quality practices, content operations, automation maturity, governance, and strategic alignment) | When you complete an assessment | Generating your personalised report |
| Optional financial context (annual revenue, annual spend relevant to the assessment) | When you optionally provide it during an assessment | Financial impact modelling in your report |
| Email address | When you request a PDF or access your report | Delivering PDFs, authenticating dashboard access, sending magic links |
| Blueprint ID | Automatically generated | Identifying your specific report |
| IP address | When you submit an assessment | Stored as part of the lead record for fraud prevention |
| Name | When you purchase via Stripe (paid tier only) | Included in paid report and confirmation email |
| Stripe transaction identifiers | When you purchase via Stripe (paid tier only) | Payment verification and record-keeping |
| Stack Interview conversation transcript | When you complete a Stack Interview session | Generating your stack map, findings, and report; improving the service in anonymised form |
| AI conversation logs (Ask Blueprint, Explain Alert, and similar Cockpit AI features) | When you use AI-assisted features in the Cockpit | Service improvement and product development; stored for 12 months |
| Cockpit firm schema data (revenue target, day rate, overhead, billing model, client records, pipeline entries, engagement data, flight plan items, decision ledger entries) | When you set up and use the Cockpit (Studio:Blueprint Operate) | Calculating your Health Index, Burnout Risk, Pipeline, and Runway metrics; powering the Cockpit operating dashboard |
| Cockpit operating metrics (Health Index, Burnout Risk, Pipeline value, Runway in weeks, and derived scores) | Recalculated automatically each time your Cockpit data changes | Displaying your firm's operating health in the Cockpit dashboard |
| Agent context API key | When you connect an external AI agent (such as OpenClaw) to your Cockpit account | Authenticating agent read access to your Cockpit intelligence data; stored securely in Vercel KV |
| Email nurture sequence enrollment and send history | Automatically when you complete a free diagnostic, purchase a paid report, or activate a Cockpit trial | Sending product-related follow-up emails as part of the service; tracking send history to prevent duplicate sends; processing unsubscribe requests |
| Unsubscribe preference | When you click unsubscribe in any product email | Suppressing future automated product emails; stored indefinitely to honour your preference |
| Anonymised aggregate diagnostic records | When any paid diagnostic assessment is completed | Benchmarking and service improvement; contains no personal identifiers |
| White-label configuration data (firm slug, brand colour, logo URL, contact details) | When you configure white-label settings in the Cockpit | Branding client-facing diagnostics and PDFs with your firm identity |
| Forge diagnostic definitions (questions, dimensions, scoring bands, maturity descriptions) | When you build a diagnostic using The Forge | Generating and serving your custom diagnostic to clients |
| Forge client run data (client answers, scores, dimension scores, completedAt timestamp) | When your client completes a Forge diagnostic | Generating diagnostic results, populating the client portal, calculating score delta, triggering pipeline and alert events |
| Client email index (client email addresses linked to your firm) | When a client completes a Forge diagnostic | Authenticating client portal access via magic link |
| Client portal session tokens | When a client requests portal access via magic link | Authenticating the client's portal session; stored with 30-day TTL then deleted |
| Consultant-written client recommendations | When you add recommendations in the Cockpit | Displaying recommendations to the client in the portal |
| Proposal records (title, fee, scope, status, expiry, PDF reference) | When you create a proposal in the Proposal Builder | Generating and tracking consulting proposals; updating pipeline stage on status change |
| Engagement records (deliverables, time logs, scope changes, health index, diagnostic baseline) | When you create and manage an engagement in the Cockpit | Tracking active engagement health, margin, and diagnostic progress |
3. Legal Basis for Processing
We process your data on the following legal bases under UK GDPR:
- Consent (Article 6(1)(a)): When you submit your email address to receive a PDF or access your report, you explicitly consent to processing for that purpose.
- Legitimate interest (Article 6(1)(f)): Processing questionnaire answers to generate the report in your browser, where you have a reasonable expectation of this processing. Storing lead records for consulting lead qualification where you have engaged with a professional diagnostic tool.
- Contract (Article 6(1)(b)): Processing payment data to fulfil the paid report purchase.
4. How We Use Your Data
Assessment generation (browser-based)
Your questionnaire answers are processed entirely in your browser. No answers are transmitted to our servers until you request a PDF or complete the assessment. The results you see on screen are generated locally on your device.
Free tier (server-based)
When you request a free PDF, your answers, email address, and IP address are transmitted to our Vercel serverless function. A summary PDF is generated and emailed via Resend. A lead record is stored in Vercel KV containing your email, answers, computed analysis, Blueprint ID, and IP address. This record is retained for up to 1 year.
Paid tier (server-based)
When you purchase the full report via Stripe, your name (from Stripe), email, answers, both PDF documents (summary and full), computed analysis, Blueprint ID, IP address, and Stripe transaction identifiers are stored in Vercel KV. This comprehensive record is retained for up to 2 years.
Stack Interview
When you complete a Stack Interview, the full conversation transcript, confirmed tool inventory, utilisation estimates, connection map, and any cost information you choose to share are stored in Vercel KV for 12 months. This data is used to generate your stack map and findings report. It may also be used in anonymised, non-identifiable form to improve the service and develop benchmarking features.
Cockpit AI features
When you use AI-assisted features within the Cockpit (including Ask Blueprint, Explain Alert, and similar), the content of those conversations is stored in Vercel KV for 12 months. This data is used for service improvement and product development. It is not shared with third parties beyond the AI sub-processors listed in Section 5.
Cockpit subscription (Studio:Blueprint Operate)
When you activate a Cockpit trial or subscribe to Studio:Blueprint Operate, your firm schema data is stored in Vercel KV under your user ID. This includes the data you enter during setup (revenue target, day rate, overhead, billing model) and the data you add over time (client records, pipeline entries, engagement data, flight plan items, and decision ledger entries). Six deterministic scoring engines recalculate your Health Index, Burnout Risk, Pipeline, Runway, and related metrics each time your data changes. This data is retained while your subscription is active and for 90 days after it lapses or your trial expires, after which it is deleted. You can request earlier deletion by contacting us.
The Forge and client diagnostics
When you build a diagnostic using The Forge, Studio:Blueprint stores the diagnostic definition (questions, dimensions, scoring configuration) in Vercel KV under your user ID. When your client completes the diagnostic via your white-label URL, their answers and computed scores are stored in Vercel KV under a run record linked to your user ID and the diagnostic ID. This data is used to generate the client's results, populate their client portal, calculate score delta on repeat completions, and trigger pipeline and alert events in your Cockpit. Your client's data is processed on your behalf. You are responsible for obtaining any consent required from your clients before sending them a diagnostic link.
Client portal
When you invite a client to their portal, a magic link token is generated and stored in Vercel KV with a 30-day TTL. The client's email address is added to a client email index linked to your firm. Portal session tokens expire automatically after 30 days. Client portal data (scores, recommendations, progress) is derived from existing Forge run records and recommendation records already stored under your account.
Proposals and engagements
Proposal records created in the Proposal Builder are stored in Vercel KV under your user ID. They contain the proposal title, fee, scope, status, expiry date, and a reference to the generated PDF. Engagement records created from accepted proposals are stored in Vercel KV under your user ID. They contain deliverables, time logs, scope changes, health index calculations, and diagnostic baseline data. These records are retained while your subscription is active and for 90 days after it lapses, then deleted.
Agent context API
If you connect an external AI agent to your Cockpit account, an API key is generated and stored in Vercel KV. This key grants read-only access to a structured intelligence summary of your Cockpit data. It does not grant write access to your firm data. You can revoke this key at any time from within the Cockpit, which immediately invalidates agent access. The key and its associated access log are deleted when revoked or when your subscription ends.
Automated product emails
When you complete a free diagnostic, purchase a paid report, or activate a Cockpit trial, you are automatically enrolled in a short sequence of product-related follow-up emails. These emails are triggered by your actions within the product and are related to your use of the service — they are not marketing emails. You can unsubscribe from these emails at any time by clicking the unsubscribe link in any email. Your unsubscribe preference is stored and honoured immediately.
Consulting lead use
We may use your email address and assessment results to contact you about product features or updates relevant to your diagnostic results. You can opt out of this at any time by contacting us or by using the unsubscribe link in any email. We will not share your data with third parties for their marketing purposes.
5. Data Sharing
We share data with the following third-party processors, solely for the purpose of operating the service:
- Vercel Inc. (hosting and storage): hosts the API, stores lead and assessment records in Vercel KV (powered by Upstash Redis). Subject to Vercel's privacy policy and Standard Contractual Clauses.
- Resend Inc. (email delivery): receives your email address and generated PDFs for delivery. Retains delivery logs for up to 30 days. Subject to Resend's privacy policy.
- Stripe Inc. (payment processing): processes payment card details for paid tier purchases. We do not receive or store card details. Subject to Stripe's privacy policy.
- Cloudflare Inc. (hosting): serves the frontend application. Processes standard HTTP request data in transit. Subject to Cloudflare's privacy policy.
- Google LLC (analytics): Google Tag Manager is used for basic site analytics. Subject to Google's privacy policy.
- consentmanager (consent management): manages cookie consent preferences. Subject to consentmanager's privacy policy.
- Sentry (Functional Software Inc.) (error monitoring): receives anonymised error reports when application errors occur. Does not process assessment answers or personal data. Subject to Sentry's privacy policy.
- OpenRouter (OpenRouter Inc.) (AI inference routing): routes AI inference requests to third-party model providers including Anthropic and Meta. Receives the minimum data necessary to generate a response. Standard Contractual Clauses in place.
- Upstash Inc. (USA): Redis-compatible data store used as the primary storage layer for Cockpit firm schema data, operating metrics, magic link tokens, API keys, and email nurture sequence state. Standard Contractual Clauses in place.
We do not sell, rent, or trade your personal data to any third party. We do not use your data for advertising purposes.
6. Data Retention
- Free tier records: Email, answers, computed analysis, Blueprint ID, and IP address stored in Vercel KV for up to 1 year from submission.
- Paid tier records: Comprehensive record including name, email, answers, both PDFs, analysis, Blueprint ID, IP address, and Stripe identifiers stored in Vercel KV for up to 2 years from purchase.
- Email delivery logs: Retained by Resend for up to 30 days.
- Payment records: Retained by Stripe in accordance with their data retention policy and financial regulations.
- Stack Interview session and transcript: 12 months from interview date.
- Cockpit AI conversation logs: 12 months.
- Cockpit firm schema and operating metrics: Retained while your subscription or trial is active, plus 90 days after lapse or expiry, then deleted.
- Agent context API key and access log: Retained until revoked by the user or until subscription ends, then deleted.
- Email nurture sequence enrollment records: Retained for 60 days from enrollment, then deleted. Unsubscribe preferences are retained indefinitely.
- Anonymised aggregate diagnostic records: Indefinite (no personal data).
7. Your Rights
Under UK GDPR, you have the right to:
- Access: Request a copy of any personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your data ("right to be forgotten").
- Restrict processing: Request that we limit how we use your data.
- Data portability: Receive your data in a structured, machine-readable format.
- Withdraw consent: Withdraw consent at any time where processing is based on consent.
- Object: Object to processing based on legitimate interest, including consulting lead use.
To exercise any of these rights, contact Howard Scott via [email protected]. We will respond within 30 days. A DSAR response will include all data held in our systems, including stored assessment records, computed analysis, and any associated PDFs.
8. Cookies and Tracking
The Tool uses Google Tag Manager for basic site analytics and consentmanager for cookie consent management. Session storage is used in the browser to maintain your authenticated session. No advertising cookies or tracking pixels are used. No behavioural profiling is performed.
9. International Transfers
Our hosting providers (Vercel, Cloudflare), email provider (Resend), payment processor (Stripe), and analytics provider (Google) may process data in the United States. These transfers are protected by Standard Contractual Clauses and the providers' compliance with applicable data protection frameworks.
10. Children
The Tool is not intended for use by anyone under 18 years of age. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be noted on this page with an updated date.
12. Complaints
If you are unsatisfied with our handling of your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Last updated: 1 April 2026