Privacy Policy

WebuildYourAI Ltd (company number 16444783) is registered at Artisans’ House, 7 Queensbridge, Northampton, Northamptonshire, United Kingdom, NN4 7BF.


In this Privacy Policy, “WebuildYourAI”, “we”, “our” or “us” refers to WebuildYourAI Ltd. We are committed to protecting your privacy and handling your personal data fairly, transparently and in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains how WebuildYourAI collects, uses and shares personal data when you:

  • Visit our website or contact us via email or social media;

  • Subscribe to or use our single‑page application (SPA) platform providing pre‑built AI agents;

  • Engage us for bespoke AI consultancy services; or

  • Otherwise interact with us as a client, supplier or partner.

 

It also describes your rights and how to exercise them. If you are an employee or contractor of one of our clients and we process your data as a processor on their behalf, please refer to the client’s privacy notice.

Roles: Data Controller and Data Processor

WebuildYourAI operates in two roles:

  • Data Controller: We determine the purposes and means of processing personal data for our own services. This includes operating our website, managing user accounts and subscriptions, processing payments and improving our AI platform.

  • Data Processor: For bespoke AI projects and when our AI agents interact with data in client systems, we process personal data on the instructions of the client (the data controller). As a processor, we do not decide how the data is used; we handle it solely for the client’s purposes and in accordance with our contract.

If your personal data is processed because your employer or another organisation uses our services, that organisation is the data controller and is responsible for explaining how your data will be used. We support our clients in fulfilling data subject requests but cannot respond directly unless instructed by them.

Personal Data We Collect

The personal data we collect depends on how you interact with us:

Account and Contact Data

  • Name, company name, job title, email address, telephone number and billing address provided when you create an account, subscribe to the SPA platform or contact us.

  • Payment details (handled by Stripe; we do not store full card numbers).

  • Communication records (emails, chat messages, support tickets).

Content and Integration Data

  • Files, records and data retrieved from your connected systems (e.g. SharePoint, databases, CRM or other SaaS tools) when our AI agents perform tasks. This may include personal data contained in your documents or databases. We only access the data necessary to complete the requested task and do not copy your entire data sets.

  • Outputs generated by the AI agents (summaries, analyses, code snippets), which may include information derived from your content.

 

Usage and Technical Data

  • Log data about your interactions with the SPA platform and AI agents, such as the date/time of requests, commands issued, task statuses and system responses.

  • IP addresses, browser type, device identifiers, error logs and performance metrics collected automatically to monitor service performance and maintain security.

  • Aggregated statistics on feature usage to improve our platform (no profiling or marketing use).

 

Cookies and Tracking Technologies

  • Our website and SPA use cookies and similar technologies for essential functionality, analytics and security. You can manage cookie preferences via your browser settings.

 

Children and Sensitive Data

  • Our services are intended for business clients and are not directed at children. We do not knowingly collect personal data from individuals under 16 and will delete such data if we become aware of it. We do not require special‑category data (e.g., health data, racial or ethnic origin). If you choose to process special‑category data using our AI agents, you are responsible for ensuring a lawful basis under GDPR; we will handle the data with strict security.

How We Use Your Personal Data and Legal Bases

We only process personal data when we have a valid legal basis. Depending on the context, our legal bases are: performance of a contract, legitimate interests, consent, and compliance with law.

How We Use Personal Data and Our Legal Bases for Processing

We process personal data for several purposes. Below is an explanation of each purpose, the types of data involved, and the legal basis we rely on to carry out that processing.
 

Providing and Managing Our SPA Platform

To operate our subscription-based platform, authenticate users, and enable our AI agents to complete tasks, we process account information, contact details, usage logs, and data retrieved from your authorised integrations (such as SharePoint or other databases).
We process this data because it is necessary to perform the contract you enter into when you subscribe to or use our services.
 

Delivering Bespoke AI Consultancy Projects

For consultancy work, we process personal data supplied by the client. This may include datasets or system access required for model building, evaluation, or deployment.
We rely on performance of a contract, acting strictly under the client’s instructions. After project completion, any client data is returned or deleted, and no data is retained within WebuildYourAI systems.
 

Processing Payments and Managing Subscriptions

When you pay for a subscription or other services, we process billing details, account information, and payment metadata.
Our legal bases are performance of a contract and legal obligations, such as tax and financial record-keeping requirements. Payments are handled securely through Stripe.
 

Improving and Securing Our Services

We analyse technical data, usage logs, task histories, and aggregate analytics to maintain service reliability, troubleshoot issues, and improve AI performance.
Our legal basis is legitimate interests, as these activities help ensure the platform operates securely and effectively for all users. We only use aggregated or pseudonymised data where possible.

Responding to Enquiries and Providing Support

If you contact us for help or to ask questions, we process your contact details along with our communication records.
Depending on the situation, our legal basis is either performance of a contract (when you are an existing user) or legitimate interests (when responding to general enquiries).

Sending Optional Updates or Marketing

If you opt in to receive updates, newsletters, or product information, we use your email address and contact preferences to send these communications.
Our legal basis is consent, which you may withdraw at any time. We do not send unsolicited marketing.

Meeting Legal or Regulatory Obligations

We may process account, billing, identity, or security-related data when required by law, such as responding to regulatory requests or meeting accounting requirements.
The legal basis is compliance with legal obligations.

Information Sharing and Third‑Party Service Providers

We may share personal data with trusted third parties to help us run our business. We ensure that these providers only act on our instructions and protect your data under data processing agreements and, where necessary, Standard Contractual Clauses.

Our Service Providers and How We Share Data With Them
We work with several trusted third-party providers to deliver, secure and improve our services. We only share the minimum data necessary for each purpose, and each provider is bound by GDPR-compliant contractual terms.

Microsoft Azure
We use Microsoft Azure to host our infrastructure. Azure stores account information, content processed by our AI agents, and usage logs.
Our systems are primarily hosted in the UK region, and where Azure transfers data outside the UK or EEA, those transfers are protected through Standard Contractual Clauses (SCCs) and Azure’s internationally recognised security and compliance certifications.


Anthropic (Claude), OpenAI and Other AI Model Providers
When you use our AI agents, relevant portions of your input are transmitted to an external AI model provider such as OpenAI to generate the response.
These providers are based in the United States, and we have agreements in place that rely on SCCs or equivalent safeguards to meet UK GDPR requirements.
Data shared with these providers is used solely to generate the requested output and is not used to train their models unless you explicitly agree to such use.


Pinecone
Pinecone provides our vector database service, allowing us to store numerical embeddings of user content for semantic search and contextual memory.
Only transformed embeddings - not raw documents - are stored. Pinecone operates from the US, with transfers protected under SCCs.


Composio and Similar Integration Platforms
Composio enables secure, user-authorised connections between our system and your internal tools, such as SharePoint, databases, or SaaS applications.
Only the data strictly required to execute each task is transmitted.
Some data may pass through jurisdictions outside the UK; Composio is required to maintain GDPR-compliant processing conditions and appropriate transfer safeguards.


Stripe
Stripe processes all payment transactions on our behalf. Stripe receives billing details and payment card information directly - WebuildYourAI does not store full card details.
Stripe may transfer data to the US and relies on its compliance certifications and SCCs to safeguard those transfers.


Professional Advisers and Regulatory Bodies
In limited circumstances, we may share personal data with legal advisers, accountants, auditors, or regulatory authorities.
This only occurs where required by law or where necessary to establish, exercise or defend legal claims, and only the data required for that purpose is disclosed.

International Data Transfers

Because some of our service providers are based outside the UK or EEA (e.g. AI model providers and vector database services in the United States), your personal data may be transferred internationally. We ensure that such transfers are lawful by using:

  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner and the EU Commission; or

  • UK adequacy decisions where applicable; and

  • Additional technical and organisational measures to protect your data.

 

You may contact us for more information on these safeguards and, where available, receive a copy of the SCCs.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy or to comply with legal obligations. Our retention criteria include:

  • Account and contact data – retained as long as you maintain an account or subscription with us and for six years thereafter to comply with financial record‑keeping obligations.

  • Content and integration data – retained only for the duration of the AI task. For bespoke projects, data is stored in the client’s environment (e.g. Azure tenant) and deleted or returned after project completion. We do not retain client data post‑deployment.

  • Usage and technical data – log files are retained for up to 12 months for troubleshooting, security and service improvement, after which they are deleted or anonymised. Aggregated analytics may be retained longer in anonymised form.

  • Communications and support records – retained for up to six years to document our interactions and comply with legal requirements.

  • Consent records – retained as long as necessary to demonstrate compliance with consent requirements.

 

If we rely on your consent for processing and you withdraw your consent, we will delete your data unless we have a lawful basis for its continued retention. Backup copies may persist for a limited time but will be removed in line with our backup retention schedule.

Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of access – Obtain confirmation whether we process your personal data and receive a copy.

  • Right to rectification – Request correction of inaccurate or incomplete personal data.

  • Right to erasure – Request deletion of your personal data where there is no legal basis to continue processing it.

  • Right to restrict processing – Ask us to suspend processing of your data.

  • Right to data portability – Receive your data in a structured, commonly used, machine‑readable format and transfer it to another controller.

  • Right to object – Object to processing where we rely on legitimate interests or direct marketing.

  • Rights relating to automated decision‑making and profiling – Right not to be subject to decisions based solely on automated processing that have legal or significant effects.

 

When we act as a data processor, you should contact the relevant client (data controller) to exercise your rights, and we will assist them in responding. To exercise your rights when we are the controller, please email us at privacy@webuildyourai.com or write to the address listed above. We may need to verify your identity before processing your request. We aim to respond within one month and may extend this period if your request is complex.

You have the right to lodge a complaint with the Information Commissioner’s Office (www.ico.org.uk) if you believe your data has been processed unlawfully. We would appreciate the opportunity to address your concerns first.

AI Processing and Automated Decision‑Making

Our AI agents use large language models to analyse text, summarise documents, generate code and perform other tasks you request. The AI analyses data you provide and produces outputs based on patterns learned from vast datasets. We do not use AI to make decisions that produce legal or similarly significant effects on individuals without human oversight. The AI’s outputs are suggestions and should be reviewed by you before being acted upon.

We send the minimum necessary information to external AI model providers and require them to process it solely to generate the requested output. Our agreements with these providers prohibit them from training their models on your data without explicit permission and require them to safeguard confidentiality.

Security Measures

We implement appropriate technical and organisational measures to protect personal data. These include:
 

  • Data encryption in transit and at rest;

  • Access controls limiting personnel access based on roles and the principle of least privilege;

  • Segregated client environments for bespoke projects to ensure client data remains isolated;

  • Regular security assessments, vulnerability testing and code reviews;

  • Incident response procedures to detect and manage potential data breaches.

 

Although we strive to protect your data, no system is completely secure. We therefore encourage you to use strong passwords and secure your own systems when connecting to our services.

Changes to This Privacy Policy

We may update this policy to reflect changes in our services, legal requirements or data protection practices. The “Last updated” date at the top indicates when the policy was last revised. For significant changes, we will notify you via our website or by email. Continued use of our services after an update constitutes acceptance of the revised policy. We recommend reviewing this policy periodically.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact:

Privacy Officer
WebuildYourAI Ltd
Artisans’ House, 7 Queensbridge, Northampton, NN4 7BF, United Kingdom
Email: privacy@webuildyourai.com

You can also contact the UK Information Commissioner’s Office via www.ico.org.uk or telephone +44 303 123 1113 if you have concerns about our use of your personal data.
