Privacy Policy
Last updated: March 8, 2026
This policy explains what personal data we collect and how we use it, covering both our marketing website (www.outcomeproof.com) and the Outcome Proof application (app.outcomeproof.com).
1. Who we are
We are Outcome Proof Ltd, a company registered in Scotland (company number SC873276).
Registered address: Third floor, 3 Hill Street, New Town, Edinburgh, EH2 3JP
Email: support@outcomeproof.com
For the purposes of UK data protection law, we are the data controller for data collected through our website and for account/usage data in the application. When you use the application to store information about your organisation’s work (such as evidence, outcomes, and reports), your organisation is the data controller and we are the data processor acting on your behalf. A Data Processing Agreement is available on request.
2. What we collect
When you visit our website
| Data | Source | Details |
| Name, email, organisation name | Free Trial signup form | Details collected by email only |
| Name, email, organisation name, message | Contact Us form | Details collected by email only |
| Server logs | Automatic | IP address, browser type, pages visited, timestamps |
| Cookies | WordPress | A session cookie necessary for the website to function |
| Analytics data | Google Analytics (GA4) | Pages visited, time on page, approximate location (country / city level), device and browser type, referral source. Collected only if you consent via our cookie banner |
When you create an account
| Data | Details |
| Name | Your full name |
| Email address | Verified during signup |
| Password | Stored securely using one-way hashing (we cannot see your password) |
| Organisation name | Your charity or nonprofit’s name |
| Country | Used to determine your currency and locale |
| Timezone | Detected from your browser, changeable in settings |
| Terms acceptance | A timestamp recording when you agreed to our terms |
When you use the application
| Data | Details |
| Content you create | Text, files, and data you add to the application |
| Organisation data | Details about your organisation, its funding sources, and team members you invite |
| Profile information | Avatar image, locale and timezone preferences |
| Usage logs | An audit trail of actions taken in your account (who changed what, and when) |
| Session data | IP address, browser type, login times — used for session security |
When you pay for a subscription
| Data | Details |
| Payment details | Processed securely by Stripe. We store only the last four digits of your card and your billing address. We never see or store your full card number. |
| Billing history | Invoices and subscription status, managed by Stripe |
3. Why we collect it
| Purpose | Data used |
| Respond to enquiries | Contact form submissions |
| Manage early access waitlist | Signup form submissions |
| Provide the service | Account details, content you create, organisation data |
| Process payments | Payment details (via Stripe) |
| Send important emails | Email address — verification, password resets, security alerts, reporting deadline reminders |
| Keep accounts secure | Session data, login history, two-factor authentication details |
| Maintain an audit trail | Usage logs — so your team can see who changed what |
| Website security and performance | Server logs |
| Improve the service | Aggregated, non-personal usage patterns |
We do not use your data for advertising, profiling, or automated decision-making.
4. Lawful basis
Under UK GDPR, we rely on the following lawful bases:
| Data | Lawful basis |
| Account and content data | Contract — necessary to provide the service you’ve signed up for |
| Payment processing | Contract — necessary to manage your subscription |
| Website form submissions | Consent — you actively choose to submit your details |
| Security and audit logs | Legitimate interest — protecting accounts and maintaining accountability |
| Server logs and session cookies | Legitimate interest — website and application security |
| Analytics cookies (GA4) | Consent — only collected if you accept analytics cookies via our cookie banner |
| Tax records | Legal obligation — UK tax law requires us to retain financial records |
5. Cookies
We use only cookies that are necessary for our website and application to function. We do not use advertising or tracking cookies.
Marketing website (www.outcomeproof.com):
| Cookie | Purpose | Duration | Requires consent? |
| WordPress session cookie | Keeps the website functioning | Browser session | No (strictly necessary) |
| ‘_ga’ | Google Analytics – distinguishes visitors | 2 years | Yes |
| ‘_ga_*’ | Google Analytics – maintains session state | 2 years | Yes |
Application (app.outcomeproof.com):
| Cookie | Purpose | Duration |
| Session cookie | Authentication and security | Expires after a period of inactivity |
| CSRF token | Protects against cross-site request forgery | Session duration |
| Remember me (optional) | Keeps you logged in if you choose this option | Persistent |
| Signup attribution (optional) | Ensures referral discounts are applied correctly | Temporary |
Because we only use strictly necessary cookies, we do not require a cookie consent banner under UK PECR.
6. Who we share data with
We do not sell your data to anyone. We share data only with the following providers, who process it on our behalf:
| Third party | What they process | Where they are based |
| Stripe | Payment details, billing, invoices | United States (EU-US Data Privacy Framework certified) |
| Amazon Web Services (AWS) | Application hosting and infrastructure | United Kingdom |
| Google LLC | Website analytics (GA4) – only if you consent via cookie banner | United States (EU-US Data Privacy Framework certified) |
| Mailgun (Sinch) | Transactional emails (account, billing, and product notifications) and marketing website form submissions | European Union |
Your content is never shared with third parties. It is stored on servers in the UK and is only accessible to members of your organisation.
7. International transfers
Our application and database are hosted in the United Kingdom. Your data stays in the UK for hosting and storage purposes.
The following services are based in the United States:
| Service | Safeguards |
| Stripe | EU-US Data Privacy Framework certified; Standard Contractual Clauses |
| Google (GA4) | EU-US Data Privacy Framework certified; Standard Contractual Clauses |
8. How long we keep your data
Marketing website
| Data | Retention period |
| Waitlist signups | Until product launch plus 6 months, then deleted unless you become a customer |
| Contact form messages | 12 months from submission |
| Server logs | 90 days |
Application
| Data | Retention period |
| Your content (outcomes, evidence, reports) | Kept while your account is active. Deleted 60 days after your account is closed. |
| Audit logs | 2 years, then automatically deleted. Deleted immediately if your organisation’s data is purged. |
| Deleted items | Recoverable for a short period, then permanently removed |
| Session data | Expires after a period of inactivity |
| Billing records | Retained by Stripe for 7 years (UK tax law requirement) |
When you cancel your subscription:
- You keep full access until the end of your paid billing period
- Your account then becomes inactive — your data is preserved but you can only access a limited account page
- After 60 days of inactivity, all your data is permanently and irreversibly deleted
- You can request immediate deletion at any time, or resubscribe to restore access during the 60-day window
9. Security
We take the security of your data seriously. We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit — all connections use TLS (HTTPS)
- Encryption at rest — database and file storage are encrypted
- Password security — passwords are securely hashed; we cannot see your password
- Two-factor authentication — available for all accounts
- Access controls — permissions control who can do what within your organisation
- Audit logging — all significant actions are logged for accountability
Further details about our security practices are available on request.
10. Your rights
Under UK GDPR, you have the right to:
- Access your personal data — you can export all your data from your account settings, or email us for a copy
- Rectification — edit your profile and content at any time, or ask us to correct something
- Erasure — delete your account and all associated data. You can also ask us to delete marketing data (waitlist signup, contact form messages) at any time
- Restrict processing — ask us to limit how we use your data
- Data portability — receive a copy of your data in a machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw consent — for form submissions and optional cookies, you can withdraw consent at any time
To exercise any of these rights, email support@outcomeproof.com. We will respond within one month.
If you are not satisfied with our response, you can complain to the Information Commissioner’s Office (ICO) at ico.org.uk.
11. Children’s data
Our service is designed for organisations, not individuals. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to this policy
If we make significant changes to this policy, we will update the “Last updated” date at the top of this page. For major changes, we will notify you by email (if you have an account) or by a prominent notice on our website.
13. Contact us
For any questions about this privacy policy or how we handle your data:
Email: support@outcomeproof.com
Governing law: This policy is governed by the laws of Scotland.