1. Introduction
AllocBoard ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our staff allocation management platform. AllocBoard is operated by AllocBoard Ltd, based in the United Kingdom. We are the data controller for the personal data processed through our platform. We comply with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR) where applicable.
2. Information We Collect
Account Information
When you create an account, we collect your email address, full name, and optionally your profile picture. Account authentication is handled by our trusted partner, Clerk.
Staff Records
Administrators enter and manage staff member names, staff type (research or admin), allocation data (person-month values per project), and expense records including amounts, dates, and descriptions. Staff members recorded in the system do not have login credentials—their information is managed entirely by administrators.
Project Data
We store information about your projects including names, descriptions, start and end dates, work package details, budgets, allocation history, reporting periods, expense types (salary, travel, operating costs), and AI-generated outputs such as risk assessments.
Payment Information
Payment processing is handled entirely by Stripe. We store your subscription status and plan type, but we never store credit card numbers, bank details, or other sensitive payment information.
3. How We Use Your Information
- Provide and maintain our service
- Process your subscription and payments
- Send important service updates and notifications
- Respond to your enquiries and support requests
- Improve our platform and develop new features
- Ensure the security of our service
- Generate AI-assisted risk assessments using your project and allocation data
4. Legal Basis for Processing
- Contract: Processing necessary to provide our service to you
- Legitimate interests: Improving our service and ensuring security
- Legal obligation: Compliance with applicable laws
- Consent: Where you have given explicit consent
5. Data Sharing and Third Parties
We share your data with trusted service providers who help us operate our platform. We do not sell your personal data to third parties.
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Clerk | Authentication | Email, name, profile picture | United States |
| Stripe | Payment processing | Email, payment details | United States |
| Supabase | Database hosting | All application data | London, UK (eu-west-2) |
| Anthropic | AI-powered risk assessments | Pseudonymised project data, allocation data, budget figures | United States |
| Vercel | Website hosting | IP address, request metadata | Global (edge network) |
For organisations requiring a signed Data Processing Agreement, please see our DPA.
6. Automated Processing and AI Features
Our AI-powered features, including risk assessment, process your project, staff, and budget data through third-party AI providers (currently Anthropic). These features are important to understand:
- Staff names and emails are pseudonymised before any data is sent to AI providers — no personal identifiers leave your account.
- AI features are user-initiated — they only run when you explicitly request them, not through automatic profiling or monitoring.
- AI outputs are advisory only — they are not used for automated decision-making that produces legal effects or similarly significant effects on individuals.
- You can choose not to use AI features — the core allocation management functionality works independently of AI features.
- Data sent to AI providers is processed according to their data processing agreements and is not used to train their models.
7. Data Retention
We retain your account data for as long as your account is active. Upon account termination or staff removal, personal data is immediately anonymised. Anonymised records are retained for 30 days before hard deletion. Database backups are retained for up to 7 days for disaster recovery. Audit logs are retained for 1, 3, or 5 years depending on your plan tier. Payment and billing records are retained for 6 years after the end of the financial year in which the transaction took place, as required by HMRC.
8. Data Security
We implement robust technical and organisational measures to protect your personal data, including:
- AES-256-GCM field-level encryption for sensitive data (names, emails, salaries) with per-tenant encryption keys
- Row-Level Security (RLS) on all tenant data tables ensuring strict database-level isolation
- Blind indexes (HMAC-based) for searching encrypted data without decryption
- Immediate anonymisation of personal data upon removal
- All data hosted in the UK (London, eu-west-2) with TLS encryption in transit
- Secure authentication via Clerk with session management

For full details, see our Security page at /security.
9. Your Rights
Under UK and EU GDPR, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data
- Restriction: Restrict processing of your personal data
- Portability: Receive your data in a portable format
- Objection: Object to processing based on legitimate interests
To exercise any of these rights, please contact us at [email protected].
10. Cookies
We use a minimal number of essential cookies for authentication and payment processing. We do not use marketing or advertising cookies. For full details, see our Cookie Policy at /cookies.
11. International Data Transfers
Some of our sub-processors — specifically Clerk (authentication), Stripe (payments), and Anthropic (AI features) — are based in the United States. Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) and EU Standard Contractual Clauses (SCCs) as applicable.
12. Children's Privacy
Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date.
14. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: [email protected]

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated.