Privacy Policy
Last updated: 21 May 2026
1. Who we are
DutyKit is a trading name of MFPD Studios (S Corp, Pennsylvania, USA). We are the data controller for personal data collected through dutykit.co.uk.
Contact: hello@dutykit.co.uk
2. What data we collect and why
DutyKit collects minimal personal data. We do not collect or process personal data about patients or individuals served by your organisation. The intake assessment captures organisational compliance responses only. The personal data we do collect:
- Email address — provided voluntarily at the start of your assessment. Used to send your session resume code and your completed kit. Not used for marketing.
- Organisation name and sector — used solely to generate your PDF output.
- Session resume code — a short alphanumeric token stored temporarily to support save-and-resume functionality. Expires after 30 days.
- Payment data — processed entirely by Stripe. MFPD Studios does not store card details. Stripe’s privacy policy governs payment processing.
- Technical data — standard server logs (IP address, browser type) retained for security and service improvement.
3. Lawful basis and applicable law
Although MFPD Studios is incorporated in the United States, we apply UK GDPR to the personal data of users based in the United Kingdom. UK-based users retain all rights set out in Section 6 below, including the right to complain to the UK Information Commissioner’s Office, regardless of where DutyKit is incorporated.
For users based in the UK, our lawful basis for processing is Article 6(1)(b) UK GDPR — processing necessary to perform the contract (delivering your kit) — and Article 6(1)(f) — legitimate interests — for server logs and service improvement.
4. Data retention
- Email address and session data: deleted 30 days after your assessment.
- Purchase records: retained for 7 years in accordance with applicable tax law.
- Server logs: retained for 90 days, then deleted.
5. Third-party processors
We share data with the following processors under written agreement:
- Stripe — payment processing. PCI DSS Level 1 certified.
- Resend — transactional email delivery of resume codes and completed kits.
- Hosting provider — server infrastructure. Data stored within the UK/EEA where possible.
We do not sell your data. We do not share it with any other third parties.
6. Your rights
If you are based in the UK, you have rights under UK GDPR including the right to access, correct, or erase your personal data, and to complain to the Information Commissioner’s Office at ico.org.uk. To exercise any right, contact hello@dutykit.co.uk.
7. Cookies
DutyKit uses essential session cookies required for the service to function. No advertising or tracking cookies are set.
8. Changes to this policy
We may update this policy from time to time. The current version is always available at dutykit.co.uk/privacy.
MFPD Studios trading as DutyKit · dutykit.co.uk · hello@dutykit.co.uk