Skip to main content
← Back to home

Privacy Policy

Last Updated: 21 June 2026

Effective Date: 7 March 2026

1. Introduction

220 Yards Limited (trading as SCORE) ("SCORE", "we", "us", "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect personal information in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

SCORE provides a SaaS platform for survey companies to manage, store, and quality-check survey reports. We operate in two distinct capacities: as a data controller for our customers' account data, and as a data processor for survey reports and client data processed on behalf of our customers.

2. Data Controller Information

Company Name: 220 Yards Limited (trading as SCORE)

Companies House Number: 07563087

Registered Address: 15 Victoria Mews, Mill Field Road, Cottingley Business Park, Bingley, England, BD16 1PY

Contact Email: hello@scorehq.io

Website: scorehq.io

3. Scope and Applicability

This Privacy Policy applies to:

  • SCORE Customer Data: Information about survey companies (our direct customers) and their authorised users who access the SCORE platform (we are the data controller)
  • Surveyor Client Data: Survey reports and client information processed on behalf of our customers (we are the data processor)

4. What Personal Data We Collect

4.1 SCORE Customer Data (We are Controller)

When you use the SCORE platform, we collect:

Account Information:

  • Email addresses, first and last names, RICS number, qualification
  • Company affiliation, password hashes (pseudonymised)
  • User roles and permissions, avatar image, email sign-off preferences

Company Information:

  • Company name, address, phone number, email
  • Job reference prefix

Financial Information:

  • Bank details for invoicing (account name, sort code, account number)
  • Phone payment numbers, invoice payment terms, payment reference instructions
  • Invoice history (amounts, status, currency)

Usage Data:

  • Feature usage patterns, session data, error logs
  • Browser/device type, aggregated usage statistics
  • Interaction events (clicks, navigation paths), heatmap data, masked session replays
  • A/B test and experiment participation data

Security Data:

  • IP addresses, login attempts (successful and failed), lockout failure counts
  • Access timestamps, user agent strings, geolocation (derived from IP)

Support Data:

  • Support enquiries via email, communication history

Marketing Data:

  • Email addresses, names, subscription preferences, engagement data (opens, clicks)

4.2 Surveyor Client Data (We are Processor)

On behalf of our customers (survey companies), we process:

Client Information:

  • Full name, preferred name, email address, phone number (with country prefix)
  • Postal address, correspondence address, business name, client type (individual/business)

Survey Reports:

  • Report PDFs containing relevant information required to complete the survey (content varies by report type and may include personal data about property owners, purchasers, vendors, and other parties)

Job Metadata:

  • Property addresses, UPRN, coordinates, property type and description
  • Survey type, inspection dates and contact details, fees, quotes, invoices
  • Purchaser/vendor names, estate agent details, lender and broker references
  • Panel manager references, RICS conflict of interest declarations

AI Processing:

  • Text extracted from survey PDFs via OCR
  • QC context data (e.g. lender name, applicant name, property details, loan information)
  • Extracted field values and confidence scores

Communications:

  • Report delivery records, email logs (recipient, subject, body, delivery status)
  • Job notes and activity audit trail

Note: For Surveyor Client Data, your surveyor company is the data controller and determines the lawful basis for processing. SCORE processes this data strictly on their instructions.

5. Lawful Basis for Processing

5.1 SCORE Customer Data

We process your personal data under the following lawful bases:

  • Contract (Article 6(1)(b)): Account management, service delivery, billing, and customer support are necessary to perform our contract to provide the SCORE platform
  • Legal Obligation (Article 6(1)(c)): Billing records retained for 7 years for tax compliance
  • Legitimate Interest (Article 6(1)(f)): Server-side and aggregated platform analytics (to improve functionality), operational error and exception monitoring (Sentry, with personal data scrubbed), security monitoring (to protect accounts), product updates to existing customers (soft opt-in)
  • Consent (Article 6(1)(a)): Marketing emails and promotional content require explicit opt-in consent; non-essential analytics, session replay, heatmaps and A/B testing we run on the platform (PostHog and Sentry) require your explicit opt-in consent, which you can withdraw at any time

5.2 Surveyor Client Data

SCORE processes Surveyor Client Data as a data processor under Article 28 of UK GDPR. The customer (surveyor company) is the data controller and determines the lawful basis, typically:

  • Contract: Delivery of survey services to their clients
  • Legitimate Interest: Property surveys for legal/regulatory purposes

6. How We Use Your Personal Data

We use SCORE Customer Data for:

  • Providing and managing user accounts on the SCORE platform
  • Processing payments and generating invoices
  • Providing customer support and technical assistance
  • Monitoring platform performance, identifying bugs, and improving functionality
  • Detecting unauthorised access and preventing fraud
  • Sending service notifications (transactional emails)
  • Sending product updates and marketing communications (with consent or soft opt-in)

We use Surveyor Client Data strictly on customer instructions for:

  • Storing and managing survey reports and associated job data
  • Managing survey workflows (quoting, booking, inspections, invoicing, report delivery)
  • AI-powered OCR and field extraction for quality checking
  • Client communications on behalf of the surveyor (terms, quotes, reports, payment requests)
  • Maintaining audit trails and activity logs for accountability

7. Data Retention Periods

We retain personal data only as long as necessary.

Data Type Retention Period
Account and company data (including BACS details)Duration of subscription + 90 days
Billing records (invoices, tax records)7 years from end of financial year (legal requirement)
Email logs (delivery status, content)90 days
Usage analytics (raw logs)90 days (aggregated analytics retained indefinitely in anonymised form)
Security and error logs (including Sentry)Active monitoring: 90 days; Incident records: 24 months
Activity audit trailDuration of subscription + 90 days; deleted with account
Support ticketsDuration of subscription + 12 months
Marketing dataActive: Duration + 24 months; Unsubscribed: 30 days
Survey reports (processor)Customer-controlled (per Data Processing Agreement terms)

8. Who We Share Your Data With (Sub-Processors)

We engage sub-processors to provide our services. All sub-processors are bound by data processing agreements. For a complete and up-to-date list of sub-processors (provider, purpose, and location), please see our Sub-Processor Register on our Trust Center.

9. International Data Transfers

All personal data is primarily stored and processed within the UK and EEA. PostHog stores all data on EU Cloud (Frankfurt) so it does not leave the EU; PostHog, Inc. is US-incorporated, so any US access is covered by EU Standard Contractual Clauses and the UK International Data Transfer Addendum in the PostHog Data Processing Agreement. Transfers to outside the UK/EEA are carried out by certain other sub-processors — Featurebase (for certain auxiliary support-tooling services), Better Stack (for any non-EEA resilience), and Cloudflare (CAPTCHA / bot-protection challenge processing, routed through EU data centres for UK/EEA traffic). In all cases, onward transfers are covered by the EU Standard Contractual Clauses and the UK International Data Transfer Addendum incorporated into the relevant Data Processing Agreement. See our Sub-Processor Register for sub-processor locations.

10. How We Protect Your Data

We implement industry-standard technical and organisational security measures to protect your personal data:

  • Encryption: AES-256 encryption at rest, TLS 1.2+ encryption in transit
  • Authentication: Multi-factor authentication (MFA) mandatory for all SCORE production system access; MFA available and strongly recommended for all user accounts
  • Access Control: Role-based access, least privilege principle, quarterly access reviews
  • Monitoring: Security event logging, automated alerting for anomalies
  • Backups: Automated daily backups, encrypted and stored separately
  • Framework Alignment: Working towards Cyber Essentials Plus certification and aligned with ISO 27001 principles

For details about how we use AI services and our commitments around AI transparency, please see our AI Transparency & Data Trust Notice.

11. Cookies

We use strictly necessary cookies for platform authentication and security (hub.scorehq.io). Non-essential analytics and heatmap technologies (PostHog and Sentry session replay) are off by default on both the marketing site (scorehq.io) and the SCORE platform — they load only after you opt in via our cookie consent banner. You can withdraw consent at any time via Account → Privacy & Cookies (on the platform) and the footer "Cookie settings" link (on both sites). For full details, see our Cookie Policy.

12. Your Data Subject Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure ('Right to be Forgotten'): Request deletion of your personal data (subject to legal obligations)
  • Right to Restriction of Processing: Request limitation of processing in certain circumstances
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise your rights, contact us at compliance@scorehq.io. We will respond within 30 days, which may be extended by a further two months for complex or numerous requests.

Note: If you are a survey client (data subject of our customer), please contact the surveyor company directly as they are the data controller. We will assist them in responding to your request.

13. AI and Automated Decision-Making

Opt-in to AI features: SCORE users opt in to AI-assisted features. We process data for AI only when you have agreed to use those features.

AI processing (Mistral AI): We use Mistral AI to extract text and structured data from survey reports for quality checking and field validation. This processing:

  • Does not involve automated decision-making that produces legal or similarly significant effects
  • Is limited to technical analysis and data extraction
  • Operates under survey company instructions (they are responsible for informing their clients)
  • Is not retained or used for training by the third party: Mistral AI does not retain your data or use it to train their models; processing is performed under our data processing agreement with no retention or training use by them

AI-assisted QC and algorithmic scoring: We use AI for quality-control (QC) scoring of survey content. This is transparent: each QC check is explained so surveyors can review and act on it. It is AI-assisted QC to help surveyors do their job, not profiling or automated decision-making that produces legal or similarly significant effects.

Optional AI QC improvements: Companies can opt in to allow us to use data to improve AI quality-control (QC) features. Where this option is enabled, we may use limited data for that purpose. Training data retention for AI QC improvements is limited and is handled in line with this policy and our data retention schedules.

No profiling: We do not use your personal information for profiling or automated decision-making that produces legal or similarly significant effects.

14. Right to Complain to the ICO

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have not handled your personal data appropriately:

Information Commissioner's Office

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the opportunity to address your concerns before you contact the ICO, so please contact us first at compliance@scorehq.io.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or business practices. We will notify you of material changes by:

  • Email notification to registered users
  • Notice on our website and platform
  • Updating the 'Last Updated' date at the top of this policy

16. Contact Us

If you have questions about this Privacy Policy or concerns about how we handle your personal data, please contact us:

General enquiries: hello@scorehq.io

Data protection & rights requests: compliance@scorehq.io

Website: scorehq.io

Document Information

  • Version: 1.5
  • Effective Date: 7 March 2026
  • Last Updated: 21 June 2026
  • Next Review: 21 June 2027

Version History

  • v1.5 (21 June 2026): Added PostHog, Inc. as sub-processor for product analytics, session replay, heatmaps, surveys, feature flags and A/B testing on both the SCORE platform and marketing site (scorehq.io); updated §4.1 usage data to include interaction events, heatmaps, masked session replays, and A/B test participation; updated §5.1 lawful basis to include Sentry operational error monitoring under LI and explicit consent for PostHog/Sentry non-essential analytics under Consent; updated §9 to note PostHog EU data residency (Frankfurt) with US access covered by EU SCCs/UK Addendum; updated §11 cookies to describe default-off consent flow, withdrawal via Account → Privacy & Cookies and footer "Cookie settings".
  • v1.4 (29 April 2026): Added Cloudflare, Inc. (Turnstile) as sub-processor for bot protection on public-facing forms; updated §9 to reflect Cloudflare's EU data residency for UK/EEA traffic.
  • v1.3 (29 April 2026): Added AWS Bedrock as sub-processor for AI/ML processing (model hosting); added cross-reference to AI Transparency & Data Trust Notice in §10.
  • v1.2 (10 April 2026): Added Featurebase (support messenger, help centre, changelog, public feedback board and roadmap) and Better Stack (uptime monitoring, public status page) to sub-processor table; updated §9 international transfers to acknowledge onward SCCs + UK Addendum transfers via Featurebase and Better Stack sub-sub-processors.
  • v1.1 (7 March 2026): Initial version.

Document Reference: SCO-POL-PP | 220 Yards Limited (trading as SCORE) — registered in England and Wales.