Privacy Policy – Ascendrix Systems Limited
1. INTRODUCTION
This privacy notice explains how Ascendrix Systems Limited (“we”, “us”, “our”, or “Ascendrix”), trading as Ladder of Growth (LoG), collects, uses, stores, and protects your personal data when you interact with our websites, products, and services, including:
- https://ladderofgrowth.io – our main brand and marketing site
- https://ladderos.com – our assessment delivery platform
By providing us with your data, you confirm that you are at least 16 years of age (or have a parent/guardian’s consent if younger).
Data controller
- Legal entity: Ascendrix Systems Limited (incorporated in Scotland on 13 November 2025, company number SC869897)
- Trading as: Ladder of Growth
- Registered office: Chestney House, 149 Market Street, St Andrews, Fife KY16 9PF
- General contact email: hello@ladderofgrowth.io
- Privacy / data protection contact: jj@ladderofgrowth.io
Directors: Alexia Leachman and Jennifer Joan Stenhouse.
Data Protection Officer: Not appointed. Ascendrix is a small business that does not carry out large-scale systematic monitoring of data subjects or large-scale processing of special category data within the meaning of UK GDPR Article 37(1), and so is not required to appoint a DPO at current scale. We have documented this assessment in our internal compliance records and will revisit the question at each growth milestone.
EU representative: Not appointed. Ascendrix does not currently target the EU market within the meaning of UK GDPR Article 27. We will appoint an EU representative if and when our EU customer base becomes material.
UK supervisory authority: Information Commissioner’s Office (ICO) – ico.org.uk. The UK ICO is the regulator for the whole of the United Kingdom (including Scotland). If you have a complaint about how we handle your data, we’d appreciate the opportunity to resolve it first, but you can complain directly to the ICO at any time on 0303 123 1113.
2. OUR DUAL ROLE — IMPORTANT CONTEXT
Ascendrix Systems Limited has two roles in relation to personal data:
A. As a data controller for Ladder of Growth’s own D2C assessment products
When you purchase one of our own LoG-branded assessments directly from us, which are currently:
- ADHD Operating Profile
- Anxiety Assessment (LoG version)
- Burnout Risk Assessment
…we determine the purposes and means of processing your personal data. We are your data controller. The rest of this notice tells you how we do that.
B. As a data processor for other organisations’ assessment products
We also operate the LoG platform on behalf of other organisations (currently: Blossoming Limited, which uses the LoG platform to deliver its Head Trash and Fearless Birthing assessments). For those products, we are a processor, and the organisation you bought from is the controller. If you took an assessment under a Head Trash, Fearless Birthing, or other partner brand, please refer to that organisation’s privacy notice, not this one, for how your data is handled.
You can identify which case applies to you by looking at:
- The brand you saw at point of purchase (LoG / ADHD assessment / Anxiety assessment / Burnout assessment = Ascendrix as controller; Head Trash / Fearless Birthing = Blossoming as controller, Ascendrix as processor)
- The privacy notice linked from the assessment page
3. WHAT DATA WE COLLECT (when you use our D2C products)
3.1 Standard personal data
- Identity Data — first name, occasionally last name
- Contact Data — email address
- Financial Data — payment card details (handled by Stripe — we do not store full card numbers)
- Transaction Data — products purchased, dates, amounts
- Technical Data — IP address, browser type/version, device identifiers
- Usage Data — how you use our websites and services
3.2 Special category / sensitive data (UK GDPR Article 9)
We collect and process special category personal data in the context of our assessments. This includes:
- ADHD-related data — responses to questions about attention, executive function, energy patterns, and related psychological / neurological context
- Anxiety-related data — responses to questions about anxiety patterns, triggers, and your internal experience
- Burnout-related data — responses to questions about burnout indicators, work / life balance, and recovery patterns
Legal basis for processing special category data: Explicit consent (UK GDPR Article 9(2)(a)). You provide this consent when you start an assessment. You can withdraw consent at any time by emailing us at jj@ladderofgrowth.io. Withdrawing consent will not affect lawful processing already carried out, but we will stop processing for affected purposes going forward and will delete on request.
3.3 Important note on diagnostic framing
Our assessments are not clinical diagnostic tools. They are structured self-assessments designed to help you understand patterns in how you operate. Results are written by AI (using your scored responses) and are advisory only.
- If you are concerned about ADHD, anxiety, burnout, or any other mental-health matter, please consult a qualified healthcare professional (GP, psychiatrist, clinical psychologist, or equivalent).
- Our assessments are not a substitute for professional evaluation, treatment, or care.
3.4 Children
Our services are not intended for children under 16. We do not knowingly collect data from anyone under 16. If you believe we hold data about a child, please contact us at jj@ladderofgrowth.io and we will delete it.
4. HOW WE COLLECT YOUR DATA
4.1 Directly from you
- Filling in forms on ladderofgrowth.io and ladderos.com
- Purchasing assessments
- Creating an account
- Completing assessments
- Communicating with us by email
4.2 Automated technologies
- Cookies and similar technologies on ladderofgrowth.io and ladderos.com (see Section 11)
- Server logs (IP addresses, request paths, timestamps)
4.3 Third parties
- Payment confirmations from Stripe
- Marketing attribution from advertising platforms (where used)
5. HOW WE USE YOUR DATA
We will only use your personal data when legally permitted. The lawful bases we rely on:
- Contract — to deliver the assessment product you purchased
- Legitimate Interests — to operate the business, improve our services
- Legal Obligation — tax, accounting, reporting
- Consent — for marketing communications and for processing special category data
Purposes and lawful basis
| Purpose | Data types | Lawful basis (Article 6) | Article 9 basis (where relevant) |
|---|---|---|---|
| Register you as a customer / set up your account | Identity, Contact | Contract | n/a |
| Process payments | Identity, Contact, Financial, Transaction | Contract; Legitimate Interest | n/a |
| Deliver the assessment you purchased (including running the assessment, generating the report, delivering it to you) | Profile, Special Category | Contract | Explicit consent |
| Generate AI-assisted reports from your assessment responses | Special Category | Contract | Explicit consent |
| Send transactional emails (order confirmations, report deliveries) | Identity, Contact | Contract | n/a |
| Send marketing communications about Ascendrix / LoG products | Identity, Contact, Marketing | Consent | n/a |
| Analyse usage to improve our services | Technical, Usage | Legitimate Interest | n/a |
| Protect our systems against fraud and abuse | Technical, Usage | Legitimate Interest | n/a |
| Comply with legal, tax, accounting obligations | Identity, Contact, Financial, Transaction | Legal Obligation | n/a |
6. SUB-PROCESSORS (when we are your controller)
We use the following third-party service providers to deliver our D2C products. We have data processing agreements with each. They process your personal data only on our instructions.
| Sub-processor | What they do | Where they process data | Transfer safeguard |
|---|---|---|---|
| Supabase Inc. | Database hosting for assessment data, application backend | EU (Ireland, eu-west-1) | UK adequacy regulations |
| Anthropic, PBC | AI report generation (Claude model). We send your assessment scores (anonymised — no name, email, or contact ID) to Anthropic’s API. Anthropic does not use API data to train its models. | USA (specific routing not currently confirmed by Anthropic; we will update this notice if Anthropic confirms a fixed region) | UK IDTA + EU-US Data Privacy Framework (Anthropic is DPF-certified) |
| GHL (HighLevel / LeadConnector LLC) — our Ascendrix sub-account, separate from any partners’ | CRM for LoG D2C customers, marketing automation, email delivery, payment processing | USA | UK IDTA + EU-US Data Privacy Framework |
| Mailgun (via GHL) | Outbound transactional + marketing email | USA | UK IDTA + EU-US Data Privacy Framework |
| Stripe | Payment processing | EU / USA | Standard Contractual Clauses with UK Addendum / UK IDTA |
| A2 Hosting, Inc. | Web hosting for ladderofgrowth.io and ladderos.com | Netherlands (EU) | UK adequacy regulations (EEA data) |
| Cloudflare, Inc. (if/when added) | CDN, DDoS protection | Global | UK IDTA + EU-US Data Privacy Framework |
7. INTERNATIONAL DATA TRANSFERS
Ascendrix Systems Limited is registered in Scotland. UK data protection law (the UK GDPR and the Data Protection Act 2018) governs how we handle your personal data. The UK ICO is the supervisory authority for all of the UK.
Many of our sub-processors are based outside the United Kingdom. We rely on the following safeguards for international transfers:
- UK adequacy regulations for transfers to countries the UK government has determined provide an adequate level of data protection (including all EEA countries, which covers our website hosting in the Netherlands and our database hosting in Ireland).
- UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) with the UK Addendum for transfers to non-adequate countries (including the USA).
- EU-US Data Privacy Framework (DPF) for transfers to US companies certified under the framework (including Anthropic and several others listed in Section 6).
If you would like further information on the safeguards in place for any specific transfer, email us at jj@ladderofgrowth.io.
8. DATA SECURITY
We take the security of your data seriously and implement appropriate technical and organisational measures, including:
- Encryption in transit — all websites and APIs use HTTPS/TLS
- Encryption at rest — database storage (Supabase) encrypts data at rest
- Access control — only authorised personnel can access personal data
- Row-level security (RLS) on all assessment-related database tables, restricting access to authorised server-side operations only
- Token-based access to your reports — each report has a unique, unguessable 64-character token; reports cannot be enumerated or guessed
- Server-side keys — API keys and service credentials are held only in server-side environment secrets, never exposed to client code
- Spend caps on AI API usage to prevent abuse
- Regular security audits of our database and edge functions
- Two-director governance at Ascendrix — material privacy and security decisions require both directors’ agreement, and breach response is jointly handled by both directors
We retain logs of access and changes to personal data for audit purposes.
If you become aware of a security issue with our systems, please email jj@ladderofgrowth.io. We will investigate. We will notify affected users and the ICO without undue delay (and in any event within 72 hours of becoming aware of the breach where required by UK GDPR Article 33).
9. DATA RETENTION
We keep your personal data only as long as we need it.
| Data category | Retention period | Reason |
|---|---|---|
| Customer account data (Identity, Contact) | 6 years after last interaction | UK tax law (HMRC) requires basic customer records for 6 years |
| Financial / transaction records | 6 years after the transaction | UK tax law |
| Assessment data (your responses and report) | 2 years from your last interaction with us, after which it is anonymised or deleted | Allows you to access your historic reports during a reasonable use window while honouring data-minimisation principles |
| Marketing data (where consent is the basis) | Until you withdraw consent or 3 years of inactivity | Active subscriber window |
| Website analytics / server logs | 12 months | Limited retention |
| Support correspondence | 3 years after resolution | Follow-up queries |
After the retention period, data is either deleted or fully anonymised.
You can request deletion at any time — see Section 10.
10. YOUR LEGAL RIGHTS
Under UK GDPR you have the following rights:
- Right of access — get a copy of the personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion
- Right to restrict processing — limit how we use your data in certain circumstances
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — to processing based on legitimate interests, and to direct marketing
- Right to withdraw consent — where consent is the lawful basis (including special category data and marketing)
- Right not to be subject to automated decision-making — including profiling, where it produces legal or similarly significant effects
Our assessments use AI to generate your personalised report. This is a suggestion-generating tool, not a diagnostic decision. It does not produce legal or similarly significant effects on you, and the report is for you to use as you choose — not used to make automated decisions about you.
To exercise any of these rights, email jj@ladderofgrowth.io. We will respond within one month. If your request is complex, we may extend this by up to two further months and will let you know.
We may ask you to verify your identity before processing a request.
Our refund policy is available here at ladderofgrowth.io/refund-policy/
11. COOKIES
See our separate Cookie Policy here.
You can configure your browser to refuse cookies. Some parts of our websites may not function correctly without essential cookies.
12. THIRD-PARTY LINKS
Our websites include links to third-party websites and tools. We are not responsible for their privacy practices. When you leave our sites, please read the privacy policies of any websites you visit.
13. CHANGES TO THIS NOTICE
We may update this notice from time to time. The current version is always available at Ladder of Growth here and at ladderos.com with the date of the update shown at the bottom.
If we make material changes, we will notify you by email or via a prominent notice on our website before the changes take effect.
14. GOVERNING LAW
This Privacy Notice is governed by the law of Scotland. Any dispute or claim arising out of or in connection with this Privacy Notice or its subject matter will be subject to the exclusive jurisdiction of the Scottish courts. If you are a consumer resident in another part of the United Kingdom, you may also bring proceedings in the courts of the part of the United Kingdom in which you are resident; nothing in this section limits the statutory rights you have as a consumer.
Your rights under the UK General Data Protection Regulation and the Data Protection Act 2018 apply throughout the United Kingdom and are not affected by this choice of governing law. You may complain to the UK Information Commissioner’s Office at any time at ico.org.uk or on 0303 123 1113, regardless of where in the UK you live.
*Notice last updated: 18/01/2026
[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]