Privacy Notice
What personal data CommandGridTools.com collects across its tools, why we collect it, and what your rights are. Written in plain English.
Who we are
Controller: Exmoor AI Labs Ltd, registered in England and Wales (Company No. 17177556), registered office: 71–75 Shelton Street, Covent Garden, London WC2H 9JQ. CommandGridTools is a trading name of Exmoor AI Labs Ltd.
Contact: [email protected]
We are not required to appoint a Data Protection Officer but take our obligations under the UK GDPR and Data Protection Act 2018 seriously.
What data each tool collects
| Tool | Data collected | Why |
|---|---|---|
| XVR Scenario Viewer (public /xvr/) | None — all processing happens in your browser | — |
| XVR Scenario Viewer (auth-gated /app/) | Name, email, hashed password, role, organisation, uploaded scenario files, IP address | Account management and access control |
| Command-Aid | Crew names and ranks, station settings, incident location (GPS), operational log entries, incident photos (if uploaded) | Training exercise record-keeping and AI scene analysis |
| Build-Aid | IP address only (for rate limiting). Scenario parameters you enter are sent to AI but not linked to your identity. | AI scenario generation and API quota management |
| Scan-Aid | Uploaded photo, IP address (for rate limiting) | AI scene analysis for training purposes |
| Drive-Aid | Name of person being assessed, driving observations, GPS location during assessment, timestamps | Driving competency assessment records for FRS training |
| CommandGridQuiz | Name, email, hashed password, organisation, quiz activity, IP address (solo rate limiting) | Quiz platform account management |
| Donation popup (all tools) | Browser localStorage only (stored on your device, not our servers): anonymous visit counter, last-donation timestamp, last-dismissed timestamp. If you choose to donate: the amount and which tool you were using are sent to Stripe. Card and billing details are collected directly by Stripe — we never see or store them. | To show the popup at appropriate intervals and process optional one-time donations via Stripe Checkout |
Legal basis for processing
We rely on legitimate interests (UK GDPR Article 6(1)(f)) for most processing — specifically, providing professional training tools to verified fire and rescue service staff. For each tool, the processing is limited to what is necessary for that purpose.
For Drive-Aid assessments of employees, the employing FRS is the data controller and CommandGridTools.com acts as a data processor under a data processing agreement.
Artificial intelligence
The following tools send data to Anthropic's Claude AI for analysis:
- Scan-Aid — your uploaded photo is sent to Anthropic as base64-encoded image data
- Command-Aid — uploaded incident photos are sent for AI scene analysis
- Build-Aid — your scenario parameters (text only, no personal identifiers) are sent
- CommandGridQuiz — quiz topic strings (text only, no personal identifiers) are sent
Anthropic does not use API inputs to train its models. See Anthropic's Privacy Policy for full details.
Scan-Aid and CommandGridQuiz also use ElevenLabs to convert AI-generated text to speech audio. The text sent is AI-generated guidance only — no personal identifiers are included.
How we store your data
Data is stored on an AWS Lightsail server (Amazon Web Services), hosted in the EU/UK region. All traffic is encrypted in transit via HTTPS, enforced by Cloudflare. Passwords are hashed using bcrypt and are never stored in plain text. We never store payment card information — donations are processed entirely by Stripe under their own security standards (PCI-DSS Level 1). See Stripe's Privacy Policy for details of how they handle payment data.
Who we share your data with
| Third party | Purpose | Data shared |
|---|---|---|
| Amazon Web Services | Hosting and storage | All server-side data |
| Cloudflare | CDN and HTTPS | IP addresses, HTTP headers |
| Anthropic | AI analysis (Scan-Aid, Command-Aid, Build-Aid, Quiz) | Photos or text as described above |
| ElevenLabs | Text-to-speech (Scan-Aid, CommandGridQuiz) | AI-generated text only |
| Stripe | Payment processing for voluntary donations | Donation amount, which tool you were using. Card and billing details are collected directly by Stripe under their own privacy policy — we never receive or store them. |
We do not sell your data. We do not share your data with any other third parties.
How long we keep your data
- Accounts (XVR, Quiz): Until you request deletion or the service closes. We aim to delete inactive accounts after 12 months.
- Scan-Aid photos and results: Until you delete them, or a maximum of 30 days (automated deletion in progress).
- Command-Aid incident data: Until deleted by the user or end of the training session.
- Drive-Aid assessments: Up to 2 years, in line with typical FRS training record retention.
- IP rate-limit data: Resets daily.
Training use only
All CommandGridTools tools are for training and exercise use only. Do not upload photographs of real casualties, real incidents, or identifiable members of the public without their consent. Do not record real operational incident data in any CommandGridTools tool.
Your rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and associated data
- Object to processing based on legitimate interests
- Portability of your data in a machine-readable format
To exercise any of these rights, email [email protected]. We will respond within one calendar month.
Complaints
If you believe we have mishandled your data, you have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk / 0303 123 1113.
Changes to this notice
We will update this notice when our processing changes. The version date at the top indicates when it was last revised.