B5.ly Business Portal logo

B5.LY Partner Portal (B2B) Privacy Policy

Effective date: 1 January 2026

This Privacy Policy applies only to the B5.LY Partner Portal and related B2B services provided on b5.ly (the “Partner Portal”). It does not apply to the consumer services offered on bigfive.ly, which are governed by a separate privacy policy. The only B2B-related element on bigfive.ly is an informational “Enterprise” button that redirects to the B2B landing page on b5.ly.

1) Who we are

The Partner Portal is operated by:

GLORIAPR Ltd (trading as BigFive / B5.LY where applicable) (“we”, “us”, “our”).

  • Email: Support@b5.ly
  • Support: Support@b5.ly
  • Address: 182-184 High Street North East Ham London E6 2JA Office 12012
  • Company number: 16313878

If you are a Partner and need a signed Data Processing Agreement (“DPA”), contact us at Support@b5.ly.

2) Key definitions

  • Partner: a business customer using the Partner Portal (sometimes referred to as “reseller”, “client”, or “enterprise customer”), including its administrators and representatives.
  • Candidate / End User: an individual invited by a Partner to take an assessment through the Partner Portal.
  • Partner Account Data: personal data about Partner administrators/representatives.
  • Candidate Data: personal data processed in connection with a Candidate’s assessment, results, and report.
  • API Integration: use of our API by a Partner to submit assessment payloads and receive processed outputs (reports/scores), where the Partner may choose not to send Candidate identifiers.

3) Our role: Controller vs Processor

3.1 Partner Account Data (we are Controller)

For Partner Account Data, we act as a data controller. We determine why and how Partner Account Data is processed to operate the Partner Portal (account creation, subscriptions, security, support, and compliance).

3.2 Candidate Data (we are Processor; Partner is Controller)

For Candidate Data collected and processed through the Partner Portal, the Partner is the data controller and we act as a data processor, processing Candidate Data on the Partner’s documented instructions to provide the assessment experience, generate reports, and provide Partner Portal functionality.

3.3 Security and integrity (we may be Controller for limited technical data)

Separately, we may process certain technical and security data (for example, IP address, device/browser details, and security logs) as a controller to protect the Partner Portal, prevent fraud/abuse, and maintain service integrity.

3.4 Candidate rights requests

Because Partners control Candidate Data, Candidates should direct privacy requests to the Partner (the controller). If a Candidate contacts us directly, we will generally redirect them to the Partner, and we will assist the Partner where required under our DPA and applicable law.

4) Data we collect

4.1 Partner Account Data (Controller)

We may collect and process:

  • Identity and contact: name, business email, company/organisation name, role/title (if provided).
  • Account and subscription: plan selection, subscription status, trial status, Stripe references/identifiers, billing country and billing address fields (where provided).
  • Communications: messages sent to us (support requests, demo requests).
  • Technical: IP address, device/browser information, authentication events, and administrative access logs.

4.2 Candidate Data (Processor)

When a Partner uses the Partner Portal UI and invites Candidates, we process:

  • Identifiers: Candidate name and email (as provided by the Partner).
  • Mandatory demographics used for scoring: such as age/date-of-birth confirmation, gender, and country (as required by the assessment design).
  • Assessment content and results: responses (Likert-format), derived scores, and generated report outputs.
  • Usage and technical data: timestamps of assessment actions, IP address, and device/browser details to support security and integrity.

4.3 API Integration data (Processor)

If a Partner uses our API, the Partner may choose not to send Candidate identifiers. In that case:

  • We process assessment payloads and return processed outputs (for example, scores/reports) without receiving Candidate name/email.
  • If a Partner does send identifiers via the API, we will process them as Candidate Data under the same controller/processor framework.

5) How we use data (purposes)

5.1 As Controller (Partner Account Data)

We use Partner Account Data to:

  • Create and manage Partner accounts and administrator access.
  • Provide onboarding, trials, subscriptions, and account administration.
  • Respond to “request a demo” and support inquiries.
  • Protect the Partner Portal (security monitoring, access control, fraud/abuse prevention).
  • Comply with legal obligations and enforce our agreements.

5.2 As Processor (Candidate Data)

We process Candidate Data on the Partner’s instructions to:

  • Deliver the assessment experience and generate reports/outputs.
  • Provide Partner Portal features (invites, access, report retrieval, exports).
  • Troubleshoot issues requested by the Partner (support), subject to access controls and logging.

5.3 Service improvement (de-identified data; opt-out available)

We may use de-identified assessment data to improve scoring quality, reliability, and service performance. When a Partner requests deletion of Candidate identifiers (see Section 8), we remove direct identifiers and may retain de-identified assessment responses together with demographics and timestamps for service improvement, without retaining any Partner/tenant identifier in that retained dataset.

Partner opt-out: Partners may opt out of this de-identified service-improvement use by contacting Support@b5.ly or using an available account setting (where provided). Opt-out does not affect processing necessary to provide the Partner Portal.

6) Legal bases (for Controller processing)

Where UK GDPR or similar laws apply to our controller processing of Partner Account Data, our legal bases typically include:

  • Contract: to provide the Partner Portal and manage subscriptions/trials.
  • Legitimate interests: to secure and improve the Partner Portal, prevent abuse, and operate our business (balanced against user rights).
  • Legal obligation: to comply with applicable laws and respond to lawful requests.

Candidate Data processing is performed as a processor on the Partner’s lawful basis and instructions.

7) Payments: Stripe Managed Payments (Merchant of Record)

Partner subscriptions are handled through Stripe Managed Payments, where Stripe acts as the Merchant of Record for the transaction.

  • Stripe processes payment and may manage tax, fraud prevention, disputes/chargebacks, and transaction-level customer support.
  • We receive limited billing/subscription information necessary to provision access (for example: subscription status, payment confirmation, and transaction identifiers such as session references).
  • We do not store full card numbers.

Assumption used for current policy version: until confirmed otherwise by live testing, Partner receipts/invoices and bank statement descriptors may show Stripe as the seller/merchant, with BigFive/B5 branding shown within the checkout/receipt experience.

8) Retention, deletion, and de-identification

8.1 Partner Account Data retention

We retain Partner Account Data for as long as the Partner account is active and as needed to:

  • Provide the Partner Portal,
  • Maintain security and prevent abuse,
  • Resolve disputes,
  • Comply with legal obligations.

8.2 Candidate Data retention (Partner-controlled)

Candidate Data processed on behalf of a Partner is retained until the Partner deletes it or instructs us to delete it, subject to the timelines and exceptions below.

8.3 Partner offboarding: export and deletion timeline

If a Partner account is terminated:

  • Export window: Partners have up to 30 days to export their data.
  • Primary deletion: We begin deletion from active systems, typically completed within 90 days, unless we must retain limited data for legal, security, or dispute reasons.

8.4 Deletion requests and “identity deletion with answer retention”

When a Partner requests deletion of a Candidate record, we will:

  1. Remove or overwrite direct identifiers (such as name and email) from the Candidate record, and
  2. Disable access links/tokens and remove related identifying metadata within the Partner Portal.

We may retain a de-identified dataset of assessment responses, derived scores, and demographics + timestamps for service improvement (Section 5.3), unless the Partner has opted out.

8.5 Backups (MongoDB Atlas Flex)

We maintain database backups with:

  • Snapshot frequency: daily
  • Retention: 8 days (approximately 8 daily snapshots)
  • Point-in-Time Recovery (PITR): not available on Atlas Flex

Deleted data may remain in backups until the snapshot retention window expires. If we terminate a database cluster, backups are not kept unless we explicitly enable a “keep snapshots after termination” option during termination.

8.6 Logs

We retain security and access logs for up to 12 months, including administrative access records and support-access logs (where applicable). Log retention may vary for certain transient system logs, but we aim to retain relevant security/audit logs for the stated period.

9) Sharing and subprocessors

We share data only as necessary to operate the Partner Portal and deliver services.

9.1 Subprocessors (service providers)

We use service providers (“subprocessors”) such as:

  • Stripe (payments, subscriptions; Merchant of Record for Partner subscriptions)
  • Vercel (application hosting)
  • MongoDB Atlas (database hosting/backups)
  • Resend (email delivery from Support@b5.ly)

We may also use other providers for security, customer support, and operational tooling. Partners may request an up-to-date list of subprocessors by contacting Support@b5.ly.

9.2 Partner access and exports

Partners control access to Candidate Data through their Partner Portal administrators and may export Candidate Data (including reports) using available tools. Partners are responsible for their internal controls and any onward sharing after export.

10) International transfers

Our infrastructure includes:

  • Database region: AWS Frankfurt (eu-central-1)
  • Hosting region: Vercel Washington, D.C., USA (us-east-1)
  • Email delivery: Resend (may process data outside the UK/EEA)

Where personal data is transferred internationally, we use appropriate safeguards (such as standard contractual clauses and/or UK addenda/IDTA equivalents) as required by applicable law.

11) Security

We implement technical and organisational measures designed to protect personal data, including:

  • Access controls and authentication for Partner administrators.
  • Encryption in transit (HTTPS/TLS) and encryption at rest where supported by our hosting providers.
  • Role-based internal access for support (limited access, logged).
  • Monitoring and logging to detect and respond to security events.

No method of transmission or storage is completely secure; however, we maintain safeguards proportionate to the nature of the Partner Portal.

12) Cookies and similar technologies

The Partner Portal uses essential cookies and similar technologies necessary for:

  • authentication and session management,
  • security controls,
  • basic service functionality.

We do not use third-party advertising cookies in the Partner Portal. If we introduce optional analytics cookies in the future, we will update this policy and provide appropriate controls.

13) Children / minors

The Partner Portal is not intended for individuals under 18. We implement an age gate (date picker) preventing continuation unless the user confirms they are 18 or older. Partners must not invite or submit data relating to individuals under 18.

14) Employment and high-stakes decisions disclaimer

B5.LY assessments and reports are intended to provide informational insights and should not be used as the sole basis for employment, promotion, termination, relationship decisions, or other high-stakes outcomes. Partners are responsible for ensuring lawful, fair, and appropriate use of assessments within their organisation and for complying with applicable employment and data protection laws.

15) Your rights (Partners and Candidates)

15.1 Partners (controller relationship for Partner Account Data)

Partner administrators may have rights under applicable data protection laws, including the right to access, correct, or delete Partner Account Data, and to object or restrict certain processing. Requests can be made to Support@b5.ly.

15.2 Candidates (controller is the Partner)

Candidates should submit privacy requests (access, deletion, correction, objection) to the Partner that invited them. If a Candidate contacts us directly, we will generally redirect them to the Partner and assist the Partner where required under our DPA.

15.3 Complaints

If you are in the UK, you may lodge a complaint with the Information Commissioner’s Office (ICO). If you are elsewhere, you may contact your local regulator.

16) Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in the Partner Portal, legal requirements, or our processing practices. We will post the updated version on b5.ly and revise the “Effective date” above.

17) Contact

For privacy questions or requests:

Support@b5.ly Use the subject line “Privacy Request”.