Privacy Notice

Last Updated: 4 December 2025

This Privacy Notice explains how Eatyourpeas Ltd ("we", "us", or "our"), trading as CheckTick, collects, uses, stores, and protects your personal information when you use our survey platform and services.

1. Introduction

Eatyourpeas Ltd is committed to protecting your privacy and complying with data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1.1 Key Principles

• We only collect data necessary to provide our services
• We use strong encryption to protect your data
• We will never sell your personal data to third parties
• You have control over your data and can request deletion at any time
• We are transparent about how we use your information

1.2 Data Controller

For your CheckTick account data, Eatyourpeas Ltd (or the self-hosted instance operator) is the data controller.

Eatyourpeas Ltd is a company registered in England and Wales.

For survey data you collect, you are the data controller and Eatyourpeas Ltd (trading as CheckTick) is the data processor. You are responsible for:

• Obtaining appropriate consent from survey respondents
• Providing privacy notices to respondents
• Ensuring compliance with data protection laws
• Determining the lawful basis for processing

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Username (required)
• Email address (required)
• Password (hashed and encrypted)
• Account tier (FREE, PRO, ORGANIZATION, ENTERPRISE)
• Organization name (if creating an organization account)
• IP address (for security and fraud prevention)
• Account creation date and last login

2.2 Survey Data

When you create surveys and collect responses, we process:

• Survey questions and configuration
• Survey responses (encrypted)
• Respondent data (as configured by you in your surveys)
• Survey metadata (creation date, status, settings)

Important: Survey data is encrypted using keys you control. For individual accounts, only you can decrypt this data. For organization accounts, your organization manages the encryption keys.

2.3 Usage Data

We automatically collect:

• Access logs (timestamps, IP addresses, actions performed)
• Error logs (for debugging and service improvement)
• Browser and device information (user agent, screen resolution)
• Performance metrics (page load times, response times)

2.4 Payment Information

When you subscribe to a paid tier:

• Payment processing is handled by Paddle, our payment processor
• We do not store your credit card or banking information
• We receive from Paddle:
• Transaction IDs
• Subscription status
• Payment status
• Billing country (for tax purposes)
• See Paddle's Privacy Policy: https://www.paddle.com/legal/privacy

2.5 Cookies and Similar Technologies

We use cookies and similar technologies for:

• Authentication (keeping you logged in)
• Session management (maintaining your session state)
• Preferences (remembering your theme and language settings)
• Security (preventing CSRF attacks)

We do not use cookies for:

• Advertising or marketing
• Third-party tracking
• Analytics beyond basic usage statistics

You can control cookie settings in your browser, but some features may not function without essential cookies.

3. How We Use Your Information

3.1 To Provide the Service

We use your information to:

• Create and manage your account
• Authenticate you and maintain security
• Store and process your surveys and responses
• Enable collaboration features (for ORGANIZATION tier)
• Provide customer support
• Process payments and manage subscriptions

Legal Basis: Performance of a contract (our Terms of Service)

3.2 To Improve the Service

We use aggregated, anonymized data to:

• Monitor and improve service performance
• Identify and fix bugs
• Develop new features
• Understand usage patterns

Legal Basis: Legitimate interests (improving our service)

3.3 To Communicate With You

We may send you:

• Transactional emails (account confirmations, password resets, payment receipts)
• Service notifications (maintenance, security alerts, important updates)
• Support responses (replies to your inquiries)

We will not send marketing emails unless you explicitly opt in.

Legal Basis: Performance of a contract and legitimate interests

3.4 For Security and Fraud Prevention

We use your information to:

• Detect and prevent unauthorized access
• Investigate security incidents
• Prevent fraud and abuse
• Comply with legal obligations

Legal Basis: Legitimate interests and legal obligations

4. Data Sharing and Disclosure

4.1 We Do Not Sell Your Data

We will never sell, rent, or trade your personal information to third parties for marketing purposes.

4.2 Service Providers

We share data with trusted service providers who help us operate the Service:

• Paddle (payment processing)
• Purpose: Process subscriptions and payments
• Data shared: Email, billing country, transaction information

• Privacy Policy: https://www.paddle.com/legal/privacy

• Cloud Infrastructure Providers

• Purpose: Host the application and database
• Data shared: All service data

• Safeguards: Encryption at rest and in transit, access controls

• Email Service

• Purpose: Send transactional emails
• Data shared: Email addresses, email content
• Only used for service-related communications

All service providers are required to protect your data and may only use it for the specified purposes.

4.3 Legal Requirements

We may disclose your information if required to:

• Comply with legal obligations or valid legal requests
• Protect our rights, property, or safety
• Protect the rights, property, or safety of our users or the public
• Prevent fraud or abuse

We will notify you of legal requests unless prohibited by law.

4.4 Business Transfers

If Eatyourpeas Ltd or CheckTick is acquired or merged with another entity, your data may be transferred to the new owner. We will notify you of any such change and your data will remain subject to this Privacy Notice.

4.5 Collaboration Features

If you use ORGANISATION tier collaboration features:

• Your survey data may be visible to authorized team members
• Organization administrators can manage user access
• Organization accounts may recover encryption keys on behalf of users

5. Data Security

5.1 Encryption

We implement strong encryption:

• Survey responses are encrypted using AES-256 encryption
• Encryption keys are separate from data and controlled by you
• Data in transit is protected with TLS/HTTPS
• Passwords are hashed using industry-standard algorithms

5.2 Access Controls

• User data is isolated by account
• Role-based access control (RBAC) for organizations
• Multi-factor authentication available (ENTERPRISE tier)
• Regular access reviews and security audits

5.3 Infrastructure Security

• Regular security updates and patches
• Firewall protection and intrusion detection
• Automated backups with encryption
• Monitoring and logging of security events

5.4 Limitations

While we implement strong security measures, no system is 100% secure. You are responsible for:

• Keeping your password confidential
• Safeguarding your encryption keys
• Using secure networks when accessing the Service
• Reporting security incidents promptly

6. Data Retention

6.1 Active Accounts

We retain your data while your account is active and as needed to provide the Service.

6.2 Deleted Data

When you delete surveys or responses:

• Data is marked for deletion immediately
• Data may remain in backups for up to 90 days
• After 90 days, data is permanently deleted from all systems

6.3 Closed Accounts

When you close your account:

• Your account data is anonymized or deleted within 30 days
• Some data may be retained for legal or compliance purposes
• Backups containing your data are deleted within 90 days

6.4 Legal Retention

We may retain certain data for longer periods when:

• Required by law (e.g., tax records, audit logs)
• Necessary for legal proceedings
• Needed to enforce our Terms of Service

See our Data Governance documentation for detailed retention schedules.

7. Your Data Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

7.1 Right of Access

You can request a copy of your personal data. Use our data export features or contact us for a comprehensive copy.

7.2 Right to Rectification

You can update your account information at any time through your account settings.

7.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your account and data. This will permanently delete:

• Your account and profile
• All surveys you created
• All responses to your surveys

Note: Encrypted data cannot be recovered after deletion.

7.4 Right to Restrict Processing

You can request we limit how we process your data in certain circumstances.

7.5 Right to Data Portability

You can export your data in machine-readable formats (CSV, JSON) at any time.

7.6 Right to Object

You can object to processing based on legitimate interests. We will cease processing unless we have compelling grounds.

7.7 Rights Related to Automated Decision-Making

CheckTick does not use automated decision-making or profiling that produces legal effects.

7.8 How to Exercise Your Rights

To exercise any of these rights:

• Email us at your configured support email
• Use in-app features for data export and account deletion
• Expect a response within 30 days

We may request verification of your identity before fulfilling requests.

8. Children's Privacy

CheckTick may be used to collect survey data about children and young people under 18, particularly in healthcare, educational, or research contexts.

If you collect data about children:

• You must obtain appropriate consent from parents, guardians, or those with parental responsibility
• For healthcare data, you must follow NHS guidelines and Caldicott Principles regarding children's data
• You must have proper clinical documentation and ethical approval where required
• You must comply with Article 8 of GDPR regarding conditions for children's consent
• For children under 13, parental consent is always required
• For children aged 13-17, consider the child's age and maturity when obtaining consent

Your responsibilities as data controller:

• Ensure consent is documented and can be demonstrated
• Provide age-appropriate privacy information to children and their guardians
• Implement appropriate safeguards for children's data
• Consider the best interests of the child in all processing activities
• Comply with local safeguarding requirements

CheckTick assumes that users collecting data about children have obtained all necessary consents, approvals, and clinical documentation as required by law and professional standards. Users are solely responsible for ensuring compliance with all applicable child protection and data protection laws.

9. International Data Transfers

CheckTick is operated in the UK. If you access the Service from outside the UK:

• Your data may be transferred to and stored in the UK
• We ensure appropriate safeguards are in place
• Your data remains protected under UK GDPR standards

For self-hosted instances, data location depends on your hosting provider.

10. Your Responsibilities as a Data Controller

When you collect survey data, you are the data controller and must:

10.1 Obtain Consent

• Provide clear information about what data you're collecting
• Explain how you will use the data
• Obtain explicit consent for sensitive data (health, biometric, etc.)

10.2 Provide Privacy Notices

• Tell respondents how you will process their data
• Explain their rights regarding their data
• Provide contact information for data requests

10.3 Comply with Laws

• Follow GDPR, UK DPA 2018, and other applicable laws
• Ensure you have a lawful basis for processing
• Conduct Data Protection Impact Assessments (DPIAs) when required
• For NHS/healthcare data, comply with NHS data policies and ethics requirements

10.4 Secure Data

• Use CheckTick's encryption features
• Safeguard your encryption keys
• Limit access to authorized personnel only
• Report data breaches as required by law

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to review their privacy policies.

12. Changes to This Privacy Notice

We may update this Privacy Notice from time to time. We will:

• Update the "Last Updated" date at the top
• Notify you of material changes via email or Service notification
• Give you opportunity to review changes before they take effect

Continued use of the Service after changes constitutes acceptance.

13. Contact Us

For privacy-related questions or to exercise your data rights, contact us:

• Email: [email protected]
• Data Protection Officer: [email protected]
• GitHub Issues: https://github.com/eatyourpeas/checktick/issues
• Documentation: https://checktick.com/docs/

14. Supervisory Authority

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with:

Information Commissioner's Office (ICO)

• Website: https://ico.org.uk
• Helpline: 0303 123 1113
• Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Last Updated: 4 December 2025

This Privacy Notice is designed to be transparent and help you understand how Eatyourpeas Ltd (trading as CheckTick) handles your personal information. If you have any questions, please don't hesitate to contact us.