1. Who We Are / Data Controller
This Privacy Policy applies to Mástoras ("Mástoras", "we", "us", "our"), a clarity and story consultancy based in Northern Ireland, United Kingdom.
Mástoras is the data controller in respect of any personal information you provide to us or that we collect in the course of providing our advisory services. This means we are responsible for deciding how and why your personal data is processed, and we are accountable to you under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Our website is mastoras.uk and our Funding Intelligence API operates at api.mastoras.uk.
Mástoras is registered with the UK Information Commissioner's Office (ICO) as a data controller. Our ICO registration reference is ICO:00014297409.
2. What Personal Data We Collect
2.1 Contact and Enquiry Information
When you contact us or complete an enquiry or assessment form on our website, we may collect:
- Your name
- Email address
- Details about your business or project idea
- Your responses to any diagnostic or assessment questions
2.2 Business Profile Information (Advisory Service)
When we provide funding advisory services to you or your organisation, we may collect and process:
- Organisation name and type
- Business sector and stage of development
- Location (council area, region)
- Years trading, VAT registration status
- Previous grants received
- Project descriptions, funding requirements, and budget information
2.3 Funding Match Reports
When we generate a Funding Match Report for you, the business profile information above is used to produce the report. A copy of the report and its input data is retained in our secure database as an audit trail and for service improvement and future reference.
2.4 Technical Data
When you visit our website, we may automatically collect:
- IP address and approximate geographic location
- Browser type and version
- Pages visited and time spent on each page
- Referring website or link
This data is collected in aggregate and is not used to identify you individually.
2.5 Data We Do Not Collect
We do not collect or process:
- Payment card or banking information
- Government-issued identification numbers (e.g. NI number, passport)
- Special category data (health, ethnicity, religion, etc.) unless you specifically provide it in a project description and consent to its use
3. How and Why We Use Your Data
| Purpose | Data used | Lawful basis |
|---|---|---|
| Respond to your enquiry or initial assessment | Name, email, business idea, assessment answers | Legitimate interests |
| Deliver funding advisory services | Business profile, project details | Contract performance |
| Generate and store Funding Match Reports | Business profile, project details, report output | Contract performance |
| Maintain an audit trail of advice given | Reports, timestamps, client reference | Legitimate interests |
| Improve and train our matching engine | Anonymised / aggregated report data | Legitimate interests |
| Communicate service updates or relevant funding news | Email address | Consent (you may opt out at any time) |
| Comply with legal or regulatory obligations | Any data as required by law | Legal obligation |
We will never use your data for automated decision-making that produces legal or similarly significant effects without human review.
4. Lawful Basis for Processing
Under UK GDPR, we rely on the following lawful bases:
- Contract performance (Article 6(1)(b)): Where processing is necessary to deliver the advisory service you have requested.
- Legitimate interests (Article 6(1)(f)): Where we have a genuine business reason to process data that does not override your rights — for example, maintaining service records, responding to enquiries, and improving our funding engine. We have assessed these interests and concluded they are proportionate.
- Legal obligation (Article 6(1)(c)): Where we are required to process data to comply with UK law.
- Consent (Article 6(1)(a)): For any optional communications such as funding newsletters or marketing updates. You may withdraw consent at any time by emailing us at the address in Section 12.
5. Who We Share Your Data With
We do not sell, rent, or trade your personal data with third parties. We share data only in the following limited circumstances:
5.1 Technology Sub-processors
To operate our service, we use the following third-party platforms which may process your data on our behalf as data processors. Each is bound by a data processing agreement:
| Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Secure cloud database storage of reports, fund data and enquiry submissions | EU (eu-west-2, Ireland) |
| Railway Corp. | Hosting the Mástoras Advisor API | USA (see Section 7) |
| Cloudflare Inc. | DNS, DDoS protection and security for mastoras.uk | USA / global CDN (see Section 7) |
5.2 Legal Disclosure
We may disclose your data if required to do so by law, court order, or where we believe disclosure is necessary to protect our rights, your safety or the safety of others, or to investigate fraud.
5.3 Business Transfer
If Mástoras is acquired or merges with another organisation, your data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
6. How Long We Keep Your Data
| Data type | Retention period | Reason |
|---|---|---|
| Enquiry and assessment submissions | 2 years from date of submission | Follow-up and service records |
| Funding Match Reports (client reports) | 5 years from date of generation | Advisory audit trail and professional standards |
| Business profile data (used in reports) | Retained with the associated report | Report integrity |
| Email marketing consent | Until you withdraw consent | Consent-based — you control this |
| Technical / server logs | 90 days | Security and incident investigation |
When data reaches the end of its retention period, it is securely deleted or irreversibly anonymised.
7. International Data Transfers
Our primary database (Supabase) is hosted in the EU (Ireland), keeping the majority of your data within the UK/EU adequacy framework.
Our API server (Railway) is hosted in the United States. Data passes through Railway's servers when API requests are processed. Railway operates under Standard Contractual Clauses (SCCs) for UK–US data transfers, providing an appropriate level of protection under UK GDPR Article 46.
Cloudflare processes DNS and network traffic globally. Cloudflare is certified under the UK Extension to the EU–US Data Privacy Framework and operates SCCs for UK data transfers.
8. Your Rights Under UK GDPR
You have the following rights in relation to your personal data. To exercise any of these rights, please contact us at the address in Section 12. We will respond within one month of receiving your request.
| Right | What it means |
|---|---|
| Right of access | You can ask for a copy of all personal data we hold about you (a Subject Access Request). |
| Right to rectification | You can ask us to correct inaccurate or incomplete personal data. |
| Right to erasure | You can ask us to delete your personal data where there is no compelling reason to continue processing it. |
| Right to restrict processing | You can ask us to pause processing of your data in certain circumstances. |
| Right to data portability | Where processing is based on consent or contract, you can request your data in a machine-readable format. |
| Right to object | You can object to processing based on legitimate interests or for direct marketing. We will stop unless we have compelling legitimate grounds. |
| Rights re: automated decisions | You have the right not to be subject to solely automated decisions that significantly affect you. |
There is no charge for exercising your rights. If a request is unfounded or excessive, we may charge a reasonable fee or decline the request, but will explain our reasoning.
9. How We Protect Your Data
We take security seriously and have implemented appropriate technical and organisational measures, including:
- Encrypted data in transit: All connections to mastoras.uk and api.mastoras.uk are TLS-encrypted (HTTPS).
- Encrypted data at rest: Our Supabase database applies encryption at rest.
- API authentication: Our Funding Intelligence API requires a secure API key for all data-bearing requests. The public health-check endpoint returns no personal data.
- Row-Level Security: Our database uses Supabase Row-Level Security (RLS) policies to restrict data access at the database layer.
- Access controls: Access to personal data is limited to Mástoras staff with a legitimate need.
- No plaintext passwords: We do not store passwords in our systems.
Despite these measures, no internet-based service is completely immune to security breaches. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it and inform affected individuals without undue delay.
10. Cookies
Our website may use cookies — small text files stored in your browser — to improve your experience. We use the following types:
| Cookie type | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Essential for the website to function (e.g. session security) | No |
| Analytics | Understand how visitors use the site (Cloudflare Web Analytics — privacy-preserving, no cross-site tracking) | No (privacy-preserving, no personal data) |
| Marketing / third-party | We do not currently use marketing or retargeting cookies | N/A |
You can control or delete cookies through your browser settings. This may affect some website functionality.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, technology, legal requirements, or best practice. When we make material changes, we will update the "Last updated" date at the top of this page.
We encourage you to review this policy periodically. Continued use of our services after any changes constitutes your acceptance of the revised policy.
12. Contact Us / Complaints
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a concern about how we have handled your personal data, please contact us:
Mástoras — Clarity & Story Consultancy
Causeway Coast and Glens, Northern Ireland, United Kingdom
Email: hello.mastoras@gmail.com
Website: mastoras.uk
We take all complaints seriously and will respond within 30 days.
Right to Complain to the ICO
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data protection authority:
- Website: ico.org.uk
- Helpline: 0303 123 1113
- ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We would, however, appreciate the opportunity to address any concern directly before you approach the ICO.