1. Who we are
Clinton AI Ltd (“Clinton AI”, “we”, “us”, “our”) is a private limited company incorporated in England and Wales under company number 17055092, with its registered office in Leeds, United Kingdom.
For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, Clinton AI Ltd is the controller of the personal data described in this policy. You can contact us at any time about how we handle your data by emailing clinton@clintonai.co.uk.
2. Scope of this policy
This policy sets out how we collect, use, retain, and protect personal data when you interact with us. That includes, without limitation:
- visiting or browsing https://clintonai.co.uk (the “Website”);
- completing the contact form or the AI Readiness Audit, booking a call via our calendar integration, or sending us an email;
- subscribing to our research or case study newsletter;
- engaging us as a client, supplier, partner, recommender, or contractor;
- being named as a prospect or contact in the course of our outbound business development activities.
This policy does not apply to third-party websites we link to. You should read the privacy notices published by those third parties before submitting personal data to them.
3. Categories of personal data we process
We process the following categories of personal data:
- Identity and contact data: name, job title, company name, business email address, telephone number, postal address, LinkedIn URL, and the domain of the company you represent.
- Transactional and engagement data: the content of messages you send us through the contact form, email, or calendar integration; notes taken during discovery calls; proposals and invoices issued; payment records held by our payment processor; records of sequence-based follow-up emails and your replies.
- Website and analytics data: pages viewed, referrer, approximate location derived from IP, device type, and session timings collected through our own analytics. We do not knowingly collect advertising identifiers.
- Prospect research data: publicly available information gathered through professional networks, company websites, and permitted-use data providers (for example LinkedIn Sales Navigator and Apollo) for the purposes of legitimate outbound business development.
We do not deliberately collect special category data under Article 9 UK GDPR, and we ask that you do not send us such data through the Website. If you do, we will delete it on receipt unless we are legally required to retain it.
4. Legal bases for processing
We rely on the following legal bases under Article 6 UK GDPR to process your personal data:
- Contract (Article 6(1)(b)): where processing is necessary to take steps at your request prior to entering into a contract, or to perform a contract you have entered into with us.
- Legitimate interests (Article 6(1)(f)): where it is in our legitimate interests to operate, promote, and grow our business, and those interests are not overridden by your rights and freedoms. Specifically, we rely on legitimate interests for (i) responding to enquiries, (ii) administering client relationships post-contract, (iii) conducting targeted outbound business development to organisations and professionals whose work indicates a genuine need for our services, and (iv) maintaining website analytics for operational purposes.
- Consent (Article 6(1)(a)): where you have opted in to our research and case study newsletter, and where non-essential cookies or analytics require opt-in under the Privacy and Electronic Communications Regulations 2003 (“PECR”).
- Legal obligation (Article 6(1)(c)): where we must process data to comply with our obligations under UK tax law, anti-money laundering rules, Companies Act reporting, and similar legal requirements.
Where we rely on legitimate interests, we have conducted a balancing assessment and retain records of our reasoning. You may object to processing carried out on this basis at any time by emailing us.
5. Marketing, newsletters, and outbound contact
We send a newsletter only to individuals who have explicitly opted in on this Website or confirmed their preference in writing. Every newsletter email carries a one-click unsubscribe link. Unsubscribing is processed within 72 hours and removes you from all future marketing sends.
We also conduct outbound business development where we identify an organisation or role for which our services may be relevant. For business contacts in B2B contexts, we rely on legitimate interests under Article 6(1)(f) UK GDPR and comply with the PECR “soft opt-in” and corporate-subscriber rules as applicable. We do not send marketing to private individuals in a personal capacity without consent.
Transactional emails, such as proposal follow-ups, invoice reminders, and service delivery communications, are sent under the contract basis and are not marketing for the purposes of PECR.
6. How we use your personal data
We use your personal data to:
- respond to enquiries and deliver the services we have been engaged to provide;
- issue proposals, contracts, and invoices, and process payments;
- send service and transactional communications related to active engagements;
- send our newsletter, where you have opted in;
- conduct targeted outbound business development to professional contacts in relevant roles;
- maintain internal records, meet tax and regulatory obligations, and produce aggregate analytics;
- detect, prevent, and investigate fraud, abuse, and security incidents.
We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you, as defined in Article 22 UK GDPR.
7. Sub-processors and data sharing
We use a short list of reputable third-party processors to operate the Website and run the business. Each is bound by a written data processing agreement that reflects the Article 28 UK GDPR requirements. As at the date of this policy, those processors include:
- Supabase (database and authentication) — EU region, used to store enquiry records, lead records, proposal data, and newsletter subscribers.
- Vercel (website hosting and edge network) — primarily EU region, used to deliver the Website.
- Resend (transactional email delivery) — used to send individual emails including auto-replies, proposals, and newsletter broadcasts.
- Stripe Payments UK, Ltd. (payments) — used to issue and process invoices. Stripe is an independent controller for the purposes of payment data.
- Calendly, LLC — used for discovery call scheduling where you choose to book a time.
- Google (Gemini) and OpenAI — used for server-side generation of content and assisted operational tasks. We do not submit client confidential data to these services for training purposes; we rely on their enterprise data handling commitments and do not use personal data in AI prompts except where strictly necessary for the task and permitted by the contract with you.
- Slack Technologies Limited — used for internal notifications about enquiries and pipeline activity. Slack receives metadata (names, email addresses, pipeline stage) but not payment data.
We may share your personal data with our professional advisers (including lawyers, accountants, and auditors) where necessary, and with law enforcement, regulators, or courts where we are legally required to do so. We do not sell personal data.
8. International transfers
Where a processor is located outside the UK, we rely on a valid transfer mechanism under Article 46 UK GDPR. This is typically the UK Addendum to the European Commission Standard Contractual Clauses, supplemented by our own technical and organisational measures. A copy of the specific transfer tools used for any processor is available on written request.
9. Retention
We retain personal data only for as long as is necessary for the purpose for which it was collected, subject to the longer retention periods required by law:
- Enquiries that do not proceed to a contract: up to 24 months from last contact.
- Active client records: for the duration of the engagement plus seven years thereafter, to comply with UK tax and accounting record-keeping requirements.
- Newsletter subscribers: until you unsubscribe, or after 24 months of inactivity with no opens or clicks.
- Website analytics: up to 14 months in identifiable form, after which data is aggregated.
- Sequence and outreach records: up to 36 months, after which records are deleted unless you become an active client.
At the end of the applicable retention period, we either delete the data or anonymise it so it can no longer be associated with you.
10. Your rights
Under UK GDPR you have the following rights, which you may exercise at any time:
- the right of access to your personal data;
- the right to rectification of inaccurate data;
- the right to erasure in the circumstances set out in Article 17;
- the right to restrict processing;
- the right to data portability for data processed by automated means under contract or consent;
- the right to object to processing carried out on the basis of legitimate interests, including for direct marketing;
- the right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal;
- the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
To exercise any of these rights, please email us at clinton@clintonai.co.uk. We will respond within one month, although we may extend this by up to a further two months where the request is particularly complex, in which case we will notify you within the initial one-month period.
11. Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include encryption in transit and at rest for sensitive fields, least-privilege access controls, multi-factor authentication for administrative systems, audit logging, and regular review of security practices. No system is entirely immune from risk, and you should notify us immediately if you believe an unauthorised party has accessed your personal data through our Website.
12. Cookies and analytics
The Website uses only strictly necessary cookies required for its operation. We do not use third-party advertising cookies. Where we use first-party analytics, the processing relies on consent under PECR where applicable, and aggregated data is retained on the terms set out in section 9.
13. Children
The Website and our services are directed at businesses and working professionals. We do not knowingly collect personal data from children under the age of 18. If you believe a child has submitted personal data to us, please contact us and we will delete it.
14. Changes to this policy
We keep this policy under review and will update it where our practices change. The “last reviewed” date at the top of this page indicates when it was last updated. Material changes will be brought to your attention by a prominent notice on the Website or, where we hold your email address in an active context, by email.
15. Complaints and the supervisory authority
You have the right to lodge a complaint with the UK Information Commissioner’s Office if you believe our processing of your personal data infringes the UK GDPR. The ICO can be contacted at ico.org.uk or by calling 0303 123 1113. We would, however, appreciate the opportunity to address your concerns before you approach the ICO, and we encourage you to contact us first at clinton@clintonai.co.uk.