Privacy Policy
Readiness Layer — readinesslayer.com
Operated by Bimbi Philips Limited
Last updated: 17 March 2026
Version: 1.0
This Privacy Policy explains how Bimbi Philips Limited collects, uses, stores, and protects your personal data when you use the Readiness Layer platform. It applies to readinesslayer.com and all associated partner subdomains.
This policy is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are the data controller for the personal data described in this policy.
1. Who we are
Data Controller:
Bimbi Philips Limited
Company No. 08944957
63–66 Hatton Garden, Fifth Floor, Suite 23, London EC1N 8LE
contact@readinesslayer.com
If you have any questions about how we handle your personal data, contact us at the address above.
2. What personal data we collect
2.1 Account data
When you create an account, we collect:
- Full name
- Email address
- Actor type (Buyer, Seller, Broker, Professional)
- Password (stored as a one-way hash — never readable)
- Account creation date and time
2.2 Profile data
When you complete your profile or onboarding, we may collect:
- Business name (Sellers and Brokers)
- Business sector
- Location (region)
- Acquisition criteria (Buyers)
- Professional category (Professionals)
2.3 Assessment data
When you complete a self-assessment, we collect:
- Your answers to all scorecard questions
- Your Readiness Score and pillar breakdown
- The date and time of completion
- Any action plan notes generated
2.4 Evidence data
When you submit evidence for review, we collect:
- The documents you upload to your Evidence Vault
- Metadata associated with those documents (filename, upload date)
- Reviewer notes and decision records associated with your submission
- Resubmission history
2.5 Payment data
When you make a purchase, we collect:
- The product purchased
- The amount paid
- The date and time of payment
- A transaction reference from Stripe
We do not store your card number, CVV, or full payment card details. These are handled exclusively by Stripe.
2.6 Communication data
- Emails you send to us
- Support tickets you raise
- Your responses to any surveys or feedback requests
2.7 Technical data
When you use the Platform, we automatically collect:
- IP address
- Browser type and version
- Device type
- Pages visited and time spent
- Referring URL
- Authentication session tokens
2.8 Partner-sourced data
If you arrive at the Platform through a listing Partner (e.g. Daltons Business), the Partner may share with us:
- Your name and email address
- Your registration date on their platform
- Your listing reference or buyer profile reference
This data is used solely to pre-populate your profile and to trigger relevant communications. We will always tell you when data has been pre-filled from a partner source.
3. How we use your personal data
| Purpose | Lawful basis |
|---|---|
| Creating and managing your account | Contract performance |
| Delivering the self-assessment and scoring | Contract performance |
| Processing evidence submissions and conducting reviews | Contract performance |
| Processing payments | Contract performance |
| Sending transactional emails (receipts, review results, magic links) | Contract performance |
| Sending service update emails | Legitimate interests |
| Detecting fraud and preventing misuse | Legitimate interests |
| Improving the Platform and methodology | Legitimate interests |
| Complying with legal obligations (e.g. tax records) | Legal obligation |
| Sending marketing communications (with consent) | Consent |
4. Your evidence vault
Your Evidence Vault contains the documents you submit for review. This data is treated with the highest level of protection:
- Evidence files are stored in an isolated, encrypted data store
- Evidence files are not accessible to the listing platform Partner
- Evidence files are not shared with other users
- Evidence files are not shared with any third party without your explicit written consent
- Only authorised BRS review team members and operations staff can access your vault, solely for the purposes of conducting your review and resolving disputes
5. Who we share your personal data with
5.1 Service providers (data processors)
We use the following third-party processors to deliver the Platform. Each is bound by a Data Processing Agreement compliant with UK GDPR:
| Provider | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | UK / USA |
| Supabase | Database, authentication, file storage | EU / USA |
| Resend | Transactional email delivery | USA |
| Vercel | Platform hosting and infrastructure | USA |
For transfers to the USA, we rely on Standard Contractual Clauses (SCCs) / UK International Data Transfer Agreement (IDTA) as the lawful transfer mechanism where required.
5.2 Listing Partners
We share limited trust state data with the listing Partner through whose platform you arrived:
- Your trust state label (e.g. 'Self-Assessed', 'Evidence-Confirmed')
- Your overall Readiness Score band
- Your BRS ID
We do not share your personal contact details, your evidence files, your assessment answers, or your payment history with any listing Partner.
5.3 Legal obligations
We may disclose your personal data to law enforcement, regulators, or courts if required to do so by law or to protect the rights, property, or safety of Bimbi Philips Limited, our users, or others.
6. How long we keep your data
| Data type | Retention period |
|---|---|
| Account data | For the duration of your account plus 3 years |
| Assessment data | For the duration of your account plus 3 years |
| Evidence Vault documents | For the duration of your account plus 3 years |
| Payment records | 7 years (legal requirement) |
| Support and communication records | 3 years from last contact |
| Technical / session logs | 90 days |
When your account is closed, we will delete or anonymise your personal data within 60 days, except where we are required to retain it by law (e.g. payment records for tax purposes).
7. Your rights under UK GDPR
You have the following rights in relation to your personal data:
Right of access: You can request a copy of the personal data we hold about you.
Right to rectification: You can ask us to correct inaccurate personal data.
Right to erasure: You can ask us to delete your personal data in certain circumstances. Note that we may be required to retain some data for legal reasons.
Right to restriction: You can ask us to restrict processing of your data in certain circumstances.
Right to data portability: You can request your personal data in a structured, machine-readable format.
Right to object: You can object to processing based on legitimate interests or for direct marketing.
Rights related to automated decision-making: We do not make solely automated decisions that have legal or similarly significant effects on you. Our Readiness Score is generated by your own answers to the assessment. Our evidence review decisions are made by a human reviewer.
To exercise any of these rights, email contact@readinesslayer.com with the subject line 'Data Subject Request'. We will respond within one calendar month.
8. Cookies
We use cookies and similar technologies on the Platform. Please see our Cookie Policy at readinesslayer.com/legal/cookies for full details.
9. Marketing communications
We will only send you marketing communications (product updates, announcements, newsletter) if you have given explicit consent at registration or subsequently. You can withdraw consent at any time by clicking unsubscribe in any marketing email or by contacting us at contact@readinesslayer.com.
Transactional emails (magic links, receipts, review results, account notifications) do not require consent and cannot be unsubscribed from while your account is active.
10. Security
We take the following measures to protect your personal data:
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted using AES-256
- Your Evidence Vault is isolated from the main application database
- Access to personal data is restricted to authorised staff on a need-to-know basis
- We use multi-factor authentication for all admin access to production systems
- We monitor for unauthorised access and conduct regular security reviews
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify you without undue delay.
11. Children
The Platform is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has created an account on the Platform, please contact us at contact@readinesslayer.com and we will delete the account promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address at least 14 days before the changes take effect. The 'last updated' date at the top of this policy will always reflect the current version.
13. How to complain
If you are unhappy with how we have handled your personal data, please contact us first at contact@readinesslayer.com.
If you remain unsatisfied, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113