Trust, security and privacy

This page is maintained by the EYReady team to answer common security and privacy questions about the platform. It describes controls that are in place today; it is not an independent certification or audit report.

Who can access your setting's data

EYReady is a multi-tenant platform. Each setting is isolated and only people you explicitly invite to your setting can see its data. Roles include owner, admin, editor and staff, and what each role can see is enforced server-side by row-level access rules, not by hiding things in the user interface.

Sensitive HR fields on team members (such as DBS reference numbers and safeguarding training dates) are restricted to owners, admins and editors. Staff users only see their own profile.

Sign-in and authentication

Sign-in uses email and password or Google sign-in. Passwords are never stored by EYReady, the underlying authentication service hashes them. Invitation links are single use and expire.

Hosting and platform

EYReady is hosted on Lovable Cloud, which runs application code on Cloudflare's global edge network and stores data in a managed Postgres database. Encryption in transit (HTTPS/TLS) is enabled for all traffic to the application and to integrated services.

We do not store credit card numbers ourselves. Payments are handled by Stripe; only non-sensitive identifiers (such as a subscription status) are kept on our side, and the underlying Stripe customer and subscription IDs are not readable by ordinary app users.

What data we hold

EYReady holds the information your managers and staff enter into the platform: setting details, team member records, uploaded policies and curriculum descriptions, quiz answers, and account and billing metadata. We do not request bank details, payment card numbers, or children's personal data.

Subprocessors and integrations

EYReady relies on a small number of trusted providers to operate the service:

  • Lovable Cloud, application hosting and database.
  • Cloudflare, edge delivery and DDoS protection.
  • Stripe, subscription billing and payment processing.
  • Resend, transactional and notification email delivery.
  • AI providers (Anthropic and the Lovable AI Gateway) used to generate policy and curriculum drafts and quiz questions from the inputs you provide.

Cookies and analytics

EYReady uses cookies and local browser storage that are necessary to keep you signed in and to remember your preferences. We do not run third-party advertising trackers.

Retention and deletion

Data is retained for as long as your setting has an active account. If you would like a copy of your data, or you want your setting and its data deleted, please contact us using the details below and we will action the request.

Contact us about privacy or security

For privacy questions, data subject access requests, or to report a suspected security issue, please email hello@eyready.co.uk. We aim to respond within 5 working days.

If you believe you have found a vulnerability, please contact us first rather than disclosing it publicly so we can fix it quickly.

This page is editable content maintained by EYReady. It is not a certification, independent audit, or legal contract. For binding terms, see your subscription agreement.