GDPR Compliance
Last updated: 5 April 2026
FlinnSchema is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.
1. Data Controller
The data controller for personal data processed through FlinnSchema is:
Flinn G Evans
FlinnSchema
Kent, United Kingdom
Email: admin@flinnschema.com
2. Legal Basis for Processing
We process personal data under the following legal bases as defined in Article 6 of the UK GDPR:
| Processing Activity | Legal Basis | Details |
|---|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) | Necessary to provide the Service you have signed up for |
| Running website audits | Contract (Art. 6(1)(b)) | Core service delivery |
| Payment processing | Contract (Art. 6(1)(b)) | Necessary to fulfil paid service agreements |
| LLM prompt testing | Contract (Art. 6(1)(b)) | Paid feature included in premium subscription |
| Blog post generation | Contract (Art. 6(1)(b)) | Paid feature included in premium subscription |
| Funnel analytics and conversion tracking | Legitimate interest (Art. 6(1)(f)) | Understanding how visitors use our landing pages to improve the Service. IPs are hashed and never stored in raw form. |
| Google Analytics | Legitimate interest (Art. 6(1)(f)) | Anonymised website usage data to improve the Service |
| Payment record retention (7 years) | Legal obligation (Art. 6(1)(c)) | Required for UK accounting and tax compliance |
| Featured case studies | Consent (Art. 6(1)(a)) | Only published with your explicit agreement |
3. Data Processing Activities
Data We Process
- Identity data: Name, email address
- Contact data: Email address
- Technical data: Browser user agent, hashed IP address, device type
- Website data: URL, page content, structured data, reviews (all publicly available)
- Transaction data: Payment confirmations, subscription status, billing periods
- Usage data: Page views, feature usage, funnel events
- Business data: Business name, industry, location (used for LLM testing)
Automated Decision-Making
Our audit scoring engine uses automated processing to generate AI visibility scores based on 26 factors. These scores are informational only and do not have legal or similarly significant effects. LLM test results are verified by an AI classifier (Claude Haiku) but can be manually disputed by the user.
4. Sub-Processors
We use the following third-party data processors:
| Processor | Location | Purpose | Data Processed |
|---|---|---|---|
| Supabase Inc. | US | Database, authentication | All account, audit, and report data |
| Stripe Inc. | US | Payment processing | Payment card details, transaction data |
| Vercel Inc. | US (edge global) | Application hosting | Request data, application logs |
| OpenAI | US | LLM testing, content generation | Business name, URL, industry, location |
| Anthropic | US | Verification classifier | LLM response snippets, business context |
| Perplexity AI | US | LLM testing | Business name, URL, industry, location |
| Google LLC | US | LLM testing, reviews, analytics | Business name, URL, analytics cookies |
| xAI Corp. | US | LLM testing | Business name, URL, industry, location |
5. International Data Transfers
As our sub-processors are primarily based in the United States, personal data is transferred outside the UK. These transfers are protected by:
- Standard Contractual Clauses (SCCs) included in our agreements with each processor
- Each processor’s own data protection certifications and compliance measures
- Minimisation of personal data transferred (we only send what is necessary for each service)
We do not transfer personal data to any country that lacks adequate data protection without appropriate safeguards.
6. Data Subject Rights
Under UK GDPR, you have the following rights regarding your personal data:
Right of Access (Art. 15)
You can request a copy of all personal data we hold about you. We will provide this in a structured, machine-readable format (JSON) within 30 days.
Right to Rectification (Art. 16)
You can request correction of any inaccurate or incomplete personal data. You can also update your name and email directly in your account settings.
Right to Erasure (Art. 17)
You can request deletion of your personal data. You can delete your account directly from account settings, or email us. Data will be deleted within 30 days, except payment records retained for legal compliance (7 years).
Right to Restrict Processing (Art. 18)
You can request that we restrict processing of your data in certain circumstances, such as while we verify the accuracy of your data following a rectification request.
Right to Data Portability (Art. 20)
You can request your data in a machine-readable format. We will provide a JSON export of your account data, audit results, and report data.
Right to Object (Art. 21)
You can object to processing based on legitimate interest (such as analytics tracking). To opt out of Google Analytics, use the Google Analytics Opt-out Browser Add-on.
Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent (e.g. case study publication), you may withdraw consent at any time by contacting us.
How to Exercise Your Rights
Email admin@flinnschema.com with your request. We will verify your identity and respond within 30 days. No fee is charged for reasonable requests.
7. Data Protection Measures
- All data transmitted over HTTPS (TLS 1.2+)
- Passwords hashed with bcrypt (via Supabase Auth)
- Row-level security (RLS) enforced on all database tables
- Server-side quota enforcement prevents unauthorised API access
- API keys and secrets stored as environment variables, never in client-side code
- Stripe webhooks verified with signature checking
- IP addresses hashed with SHA-256 and salt before storage
- Admin functions restricted to authorised email addresses
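The IP-address measure above (SHA-256 with a salt before storage) can be implemented as follows. This is an added illustration, not FlinnSchema's own code; the environment variable name IP_HASH_SALT and the function names are assumptions, and the sample salt is constructed.

```python
import hashlib
import hmac
import ipaddress
import os

# Hypothetical variable name for the secret salt; the page only says secrets
# live in environment variables, it does not name this one.
SALT_ENV_VAR = "IP_HASH_SALT"
MIN_SALT_BYTES = 16


def pseudonymise_ip(ip: str, salt: bytes) -> str:
    """Return the hex SHA-256 of salt || packed IP address.

    The salt must be a secret shared across rows, not a per-row random value:
    the IPv4 space holds only 2^32 addresses, so a digest whose salt is known
    can be reversed by hashing every address. A secret salt turns the digest
    into a keyed pseudonym that still lets the same visitor be recognised.
    """
    if len(salt) < MIN_SALT_BYTES:
        raise ValueError(f"salt must be at least {MIN_SALT_BYTES} bytes")
    # ip_address() rejects malformed input and normalises textual variants
    # (e.g. "2001:0db8:0000::1" and "2001:db8::1") to the same packed bytes.
    addr = ipaddress.ip_address(ip.strip())
    return hashlib.sha256(salt + addr.packed).hexdigest()


def load_salt(env=None) -> bytes:
    """Read the hex-encoded secret salt from the environment (or a mapping)."""
    env = os.environ if env is None else env
    raw = env.get(SALT_ENV_VAR)
    if not raw:
        raise RuntimeError(f"{SALT_ENV_VAR} is not set")
    return bytes.fromhex(raw)


def same_visitor(hash_a: str, hash_b: str) -> bool:
    """Compare two stored pseudonyms in constant time."""
    return hmac.compare_digest(hash_a, hash_b)


if __name__ == "__main__":
    # Constructed sample: a fixed 32-byte salt standing in for the env value.
    demo_salt = bytes(range(32))
    print(pseudonymise_ip("192.0.2.1", demo_salt))
```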
8. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33
- If the breach is likely to result in a high risk to your rights, we will notify you directly without undue delay, as required by Article 34
- We will document the breach, its effects, and the remedial action taken
9. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Phone: 0303 123 1113
10. Contact
For any GDPR-related enquiries:
Email: admin@flinnschema.com
Location: Kent, United Kingdom