Privacy Policy

1. Controller and Processor Roles

Fully Coded Solutions Limited, trading as SkillDrill ("we", "us", "our"), is registered in England and Wales. The role we play under UK GDPR depends on whose data is being processed:

• SkillDrill as controller. We are the data controller only for personal data we collect directly for our own purposes: website visitors, marketing leads, prospective customers, direct billing contacts, and people who contact us by email or through our website forms.
• SkillDrill as processor. For all personal data uploaded into the platform by a customer organisation (the "tenant") — including staff, applicants, learners, volunteers, and other end users invited or imported by that tenant — the tenant is the data controller and SkillDrill acts as the data processor on every plan. This processing is governed by the Data Processing Agreement, which forms part of the customer's contract with us.

If you are an employee, applicant, learner or other end user whose data was added to SkillDrill by an organisation, you should direct data-rights requests to that organisation in the first instance; we will assist them in responding.

Privacy contact: [email protected]

2. What We Collect

We collect the following categories of personal data:

• Account information: Name, email address, organisation name, and role
• Conversation data: Responses provided during AI-facilitated skill conversations
• Skills data: Skills, qualifications, and experience identified through conversations
• Profile information: Job title, department, and other professional details
• Usage data: Log data, device information, and interaction patterns
• Payment data: Billing information processed through our payment provider

3. How We Use It

We use personal data to:

• Provide and maintain the SkillDrill platform
• Facilitate AI-powered skill conversations and analysis
• Generate skill profiles, team insights, and analytics
• Flag professional concerns disclosed during conversations for review by designated personnel
• Send service-related communications (account alerts, product updates)
• Improve the platform through anonymised, aggregated analytics
• Comply with legal obligations

4. Legal Basis for Processing

We process personal data under the following legal bases (UK GDPR Article 6):

• Contract performance: Processing necessary to provide the Service you have subscribed to
• Legitimate interests: Improving our Service, preventing fraud, and ensuring platform security
• Consent: Where explicitly given, such as for marketing communications
• Legal obligation: Where required by applicable law

Special-category data (UK GDPR Article 9)

During an AI-facilitated skills conversation, an end user may volunteer information that constitutes special-category personal data under UK GDPR Article 9 — most commonly information concerning physical or mental health, caring responsibilities, or disability-related reasonable adjustments. SkillDrill may also flag conversations that contain welfare signals (for example mentions of significant stress, sleep problems, or harassment) so that a designated person within the tenant organisation can follow up.

Where SkillDrill processes special-category data on behalf of a tenant, it does so under the following Article 9 conditions, alongside Schedule 1 of the Data Protection Act 2018:

• Art. 9(2)(b) — employment, social security and social protection law. The tenant, as employer, has obligations under UK employment law including the duty of care under the Health and Safety at Work etc. Act 1974, reasonable adjustments under the Equality Act 2010, and safeguarding obligations relevant to its sector. Processing welfare signals to discharge these obligations is permitted under Article 9(2)(b) read with DPA 2018 Sch. 1 Part 1 paragraph 1.
• Art. 9(2)(h) — occupational medicine and assessment of working capacity. Where a tenant uses SkillDrill as part of a workflow that involves an occupational-health professional or that assesses fitness for a particular role, processing may also rely on Article 9(2)(h) read with DPA 2018 Sch. 1 Part 1 paragraph 2.

Welfare signals surfaced by the AI are not used to diagnose, screen for or treat any medical condition. SkillDrill is not a medical device and does not provide clinical advice. Where a welfare flag is raised, the appropriate response is for a designated human within the tenant organisation (typically HR, a safeguarding lead or a line manager) to reach out to the individual.

Special-category data is encrypted at rest with tenant-specific keys, restricted to designated administrators by role-based access control, and subject to the data subject rights set out in section 7 below.

5. Data Sharing

We do not sell personal data. We share data only with:

• AI providers: Conversation data is processed by our AI model provider to facilitate skill conversations. Data is not used to train AI models.
• Cloud infrastructure: Data is stored on secure cloud infrastructure within the UK/EU
• Payment processors: Billing data is processed by our PCI-compliant payment provider
• Your organisation: Your employer (tenant administrator) can access your skill profile and conversation summaries

We require all third-party processors to maintain appropriate security measures and process data only on our instructions.

6. Data Retention

We retain personal data for as long as your account is active or as needed to provide the Service. Specifically:

• Active accounts: Data retained for the duration of the subscription
• Deleted accounts: Live data is permanently deleted within 30 days of account closure. Encrypted backups containing residual copies are purged within a further 60 days (90 days total from closure).
• Conversation data: Encrypted at rest with tenant-specific encryption keys
• Billing records: Retained for 7 years as required by financial regulations

7. Your Rights

Under GDPR, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate personal data
• Erasure: Request deletion of your personal data ("right to be forgotten")
• Portability: Receive your data in a structured, machine-readable format
• Restriction: Request limitation of processing
• Objection: Object to processing based on legitimate interests
• Withdrawal of consent: Withdraw consent at any time where processing is consent-based

To exercise these rights, contact us at [email protected]. We will respond within 30 days. If your data was uploaded by an employer or other organisation, please contact that organisation in the first instance.

8. Children's Data

SkillDrill is a business-to-business service provided to organisations under a customer contract. Whether any individual end user is under 18 is determined by the customer organisation (the tenant) acting as the data controller — for example, where a tenant uses SkillDrill to capture skills, qualifications or training data for apprentices, learners, junior staff, or volunteers who may be aged 16 or 17.

Where SkillDrill processes data relating to end users under 18 on behalf of a tenant:

• The tenant is responsible, as controller, for establishing the lawful basis for that processing and for obtaining any consents required from the individual or, where relevant, a parent or guardian.
• SkillDrill has designed the platform with the UK Information Commissioner's Office Age Appropriate Design Code (AADC) in mind, including data minimisation, transparency, and switching off non-essential profiling by default.
• Data subject rights (access, rectification, erasure, portability) apply equally to under-18 end users and can be exercised through the tenant or, in cases where the tenant cannot be reached, directly with us.

SkillDrill does not knowingly market its services to children, does not allow self-signup by individuals under 18 outside of a tenant context, and does not process special-category data about children for advertising or profiling purposes.

9. Cookies

We use essential cookies required for the Service to function (session management, authentication). We do not use third-party tracking cookies or advertising cookies. Analytics cookies, if used, are anonymised and do not track individual users across websites.

10. Contact

For privacy-related enquiries or to exercise your data rights:

Email: [email protected]
Post: Fully Coded Solutions Limited, Barn Owl Cottage, Chapel Hill, Ponsanooth, TR3 7ET, United Kingdom

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.