Legal

Privacy Policy

Version 1.1 · Effective April 2026

PRISM Training Labs Ltd ("we", "us", "our") is committed to protecting the personal data of everyone who uses or interacts with our training platform. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.

Questions about this policy or how we handle your data? privacy@prismtraininglabs.com

1.

Who We Are

PRISM is a web-based training platform that helps companies develop the thinking and investigation skills of their customer support teams. We operate at prismtraininglabs.com.

For the purposes of UK GDPR, PRISM acts as a data processor on behalf of the organisations whose agents use the Platform. The subscribing organisation is the data controller in respect of their agents' personal data.

Customer organisations are responsible for ensuring they have an appropriate lawful basis for providing employee data to PRISM for training and evaluation purposes.

For data we collect directly from website visitors (such as enquiry form submissions), PRISM acts as the data controller.

2.

What Data We Collect

2.1 Training platform users (support agents)

When an agent completes a PRISM training session, we collect and store:

—Full name

—Work email address

—Team code (provided by their employer)

—Training session responses — what the agent wrote in the three response fields

—Modules visited during each scenario

—AI-generated scores across 8 thinking dimensions

—Overall session score

—RAG status, risk summary and recommendation (generated for the manager dashboard)

—Date and time of session completion

2.2 Website visitors

If you submit a contact or demo request form on our website, we collect your email address and any information you choose to include. We do not use tracking cookies or analytics tools beyond what is necessary to operate the site.

2.3 Manager dashboard users

Managers who log in to the PRISM Manager Dashboard do so using credentials provided by PRISM or their organisation. We do not collect additional personal data from managers beyond what is required to authenticate their access.

3.

Why We Collect It — Our Lawful Basis

We process personal data on the following lawful bases under UK GDPR:

Contractual necessity

We process agent data (name, email, scores, session records) because it is necessary to provide the training platform service that the subscribing organisation has contracted for.

Legitimate interests

We generate RAG status, risk summaries and recommendations so that managers can meaningfully understand their team's performance. This is the core purpose of the Platform and the reason organisations subscribe.

Consent (website enquiries)

When you submit a contact form on our website, you are providing your email address voluntarily for the purpose of receiving a response from us.

4.

How We Use Your Data

—To deliver the PRISM training session and score agent responses using our AI Scoring Engine;

—To generate and display training results, scores and feedback to the agent at the end of their session;

—To populate the Manager Dashboard with session results, RAG status and performance recommendations;

—To enable CSV export of results for managers;

—To respond to enquiries submitted via the website contact form;

—To maintain the security and integrity of the Platform.

PRISM does not make automated employment decisions. All scoring outputs are intended to support human-led training and coaching decisions by managers. We do not use agent training data for marketing, advertising, or any purpose beyond providing the Platform as described above.

5.

Who We Share Data With

We do not sell personal data to any third party. We share data only with the following sub-processors, strictly for the purpose of operating the Platform:

Supabase

Database storage

All training results, scores and session data are stored in a Supabase database. Supabase is SOC 2 compliant and data is stored within the EU.

Location: EU

Anthropic

AI scoring engine

Agent responses are sent to Anthropic's API for scoring under their enterprise data processing terms. Responses are not used to train public foundation models.

Location: USA (Standard Contractual Clauses apply)

Vercel

Platform hosting

The PRISM application is hosted on Vercel. Vercel processes request data as necessary to serve the application.

Location: USA / EU (Standard Contractual Clauses apply)

Resend

Transactional email

We use Resend to deliver results emails to agents and managers following a completed session.

Location: USA (Standard Contractual Clauses apply)

Stripe

Payment processing

We use Stripe to process subscription payments. Stripe does not receive agent training data.

Location: USA (Standard Contractual Clauses apply)

6.

How Long We Keep Your Data

We retain training session data (name, email, scores, session records) for as long as the subscribing organisation holds an active PRISM subscription.

Upon termination of a subscription, data will be deleted or returned to the subscribing organisation within 30 days, unless a longer retention period is required by law.

Website enquiry data is retained for up to 12 months from the date of submission, after which it is deleted.

7.

Your Rights Under UK GDPR

If you are an agent whose data is processed through the PRISM Platform, you have the following rights:

Right of accessYou can request a copy of the personal data we hold about you.

Right to rectificationYou can ask us to correct any inaccurate data we hold about you.

Right to erasureYou can ask us to delete your personal data, subject to any obligations we have to retain it.

Right to restrictionYou can ask us to restrict processing of your data in certain circumstances.

Right to objectYou can object to processing carried out on the basis of legitimate interests.

Right to portabilityYou can request your data in a structured, machine-readable format.

To exercise any of these rights, contact us at privacy@prismtraininglabs.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8.

Security

—All data is stored in Supabase, which is SOC 2 Type II certified;

—Data is encrypted in transit using TLS and at rest;

—Access to the Manager Dashboard is protected by authentication;

—Access to production systems is restricted to authorised personnel only;

—We review our security practices regularly.

In the event of a personal data breach that is likely to result in risk to individuals, we will notify the affected subscribing organisation and the ICO as required by UK GDPR.

9.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the version number and effective date at the top of this page. Continued use of the Platform following any changes constitutes acceptance of the updated policy.

Contact Us

For any questions about this Privacy Policy, data subject rights requests, or data protection matters:

DATA PROTECTION: privacy@prismtraininglabs.com

GENERAL: legal@prismtraininglabs.com

DPA REQUESTS: A Data Processing Agreement is available to subscribing organisations on request.

Version 1.1 · April 2026 · The most current version will always be available at prismtraininglabs.com/privacy

Version 1.1 · Effective April 2026

Questions about this policy or how we handle your data? privacy@prismtraininglabs.com