Privacy Notice
Last updated: 2026-05-01
This Privacy Notice explains how DarkhorseOne Limited collects, uses, stores and shares personal data in connection with the Risk to Ready website, assessment tools, reports, digital resources and related services.
Risk to Ready is a business-readiness and risk-control service designed to help founders, freelancers, sole traders, small companies and early-stage businesses understand practical compliance and operational setup issues.
This Privacy Notice applies when you visit our website, complete a Risk to Ready assessment, submit an enquiry, create an account, purchase a service, download a resource, subscribe to communications, or otherwise interact with us.
1. Who we are
For the purposes of UK data protection law, DarkhorseOne Limited is the data controller of the personal data described in this Privacy Notice, unless we tell you otherwise.
Controller: DarkhorseOne Limited
Trading/product name: Risk to Ready
Company number: 15002342
Registered office: Suite 3.1, 27 Castle Street, Canterbury, Kent, England, CT1 2PX
Contact email: service@darkhorseone.co.uk
You can contact us about privacy matters at:
Email: service@darkhorseone.co.uk
We are responsible for deciding why and how your personal data is processed in connection with Risk to Ready.
2. Legal framework
We process personal data in accordance with applicable UK data protection and privacy laws, including:
- the UK General Data Protection Regulation;
- the Data Protection Act 2018;
- the Privacy and Electronic Communications Regulations 2003, where relevant to cookies and electronic marketing.
The Data Protection Act 2018 is the UK legislation that replaced the Data Protection Act 1998 and sits alongside the UK GDPR framework. PECR applies to activities such as electronic marketing and cookies or similar technologies.
3. Personal data we collect
We may collect and process the following categories of personal data.
3.1 Identity and contact data
This may include:
- name;
- email address;
- telephone number, if provided;
- company name or trading name;
- job title or role;
- communication preferences.
3.2 Business profile and assessment data
When you complete a Risk to Ready assessment or request a report, we may collect information about your business or intended business activity, including:
- business type, sector and trading status;
- whether you operate as a sole trader, freelancer, limited company, partnership or other structure;
- business stage;
- approximate revenue band or expected business activity;
- whether you employ staff or plan to employ staff;
- operational setup;
- HR, tax, accounting, data protection, Companies House or compliance-readiness indicators;
- answers provided in diagnostic questionnaires;
- risk scores, readiness scores, recommendations and generated report content.
Some of this information may relate to a business rather than an individual. However, where it identifies or can reasonably identify a living individual, we treat it as personal data.
3.3 Account, order and transaction data
If you create an account or purchase services, we may process:
- account login details;
- order history;
- subscription status;
- billing details;
- invoice records;
- payment confirmation records;
- customer support records.
We do not normally store full payment card details. Card payments are usually processed by an external payment provider.
3.4 Website, device and technical data
When you use our website, we may collect technical information such as:
- IP address;
- browser type and version;
- device type;
- operating system;
- pages visited;
- date and time of visit;
- referral source;
- approximate location derived from technical data;
- cookie identifiers;
- analytics events, where enabled.
3.5 Communications data
If you contact us, we may process:
- enquiry details;
- email correspondence;
- support messages;
- feedback;
- meeting notes;
- records of our responses.
3.6 Marketing data
Where applicable, we may process:
- marketing preferences;
- consent records;
- unsubscribe records;
- engagement with emails or campaigns.
4. Special category data
Risk to Ready is not designed to collect special category data.
Special category data includes information about health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, sex life or sexual orientation.
Please do not submit special category data through Risk to Ready unless we specifically ask for it and explain why it is required.
If we ever need to process special category data, we will identify a lawful basis under Article 6 UK GDPR and a separate condition under Article 9 UK GDPR. The ICO confirms that both are required when processing special category data.
5. How we use your personal data and our lawful bases
We only process personal data where we have a lawful basis to do so. UK data protection law requires organisations to identify a lawful basis before processing personal data.
| Purpose | Personal data used | Lawful basis |
|---|---|---|
| To provide the Risk to Ready assessment | Identity, contact, business profile, assessment responses | Contract, or steps prior to entering into a contract |
| To generate recommendations, reports or resource suggestions | Assessment responses, business profile, risk indicators | Contract, or legitimate interests |
| To respond to enquiries | Identity, contact and communications data | Legitimate interests, or steps prior to entering into a contract |
| To create and manage user accounts | Identity, contact and account data | Contract |
| To process purchases, subscriptions and invoices | Identity, contact, transaction and billing data | Contract and legal obligation |
| To provide customer support | Account, communications and service data | Contract and legitimate interests |
| To improve Risk to Ready | Assessment patterns, website analytics, feedback | Legitimate interests |
| To protect website and service security | Technical data, logs and account data | Legitimate interests |
| To prevent fraud or misuse | Technical, account and transaction data | Legitimate interests |
| To comply with legal, tax and accounting obligations | Transaction, invoice and account records | Legal obligation |
| To send service communications | Contact, account and service data | Contract and legitimate interests |
| To send marketing communications | Contact and marketing preference data | Consent or legitimate interests, depending on the circumstances |
| To manage unsubscribe and suppression lists | Contact and marketing preference data | Legal obligation and legitimate interests |
Where we rely on legitimate interests, our interests may include operating and improving Risk to Ready, understanding customer needs, protecting our systems, developing relevant services, and communicating with business users about related services.
We will only rely on legitimate interests where we consider that our interests are not overridden by your rights, freedoms or interests.
6. AI-assisted processing
Risk to Ready may use AI-assisted systems to help analyse assessment responses, identify business-readiness patterns, generate recommendations, produce draft reports, summarise risks, or suggest relevant resources.
AI-assisted processing may involve structured prompts, rules, scoring models, retrieval-based knowledge resources, or other automated support tools.
We use AI-assisted processing to support practical business-readiness guidance. It is not intended to provide final legal, tax, accounting, immigration, employment-law or regulatory advice.
Unless we expressly tell you otherwise:
- Risk to Ready does not make decisions about you that produce legal effects or similarly significant effects solely by automated means;
- AI-generated outputs are advisory and informational;
- users remain responsible for deciding whether to act on any recommendation;
- important business, legal, tax or HR decisions should be reviewed by an appropriately qualified professional.
The UK GDPR restricts solely automated decisions, including profiling, where they have legal or similarly significant effects on individuals. This is why Risk to Ready should be positioned as a support and guidance tool, not as a final decision-maker.
7. Cookies and similar technologies
Our website may use cookies or similar technologies.
Cookies may be used for:
- essential website functionality;
- security;
- remembering preferences;
- analytics;
- performance monitoring;
- marketing or conversion measurement, where enabled.
We will not use non-essential cookies unless we have a lawful basis to do so and, where required, have obtained valid consent.
Under ICO guidance, consent for cookies must be freely given, specific and informed, and must involve an unambiguous positive action. The ICO also states that simply placing cookie information in a hard-to-find privacy policy is not enough.
Where non-essential cookies are used, we should provide a separate cookie banner or cookie management tool that allows users to accept or reject them.
A separate Cookie Notice may be provided.
8. Direct marketing
We may send you marketing communications where permitted by law.
For example, we may send marketing emails where:
- you have given consent;
- you are an existing customer and the communication relates to similar products or services;
- you have not opted out;
- another lawful basis applies.
You can unsubscribe from marketing communications at any time by using the unsubscribe link in our emails or by contacting us.
We may still send non-marketing service communications, such as messages about your account, orders, assessments, security, legal updates or service changes.
9. Who we share personal data with
We may share personal data with third parties where necessary for the purposes set out in this Privacy Notice.
These may include:
- cloud hosting providers;
- website infrastructure providers;
- database and storage providers;
- analytics providers;
- email delivery providers;
- CRM or customer support tools;
- payment processors;
- accounting and invoicing providers;
- AI infrastructure or model providers, where used;
- professional advisers, including accountants, lawyers and consultants;
- regulators, public authorities, courts or law enforcement bodies where required by law.
We do not sell personal data.
Where a third party processes personal data on our behalf, we expect them to act only on our instructions, protect the data appropriately, and comply with applicable data protection obligations.
10. International transfers
Some service providers may process personal data outside the United Kingdom.
Where this involves a restricted transfer under UK data protection law, we will use an appropriate transfer mechanism, such as:
- an adequacy regulation;
- the UK International Data Transfer Agreement;
- the UK Addendum to the EU Standard Contractual Clauses;
- another lawful safeguard recognised under UK data protection law.
The ICO identifies the IDTA and the UK Addendum as standard contractual safeguards available for restricted transfers under the UK GDPR.
11. Data retention
We will keep personal data only for as long as reasonably necessary for the purposes for which it was collected, including to meet legal, accounting, tax, reporting, security and dispute-resolution requirements.
Indicative retention periods are set out below.
| Data category | Indicative retention period |
|---|---|
| Website enquiries | Up to 24 months after the last meaningful contact |
| Risk to Ready free assessment responses | Up to 24 months, unless deleted earlier or converted into a customer record |
| Paid assessment reports and customer records | For the duration of the customer relationship and up to 6 years afterwards |
| Invoices, payment records and accounting records | Usually 6 years, in line with tax and accounting requirements |
| Account records | For the life of the account and up to 6 years after closure where needed |
| Marketing consent records | Until consent is withdrawn, plus a reasonable period to maintain suppression records |
| Unsubscribe or suppression records | As long as necessary to ensure we do not contact you again for marketing |
| Website analytics data | According to the analytics configuration and cookie settings |
| Security logs | Usually short-term, unless required for investigation, security, legal or audit purposes |
If a fixed retention period cannot be stated, we will determine retention by reference to the nature of the data, the purpose of processing, legal limitation periods, regulatory requirements, risk level, and whether the data is still needed.
ICO guidance expects organisations to tell individuals either the retention period or the criteria used to determine it.
12. Security
We use appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
These measures may include:
- access controls;
- role-based permissions;
- encryption where appropriate;
- secure hosting;
- backup and recovery procedures;
- monitoring and logging;
- supplier due diligence;
- confidentiality controls;
- regular review of security practices.
The UK GDPR’s data protection principles include integrity and confidentiality, storage limitation, data minimisation, purpose limitation, accuracy, accountability, and lawfulness, fairness and transparency.
No website or digital service can be guaranteed to be completely secure, but we take reasonable steps to protect the personal data we process.
13. Your rights
Depending on the circumstances, you may have the following rights under UK data protection law:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object;
- rights relating to automated decision-making and profiling;
- the right to withdraw consent where processing is based on consent.
The ICO identifies these as individual rights under UK data protection law.
To exercise your rights, contact us at:
Email: service@darkhorseone.co.uk
We may need to verify your identity before responding.
We will respond to valid requests within the time required by law.
Your right to object
You have the right to object to our processing of your personal data where we rely on legitimate interests, including profiling based on legitimate interests.
You also have the right to object to direct marketing at any time.
If you object to direct marketing, we will stop using your personal data for that purpose.
14. Withdrawing consent
Where we rely on consent, you may withdraw your consent at any time.
Withdrawing consent does not affect processing that took place before consent was withdrawn.
You can withdraw consent by contacting us or, where applicable, by using the relevant unsubscribe or cookie preference controls.
ICO guidance states that people should be told they can withdraw consent at any time and that withdrawal should be as easy as giving consent.
15. Accuracy of information
Please ensure that the information you provide to Risk to Ready is accurate and up to date.
Risk to Ready assessments and recommendations depend on the information submitted. If the information you provide is incomplete, inaccurate or outdated, the resulting assessment may also be incomplete, inaccurate or unsuitable for your circumstances.
16. Children
Risk to Ready is intended for business users and is not directed at children.
We do not knowingly collect personal data from children through Risk to Ready. If you believe that a child has provided us with personal data, please contact us so that we can review and, where appropriate, delete it.
17. Third-party links and resources
Our website may contain links to third-party websites, tools, resources or services.
We are not responsible for the privacy practices, security or content of third-party websites. You should read the privacy notices of those third parties before providing personal data to them.
18. Complaints
If you have concerns about how we process your personal data, please contact us first so that we can try to resolve the issue.
You also have the right to complain to the UK Information Commissioner’s Office.
Information Commissioner’s Office
Website: ico.org.uk
Telephone: 0303 123 1113
The ICO is the UK authority responsible for upholding information rights and data privacy.
19. Changes to this Privacy Notice
We may update this Privacy Notice from time to time.
The latest version will be published on our website with the “Last updated” date shown at the top.
Where changes are material, we may notify users by email, website notice or other appropriate means.