Privacy Policy
Effective: 20 June 2026
This policy explains what personal data SCORM Lab (scorm-lab.com) collects, why, and your rights over it.
1. Who is responsible for your data
The data controller is Lost End Found Ltd, a company registered in England & Wales (company no. 15713779), registered office 86–90 Paul Street, London EC2A 4NE, United Kingdom. For any privacy question, or to exercise your rights, contact privacy@scorm-lab.com.
2. Your SCORM packages (processed in your browser)
The packages you import are not personal data we collect: they are not
uploaded to any server. The package bytes live in your browser’s Cache Storage, served
back to the player by an in-browser service worker. Only the package’s
imsmanifest.xml is parsed, and that parsing happens client-side, in your
browser. We have no access to your packages or their contents.
3. What we collect, and why
We keep the personal data we process to the minimum needed to run the Service. The table below lists each category, its purpose, and our legal basis under UK GDPR.
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | To verify you and create the lightweight account that unlocks debugging, and to send you the one-time verification code. | Performance of the service you request, and our legitimate interest in operating a gated free tool and reducing abuse. |
| One-time verification code (transactional email) | To confirm you control the email address. These emails are transactional, not marketing — they are sent regardless of any marketing choice. | Performance of the service you request. |
| Marketing consent & timestamp | If — and only if — you tick the optional opt-in box, we record that you consented (and when) so we may send you product updates and tips. | Your consent (UK GDPR & PECR). |
| Cloud waitlist details | If you join the separate SCORM Lab Cloud waitlist: your email, plus the company size, role, and price indication you choose to give, so we can contact you about Cloud. | Your consent to be contacted about SCORM Lab Cloud. |
| IP address (anti-abuse) | Used transiently to count requests for rate limiting, so the email flow cannot be abused. Stored only as short-lived counters keyed by IP. | Our legitimate interest in protecting the Service from abuse. |
| IP address & browser User-Agent (session record) | When you verify and a session is created, your IP address and browser User-Agent at that moment are stored on the session record, so we can secure and manage your signed-in session. They are kept for the life of the session and removed when it expires or your account is deleted. | Our legitimate interest in securing accounts and detecting session misuse, and performance of the service you request. |
We use our own self-hosted, cookie-less Umami analytics (running on our
infrastructure at analytics.lostendfound.com) to understand aggregate,
anonymised usage — page views, referrer, approximate country, device and browser
— together with a strictly-masked session replay on a sample of
visits, to find and fix usability issues, on the basis of our legitimate interest in
operating and improving the Service. Both are cookie-less and set no tracking cookies, and
the replay’s strict masking means the text you read and anything you type is never
captured. We do not use any advertising or cross-site trackers, and we do
not sell your data.
4. Marketing — opt-in only
Marketing is strictly optional. At the email step there is an unticked checkbox (“Email me SCORM tips & product updates”). We send marketing only if you tick it, and we record your consent together with a timestamp. The one-time verification code is not marketing — it is sent whether or not you opt in.
You can withdraw consent at any time, with no effect on the lawfulness of processing before withdrawal — use the unsubscribe link in any marketing email, or email privacy@scorm-lab.com.
5. Cookies
After you verify your email, we set a single strictly-necessary session cookie so you are not asked to verify again on each visit. This cookie is essential to the Service you requested, so no consent banner is required for it. We do not use advertising, analytics, or cross-site tracking cookies.
6. Anti-abuse measures
To keep the free tool usable, the email form includes a hidden “honeypot” field (it collects no data — only automated bots fill it in). Where it is configured, we may also use Cloudflare Turnstile, a privacy-preserving anti-bot check that processes anti-bot signals on our behalf under Cloudflare’s terms. As noted above, we rate-limit requests using short-lived counters keyed by IP address.
7. Who processes data on our behalf
We use Cloudflare as our infrastructure provider. Cloudflare hosts the
Service (Workers and Static Assets), runs the database in which we store your email and
related records (Cloudflare D1, database scorm-lab-leads, located in the
Western Europe region), sends the verification-code email from
no-reply@scorm-lab.com via Cloudflare Email Service, and, where configured,
provides the Turnstile anti-bot check. Inbound email to scorm-lab.com is
forwarded to us via Cloudflare Email Routing. Cloudflare acts as our processor under a data
processing agreement.
8. International transfers
Your data is stored in the Western Europe region. Where any processing by Cloudflare involves a transfer of personal data outside the UK or EEA, that transfer is protected by an appropriate safeguard — an adequacy decision or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, as applicable.
9. How long we keep it
- Your email and account are kept for as long as your account is active, and are deleted on request.
- Marketing consent records are kept while your consent stands; if you withdraw, we keep a minimal record that you opted out so we honour it.
- Cloud waitlist entries are kept while the waitlist is active, and are deleted on request or once Cloud launches and the list is no longer needed.
- Session records — including the IP address and browser User-Agent captured when the session was created — are kept for the life of the session (by default up to 7 days) and are deleted when the session expires or your account is deleted.
- Anti-abuse counters keyed by IP are transient and expire automatically.
10. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected (rectification);
- have your data erased;
- restrict how we process your data;
- object to processing based on our legitimate interests;
- data portability;
- withdraw consent at any time (where processing is based on consent).
To exercise any of these, email privacy@scorm-lab.com. You also have the right to complain to the UK’s supervisory authority, the Information Commissioner’s Office (ICO), at ico.org.uk.
11. Children
The Service is a developer and authoring tool intended for professional use and is not directed at children. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this policy from time to time. When we do, we will revise the effective date at the top of this page. Material changes will be made clear before they take effect.
13. Contact
Lost End Found Ltd
86–90 Paul Street, London EC2A 4NE, United Kingdom
Company no. 15713779 (England & Wales)
Email: privacy@scorm-lab.com