Welcome to the SightGlass Privacy Centre

At SightGlass, we take data privacy and security seriously. This Privacy Centre is designed to provide you with clear, accessible information about how we collect, use, and protect your data when using our diagnostic tools.

Here, you’ll find:

  • Terms of Use – The rules and responsibilities for using our services.
  • Privacy Notice & GDPR Compliance – How we handle personal data securely and lawfully.
  • Data Control & Processing Policies – Details on how SightGlass manages and protects data as a GDPR-compliant Data Controller.

We believe in transparency and user control. You can review these documents and manage your data preferences at any time.

If you have any questions or would like to exercise your data rights, contact us at info@sightglassgroup.com

Terms of Use – SightGlass Diagnostic Tool

1 Introduction

Welcome to SightGlass. These Terms of Use (“Terms”) govern your access to and use of the SightGlass diagnostic tool (“Service”). By using this Service, you agree to comply with these Terms.

Our Privacy Notice & GDPR Policy outlines how we collect, use, and protect your data. You can review the full policy here.

If you do not agree to these Terms, please do not use the diagnostic tool.

2 Purpose of the Service

SightGlass provides online diagnostics and insights to help individuals and organizations better understand their strategic priorities, capabilities, and development areas.
To deliver this service effectively:

  • We collect data from users (e.g., responses, preferences, organizational insights).
  • We process this data responsibly, ensuring privacy and security.
  • We generate personalized and/or aggregated insights based on responses.
  • We retain data longitudinally by default to allow users to track changes over time. Users may request data deletion at any time.

We do not provide legal, financial, or medical advice, and any insights should be used as informational guidance rather than definitive recommendations.

3 User Responsibilities

By using SightGlass, you agree to:

  • Provide accurate information when completing the diagnostic.
  • Use the insights responsibly, understanding that they are meant to support personal or organizational decision-making.
  • Respect intellectual property (see Section 5).
  • Not misuse the Service, including attempts to manipulate results or gain unauthorized access.

If you are using SightGlass as part of an organization, you confirm that you have permission to participate.

4 Data & Privacy

We take data privacy seriously. The use of your data is covered in our Privacy Notice & GDPR Policy, which includes:

  • What data we collect (e.g., name, email, responses).
  • How we use it (to generate insights, improve the tool).
  • Your rights (access, correction, deletion, opting in/out of tracking).
  • Security measures (encryption, access controls).

We retain personal data longitudinally by default to enable users to track their progress over time. However, users may request the deletion of their data at any time.

For full details, please review our Privacy Notice here.

Additionally, we utilize Brilliant Assessments as a key platform for our diagnostic services. Users acknowledge that their data may be processed through this platform, which operates under its own Privacy Policy and Security Statement.

5 Use of Reports, Images, and Intellectual Property

  • Personal Reports & Insights: You may share your individual report with colleagues, teams, or advisors to support organizational learning and action planning.
  • Use of Visual Data Representations: SightGlass allows reasonable use of images, charts, or graphics from your report in further communications, presentations, or discussions to help apply insights effectively.
  • Third-Party Use & Partnerships:
    – If you or your organization wish to use SightGlass insights, images, or methodology beyond personal or internal purposes, please contact us to request permission.
    – SightGlass partners have additional rights to use reports, insights, and diagnostic data as part of their work with organizations. If you are interested in exploring partnership opportunities, please get in touch.

SightGlass content, methodology, and generated insights remain owned or licensed by SightGlass and protected by intellectual property laws.

6 Service Availability & Changes

  • We strive to keep SightGlass operational, but we do not guarantee uninterrupted or error-free service.
  • SightGlass reserves the right to update, modify, or discontinue parts of the diagnostic tool without prior notice.
  • If necessary, we may suspend access for security, maintenance, or legal reasons.

7 Limitation of Liability

To the extent permitted by law:

  • SightGlass is provided on an “as-is” basis, and we make no warranties about the accuracy or suitability of insights.
  • We are not liable for any decisions made based on SightGlass insights.
  • We do not guarantee that SightGlass will always be available, secure, or free of errors.

If you experience technical issues, please contact our support team at info@sightglassgroup.com.

8 Acceptance of Terms & Updates

By continuing to use SightGlass, you confirm that you:

  • Have read and understood these Terms.
  • Accept how we handle data and provide insights.
  • Agree to comply with all applicable laws when using the Service.

We may update these Terms from time to time. Continued use of the Service after updates constitutes acceptance of the new Terms.

9 Contact Information

For any questions about these Terms, please contact:

Data Controller: Andy Mackay
Email: andy.mackay@sightglassgroup.com

Registered Address:
61 Dublin Street
Edinburgh
EH3 6NL
Scotland

Company Number (UK Registration): SC829611

GDPR Compliance for SightGlass Diagnostic Tool

1 Introduction

This Privacy Notice explains how SightGlass collects, processes, and protects your personal data when you participate in our diagnostic tool. We are committed to ensuring that your personal information is handled securely and in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679.

By using the diagnostic tool, you acknowledge that you have read and understood this Privacy Notice.

2 Who is the Data Controller?

The Data Controller responsible for your personal data is:

Data Controller: Andy Mackay
Email: andy.mackay@sightglassgroup.com

Registered Address:
61 Dublin Street
Edinburgh
EH3 6NL
Scotland

Company Number (UK Registration): SC829611

3 What Personal Data We Collect

Depending on your interaction with the diagnostic tool, we may collect the following types of personal data:

  • Identification Data: Name, email address, job title, and organization (if applicable).
  • Diagnostic Responses: Answers and insights provided during the assessment.
  • Technical Data: IP address, browser type, and interaction logs for security and usability improvements.

We do not collect sensitive personal data (e.g., health, racial or ethnic background) unless explicitly required and with your consent.

4 Legal Basis for Processing

We process personal data based on the following lawful bases under GDPR:

  • Legitimate Interest (Article 6(1)(f)): To analyze diagnostic responses and generate insights that help organizations and individuals improve performance.
  • Consent (Article 6(1)(a)): If required, we will request your explicit consent before processing certain data.
  • Contractual Obligation (Article 6(1)(b)): If you use the diagnostic as part of a contractual service.

Additionally, as part of our service, we utilize Brilliant Assessments as a data processing platform. Users acknowledge that their data may be processed through this platform, which operates under its own Privacy Policy and Security Statement.

5 Data Retention Policy & Longitudinal Tracking

We retain personal data longitudinally by default to enable users to track their progress over time. Users may request data deletion at any time.

  • Personal Data (e.g., name, email, job title, and linked responses):
    – Stored for up to 5 years, unless a user requests deletion.
  • Diagnostic Responses (Anonymized Data): Retained for 3–5 years for research, benchmarking, and organizational insights.
  • Technical Data (e.g., IP address, logs): Retained for 6–12 months, then deleted.
  • Fully Anonymized Data: May be retained indefinitely for research and analytics.

6 Data Sharing & Third Parties

We do not sell or rent your personal data. However, data may be shared with:

  • Authorized Service Providers (e.g., cloud hosting, analytics tools) under strict Data Processing Agreements (DPAs).
  • Your Organization (if applicable) to provide aggregated insights.
  • Brilliant Assessments (as our diagnostic processing platform).
  • Legal Authorities, if required by law.

Brilliant Assessments, as a key Data Processor, follows strict GDPR security standards. Users can review their Privacy Policy and Security Statement for further details.

All third parties are contractually obligated to maintain GDPR-compliant security and confidentiality standards.

7 Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption of data at rest and in transit.
  • Access controls to limit data access to authorized personnel.
  • Regular security audits to prevent unauthorized access.

Brilliant Assessments has obtained ISAE 3402 Type 2 – Service Organization Control (SOC 2) certification, reflecting their commitment to high security standards.

8 Your Rights Under GDPR

As a data subject, you have the following rights:

  1. Right to Access: Request a copy of your personal data.
  2. Right to Rectification: Correct inaccuracies in your data.
  3. Right to Erasure (“Right to be Forgotten”): Request deletion of your data.
  4. Right to Restrict Processing: Limit how your data is used.
  5. Right to Data Portability: Receive your data in a structured format.
  6. Right to Object: Stop processing based on legitimate interest.

To exercise your rights, contact andy.mackay@sightglassgroup.com

9 International Data Transfers

If your data is processed outside the European Economic Area (EEA), we ensure compliance through:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission.
  • Adequacy decisions for countries with equivalent data protection laws.

10 Contact & Complaints

For questions or to exercise your rights, please contact our Data Protection Officer (DPO):

Data Controller: Andy Mackay
Email: andy.mackay@sightglassgroup.com

Registered Address:
61 Dublin Street
Edinburgh
EH3 6NL
Scotland

If you believe we have not handled your data properly, you can lodge a complaint with your national data protection authority (e.g., ICO in the UK, CNIL in France, BfDI in Germany).

Data Controller & Processing Policy

1 Introduction

This Data Controller & Processing Policy sets out how SightGlass manages, processes, and protects personal data collected through our diagnostic tool, in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This policy defines our responsibilities as a Data Controller, our relationships with Data Processors, and how we ensure data protection.

2 Data Controller Responsibilities

As a Data Controller, SightGlass determines the purposes and means of processing personal data. We are responsible for:

  • Ensuring that all data collection and processing activities comply with GDPR requirements.
  • Defining the lawful basis for processing personal data (see Section 4).
  • Implementing appropriate security measures to protect personal data.
  • Managing user rights and consent preferences effectively.
  • Ensuring compliance in relationships with third-party Data Processors.
  • Ensuring continuity of data protection in the event of an ownership change or acquisition.

Data Controller Details:

Name: Andy Mackay
Email: andy.mackay@sightglassgroup.com

Registered Address:
61 Dublin Street
Edinburgh
EH3 6NL
Scotland

Company Number (UK Registration): SC829611

3 Categories of Personal Data Processed

We process the following categories of personal data:

  • Identification Data: Name, email address, job title, and organization (if applicable).
  • Diagnostic Responses: Answers provided during the assessment.
  • Technical Data: IP address, browser type, and interaction logs (for security and usability improvements).

We do not process special categories of personal data (e.g., health, racial or ethnic background) unless explicitly required and with user consent.

4 Legal Basis for Processing

Under Article 6 of GDPR, we rely on the following legal bases for processing personal data:

  • Legitimate Interest (Article 6(1)(f)): To analyze responses, generate insights, and improve our services.
  • Consent (Article 6(1)(a)): Where required, users will be asked to explicitly consent to processing.
  • Contractual Obligation (Article 6(1)(b)): If users engage in our services as part of a contractual agreement.

Additionally, as part of our service, we utilize Brilliant Assessments as a data processing platform. Users acknowledge that their data may be processed through this platform, which operates under its own Privacy Policy and Security Statement.

5 Data Retention Policy & Longitudinal Tracking

We retain personal data longitudinally by default to enable users to track their progress over time. Users may request data deletion at any time.

  • Personal Data (e.g., name, email, job title, and linked responses):
    – Stored for up to 5 years, unless a user requests deletion.
  • Diagnostic Responses (Anonymized Data): Retained for 3–5 years for research, benchmarking, and organizational insights.
  • Technical Data (e.g., IP address, logs): Retained for 6–12 months, then deleted.
  • Fully Anonymized Data: May be retained indefinitely for research and analytics.

6 Third-Party Data Processors

SightGlass engages third-party service providers to support our operations. These entities act as Data Processors and process data strictly under our instructions. We enter into Data Processing Agreements (DPAs) to ensure compliance. Processors may include:

  • Cloud Hosting Providers (e.g., AWS, Microsoft Azure, Google Cloud) for secure storage.
  • Analytics Services to improve diagnostic functionality.
  • Brilliant Assessments as our diagnostic processing platform.
  • Organizational Clients (if users participate as part of a company program).

Brilliant Assessments, as a key Data Processor, follows strict GDPR security standards. Users can review their Privacy Policy and Security Statement for further details.

All Data Processors must comply with GDPR security and confidentiality standards.

7 User Rights and Control Over Data

Users have the following rights under GDPR:

  • Right to Access: Request a copy of their data.
  • Right to Rectification: Correct inaccuracies.
  • Right to Erasure: Request deletion of personal data.
  • Right to Restrict Processing: Limit how data is used.
  • Right to Data Portability: Receive data in a structured format.
  • Right to Withdraw Consent: Users can stop data retention or tracking at any time.
  • Right to Object: Challenge data processing based on legitimate interest.

To exercise these rights, users can contact andy.mackay@sightglassgroup.com

8 Business Transfers & Data Protection

In the event of an acquisition, merger, or ownership change of SightGlass, user data may be transferred to the acquiring entity. Any such transfer will:

  • Be conducted in compliance with GDPR.
  • Ensure that data protection standards remain unchanged.
  • Provide users with prior notification, offering them the option to request deletion of their data before any transfer.

9 International Data Transfers

If personal data is transferred outside the European Economic Area (EEA), we ensure compliance using:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission.
  • Adequacy decisions for countries with equivalent data protection laws.

10 Compliance and Monitoring

We regularly monitor and update our data protection practices to ensure ongoing compliance with GDPR. This includes:

  • Conducting annual GDPR compliance reviews.
  • Maintaining audit logs for data processing activities.
  • Ensuring staff training on data protection responsibilities.

11 Contact & Complaints

For questions or to exercise your rights, please contact our Data Protection Officer (DPO):

Data Controller: Andy Mackay
Email: andy.mackay@sightglassgroup.com

Registered Address:
61 Dublin Street
Edinburgh
EH3 6NL
Scotland

If you believe we have not handled your data properly, you can lodge a complaint with your national data protection authority (e.g., ICO in the UK, CNIL in France, BfDI in Germany).