Privacy Policy

Effective: 20 June 2026

This policy explains what personal data SCORM Lab (scorm-lab.com) collects, why, and your rights over it.

Your SCORM packages never leave your browser. When you import a package, it is unpacked and run entirely on your device; the package files are never uploaded to us or anyone else. They are held in your browser’s local storage (Cache Storage, via an in-browser service worker) only so the Service can run and resume them, and you can remove them at any time by clearing your browser data.

1. Who is responsible for your data

The data controller is Lost End Found Ltd, a company registered in England & Wales (company no. 15713779), registered office 86–90 Paul Street, London EC2A 4NE, United Kingdom. For any privacy question, or to exercise your rights, contact privacy@scorm-lab.com.

2. Your SCORM packages (processed in your browser)

The packages you import are not personal data we collect: they are not uploaded to any server. The package bytes live in your browser’s Cache Storage, served back to the player by an in-browser service worker. Only the package’s imsmanifest.xml is parsed, and that parsing happens client-side, in your browser. We have no access to your packages or their contents.

3. What we collect, and why

We keep the personal data we process to the minimum needed to run the Service. The table below lists each category, its purpose, and our legal basis under UK GDPR.

Data Purpose Legal basis
Email address To verify you and create the lightweight account that unlocks debugging, and to send you the one-time verification code. Performance of the service you request, and our legitimate interest in operating a gated free tool and reducing abuse.
One-time verification code (transactional email) To confirm you control the email address. These emails are transactional, not marketing — they are sent regardless of any marketing choice. Performance of the service you request.
Marketing consent & timestamp If — and only if — you tick the optional opt-in box, we record that you consented (and when) so we may send you product updates and tips. Your consent (UK GDPR & PECR).
Cloud waitlist details If you join the separate SCORM Lab Cloud waitlist: your email, plus the company size, role, and price indication you choose to give, so we can contact you about Cloud. Your consent to be contacted about SCORM Lab Cloud.
IP address (anti-abuse) Used transiently to count requests for rate limiting, so the email flow cannot be abused. Stored only as short-lived counters keyed by IP. Our legitimate interest in protecting the Service from abuse.
IP address & browser User-Agent (session record) When you verify and a session is created, your IP address and browser User-Agent at that moment are stored on the session record, so we can secure and manage your signed-in session. They are kept for the life of the session and removed when it expires or your account is deleted. Our legitimate interest in securing accounts and detecting session misuse, and performance of the service you request.

We use our own self-hosted, cookie-less Umami analytics (running on our infrastructure at analytics.lostendfound.com) to understand aggregate, anonymised usage — page views, referrer, approximate country, device and browser — together with a strictly-masked session replay on a sample of visits, to find and fix usability issues, on the basis of our legitimate interest in operating and improving the Service. Both are cookie-less and set no tracking cookies, and the replay’s strict masking means the text you read and anything you type is never captured. We do not use any advertising or cross-site trackers, and we do not sell your data.

4. Marketing — opt-in only

Marketing is strictly optional. At the email step there is an unticked checkbox (“Email me SCORM tips & product updates”). We send marketing only if you tick it, and we record your consent together with a timestamp. The one-time verification code is not marketing — it is sent whether or not you opt in.

You can withdraw consent at any time, with no effect on the lawfulness of processing before withdrawal — use the unsubscribe link in any marketing email, or email privacy@scorm-lab.com.

5. Cookies

After you verify your email, we set a single strictly-necessary session cookie so you are not asked to verify again on each visit. This cookie is essential to the Service you requested, so no consent banner is required for it. We do not use advertising, analytics, or cross-site tracking cookies.

6. Anti-abuse measures

To keep the free tool usable, the email form includes a hidden “honeypot” field (it collects no data — only automated bots fill it in). Where it is configured, we may also use Cloudflare Turnstile, a privacy-preserving anti-bot check that processes anti-bot signals on our behalf under Cloudflare’s terms. As noted above, we rate-limit requests using short-lived counters keyed by IP address.

7. Who processes data on our behalf

We use Cloudflare as our infrastructure provider. Cloudflare hosts the Service (Workers and Static Assets), runs the database in which we store your email and related records (Cloudflare D1, database scorm-lab-leads, located in the Western Europe region), sends the verification-code email from no-reply@scorm-lab.com via Cloudflare Email Service, and, where configured, provides the Turnstile anti-bot check. Inbound email to scorm-lab.com is forwarded to us via Cloudflare Email Routing. Cloudflare acts as our processor under a data processing agreement.

8. International transfers

Your data is stored in the Western Europe region. Where any processing by Cloudflare involves a transfer of personal data outside the UK or EEA, that transfer is protected by an appropriate safeguard — an adequacy decision or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, as applicable.

9. How long we keep it

10. Your rights

Under UK GDPR you have the right to:

To exercise any of these, email privacy@scorm-lab.com. You also have the right to complain to the UK’s supervisory authority, the Information Commissioner’s Office (ICO), at ico.org.uk.

11. Children

The Service is a developer and authoring tool intended for professional use and is not directed at children. We do not knowingly collect personal data from children.

12. Changes to this policy

We may update this policy from time to time. When we do, we will revise the effective date at the top of this page. Material changes will be made clear before they take effect.

13. Contact

Lost End Found Ltd

86–90 Paul Street, London EC2A 4NE, United Kingdom

Company no. 15713779 (England & Wales)

Email: privacy@scorm-lab.com

© 2026 Lost End Found Ltd SCORM Lab Terms of Service