Privacy Policy — The Resilient SME

Privacy Policy

Last updated: 27 June 2026  ·  Applies to: The Resilient SME & Chance Chapters  ·  Company No. 17053510  ·  London, England

Section 1

Who we are

We are the data controller responsible for personal data collected through our products and websites. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is:

The Resilient SME Ltd
Company No. 17053510
Registered in England & Wales
Email: info@theresilientsme.com
Website: theresilientsme.com

We are not currently registered with the Information Commissioner's Office (ICO) as a data processor but process personal data under legitimate interest and consent as described below. If you have concerns about how we handle your data, you have the right to contact the ICO at ico.org.uk.

Section 2

Our products

This Privacy Policy covers all products operated by The Resilient SME Ltd:

The Resilient SME
theresilientsme.com
A B2B intelligence platform providing SME resilience assessments, benchmarked reports, and advisory intelligence for business owners and their advisors. Includes the assessment survey, Digital Coach, and live portfolio dashboard.

Chance Chapters
chancechapters.com
A B2C personalised short story service that creates AI-generated, illustrated and narrated stories for individuals. Operated as a sub-brand of The Resilient SME Ltd.

Where data practices differ materially between products, this is noted in the relevant sections below.

Section 3

What data we collect

The Resilient SME — Assessment Platform:

| Data type | Examples | How collected |
| --- | --- | --- |
| Identity & contact | Name, job role, email address | Assessment form |
| Business information | Company name, sector, employee count, annual turnover | Assessment form |
| Location | Country, postcode / ZIP (first few characters only) | Assessment form (postcode is optional) |
| Assessment responses | Answers across up to 11 resilience domains | Assessment form |
| Derived scores | Domain scores, overall RSME Index, resilience band | Calculated from assessment responses |
| Financial context | Revenue range, margin indicators (Tier 2 & 3 only, optional) | Assessment form — optional fields |
| Payment data | Transaction reference, amount paid, discount applied | Stripe payment processing — card details never reach our servers |
| Digital Coach conversations | Questions asked about your report | Coach interface — processed in real time, not permanently stored by us |
| Technical data | IP address, browser type, device information | Standard website and hosting logs |

Chance Chapters — Story Service:

| Data type | Examples | How collected |
| --- | --- | --- |
| Identity & contact | Name, email address | Story order form |
| Story inputs | Character details, story preferences, personal details woven into narrative | Story order form |
| Optional image | Selfie or photo for AI face substitution (optional feature) | Uploaded by user — used only for illustration generation, not stored permanently |
| Payment data | Transaction reference, amount paid | Stripe payment processing — card details never reach our servers |

We do not collect special category data (sensitive personal data) as defined under UK GDPR — such as health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data — through either product.

Section 4

How we use your data

The Resilient SME:

  • To generate and deliver your personalised resilience assessment report by email
  • To power the Digital Coach — your report is processed in real time to answer your questions
  • To update the live portfolio dashboard where a sponsor or advisory firm is involved
  • To produce anonymised, aggregated resilience data for benchmarking and regional intelligence (e.g. "State of MK SME Resilience" — no individual is identifiable)
  • To process payment for paid assessment tiers
  • To improve our assessment methodology and report quality
  • To respond to enquiries and provide support

Chance Chapters:

  • To generate and deliver your personalised story, illustration and narration by email
  • To process payment for your order
  • To respond to support or delivery enquiries

We do not:

  • Sell personal data to any third party
  • Use personal data for automated decision-making with legal effect
  • Use data for direct marketing without explicit consent
  • Share identifiable personal data with advisors or sponsors without your knowledge

Section 5

Lawful basis for processing

| Processing activity | Lawful basis |
| --- | --- |
| Completing an assessment or story order | Consent — you actively choose to submit the form and tick the consent box |
| Delivering your report or story by email | Contract — necessary to fulfil the service you have paid for or requested |
| Payment processing | Contract — necessary to complete the transaction |
| Producing anonymised aggregate benchmarks | Legitimate interest — no individual is identifiable; provides public and commercial value |
| Improving our products and methodology | Legitimate interest — proportionate to the benefit of improving service quality |
| Responding to support enquiries | Legitimate interest — expected and proportionate |

You may withdraw consent at any time by contacting us at info@theresilientsme.com. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

Section 6

Data processors we use

We use the following trusted third-party services to operate our products. Each is subject to contractual obligations to protect your data and, where applicable, operates under UK GDPR-compliant data processing agreements:

Stripe
Payment processing — card details are handled entirely by Stripe and never reach our servers
🇺🇸 USA / 🇬🇧 UK — GDPR compliant · stripe.com/privacy

Netlify
Website hosting and serverless functions — assessment payloads are temporarily stored in Netlify Blobs during payment confirmation and deleted immediately after
🇺🇸 USA — GDPR compliant · netlify.com/privacy

Make.com (Integromat)
Automation — routes assessment data to report generation, Google Sheets and email delivery
🇪🇺 EU — GDPR compliant · make.com/en/privacy-notice

OpenAI
AI report and story generation — your assessment responses and story inputs are processed to generate personalised content
🇺🇸 USA — GDPR compliant · openai.com/privacy

Google (Sheets & Gmail)
Dashboard data storage (anonymised aggregates) and report delivery by email
🇺🇸 USA / 🇬🇧 UK — GDPR compliant · policies.google.com/privacy

Squarespace
Website hosting for theresilientsme.com
🇺🇸 USA — GDPR compliant · squarespace.com/privacy

Anthropic
Powers the Digital Coach — your report content is processed in real time to answer questions. Conversations are not used to train Anthropic models under our API agreement
🇺🇸 USA — GDPR compliant · anthropic.com/privacy

ElevenLabs (Chance Chapters only)
Audio narration generation for personalised stories
🇺🇸 USA — GDPR compliant · elevenlabs.io/privacy

Section 7

Data sharing

We may share data in the following circumstances:

| Recipient | What is shared | Basis |
| --- | --- | --- |
| Advisory firms or sponsors (RSME only) | Your assessment scores and report — only where you complete the assessment via a partner's branded survey URL. You will be made aware of the partner at the point of assessment. | Consent (implied by use of partner URL) — no identifiable data shared without awareness |
| Local authorities or public bodies | Anonymised, aggregated resilience data only (e.g. average scores by sector or postcode district). No individual is identifiable. | Legitimate interest — public benefit |
| Data processors listed above | Minimum data necessary for each service to function | Contract / Data Processing Agreements |
| Legal or regulatory authorities | Data required by law, court order, or regulatory obligation | Legal obligation |

We do not sell, rent, or trade personal data. We do not share identifiable personal data with any third party for their own marketing purposes.

Section 8

How long we keep your data

| Data type | Retention period | Reason |
| --- | --- | --- |
| Assessment responses and scores | 3 years from date of assessment | Enables longitudinal benchmarking and re-assessment comparison |
| Generated reports | 3 years from date of generation | Support and re-delivery if needed |
| Payment records | 7 years | HMRC financial record-keeping requirement |
| Netlify Blobs (temporary payment storage) | Deleted immediately after payment confirmation | Temporary only — no longer needed once webhook fires |
| Digital Coach conversations | Session only — not permanently stored by us | Processed in real time via Anthropic API; not retained after session ends |
| Chance Chapters story inputs | 90 days from order date | Support and re-delivery; deleted thereafter |
| Optional photos (Chance Chapters) | Deleted after illustration generation — not retained | Used only for the specific illustration; no ongoing storage |
| Google Sheets dashboard data | Retained in anonymised aggregate form indefinitely | Ongoing benchmarking dataset — no individual is identifiable |

You may request deletion of your personal data at any time. See Section 9 for how to exercise this right.

Section 9

Your rights under UK GDPR

You have the following rights regarding your personal data. To exercise any of these, contact us at info@theresilientsme.com. We will respond within 30 days.

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure — request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations
  • Right to restrict processing — request that we limit how we use your data while a query is resolved
  • Right to data portability — receive your data in a structured, commonly used format
  • Right to object — object to processing based on legitimate interest, including use for benchmarking or analysis
  • Right to withdraw consent — withdraw consent at any time without affecting prior processing
  • Right to complain — lodge a complaint with the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113

Section 10

Security

We take appropriate technical and organisational measures to protect personal data, including:

  • All data transmitted over HTTPS / TLS encryption
  • API keys and credentials stored as server-side environment variables — never exposed in client-side code
  • Payment data handled entirely by Stripe — card details never reach our servers
  • Temporary assessment data stored in Netlify Blobs and deleted immediately after payment confirmation
  • Access to Google Sheets dashboard restricted to authorised personnel

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay.

Section 11

Cookies

Our websites use minimal cookies. Squarespace (theresilientsme.com) sets standard session and analytics cookies. Our assessment survey at survey.theresilientsme.com does not set cookies beyond those required for the Stripe payment process.

We do not use advertising or tracking cookies. You can control cookies through your browser settings at any time.

Section 12

Changes to this policy

We may update this Privacy Policy from time to time as our products and processes evolve. The date at the top of this page will always reflect the most recent version. For material changes we will notify users by email where we hold contact details.

Previous versions are available on request.

Questions about your privacy?

Contact us directly — we aim to respond within 5 working days.

The Resilient SME Ltd
Email: info@theresilientsme.com
Company No. 17053510 · London, England

For complaints: Information Commissioner's Office — ico.org.uk