Data Protection Policy
Last updated: 6 March 2026
1. Our Commitment
JustStart Limited ("JustStart", "we", "us") is committed to protecting the personal data of our users, programme participants, and website visitors. This Data Protection Policy outlines the measures we take to ensure compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Protection Principles
We adhere to the following principles when processing personal data:
- Lawfulness, fairness, and transparency: we process data lawfully, fairly, and in a transparent manner. We clearly inform you about how and why we use your data.
- Purpose limitation: we collect data only for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.
- Data minimisation: we collect only the data that is necessary for the purposes we have identified. We do not collect excessive or irrelevant information.
- Accuracy: we take reasonable steps to ensure personal data is accurate and up to date. We provide mechanisms for you to update your information.
- Storage limitation: we retain personal data only for as long as necessary to fulfil its purpose, after which it is securely deleted or anonymised.
- Integrity and confidentiality: we implement appropriate security measures to protect personal data against unauthorised access, loss, or damage.
- Accountability: we take responsibility for our data processing activities and can demonstrate compliance with these principles.
3. Technical Security Measures
We implement the following technical measures to protect your personal data:
- Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security).
- Encryption at rest: personal data stored in our database is encrypted at rest using industry-standard encryption.
- Secure authentication: access to our systems requires authenticated credentials with appropriate access controls.
- Payment security: all payment processing is handled by Stripe, a PCI DSS Level 1 certified provider. We never store full card numbers on our servers.
- Database security: our database (hosted on Supabase) implements Row-Level Security (RLS) policies to ensure data access is properly controlled.
- PII anonymisation: we have implemented automated anonymisation procedures for personal data that is no longer required for active processing.
4. Organisational Security Measures
- Access controls: access to personal data is restricted to team members who require it for their role. We follow the principle of least privilege.
- Data handling procedures: all team members follow documented procedures for handling personal data.
- Incident response: we have procedures in place to detect, report, and respond to personal data breaches promptly.
- Regular reviews: we regularly review and update our security measures and data processing practices.
5. Data Processing Activities
We process personal data for the following activities:
- Programme delivery: managing registrations, delivering content, and tracking progress for Masterclass, Leap Sprint, and Leap Bootcamp participants.
- Payment processing: securely processing programme fees through Stripe, including payment intents, card management, and upgrades.
- Lead management: capturing and managing enquiries from potential participants across all programmes and the newsletter.
- Assessment tools: processing responses to our Readiness Assessment and Idea Scorecard to provide personalised feedback.
- Communications: sending programme updates, session reminders, and marketing communications (with consent).
6. Data Processors
We use the following third-party processors, each selected for its strong data protection practices:
- Stripe — payment processing. PCI DSS Level 1 certified. Processes payment data for fraud prevention under its own responsibilities as a data controller.
- Supabase — database hosting and authentication. Data is stored with encryption at rest and in transit, with Row-Level Security enforced.
- Vercel — website hosting and deployment. Provides edge network delivery with security protections.
All processors are bound by data processing agreements that require them to protect personal data to at least the same standard as required by UK GDPR.
7. Data Breach Procedures
In the event of a personal data breach, we will:
- Investigate and contain the breach as quickly as possible.
- Assess the risk to affected individuals.
- Notify the Information Commissioner's Office (ICO) within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms.
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Document the breach, its effects, and the remedial actions taken.
8. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate or incomplete data.
- Right to erasure: request deletion of your personal data where there is no compelling reason to continue processing.
- Right to restrict processing: request that we limit the processing of your data in certain circumstances.
- Right to data portability: receive your data in a structured, commonly used, and machine-readable format.
- Right to object: object to processing based on legitimate interests or for direct marketing purposes.
To exercise any of these rights, please contact our data protection lead at privacy@juststart.tech. We will respond to your request within 30 days.
9. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) when introducing new technologies or processing activities that are likely to result in a high risk to individuals' rights and freedoms. This includes assessments for new programme features, tools, and third-party integrations.
10. International Data Transfers
Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place:
- Transfers to countries with an adequacy decision from the UK Secretary of State.
- Standard Contractual Clauses (SCCs) approved by the ICO.
- Additional technical measures where required to ensure equivalent protection.
11. Review and Updates
This Data Protection Policy is reviewed regularly and updated as necessary to reflect changes in our processing activities, legal requirements, or best practices. The "last updated" date at the top of this page indicates when the policy was last revised.
12. Contact and Complaints
For any questions, concerns, or requests related to data protection, please contact:
JustStart Limited — Data Protection Lead
Email: privacy@juststart.tech
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113