Sgript Mobile App – Privacy Policy (UK GDPR)
Version: 1.0
Eective date: 16/02/2026
1. Who we are
The Sgript mobile app (“the App”) is provided by Stable Resources Ltd (“Stable”). Stable
provides the technology behind Sgript and normally acts as a data processor.
Your organisation, which provides you with access to the App, is the data controller and is
responsible for deciding how your personal data is used.
Contact Stable (processor):
support@stable.co.uk
dataprotection@stable.co.uk
Contact your organisation (controller):
Please contact your organisation's privacy team for questions about how and why your data is
used, retention periods or lawful bases.
Stable may act as a controller for limited operational data (e.g., support communications and
account administration). Where Stable acts as controller, we will explain the purpose, lawful
basis and retention.
This policy covers the App; the controller's notice covers organisational use.
2. What the App does
The App allows you to capture content (such as audio recordings, notes, images and
documents) and upload it to your organisation's Sgript environment.
When the App uploads content, it does so over an encrypted connection (TLS).
3. Personal data we collect
A. Content you add
Audio recordings you create
Files you upload (audio, video, documents, images)
Notes or supporting content you choose to include
B. Account and authentication data
Your work email address and identity information provided during Microsoft Entra ID
sign-in
Technical configuration required to connect the App to your organisation's Sgript
environment (e.g., API base URL)
C. Device and technical information
Information required to verify connection settings and enable sign-in (e.g., connectivity
checks or configuration values)
D. Service and audit data
Service usage logs and audit records generated when your organisation uses the Sgript
platform
4. How your data is used
Stable processes personal data on your organisation's instructions where Stable acts as a
processor (UK GDPR Art. 28). Your organisation will explain its lawful bases in its own privacy
information.
| Data category | Purpose | Lawful basis | Who it is shared with | Retention | Storage location notes |
| --- | --- | --- | --- | --- | --- |
| | To allow you to capture and upload content for use within your organisation's Sgript environment | Controller-defined | Your organisation's Sgript environment | Controller-defined | Organisation controlled Sgript system |
| Sign-in data | To authenticate you using Microsoft Entra ID | Controller-defined | Microsoft identity services; your organisation | Controller-defined | Identity provider + organisation environment |
| Technical/configuration data | To connect your App to your organisation's Sgript environment and support troubleshooting | Controller-defined | Your organisation; Stable if support access is explicitly requested | Controller-defined | Device + organisation system |
| Service/audit logs | To operate, secure and monitor the Sgript service | Controller-defined; processed by Stable on instructions (Art. 28) | Your organisation; Stable as processor | Controller-defined | Sgript service environment |
5. Special category data
Content recorded or uploaded through the App may include special category data depending on
what you choose to record and your organisation's use of the service.
Your organisation determines whether special category data is processed and what safeguards
apply. Stable processes such data only on your organisation’s instructions.
6. Sharing your data
Your data may be shared with:
Your organisation's Sgript environment, where it is stored and processed
Microsoft Entra ID, for authentication
Stable can access customer data only when authorised by your organisation for support
purposes and only to the extent necessary. Such access is restricted and logged.
Customer data is hosted within a customer-controlled cloud subscription. The customer
retains control over its data through tenant-level isolation, role-based access controls, and
identity-based authentication. Access to data is restricted to authorised users and services
only, and all access is logged to support audit, compliance, and governance requirements.
7. International transfers
Data is hosted in the UK/EEA region agreed with your organisation.
If providing the service involves access from, or transfers to, locations outside the UK/EEA,
appropriate safeguards will be used (for example, the UK IDTA / UK Addendum where
applicable) and customers will be notified in line with contractual commitments.
8. Security
The Sgript platform includes the following security measures:
We use technical and organisational measures designed to protect data, including
encryption and access controls.
The App uses Microsoft Entra ID for authentication. Your organisation may configure and
enforce controls such as multi-factor authentication (MFA) and Conditional Access.
Access to customer environments is restricted and controlled through role-based
access and operational procedures. Any privileged access is limited, time-bound where
possible, and logged.
9. Retention
For service security and troubleshooting, we retain limited operational and security logs for
up to 30 days, or for a retention period the user defines within the App. Your
organisation controls retention of content.
Offline storage on your device
When you use the App offline, content is stored on your device until it can be uploaded. Once
content has been successfully uploaded, the App allows the user to delete the recording manually,
or recordings are automatically removed after a user-defined retention period set within the App.
10. Your rights
Under UK GDPR, you may have rights to access, correct, delete, restrict or object to the use of
your personal data, and the right to data portability.
Because your organisation is the controller, you should send any request directly to them.
Stable supports your organisation with these requests where required.
11. Children’s data
There is no indication that the App is intended for use by children.
12. Tracking technologies, analytics and crash reporting
The App uses analytics and/or crash reporting to help us understand app performance and
reliability (for example, device type, OS version, app version and error logs).
13. Complaints
You can raise concerns with your organisation's privacy team. You may also complain to the
Information Commissioner's Office (ICO):
https://ico.org.uk
14. Changes to this policy
This policy may be updated from time to time. Any updates will be published within the App or
via your organisation.