Last updated: 3 July 2026
Standard Tier ("we", "us", "our") operates the website at www.standardtier.co.uk. We provide a tool that helps venues with 200–799 capacity comply with the Terrorism (Protection of Premises) Act 2025 (Martyn's Law).
For privacy enquiries, contact us at jack@standardtier.co.uk.
Staff members and volunteers sign themselves up on the training portal. When they do, we collect:
The lawful bases below cover the personal data we control. Staff and volunteer training data is different: we process it on the venue's documented instructions as a processor, not under our own lawful basis. See section 4.
| Purpose | Lawful basis |
|---|---|
| Account creation and authentication | Contract |
| PPP document generation | Contract |
| Service emails (magic links, reminders) | Contract |
| Staff and volunteer sign-in accounts for the training portal | Legitimate interest (operating a secure login). The training records behind the login are processed for your venue as processor (see section 4) |
| Payments and billing | Contract |
| Keeping billing records | Legal obligation (tax rules mean we keep them for 6 years) |
| Compliance updates and waitlist emails | Consent (there's an unsubscribe link in every email) |
| Website analytics and performance | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
Staff members and volunteers register themselves on the training portal using a code from their venue. The training data they generate there (name, training progress, quiz results) is held for the venue: the venue (as the employer or organiser) is the data controller for it, and Standard Tier acts as a data processor on the venue's behalf. The sign-in account itself (the email address and login used to access the portal) is the one part we hold as a controller, so the portal has a secure login (see section 3).
Venue managers are responsible for informing their staff and volunteers that their training data is processed through Standard Tier and for what purpose.
Staff members and volunteers who wish to exercise their data rights should contact their venue manager in the first instance. You may also contact us directly at jack@standardtier.co.uk.
The controller-processor relationship is governed by our Data Processing Agreement, which is incorporated into the Terms of Service and meets the requirements of UK GDPR Article 28.
We share data with the following service providers, who process it on our behalf. The full up-to-date list, with links to each provider's own privacy policy, is on our Subprocessors page. If this table and that page ever differ, the Subprocessors page is the current one.
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Hosting and analytics | US (UK-US Data Bridge) |
| Neon | Database hosting | EU |
| Resend | Transactional email | US (UK-US Data Bridge) |
| OAuth sign-in (if chosen) | US (UK-US Data Bridge) | |
| Stripe | Payment processing | US (UK-US Data Bridge) |
International transfers to US-based providers are protected by the UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge) or Standard Contractual Clauses.
We will notify registered account holders by email at least 30 days before adding a new third-party processor that handles venue or staff data, so you can review the change and raise any concerns before it takes effect.
We only use strictly necessary cookies for authentication. We do not use advertising, tracking, or preference cookies. Because these cookies are essential for the service to function, no cookie consent banner is required under PECR. Here is the full list:
| Cookie | What it does | How long it lasts |
|---|---|---|
| better-auth.session_token (on the live site: __Secure-better-auth.session_token) | Keeps you signed in | Until your session expires or you sign out |
Our analytics (Vercel Analytics) doesn't use cookies or any device storage, so it needs no consent under PECR.
Under UK GDPR you have the right to:
To exercise any of these rights, email jack@standardtier.co.uk. We will respond within one calendar month.
We don't make solely automated decisions with legal or similarly significant effects about you. Training quizzes are marked automatically, but what happens with the result is decided by your venue, not by us.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
If you think we've handled your personal data wrongly, you can complain to us directly. From 19 June 2026 this is a right set out in the Data (Use and Access) Act 2025, and we've built a process around it.
One thing to check first: if your complaint is about training data your venue holds about you, the venue is the controller, so raise it with your venue manager (see section 4). You can still write to us and we'll pass it on.
Send your complaint to jack@standardtier.co.uk. You don't need a form or a particular format. Tell us what happened and what you'd like us to put right.
We'll acknowledge your complaint within 30 days of receiving it. Then we'll look into it and write back with our findings as soon as we reasonably can. How long that takes depends on how complex the issue is, but we won't sit on it.
We keep a record of every complaint and how we dealt with it.
Complaining to us first is the new normal under the Act, but it doesn't take away your right to go to the Information Commissioner's Office. You can raise a complaint with the ICO at any time at ico.org.uk or by calling 0303 123 1113.
All data is encrypted in transit (TLS) and at rest. Database connections use SSL. Authentication sessions are managed securely with time-limited, single-use magic links. Access to venue data is restricted to the venue's registered manager.
If we become aware of a personal data breach affecting your venue or staff data, we will notify you without undue delay and in any event within 24 hours of becoming aware, so that you can meet your own 72-hour notification obligation to the Information Commissioner's Office under UK GDPR Article 33.
Venue managers who hold an account with us must be 18 or over. The staff training portal may be used by workers aged 16 or 17, since venues lawfully employ people of that age. Where an under-18 worker completes training, the venue is the controller for that person's data and is responsible for the lawful basis and for informing them. We do not knowingly collect data from anyone under 16, and if we become aware that we have, we will delete it promptly.
We may update this policy from time to time. Material changes will be communicated by email to registered venue managers. The "last updated" date at the top of this page will always reflect the latest version.