HoursBack

Privacy policy

Last updated: 6 June 2026

This version replaces the previous policy in full.

About this policy

This is the privacy policy for HoursBack. It explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have. It is written in plain English on purpose. If anything is unclear, email us at [email protected] and we will explain it.

We are the data controller for the personal data described below, as defined by UK GDPR and the Data Protection Act 2018.

Who we are

HoursBack is an AI workflow assessment business operated by David Bevan as a sole trader, registered in the United Kingdom. When this policy says “we”, “us”, or “HoursBack”, it means that business. When it says “you”, it means you as a visitor to www.hoursback.co.uk or as a HoursBack customer.

Contact for any privacy question, request, or complaint: [email protected].

What data we collect, and when

We collect personal data in the following situations:

  • When you take the AI readiness quiz. We collect your email address, your answers to the nine quiz questions, the scores those answers generate, and (if you tick the marketing box) your consent to receive a follow-up email sequence. We do not require any other identifying information to deliver your quiz result. To generate your personalised quick wins, your quiz answers are sent to Anthropic’s Claude API at the point you ask for the breakdown (see “How we use AI” below).
  • When you fill in the contact form. Name, email address, business name (optional), and the message you write to us.
  • When you use a free tool (such as the admin cost calculator at /tools). Your email address, the industry you selected, and the numbers you entered into the calculator so we can email you the breakdown.
  • When you subscribe to the prompt library or newsletter. Email address only.
  • When you book and pay for an assessment. Your name, email address, business name, the answers you give in the pre-session questionnaire (which includes free-text descriptions of your typical day, your biggest time sinks, and what you would do with ten reclaimed hours a week), the date and time of your session, and the payment confirmation Stripe returns to us. Stripe handles your card details directly; we never see or store them.
  • When you attend your live diagnostic session. The session is held over Zoom and is recorded with cloud transcription enabled. The video recording and the auto-generated transcript are pulled into HoursBack’s database so we can draft your report. We will tell you on the call that recording is taking place.
  • When we deliver your report. We store the draft and final report content, the version history, and a note of when you open the report summary page (a one-pixel log entry, no third-party tracking).
  • When you join the referral programme. Your name, email address, the referral code we mint for you, and the click count on your link.
  • When you visit the website. Anonymous usage data via PostHog (see “Cookies and analytics” below).
  • When we email you. A delivery log entry (template name, subject, status), plus aggregate engagement data from Resend (our email provider). Open tracking is turned off; click tracking on our short links is on so we can debug deliverability.
  • When you use the website chat assistant (Ask HoursBack). The content of the messages you type, your email address if you choose to share it, the timestamp and version of the consent you give before the chat starts, and basic session metadata (the page you started on, the page that referred you, and a random session identifier). We ask you not to share client names or other sensitive details in the chat, and we do not need them to help you. Your messages are sent to Anthropic’s Claude API to generate each reply; Anthropic does not use them to train its models. Anonymous chat transcripts are kept for 90 days and then deleted automatically (see “Website assistant (Ask HoursBack)” below).

How we use your data, and the lawful basis

UK GDPR requires us to have a lawful basis for each use.

  • To deliver the service you paid for (running the assessment, drafting and sending the report, follow-up check-ins, the Implementation Kickstart, the Custom AI Agent Build). Lawful basis: performance of the contract between you and HoursBack.
  • To send transactional emails (booking confirmation, session reminder, report delivery, 7-day and 30-day check-ins, refund confirmation). Lawful basis: performance of the contract, or legitimate interest where you are a free user (for example, when we email you your quiz action plan).
  • To send marketing emails (the post-quiz nurture sequence, the newsletter, anything promotional). Lawful basis: your consent, given by ticking the marketing box on the quiz or signing up to the newsletter. You can withdraw consent at any time using the one-click unsubscribe link in every email, or by emailing us. We honour the unsubscribe immediately.
  • To improve the website and our services. Lawful basis: legitimate interest. We use anonymous PostHog analytics to see which pages are read, what converts, and where forms break. Inputs are masked so we never see what you typed.
  • To comply with legal obligations. We retain payment records as required by HMRC (six years). Lawful basis: legal obligation.

How we use AI to draft your report

This is the part most consultancies do not disclose, so we want to be direct. When you book an assessment, we use Anthropic’s Claude API to help draft your report. The inputs to the AI are:

  • Your questionnaire answers.
  • The transcript of your session.
  • Any extra material you ask us to look at (a spreadsheet, a process document, a screen recording).

The AI produces a draft. David Bevan reads, edits, and verifies every report by hand before it is sent. No decision with legal or similarly significant effect is made about you solely by automated means, so Article 22 of UK GDPR (rights related to automated decision-making) does not apply.

Anthropic processes the data on US infrastructure. Anthropic has confirmed in its terms that API inputs are not used to train its models. We do not pass your personal data to any other AI provider for the purpose of drafting your report.

Separately, we use kie.ai to generate marketing visuals for our own website. kie.ai does not receive any of your data; it only sees prompts written by HoursBack about our own brand.

Website assistant (Ask HoursBack)

We run an AI chat assistant on the website called Ask HoursBack. It answers questions about our services and helps you decide whether an assessment is right for you. The assistant is powered by Anthropic’s Claude API, which acts as our processor for the chat. Everything you type in the chat is sent to Anthropic to generate each reply.

Our lawful basis for the chat itself is legitimate interest: handling a pre-sales enquiry from someone who has chosen to start a conversation with us. If you give us your email address in the chat so we can follow up with marketing (for example, your quick wins or assessment details), our lawful basis for that follow-up is your consent, which we confirm with a separate double opt-in step. You can withdraw that consent at any time using the unsubscribe link in every email.

Anthropic processes the data on US infrastructure. This is the same processor and the same UK-US transfer basis we rely on for drafting reports (see “International transfers” below). Anthropic has confirmed in its terms that API inputs are not used to train its models, so your chat messages are not used for model training.

We keep anonymous chat transcripts for 90 days and then delete them automatically. If you give us your email address in the chat, the transcript is linked to your contact record and kept no longer than an anonymous transcript unless you go on to book an assessment. Before the chat starts, we show a short notice and ask you to confirm that you understand the chat uses AI, that your messages are sent to Anthropic, and that you are 18 or over. We record the time and version of that confirmation.

Cookies and analytics

HoursBack does not run marketing or advertising cookies. We do not share data with ad networks. The only cookies we set are strictly necessary:

  • An authenticated admin session cookie, set only when an administrator signs in to the back office.
  • A signed access cookie when you enter the passcode on your report summary page, so you do not have to retype the passcode on every visit.
  • A CSRF token cookie on form submissions, to stop other websites tricking your browser into sending data to us.

For website analytics we use PostHog, configured in memory mode. That means PostHog does not set cookies and does not write to local storage. Your anonymous session id lasts only as long as your current browser tab. We chose this setup so we can run analytics without needing a cookie consent banner, which we believe is a better experience for you.

We also use PostHog’s session-recording feature on selected pages. All form inputs and any element marked as sensitive are masked in the recording, so we never see what you type into a form.

Who we share your data with

We use the following third-party processors. Each one is named here so you can read their own privacy notice if you want to.

  • Supabase — our database and storage backend. Hosts your questionnaire answers, session transcript, contact record, report content, and email log. EU-hosted on our project.
  • Stripe — payment processing. Holds your card details and the payment record. We never see the card number.
  • Cal.com — booking scheduling. Holds the appointment slot, your name, email, and any free-text answers you give in the booking form.
  • Zoom — video calls. The session video and the auto-generated transcript are produced by Zoom Cloud Recording and pulled into our database via the Zoom API. Zoom retains its own copy until our automated workflow archives or deletes the source recording.
  • Resend — transactional and marketing email delivery. Receives the email address and the email content, and reports back delivery, open, and click status (open tracking is off; click tracking is on for our short links).
  • Anthropic (Claude API) — report drafting. Receives your questionnaire and transcript at the moment we draft the report.
  • PostHog — product analytics. EU-hosted (eu.i.posthog.com).
  • Google Drive — when we mark your report as sent, we mirror a copy of your transcripts, questionnaire, and report into a Google Drive folder under our control as a working archive.
  • Buffer — schedules our own LinkedIn company-page posts. No client data passes through Buffer; it only sees content HoursBack writes about itself.
  • kie.ai — image generation for our own marketing visuals. No client data passes through kie.ai.
  • Vercel — hosts the website and runs the serverless functions that power our forms and admin tools.

We do not sell your data. We do not pass it to ad networks or data brokers. We share it only with the processors above, and only to the extent each one needs to do its job.

International transfers

Several of the processors named above are based in the United States (Stripe, Anthropic, Zoom, Resend, Cal.com, Buffer, kie.ai, Google, Vercel). Transferring personal data from the UK to a country outside the UK and the European Economic Area requires safeguards under Article 44 of UK GDPR.

The safeguards we rely on are:

  • The UK-US Data Bridge (the UK Extension to the EU-US Data Privacy Framework) where the US vendor has self-certified to it, including Anthropic, Google, and Stripe.
  • The UK International Data Transfer Addendum to the EU Standard Contractual Clauses, which our vendors sign as part of their Data Processing Agreement.

If you want to see a specific vendor’s safeguard documentation, email us and we will point you at it.

How long we keep your data

  • Quiz lead records — until you unsubscribe, or after 24 months of no engagement, whichever comes first.
  • Contact form submissions, free-tool leads, newsletter and prompt library signups — same as above.
  • Questionnaire and session transcript — 24 months from report delivery, then deleted from live systems unless you ask us to keep them longer (for example, for a follow-up engagement).
  • Report content — same as above. Your own copy is yours forever; this retention applies to the version on our systems.
  • Email send log — 12 months, for deliverability diagnostics.
  • Chat assistant transcripts — 90 days for anonymous sessions, then deleted automatically. Email-linked sessions are kept no longer than that unless you go on to book an assessment.
  • Stripe payment record — six years, as required by HMRC for UK self-employed tax records.
  • Referral records — while the programme is active, plus 12 months.

If you ask us to delete your data sooner, we will. The only exception is the Stripe payment record, which we have to keep for the legal period set by HMRC.

Security

The technical and organisational measures we take:

  • All traffic to the website is over HTTPS / TLS in transit.
  • Data at rest in Supabase is encrypted by the provider.
  • The admin area (where transcripts and reports live) is behind a password and a signed session cookie.
  • Client report summary pages are behind a 6-character passcode we share with you when we deliver the report.
  • Every public form has CSRF protection and rate limiting.
  • We never store payment card details. Stripe Checkout handles card capture directly on Stripe’s infrastructure.

Data breaches

If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will report it to the Information Commissioner’s Office within 72 hours of becoming aware of it, and we will tell you directly without undue delay where the risk is high.

Your rights

Under UK GDPR, you have the right to:

  • Know what data we hold about you (right of access).
  • Have inaccurate data corrected (right to rectification).
  • Have your data deleted, subject to the legal-obligation carve-out above (right to erasure).
  • Get a copy of the data you have given us in a portable, machine-readable format (right to data portability).
  • Restrict or object to specific uses, including marketing communications (which you can also stop with the unsubscribe link in every email).
  • Withdraw any consent you have given. Withdrawing consent does not affect anything we did before you withdrew it.

To exercise any of these rights, email us at [email protected]. We will respond within one month, free of charge. We may ask for a simple identity check before we act on a request, to make sure we are not handing data to the wrong person.

If you are not satisfied with our response, you can complain to the Information Commissioner’s Office, which is the UK’s data-protection regulator. The ICO accepts complaints at ico.org.uk/concerns or by phone on 0303 123 1113. You do not have to give us a chance to respond first, but it usually moves faster if you do.

Children

HoursBack is sold to working business owners. The services are not intended for under-18s and we do not knowingly collect personal data about children.

Affiliate links and tool recommendations

Some of the tool recommendations on our website, in quiz results, and in assessment reports contain affiliate links. If you sign up to a recommended tool through one of these links, HoursBack may earn a small commission. This does not change the price you pay.

Recommendations are made on the basis of what we think will save you the most time given your specific business. We are not paid by any third-party tool provider to recommend their product, and the existence of an affiliate relationship does not affect which tools we put in front of you. Where a tool does not have an affiliate programme, we link to it anyway.

Affiliate links may appear in:

  • The AI readiness quiz results.
  • Your assessment report (delivered as a PDF and online).
  • The client-facing report summary page.
  • Blog posts and the prompt library where tools are referenced.
  • Free-tool result pages at /tools/*.

When you click an affiliate link, the third-party provider sees that the visit came from HoursBack. We do not share your personal data, assessment answers, or report content with any affiliate partner. Anything you do on the third party’s site is governed by that provider’s own privacy policy.

You are never required to use a recommended tool, and you are free to navigate to the provider’s site directly instead of clicking our link. Doing so does not affect the service you get from HoursBack. For our position on third-party tool liability see our terms of service.

Changes to this policy

We may update this policy from time to time. Whenever we make a material change, we will summarise it at the top of this page for at least 30 days after the change takes effect, and we will email active clients before the change applies to them. Minor edits (typos, link fixes, clarifications) take effect on publication and are only noted in the “last updated” date.

Governing law

This policy is governed by the laws of England and Wales. Our processing is regulated by the UK General Data Protection Regulation and the Data Protection Act 2018.
