Privacy Policy
Last updated: April 2026
This is our plain-English commitment to how we handle your data. We wrote it the way we'd want to read one: short, specific, and honest.
Who we are
This platform (the "Strategic Thinking Partner", also operating at app.thestrategicbusinessofme.com and thestrategicbusinessofme.com) is operated by SBOM Ltd, a private limited company registered in England and Wales (company number pending; will be updated here once issued). Our registered contact address is available on request via ap@thestrategicbusinessofme.com.
For all data-protection questions, you can contact us at ap@thestrategicbusinessofme.com.
What data we collect
When you use the service without signing up
- A randomly generated visitor ID (stored as a cookie)
- Your page visits, clicks, and how long you spend on each page
- Basic device info (browser type, screen size, approximate country from IP)
- Any messages you send within an anonymous session
When you sign up
- Your name and email address
- A password (stored only as a cryptographic hash — we never see your actual password)
- Optional profile information you choose to provide (job title, role type, date of birth)
When you use the thinking partner
- The conversations you have (text and voice transcripts where applicable)
- Any documents you upload (processed and stored in your account)
- Summaries, plans, and patterns the AI surfaces during your sessions
If you pay for a subscription
- Payment is processed by Stripe. We never see or store your full card details — Stripe does. We store a Stripe customer identifier so we can manage your subscription.
What we do with your data
We use your data to:
- Provide the thinking partner service and remember your past sessions so the AI can reference them
- Send you authentication emails (password resets, and in future, verification)
- Analyse anonymous usage patterns so we can improve the product
- Prevent abuse, spam, and fraud
- Respond to your enquiries and provide customer support
- Comply with legal obligations when required
What we do NOT do with your data
- We do not sell your data to anyone. Ever.
- We do not share your conversations with advertisers, employers, or third parties
- We do not use your private conversations to train external AI models outside this service
- We do not read individual user conversations as part of normal operations. The AI reads them — humans at SBOM Ltd do not, except where required by law, security investigation, or with your explicit consent (e.g. if you ask us for support on a specific conversation).
Corporate/enterprise deployments
If your organisation deploys this product at scale, your employer receives aggregate pattern data only — never individual conversations. Your employer cannot read what you type. This is architecturally enforced, not a promise. We consider this a core principle; without it, the tool would not work.
Who your data is shared with
We use a small number of sub-processors to run the service:
- Anthropic — the underlying AI provider (processes your messages to generate responses)
- Hume AI — voice processing (when you use voice mode)
- Stripe — payment processing (if you subscribe)
- Render — cloud hosting
- Email service provider (to send authentication emails)
All sub-processors are contractually required to protect your data. We use only GDPR-compliant providers.
International transfers
Some of our sub-processors (e.g. Anthropic, Stripe) are US-based. Where data is transferred outside the UK/EEA, we rely on standard contractual clauses or equivalent safeguards as permitted by UK/EU GDPR.
How long we keep your data
- Free accounts: Conversation memory is retained for 30 days. Account-level data (name, email) is retained while your account is active.
- Paid accounts: Conversations are retained as long as your subscription is active, so the AI can reference them.
- After account deletion: We delete your personal data within 30 days, except where we are legally required to retain minimal records (e.g. invoices).
- Anonymous analytics: Page views and event data are retained in aggregated form indefinitely, but are not linked to your identity after account deletion.
Your rights under UK/EU GDPR
You have the right to:
- Ask for a copy of the personal data we hold on you
- Ask us to correct data that is inaccurate
- Ask us to delete your data (the "right to be forgotten")
- Ask us to stop processing your data
- Object to automated decision-making
- Withdraw consent at any time (for processing based on consent)
- Complain to the Information Commissioner's Office (ico.org.uk) if you believe we've mishandled your data
To exercise any of these rights, email ap@thestrategicbusinessofme.com. We will respond within 30 days.
Security
We encrypt data in transit (HTTPS) and at rest (encrypted database). Passwords are hashed with bcrypt. We use industry-standard practices for authentication and session management. No system is 100% secure, but we take this seriously.
Cookies
We use a small number of strictly necessary cookies — mainly to keep you signed in and to give you a visitor ID for analytics. See our Cookie Policy for the full list.
Changes to this policy
We may update this policy as the service evolves. Significant changes will be announced in the app or via email. The "last updated" date at the top reflects the most recent revision.