Privacy policy
How we look after your data.
This page explains what personal information Limitless Psychology collects, how we use it, who else processes it on our behalf, and the rights you have over it under UK data protection law.
Last updated: May 2026. Effective from the date of publication.
1. Who we are
Limitless Psychology Ltd is the data controller responsible for the personal information collected through this website and the School Masking Scales Web App. We are a private limited company registered in England and Wales (company number 16890844), with registered office at 778 Livesey Branch Road, Blackburn, England, BB2 5DN. We operate under UK data protection law (the UK GDPR and the Data Protection Act 2018).
You can contact us at info@limitlesspsy.co.uk for any privacy-related question.
Data Protection Registration: Registered with the Information Commissioner's Office (ICO). Registration reference: ZC160731.
2. What we collect
The data we collect depends on which parts of our service you use.
If you visit the public website
- No personal data is collected.
- Standard server-level logs (handled by our UK hosting provider, Krystal) may temporarily record IP addresses and request metadata. We do not access or store these logs ourselves.
- We use Cloudflare Web Analytics — a privacy-first, cookieless tool — to measure aggregate page views and visits. It does not set cookies, does not track or identify individual visitors, and does not collect personal data.
- Cookies and local storage — see our cookies notice.
If you create an account or subscribe to the Web App
- Email address.
- Password (stored as a salted hash by our authentication provider, Supabase — we never see your password in plain text).
- Subscription status, Stripe customer ID, Stripe subscription ID.
- Card-sort progress saved locally in your browser (sms-card-sort-state). This is stored in your browser's local storage, not on our servers.
- Usage record of the photo-import feature (a count of imports per day, used to enforce a daily fair-use cap). No imagery is retained — see below.
If you use "Import from photo" in the Web App
- The photo you upload is resized in your browser before upload, transmitted to our backend, and forwarded to Anthropic's Claude vision API solely to identify card placements.
- Neither Limitless Psychology nor Anthropic retains the photo after processing. The response (a mapping of card IDs to placements) is returned to your browser and then discarded server-side.
- We log only the fact that you ran an import (for billing and rate-limiting purposes); the contents of the photo are not logged.
If you buy the printed card pack (preorder)
- Your name, email, shipping address, and payment details are collected by our payment provider, Stripe, during checkout.
- We receive your name, email, and shipping address from Stripe so we can fulfil your order. We do not see or store your card details — Stripe handles all payment processing.
If you contact us by email or use a "Contact" link
- Your email address and the contents of your message.
If you book a consultation
- Limited personal and professional information necessary to arrange and deliver the consultation. Details handled within an educational psychology consultation are covered by separate professional confidentiality obligations under HCPC and BPS guidance.
3. Why we use it (purposes and lawful bases)
| Purpose | Data used | Lawful basis |
|---|---|---|
| Create and maintain your Web App account | Email, password hash | Performance of contract (UK GDPR Art 6(1)(b)) |
| Process subscription payments and grant Web App access | Email, Stripe IDs, subscription status | Performance of contract |
| Process card-pack preorders and ship them | Name, email, shipping address, Stripe IDs | Performance of contract |
| Operate the photo-import feature | Photo (transient), per-user daily count | Performance of contract |
| Enforce fair-use limits and prevent abuse | Per-user daily import count | Legitimate interests (UK GDPR Art 6(1)(f)) — protecting service availability and cost |
| Reply to enquiries | Email address, message content | Legitimate interests |
| Comply with legal, accounting, and tax obligations | Transaction records | Legal obligation (UK GDPR Art 6(1)(c)) |
We do not use your personal data for profiling, automated decision-making with legal effects, or marketing without your consent.
4. Who else processes your data
To operate the service, we share specific personal data with a small number of trusted third-party processors. Each only receives what they need to perform their role. They process data on our behalf under written contracts that meet UK GDPR requirements.
- Supabase — authentication and database hosting for the Web App. Stores email, password hash, and subscription status. supabase.com/privacy
- Stripe — payment processing for subscriptions and the card-pack preorder. Stores name, email, address, and payment details. stripe.com/gb/privacy
- Anthropic — AI vision processing for the "Import from photo" feature. Receives the uploaded photo transiently and returns a card-placement mapping. Photo is not retained. anthropic.com/legal/privacy
- Krystal Hosting — UK-based web hosting for the public website and the info@limitlesspsy.co.uk mailbox. Receives standard server logs (IP, request metadata). krystal.io/legal/privacy-policy
- Cloudflare Web Analytics — privacy-first, cookieless website analytics (aggregate page views and visits). It does not use cookies, does not track or identify individual visitors, and does not store personal data. cloudflare.com/web-analytics
We do not sell, rent, or share your personal data with anyone outside this list, except where we are required to do so by law.
5. How long we keep it
- Account and subscription data — kept while your account is active and for up to 12 months after cancellation, after which the account and associated data are deleted on request or as part of routine clean-up.
- Photo imports — the photo itself is never retained; only an anonymised daily count remains, and that count automatically resets each day.
- Payment and transaction records — kept for 6 years to comply with UK tax and accounting law.
- Card-sort progress in local storage — held in your browser only, for as long as you choose. You can clear it from the Web App or via your browser's settings.
- Enquiry emails — kept for as long as needed to deal with the matter, then archived or deleted in line with normal email retention.
- Consultation records — retained in line with HCPC and BPS professional record-keeping standards (typically 7 years post-discharge for adults, or until the young person reaches age 25, whichever is later).
6. Your rights
Under the UK GDPR you have the following rights over personal data we hold about you:
- Access — request a copy of the data we hold.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data ("right to be forgotten") where there is no overriding legal reason to keep it.
- Restriction — ask us to limit how we use your data while a query is being resolved.
- Portability — receive your data in a structured, machine-readable format, or have it transferred to another service.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where we rely on your consent, you can withdraw it at any time (this does not affect lawfulness of processing before withdrawal).
To exercise any of these rights, email info@limitlesspsy.co.uk. We will respond within one month (extendable to three months for complex requests). There is no fee, unless the request is manifestly unfounded or excessive.
7. International transfers
Some of our processors are based outside the UK or process data on infrastructure outside the UK and the EEA:
- Stripe operates globally and may transfer payment data outside the UK under appropriate safeguards (UK International Data Transfer Agreement, or the EU Standard Contractual Clauses with the UK Addendum).
- Anthropic is a US-based company; transfers to Anthropic occur under the UK International Data Transfer Agreement.
- Supabase is a US-based company that offers EU data residency; our Limitless Psychology project is hosted in its EU region (eu-west-1, Ireland), so account and database data is stored within the EEA.
Where transfers occur, we rely on the safeguards listed above to ensure your data continues to be protected to UK standards.
8. Security
We take reasonable technical and organisational measures to protect your data, including:
- HTTPS encryption for all traffic between your browser and our services.
- Industry-standard password hashing (handled by Supabase Auth).
- Row-level security in our database, restricting account data to its rightful owner.
- Edge functions guarded by signed authentication tokens for sensitive operations (e.g. photo import).
- Payment data is handled entirely by Stripe, a PCI-DSS Level 1 certified processor.
No internet service can guarantee perfect security. If we ever become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the Information Commissioner's Office within 72 hours and, where the risk is high, contact affected users directly.
9. Children
The School Masking Scales resource is designed to support adults (educational psychologists, schools, clinicians, parents and carers) in having conversations with children and young people about school masking. The Web App and other parts of the service are intended for use by adult professionals or carers, not by children directly. We do not knowingly collect personal data from children under 13.
If a child has provided us with personal data without parental consent, please contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time — for example, when we add or change a third-party processor, or when the law changes. We will update the "Last updated" date at the top of the page. For significant changes (such as a new category of data being collected, or a change in lawful basis), we will give you reasonable notice — for example, by email if you have an account with us.
11. Contact and complaints
For any privacy-related question or request, email info@limitlesspsy.co.uk.
You also have the right to complain to the UK regulator, the Information Commissioner's Office (ICO), if you believe we have not handled your data properly. We would prefer the chance to put things right first, so please consider contacting us before raising a complaint with the ICO.
ICO website: ico.org.uk · ICO helpline: 0303 123 1113.