Risk to Ready

Privacy Notice

Last updated: 2026-05-01

This Privacy Notice explains how DarkhorseOne Limited collects, uses, stores and shares personal data in connection with the Risk to Ready website, assessment tools, reports, digital resources and related services.

Risk to Ready is a business-readiness and risk-control service designed to help founders, freelancers, sole traders, small companies and early-stage businesses understand practical compliance and operational setup issues.

This Privacy Notice applies when you visit our website, complete a Risk to Ready assessment, submit an enquiry, create an account, purchase a service, download a resource, subscribe to communications, or otherwise interact with us.

1. Who we are

For the purposes of UK data protection law, DarkhorseOne Limited is the data controller of the personal data described in this Privacy Notice, unless we tell you otherwise.

Controller: DarkhorseOne Limited
Trading/product name: Risk to Ready
Company number: 15002342
Registered office: Suite 3.1, 27 Castle Street, Canterbury, Kent, England, CT1 2PX
Contact email: service@darkhorseone.co.uk

You can contact us about privacy matters at:

Email: service@darkhorseone.co.uk

We are responsible for deciding why and how your personal data is processed in connection with Risk to Ready.

2. Legal framework

We process personal data in accordance with applicable UK data protection and privacy laws, including:

The Data Protection Act 2018 is the UK legislation that replaced the Data Protection Act 1998 and sits alongside the UK GDPR framework. PECR applies to activities such as electronic marketing and cookies or similar technologies.

3. Personal data we collect

We may collect and process the following categories of personal data.

3.1 Identity and contact data

This may include:

3.2 Business profile and assessment data

When you complete a Risk to Ready assessment or request a report, we may collect information about your business or intended business activity, including:

Some of this information may relate to a business rather than an individual. However, where it identifies or can reasonably identify a living individual, we treat it as personal data.

3.3 Account, order and transaction data

If you create an account or purchase services, we may process:

We do not normally store full payment card details. Card payments are usually processed by an external payment provider.

3.4 Website, device and technical data

When you use our website, we may collect technical information such as:

3.5 Communications data

If you contact us, we may process:

3.6 Marketing data

Where applicable, we may process:

4. Special category data

Risk to Ready is not designed to collect special category data.

Special category data includes information about health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, sex life or sexual orientation.

Please do not submit special category data through Risk to Ready unless we specifically ask for it and explain why it is required.

If we ever need to process special category data, we will identify a lawful basis under Article 6 UK GDPR and a separate condition under Article 9 UK GDPR. The ICO confirms that both are required when processing special category data.

5. How we use your personal data and our lawful bases

We only process personal data where we have a lawful basis to do so. UK data protection law requires organisations to identify a lawful basis before processing personal data.

PurposePersonal data usedLawful basis
To provide the Risk to Ready assessmentIdentity, contact, business profile, assessment responsesContract, or steps prior to entering into a contract
To generate recommendations, reports or resource suggestionsAssessment responses, business profile, risk indicatorsContract, or legitimate interests
To respond to enquiriesIdentity, contact and communications dataLegitimate interests, or steps prior to entering into a contract
To create and manage user accountsIdentity, contact and account dataContract
To process purchases, subscriptions and invoicesIdentity, contact, transaction and billing dataContract and legal obligation
To provide customer supportAccount, communications and service dataContract and legitimate interests
To improve Risk to ReadyAssessment patterns, website analytics, feedbackLegitimate interests
To protect website and service securityTechnical data, logs and account dataLegitimate interests
To prevent fraud or misuseTechnical, account and transaction dataLegitimate interests
To comply with legal, tax and accounting obligationsTransaction, invoice and account recordsLegal obligation
To send service communicationsContact, account and service dataContract and legitimate interests
To send marketing communicationsContact and marketing preference dataConsent or legitimate interests, depending on the circumstances
To manage unsubscribe and suppression listsContact and marketing preference dataLegal obligation and legitimate interests

Where we rely on legitimate interests, our interests may include operating and improving Risk to Ready, understanding customer needs, protecting our systems, developing relevant services, and communicating with business users about related services.

We will only rely on legitimate interests where we consider that our interests are not overridden by your rights, freedoms or interests.

6. AI-assisted processing

Risk to Ready may use AI-assisted systems to help analyse assessment responses, identify business-readiness patterns, generate recommendations, produce draft reports, summarise risks, or suggest relevant resources.

AI-assisted processing may involve structured prompts, rules, scoring models, retrieval-based knowledge resources, or other automated support tools.

We use AI-assisted processing to support practical business-readiness guidance. It is not intended to provide final legal, tax, accounting, immigration, employment-law or regulatory advice.

Unless we expressly tell you otherwise:

The UK GDPR restricts solely automated decisions, including profiling, where they have legal or similarly significant effects on individuals. This is why Risk to Ready should be positioned as a support and guidance tool, not as a final decision-maker.

7. Cookies and similar technologies

Our website may use cookies or similar technologies.

Cookies may be used for:

We will not use non-essential cookies unless we have a lawful basis to do so and, where required, have obtained valid consent.

Under ICO guidance, consent for cookies must be freely given, specific and informed, and must involve an unambiguous positive action. The ICO also states that simply placing cookie information in a hard-to-find privacy policy is not enough.

Where non-essential cookies are used, we should provide a separate cookie banner or cookie management tool that allows users to accept or reject them.

A separate Cookie Notice may be provided.

8. Direct marketing

We may send you marketing communications where permitted by law.

For example, we may send marketing emails where:

You can unsubscribe from marketing communications at any time by using the unsubscribe link in our emails or by contacting us.

We may still send non-marketing service communications, such as messages about your account, orders, assessments, security, legal updates or service changes.

9. Who we share personal data with

We may share personal data with third parties where necessary for the purposes set out in this Privacy Notice.

These may include:

We do not sell personal data.

Where a third party processes personal data on our behalf, we expect them to act only on our instructions, protect the data appropriately, and comply with applicable data protection obligations.

10. International transfers

Some service providers may process personal data outside the United Kingdom.

Where this involves a restricted transfer under UK data protection law, we will use an appropriate transfer mechanism, such as:

The ICO identifies the IDTA and the UK Addendum as standard contractual safeguards available for restricted transfers under the UK GDPR.

11. Data retention

We will keep personal data only for as long as reasonably necessary for the purposes for which it was collected, including to meet legal, accounting, tax, reporting, security and dispute-resolution requirements.

Indicative retention periods are set out below.

Data categoryIndicative retention period
Website enquiriesUp to 24 months after the last meaningful contact
Risk to Ready free assessment responsesUp to 24 months, unless deleted earlier or converted into a customer record
Paid assessment reports and customer recordsFor the duration of the customer relationship and up to 6 years afterwards
Invoices, payment records and accounting recordsUsually 6 years, in line with tax and accounting requirements
Account recordsFor the life of the account and up to 6 years after closure where needed
Marketing consent recordsUntil consent is withdrawn, plus a reasonable period to maintain suppression records
Unsubscribe or suppression recordsAs long as necessary to ensure we do not contact you again for marketing
Website analytics dataAccording to the analytics configuration and cookie settings
Security logsUsually short-term, unless required for investigation, security, legal or audit purposes

If a fixed retention period cannot be stated, we will determine retention by reference to the nature of the data, the purpose of processing, legal limitation periods, regulatory requirements, risk level, and whether the data is still needed.

ICO guidance expects organisations to tell individuals either the retention period or the criteria used to determine it.

12. Security

We use appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.

These measures may include:

The UK GDPR’s data protection principles include integrity and confidentiality, storage limitation, data minimisation, purpose limitation, accuracy, accountability, and lawfulness, fairness and transparency.

No website or digital service can be guaranteed to be completely secure, but we take reasonable steps to protect the personal data we process.

13. Your rights

Depending on the circumstances, you may have the following rights under UK data protection law:

The ICO identifies these as individual rights under UK data protection law.

To exercise your rights, contact us at:

Email: service@darkhorseone.co.uk

We may need to verify your identity before responding.

We will respond to valid requests within the time required by law.

Your right to object

You have the right to object to our processing of your personal data where we rely on legitimate interests, including profiling based on legitimate interests.

You also have the right to object to direct marketing at any time.

If you object to direct marketing, we will stop using your personal data for that purpose.

14. Withdrawing consent

Where we rely on consent, you may withdraw your consent at any time.

Withdrawing consent does not affect processing that took place before consent was withdrawn.

You can withdraw consent by contacting us or, where applicable, by using the relevant unsubscribe or cookie preference controls.

ICO guidance states that people should be told they can withdraw consent at any time and that withdrawal should be as easy as giving consent.

15. Accuracy of information

Please ensure that the information you provide to Risk to Ready is accurate and up to date.

Risk to Ready assessments and recommendations depend on the information submitted. If the information you provide is incomplete, inaccurate or outdated, the resulting assessment may also be incomplete, inaccurate or unsuitable for your circumstances.

16. Children

Risk to Ready is intended for business users and is not directed at children.

We do not knowingly collect personal data from children through Risk to Ready. If you believe that a child has provided us with personal data, please contact us so that we can review and, where appropriate, delete it.

17. Third-party links and resources

Our website may contain links to third-party websites, tools, resources or services.

We are not responsible for the privacy practices, security or content of third-party websites. You should read the privacy notices of those third parties before providing personal data to them.

18. Complaints

If you have concerns about how we process your personal data, please contact us first so that we can try to resolve the issue.

You also have the right to complain to the UK Information Commissioner’s Office.

Information Commissioner’s Office
Website: ico.org.uk
Telephone: 0303 123 1113

The ICO is the UK authority responsible for upholding information rights and data privacy.

19. Changes to this Privacy Notice

We may update this Privacy Notice from time to time.

The latest version will be published on our website with the “Last updated” date shown at the top.

Where changes are material, we may notify users by email, website notice or other appropriate means.