Privacy Policy

AI Bridge Club Ltd

Last Updated: December 2025


1. INTRODUCTION

AI Bridge Club Ltd ("we", "us", "our") is committed to protecting your privacy and handling your personal data in an open and transparent manner. This Privacy Policy explains how we collect, use, store, and protect your personal information when you:

Visit our website (https://aibridgeclub.com)

Use our AI automation services

Interact with our AI chatbots and voice agents

Communicate with us

Become a client of our services

This policy applies to all personal data we process, whether as a data controller (for our own business purposes) or as a data processor (when handling client customer data through our AI services).

Who We Are

Company Name: AI Bridge Club Ltd
Company Number: 16889036
Registered Address: 1 Sandy Lane, Winterley, Sandbach, Cheshire CW11 4RH
Contact: 07366 926333
Email: [email protected]

We are a UK-based business automation consultancy specialising in AI-powered solutions including chatbots, voice agents, social media management, and comprehensive business automation systems.

Our Commitment

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains your rights and how we fulfil our obligations under these laws.


2. SCOPE OF THIS POLICY

This Privacy Policy applies to:

Prospective clients and website visitors - individuals exploring our services

Clients - businesses who contract with us for AI automation services

Client contacts - individuals at client organisations we communicate with

End users - individuals who interact with AI systems we operate on behalf of our clients

Suppliers and partners - individuals at organisations we work with

Important Note on Dual Roles:

When we process data for our own business purposes (marketing, sales, administration), we are the data controller

When we process customer data through AI systems we operate for clients, we are the data processor and our clients are the data controllers

This policy covers both roles and clearly distinguishes between them


3. WHAT PERSONAL DATA WE COLLECT

The personal data we collect depends on your relationship with us and how you interact with our services.

3.1 Data We Collect Directly From You

As a Prospective Client or Website Visitor:

Contact information: Name, email address, phone number, business name

Company details: Business type, size, location, industry

Enquiry information: Details you provide in contact forms, demo requests, or consultation bookings

Communication records: Content of emails, calls, and messages you send us

Appointment data: Scheduled demo or consultation details

Payment information: Billing details, payment card information (processed by third-party payment providers)

Preferences: Communication preferences, service interests

As a Client:

Contract information: Service agreements, terms accepted

Account credentials: Login details for your client portal (if applicable)

Billing and payment records: Invoices, payment history, bank details

Usage data: How you use our services, configuration preferences

Support communications: Service requests, feedback, complaints

Call recordings: Recordings of demo or consultation calls (only when specifically requested by you)

3.2 Data We Collect Automatically

Website and Technology Data:

Device information: IP address, browser type and version, operating system, device identifiers

Usage analytics: Pages visited, time spent on site, navigation paths, referral sources

Cookies and tracking technologies: See Section 15 for detailed cookie information

Technical logs: Server logs, error reports, performance data

3.3 Data We Process on Behalf of Our Clients

Important: This data belongs to our clients. We process it only according to their instructions as their data processor.

Through AI Chatbots:

End-user conversations: Messages exchanged between client customers and AI chatbots

Contact details captured: Names, email addresses, phone numbers collected during conversations

Booking information: Appointment dates, times, service selections

Lead qualification data: Responses to questions, expressed interests, pain points

Chat metadata: Timestamps, session duration, device information

Conversation transcripts: Complete records of all chatbot interactions

Through AI Voice Agents:

Call recordings: Audio recordings of telephone conversations

Call transcripts: Text versions of voice conversations generated by AI

Caller information: Phone numbers, names provided during calls

Call metadata: Date, time, duration, outcome of calls

Voice data: Voice patterns and audio characteristics (processed but not stored separately)

Appointment bookings: Details captured during call handling

Through Social Media Management:

Social media account data: Profile information, follower counts, engagement metrics

Posted content: Text, images, videos we create and post on client accounts

Engagement data: Likes, comments, shares, direct messages received

Analytics: Reach, impressions, click-through rates, audience demographics

Direct messages: Communications between client accounts and their followers (when we respond as part of service)

Through CRM and Business Systems:

Customer contact records: Names, email addresses, phone numbers, addresses

Transaction history: Purchase records, service bookings, payment information

Customer notes: Interactions, preferences, service history

Marketing data: Subscription status, campaign responses, segmentation tags

Reviews and feedback: Customer reviews, ratings, testimonials

3.4 Special Category Data

We do not intentionally collect special category (sensitive) personal data. However, given that many of our clients operate in healthcare-related sectors (dental practices, chiropractic clinics, medical facilities), we acknowledge that:

Health information may be inadvertently disclosed by end-users in conversations with AI chatbots or voice agents

We instruct our clients to configure systems with disclaimers advising users not to share sensitive health information

When discovered, we treat such data with heightened security and delete it in accordance with our retention schedule

We contractually require clients to have appropriate legal bases and consent mechanisms when collecting health data through our systems

If you believe sensitive data has been inappropriately collected, please contact us immediately at [email protected].


4. LEGAL BASIS FOR PROCESSING

Under UK GDPR, we must have a lawful basis to process your personal data. Here are the bases we rely on:

4.1 When We Are the Data Controller

Contract Performance (Article 6(1)(b))

We process data necessary to:

Provide and deliver our AI automation services

Manage client accounts and access

Process payments and billing

Communicate about service delivery

Fulfil our contractual obligations

Examples: Processing your contact details to set up your AI chatbot, billing information to invoice you, usage data to provide your service.

Legitimate Interests (Article 6(1)(f))

We process data where necessary for our legitimate business interests, provided these are not overridden by your rights:

Our legitimate interests include:

Marketing and business development: Analysing website traffic, understanding customer needs, improving our services

Service improvement: Testing new features, optimising AI performance, quality assurance

Security and fraud prevention: Protecting our systems, detecting unauthorised access, preventing abuse

Business operations: Internal administration, record-keeping, legal compliance

Customer support: Responding to enquiries, resolving issues, maintaining service quality

Your right to object: You can object to processing based on legitimate interests at any time. See Section 13 for how to exercise this right.

Consent (Article 6(1)(a))

We ask for your explicit consent for:

Marketing communications: Sending promotional emails, SMS, or other direct marketing (you can withdraw consent anytime)

Non-essential cookies: Analytics and marketing cookies on our website

Newsletter subscriptions: Sending industry insights and company updates

Case studies and testimonials: Using your business name or feedback in marketing materials

Withdrawing consent: You can withdraw consent at any time by emailing [email protected], clicking "unsubscribe" in marketing emails, or adjusting cookie settings.

Legal Obligation (Article 6(1)(c))

We process data when required by law:

Tax and accounting: Maintaining financial records for HMRC

Legal proceedings: Responding to court orders or legal requests

Regulatory compliance: Meeting requirements of UK regulatory bodies

4.2 When We Are the Data Processor

When processing data on behalf of our clients:

We act on client instructions only: Our legal basis is our contract with the client (Data Processing Agreement)

Clients determine the lawful basis: Our clients are responsible for having appropriate legal bases for the data they provide to us

We do not determine purposes: Clients decide why and how their customer data is processed through our AI systems


5. HOW WE USE YOUR PERSONAL DATA

5.1 For Prospective Clients and Website Visitors

We use your data to:

Respond to enquiries: Answer questions about our services, provide information

Provide demonstrations: Arrange and conduct product demos, consultations

Send marketing communications: Share information about our services, case studies, industry insights (with your consent)

Improve our website: Analyse traffic, understand user behaviour, optimise content

Manage relationships: Keep records of conversations, follow up on interest

Comply with legal obligations: Maintain records as required by law

5.2 For Clients

We use your data to:

Deliver contracted services: Operate AI chatbots, voice agents, social media management, and other automation services

Manage your account: Provide access to systems, manage configurations, update settings

Process payments: Generate invoices, process payments, maintain financial records

Provide support: Respond to service requests, troubleshoot issues, offer guidance

Improve services: Analyse usage patterns, test new features, optimise AI performance

Communicate about services: Send service updates, maintenance notices, important changes

Ensure security: Monitor for unauthorised access, protect against fraud, maintain system integrity

Meet legal obligations: Comply with tax, accounting, and regulatory requirements

5.3 For Client Customer Data (As Data Processor)

We process end-user data solely to deliver services to our clients:

AI Chatbot Services:

Conduct automated conversations with client customers

Capture and qualify leads

Answer frequently asked questions

Book appointments and services

Route complex enquiries to appropriate staff

Generate conversation transcripts for client review

Analyse conversation quality for service improvement (on client instruction)

AI Voice Agent Services:

Answer inbound telephone calls

Conduct sales or customer service conversations

Schedule appointments and callbacks

Provide information about client services

Route calls as configured by client

Generate call transcripts

Monitor call quality (on client instruction)

Social Media Management:

Create and publish content to client social accounts

Respond to comments and direct messages

Monitor engagement and performance

Generate analytics reports

Manage reputation and reviews

CRM and Business Systems:

Store and organise customer contact information

Track customer interactions and history

Automate follow-up communications

Segment audiences for targeted campaigns

Generate reports on customer behaviour

Important: We only process this data according to our clients' documented instructions. We do not use client customer data for our own purposes.


6. ARTIFICIAL INTELLIGENCE AND AUTOMATED PROCESSING

Given the nature of our business, it's essential we're transparent about how AI systems process personal data.

6.1 AI Models We Use

We utilise the following AI technologies:

Anthropic Claude: Advanced language models for natural conversations

OpenAI ChatGPT: Conversational AI for chatbot and content generation

Other AI models: We occasionally test and implement other AI providers based on client needs and service requirements

6.2 How AI Processes Conversations

Real-Time Processing:

When someone interacts with a chatbot or voice agent, their messages/speech are sent to AI models for processing

AI models analyse the content and generate appropriate responses

Conversations are logged and stored in our systems

No human reviews conversations unless specifically requested by clients for quality assurance

Data Used for AI Training:

We prioritise privacy-first AI providers who offer commitments not to use customer data for model training

To the best of our knowledge, Anthropic Claude and OpenAI API services do not use customer data to train their models by default

However, we cannot provide absolute guarantees about third-party AI provider practices

Clients can request that we implement additional safeguards or use specific AI models with stronger privacy guarantees

6.3 Automated Decision-Making

Our AI systems may make automated decisions that affect individuals:

Examples of Automated Decisions:

Qualifying leads based on conversation responses

Routing conversations to appropriate departments

Scheduling appointments based on availability

Providing product/service recommendations

Determining urgency of customer enquiries

Your Rights:

Right to human intervention: You can request human review of automated decisions

Right to explanation: You can ask how a decision was made

Right to challenge: You can dispute an automated decision

No solely automated significant decisions: We do not make decisions that significantly affect individuals (e.g., credit decisions, employment decisions) through fully automated means without human oversight

Contact [email protected] to exercise these rights.

6.4 AI System Limitations

We acknowledge that AI systems:

May make errors: AI can misunderstand context or provide incorrect information

Require human oversight: We encourage clients to review important conversations

Reflect training data: AI responses reflect patterns in training data, which may contain biases

Cannot replace human judgment: Complex, sensitive, or high-stakes matters require human attention


7. DATA SHARING AND THIRD PARTIES

We share personal data only when necessary and with appropriate safeguards.

7.1 AI and Technology Service Providers (Sub-Processors)

GoHighLevel (Primary Platform Provider)

What they do: Provide the core CRM, automation, and hosting platform for all our services

Data shared: All client and end-user data processed through our systems

Location: USA (with global server infrastructure)

Safeguards: Standard Contractual Clauses, robust security practices

Their role: Sub-processor acting on our instructions

Anthropic (AI Model Provider)

What they do: Provide Claude AI models for natural language processing

Data shared: Conversation content sent to AI models for processing

Location: USA

Safeguards: Anthropic's commitment not to train on customer data (per their commercial terms)

Their role: Sub-processor for AI inference

OpenAI (AI Model Provider)

What they do: Provide ChatGPT and GPT models for AI conversations

Data shared: Conversation content sent to API for processing

Location: USA

Safeguards: OpenAI API terms (data not used for training when using API)

Their role: Sub-processor for AI inference

Google Analytics

What they do: Provide website analytics and visitor behaviour insights

Data shared: Website visitor data (IP addresses, browsing behaviour)

Location: USA and EU

Safeguards: Google Analytics Data Processing Terms, anonymised IP addresses

Your control: Manage via cookie settings (see Section 15)

7.2 Payment Processors

We use third-party payment processors to handle financial transactions:

Your payment card details are never stored on our systems

Payment processors comply with PCI-DSS standards

We receive only transaction confirmation and payment status

7.3 Professional Advisors

We may share data with:

Legal advisors: For legal advice and representation

Accountants: For tax and financial compliance

Business consultants: For strategic advice (under strict confidentiality)

7.4 Legal Disclosures

We may disclose personal data when required by law:

Law enforcement: In response to valid legal requests

Courts: To comply with court orders or legal proceedings

Regulatory bodies: To meet regulatory requirements

Protection of rights: To protect our legal rights, prevent fraud, or ensure safety

We will notify you of legal disclosures unless prohibited by law.

7.5 Business Transfers

If we undergo a business transition (merger, acquisition, sale of assets), personal data may be transferred to the new entity. We will:

Notify affected individuals in advance

Ensure the new entity honours this Privacy Policy

Give you options if the new entity has different practices

7.6 Data Sharing Principles

We NEVER:

Sell personal data to third parties

Share data for others' marketing purposes without consent

Transfer data to third parties without appropriate safeguards

Provide client customer data to anyone except as instructed by the client


8. INTERNATIONAL DATA TRANSFERS

8.1 Why Data Leaves the UK

As a UK business using international AI and technology providers, personal data may be transferred to and stored in countries outside the United Kingdom, primarily the United States of America.

Primary Transfer Destinations:

USA: OpenAI, Anthropic, GoHighLevel, Google

European Economic Area (EEA): Some hosting and backup services

Other jurisdictions: As required for AI processing and cloud infrastructure

8.2 Safeguards for International Transfers

We ensure international transfers are protected through:

Standard Contractual Clauses (SCCs):

We use UK-approved Standard Contractual Clauses with third-party processors

These are legal contracts providing appropriate safeguards for data transfers

They ensure UK GDPR-level protection even when data is processed abroad

UK International Data Transfer Agreement (IDTA):

Where applicable, we use the UK IDTA for transfers to countries without adequacy decisions

This ensures continued GDPR-level protection

Third-Party Commitments:

Our AI and technology providers have robust data protection practices

They provide contractual commitments regarding data security and privacy

Many providers hold certifications (e.g., ISO 27001, SOC 2)

Adequacy Decisions:

Where the UK government has determined a country provides adequate protection, we can transfer data freely

Currently applies to EEA countries and certain other jurisdictions

8.3 Your Rights Regarding International Transfers

You have the right to:

Request information about specific international transfers

Obtain copies of the safeguards in place (SCCs, binding corporate rules, etc.)

Object to transfers in certain circumstances (though this may limit our ability to provide services)

Contact [email protected] for information about international transfers.


9. DATA SECURITY

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

9.1 Technical Security Measures

Encryption:

All data transmitted between your browser and our systems is encrypted using SSL/TLS (HTTPS)

Sensitive data stored in databases is encrypted at rest

Backup data is encrypted

Access Controls:

Multi-factor authentication (MFA) for system access where available

Role-based access controls limiting who can access what data

Unique user accounts for all staff (no shared credentials)

Regular access reviews and immediate revocation when staff leave

Network Security:

Firewall protection on all systems

Intrusion detection and prevention systems

Regular security patching and updates

Monitoring for suspicious activity

Application Security:

Secure coding practices

Regular security testing and vulnerability assessments

Input validation to prevent injection attacks

Protection against common web vulnerabilities (OWASP Top 10)

9.2 Organisational Security Measures

Staff Training:

All staff receive data protection training

Regular refresher training on security best practices

Clear policies on handling personal data

Confidentiality agreements with all staff and contractors

Data Minimisation:

We collect only data necessary for specified purposes

Regular reviews to delete unnecessary data

Pseudonymisation where possible

Incident Response:

Documented data breach response procedures

24-hour breach notification process

Regular testing of incident response plans

Designated contacts for security incidents

Vendor Management:

Due diligence on all third-party processors

Contractual security requirements

Regular vendor security assessments

Data Processing Agreements with all processors

Physical Security:

Secure office premises (where applicable)

Controlled access to physical documents

Secure disposal of physical records

9.3 Client Security Responsibilities

When clients access their account systems:

Clients are responsible for: Maintaining confidentiality of login credentials, using strong passwords, notifying us of unauthorised access

We provide: Secure access methods, guidance on best practices, tools to manage user access

9.4 Limitations

While we implement strong security measures:

No system is 100% secure: We cannot guarantee absolute security

Internet transmission risks: Data transmitted over the internet carries inherent risks

Your responsibility: Protect your own devices and credentials

Prompt reporting: Report suspected security issues immediately to [email protected]


10. DATA RETENTION

We retain personal data only as long as necessary for the purposes for which it was collected or as required by law.

10.1 Retention Periods

Marketing and Lead Data:

Prospective clients (no engagement): 3 years from last interaction, then deleted

Prospective clients (ongoing engagement): Retained while engagement continues, then 3 years

Marketing consent records: Retained for 7 years to evidence compliance

Client Contract Data:

During active contract: Retained for duration of service provision

After contract ends: 30 days for operational closure, then moved to archive

Financial records: 6 years after contract end (UK tax law requirement)

Contract documents: 7 years after contract end (limitation period)

Client Customer Data (Processed for Clients):

AI chatbot conversations: 12 months, then deleted (unless client requests different period)

AI voice recordings: 6 months, then deleted (unless client requests different period)

CRM contact data: Retained per client instructions (deleted within 30 days of contract termination)

Social media content: During contract plus 30 days (for archival purposes)

Website and Analytics Data:

Google Analytics: 26 months (Google's default setting)

Server logs: 90 days, then automatically deleted

Cookie data: See Section 15

Correspondence and Communications:

Support tickets: 3 years from ticket closure

General correspondence: 3 years from last communication

Complaint records: 7 years (to evidence resolution)

Call Recordings (Our Own Demos):

Recordings only made when specifically requested by client

Deleted within 90 days unless there is an ongoing business need

10.2 Exceptions to Standard Retention

We may retain data longer when:

Legal obligation requires it: Tax records, legal proceedings, regulatory requirements

Legitimate interests demand it: Unresolved disputes, ongoing investigations, evidence of compliance

Consent given: You have agreed to longer retention

Archived appropriately: Moved to secure archives with restricted access

10.3 Deletion and Anonymisation

When retention periods expire:

Personal data is securely deleted from active systems

Backups are overwritten according to our backup rotation schedule (typically within 90 days)

Where possible, data is anonymised rather than deleted for statistical purposes

Clients are notified before deletion of their customer data (with reasonable notice to download if needed)

10.4 Your Right to Request Early Deletion

You can request deletion of your data before the scheduled retention period ends. See Section 13 for details on exercising your right to erasure.


11. YOUR RIGHTS UNDER UK GDPR

You have significant rights over your personal data. This section explains each right and how to exercise it.

11.1 Right of Access (Subject Access Request)

What it means:

You can request a copy of all personal data we hold about you

You can ask what we're doing with your data

What we provide:

Confirmation of whether we process your data

Copy of your personal data in a portable format (typically PDF or CSV)

Information about purposes, categories of data, recipients, retention periods

Details of any automated decision-making

How to request:

Email [email protected] with subject line "Subject Access Request"

Provide proof of identity (to prevent unauthorised disclosure)

Specify what data you're requesting (if you want specific information)

Our response time:

We will respond within 1 month of receiving your request

May be extended by 2 months for complex requests (we'll explain why)

No charge unless requests are excessive or unfounded

11.2 Right to Rectification

What it means:

You can request correction of inaccurate personal data

You can request completion of incomplete data

Examples:

Correcting a misspelled name

Updating an old email address

Adding missing information to your profile

How to request:

Email [email protected]

Explain what data is incorrect and provide the correct information

We'll update it within 1 month and notify any third parties if necessary

11.3 Right to Erasure ("Right to be Forgotten")

What it means:

You can request deletion of your personal data in certain circumstances

When it applies:

Data no longer necessary for the original purpose

You withdraw consent (where consent was the legal basis)

You object to processing and there are no overriding legitimate grounds

Data was unlawfully processed

Legal obligation requires deletion

When we CAN'T delete:

We need it to comply with legal obligations (e.g., tax records)

For establishment, exercise, or defence of legal claims

We have overriding legitimate interests (e.g., fraud prevention)

Contract performance requires it (e.g., active service agreements)

How to request:

Email [email protected]

Explain why you want deletion

We'll respond within 1 month

11.4 Right to Restriction of Processing

What it means:

You can request we limit how we use your data without deleting it

When it applies:

You contest data accuracy (while we verify)

Processing is unlawful but you don't want deletion

We no longer need it but you need it for legal claims

You've objected to processing (while we verify our legitimate grounds)

What happens:

We'll mark your data as restricted

We'll only process it with your consent, for legal claims, or to protect others

We'll notify you before lifting the restriction

11.5 Right to Data Portability

What it means:

You can receive your data in a structured, commonly used, machine-readable format

You can request we transfer it directly to another provider (where technically feasible)

When it applies:

Processing is based on consent or contract

Processing is carried out by automated means

What you receive:

Data you provided to us (not data we've generated about you)

Common formats: CSV, JSON, XML

How to request:

Email [email protected]

Specify what data you want and format preference

Tell us if you want us to transfer it directly to another provider

11.6 Right to Object

What it means:

You can object to processing based on legitimate interests

You can object to direct marketing at any time

For Direct Marketing:

Absolute right - we must stop immediately

Click "unsubscribe" in marketing emails

Email [email protected]

We'll suppress your data from marketing within 2 business days

For Legitimate Interests:

You must provide reasons related to your particular situation

We'll stop unless we can demonstrate compelling legitimate grounds that override your interests

11.7 Rights Related to Automated Decision-Making

What it means:

You can request human intervention in automated decisions

You can express your point of view

You can challenge automated decisions

How to exercise:

Email [email protected]

Explain which decision you want reviewed

We'll provide a human review within 1 month

11.8 How to Exercise Your Rights

Contact Methods:

Email: [email protected] (preferred method)

Post: AI Bridge Club Ltd, 1 Sandy Lane, Winterley, Sandbach, Cheshire CW11 4RH

Phone: 07366 926333 (for initial enquiries; we'll follow up in writing)

What we need from you:

Proof of identity: To prevent unauthorised disclosure (copy of passport, driving licence, or utility bill)

Specific details: What data, what right, what you want us to do

Clear request: Use simple language so we understand your request

Our response:

We'll acknowledge receipt within 5 business days

We'll respond substantively within 1 month

We may extend by 2 months for complex requests (we'll explain why)

All responses will be in writing (email or post)

No Charge:

Exercising your rights is free of charge

We may charge for excessive, repetitive, or unfounded requests

We may refuse manifestly unfounded requests

11.9 Right to Complain

If you're unhappy with how we've handled your data, you have the right to complain to the UK's supervisory authority:

Information Commissioner's Office (ICO)
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
Email: [email protected]

We encourage you to contact us first so we can try to resolve your concerns, but you have the right to go directly to the ICO at any time.


12. COOKIES AND TRACKING TECHNOLOGIES

Our website uses cookies and similar technologies to improve your experience and understand how our site is used.

12.1 What Are Cookies?

Cookies are small text files stored on your device when you visit websites. They help websites remember your preferences and understand how you use the site.

12.2 Types of Cookies We Use

Essential Cookies (Always Active)

Purpose: Enable core website functionality

Examples: Session management, security tokens, load balancing

Can you disable them? No - these are necessary for the website to function

Duration: Session (deleted when you close browser) or 1 year

Analytics Cookies (With Your Consent)

Provider: Google Analytics

Purpose: Understand how visitors use our website

Data collected: Pages visited, time on site, traffic sources, device/browser information, anonymised IP addresses

Helps us: Improve website performance, understand what content is valuable, identify technical issues

Duration: Up to 26 months

Marketing/Advertising Cookies (With Your Consent)

Purpose: Show relevant advertisements, measure campaign effectiveness

Examples: Google Ads, LinkedIn Ads, Facebook Pixel (if used)

Data collected: Pages visited, buttons clicked, conversion events

Helps us: Target ads to interested audiences, measure ROI on advertising

Duration: Varies (typically 90 days to 2 years)

Preference Cookies (With Your Consent)

Purpose: Remember your choices and preferences

Examples: Language preference, region selection, cookie consent choices

Duration: 1 year

12.3 Third-Party Cookies

Some cookies are set by third-party services we use:

Google Analytics: Analytics and performance monitoring

GoHighLevel: If you interact with forms or chatbots

Social media platforms: If we embed social content (rare)

Important: Third-party cookies are governed by those providers' privacy policies, not ours.

12.4 Managing Your Cookie Preferences

When You First Visit:

You'll see a cookie consent banner

You can accept all, reject non-essential, or manage preferences

Your choices are stored for 1 year

Changing Your Mind:

Use the "Cookie Settings" link in our website footer

Adjust preferences in your browser settings

Clear existing cookies through browser settings

Browser Settings: Most browsers allow you to:

Block all cookies

Block third-party cookies only

Delete cookies after each session

Receive alerts before cookies are set

Find browser-specific instructions:

Chrome: Settings > Privacy and Security > Cookies

Firefox: Settings > Privacy & Security > Cookies

Safari: Preferences > Privacy > Cookies

Edge: Settings > Cookies and site permissions

12.5 Consequences of Blocking Cookies

If you block essential cookies:

Website may not function properly

You may not be able to access certain features

If you block analytics cookies:

No impact on functionality

We'll have less information to improve the website

If you block marketing cookies:

No impact on functionality

You may see less relevant advertising (but the same number of ads)

12.6 Other Tracking Technologies

We may use similar technologies:

Web beacons (pixels): Tiny transparent images that track email opens and website visits

Local storage: Browser-based storage for preferences and settings

Session storage: Temporary storage cleared when you close your browser

These are managed similarly to cookies through your browser settings.

12.7 Do Not Track (DNT)

Some browsers offer "Do Not Track" settings. Currently, there is no industry standard for how to respond to DNT signals, so our website does not respond to DNT browser settings. Instead, please use our cookie consent tool to manage your preferences.


13. MARKETING COMMUNICATIONS

13.1 How We Use Your Data for Marketing

With your consent, we may send you:

Information about our AI automation services

Case studies and success stories

Industry insights and best practices

Special offers and promotions

Company news and updates

Invitations to webinars or events

Channels we use:

Email (primary method)

SMS text messages (if you've specifically consented)

Phone calls (for existing clients or if you've expressed interest)

Social media messages (if you've initiated contact)

13.2 How We Obtain Consent

We collect marketing consent through:

Website forms: Checkbox opt-ins when you enquire or download resources

Verbal consent: During phone conversations (documented in our CRM)

Contract acceptance: Agreement to receive service-related communications

Subscription forms: Dedicated newsletter signup

We always:

Use clear language about what you're consenting to

Keep consent separate from other terms and conditions

Provide easy ways to withdraw consent

Keep records of when and how consent was given

13.3 Client Marketing Services

When we provide marketing services to our clients:

Clients are responsible for obtaining appropriate consent from their customers

We send marketing on clients' behalf using their brand and messaging

Recipients can opt out via standard unsubscribe mechanisms

Clients retain liability for compliance with marketing regulations

13.4 Opting Out of Marketing

You can stop receiving marketing at any time:

Email Marketing:

Click "Unsubscribe" at the bottom of any marketing email

We'll process your request within 2 business days

All Marketing:

Email [email protected] with "Unsubscribe" in the subject line

Phone 07366 926333 and ask to be removed

Post to our registered address

What happens after you opt out:

We'll suppress your data from all marketing lists

You'll stop receiving marketing within 5 business days

You'll still receive essential service-related communications (if you're a client)

We'll keep a record that you've opted out (to prevent re-adding you)

13.5 Service Communications (Not Marketing)

Even if you opt out of marketing, we'll still send:

Transactional emails: Order confirmations, invoices, receipts

Service updates: Changes to our services, terms, or policies

Support communications: Responses to your enquiries, service issues

Legal notices: Required notifications under our contract or law

These are not marketing and you cannot opt out while you're a client.

13.6 Frequency of Marketing

We respect your inbox. Typically:

Newsletter: Once per month

Service updates: As needed (not more than twice per month)

Promotional campaigns: Occasional (2-3 per quarter)

You're never spammed: We prioritise quality over quantity


14. CHILDREN'S PRIVACY

14.1 Age Restrictions

Our services are not intended for children under the age of 18. We do not knowingly:

Market to children

Collect personal data from children

Allow children to create accounts or use our services

14.2 If We Discover Children's Data

If we become aware that we've collected personal data from a child under 18 without appropriate parental consent:

We will delete the data as soon as possible

We will take steps to prevent future collection

We will notify relevant parties if required by law

14.3 Parents and Guardians

If you believe we have collected data from your child:

Contact us immediately at [email protected]

Provide proof of your parental relationship

We will investigate and delete the data if appropriate

14.4 Client End-Users

Through AI systems we operate for clients, we may inadvertently interact with minors. We:

Require clients to implement appropriate age verification where necessary

Instruct clients to ensure lawful processing of minors' data

Will delete data upon notification that it relates to a minor without appropriate consent


15. DATA PROCESSING AGREEMENTS AND CLIENT RESPONSIBILITIES

15.1 When We Act as Data Processor

When we provide AI automation services, we process personal data on behalf of our clients. In these situations:

You (the client) are the data controller - you determine purposes and means of processing

We are the data processor - we process data only according to your documented instructions

A Data Processing Agreement (DPA) is required under UK GDPR Article 28

15.2 Data Processing Agreements (DPAs)

What is a DPA? A legally binding contract that governs how we process data on your behalf.

What it includes:

Subject matter, duration, and nature of processing

Types of personal data and categories of data subjects

Your instructions on data processing

Our obligations (security, confidentiality, assistance with rights)

Sub-processor authorisations

Data breach notification procedures

Post-termination data handling

International transfer provisions

When it's signed:

Before we begin processing client customer data

As part of our service onboarding process

Updated when services or processing activities change

Our standard DPA:

We provide a pre-approved standard DPA

Based on ICO model clauses and UK GDPR requirements

May be customised for enterprise clients with specific requirements

15.3 Client Responsibilities as Data Controller

When you use our services, you are responsible for:

Lawfulness of Processing:

Having a lawful basis to collect and process your customers' data

Obtaining appropriate consents where required

Meeting transparency obligations (privacy notices)

Ensuring accuracy of data you provide to us

Individual Rights:

Responding to data subject requests from your customers

Ensuring we have mechanisms to assist you (we'll provide tools and support)

Notifying us promptly of any rights requests affecting data we hold

Data Minimisation:

Providing only data necessary for service delivery

Not sending special category data unless absolutely necessary (and informing us)

Regularly reviewing and cleaning your data

Security:

Maintaining security of your account credentials

Using strong passwords and enabling MFA

Promptly reporting suspected security incidents

Training your staff on proper system use

Compliance:

Complying with all applicable data protection laws

Having appropriate agreements with your own customers

Conducting Data Protection Impact Assessments (DPIAs) where required

Maintaining records of processing activities

15.4 Our Sub-Processors

We use sub-processors to help deliver services. Current sub-processors include:

GoHighLevel (platform and hosting)

Anthropic (AI processing)

OpenAI (AI processing)

Google (analytics and infrastructure)

Sub-Processor Management:

You authorise our use of these sub-processors by accepting our terms

We conduct due diligence on all sub-processors

We enter into contracts ensuring GDPR-level protection

We notify you of any new or changed sub-processors (you may object)

Objecting to Sub-Processors: If we notify you of a new sub-processor and you have reasonable grounds to object:

Notify us within 14 days with your reasons

We'll work with you to find a solution

If no solution is possible, you may terminate the affected service

15.5 Data Security Obligations

We commit to:

Implementing appropriate technical and organisational measures (see Section 9)

Ensuring staff are bound by confidentiality

Assisting you in meeting your security obligations

Providing information needed for audits (subject to confidentiality)

Notifying you of data breaches affecting your data within 24 hours of discovery

15.6 Assisting with Rights and Obligations

We'll assist you in:

Responding to data subject rights requests: Providing tools to access, delete, or export data

Conducting DPIAs: Providing information about our processing activities

Demonstrating compliance: Making available information on our security measures

Breach notification: Promptly informing you of any breaches

We charge for assistance only when:

Requests are excessive or go beyond standard obligations

Significant custom development is required

Fees will be reasonable and agreed in advance

15.7 Post-Termination Data Handling

When our services end:

30-day grace period: Data remains accessible for you to download

Deletion: After 30 days, all client customer data is permanently deleted (unless otherwise agreed)

Backups: Deleted from active systems; backups overwritten within 90 days

Return option: We can return data in standard formats (CSV, JSON) upon request

Certification: We'll provide written confirmation of deletion upon request

15.8 Liability and Indemnification

Our liability:

We're liable for GDPR violations caused by our failure to comply with processor obligations

We're not liable for violations caused by your unlawful instructions

Your liability:

You're liable for GDPR violations arising from your controller responsibilities

You indemnify us against claims arising from your unlawful instructions or non-compliance

15.9 Audit Rights

You have the right to audit our processing:

Standard audits: We provide annual compliance reports (SOC 2, ISO 27001, security questionnaires)

On-site audits: Available for enterprise clients (reasonable notice, mutually agreed scope, may involve cost)

Third-party audits: You may engage independent auditors (subject to confidentiality agreements)


16. DATA BREACH NOTIFICATION

16.1 Our Breach Response Commitment

We take data breaches extremely seriously and have comprehensive procedures to detect, respond to, and notify affected parties.

What is a Personal Data Breach? A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Examples:

Unauthorised access to systems containing personal data

Ransomware attack encrypting data

Loss or theft of devices containing personal data

Accidental disclosure of data to wrong recipients

Insider misuse of data access

16.2 Notification to Supervisory Authority (ICO)

When we notify: If a breach is likely to result in a risk to individuals' rights and freedoms, we must notify the ICO within 72 hours of becoming aware.

What we report:

Nature of the breach

Categories and approximate number of data subjects affected

Categories and approximate number of records affected

Likely consequences

Measures taken or proposed to address the breach

Contact point for more information

16.3 Notification to Affected Individuals

When we notify individuals: If a breach is likely to result in a high risk to individuals' rights and freedoms, we will notify affected individuals without undue delay.

How we notify:

Direct communication (email, letter, or phone)

Clear, plain language explaining what happened

Practical advice on steps to protect themselves

What we tell you:

Nature of the breach

What data was affected

Likely consequences

Measures we've taken to address it

Contact point for questions or concerns

Steps you can take to protect yourself

16.4 Notification to Clients (When We're the Processor)

If a breach involves client customer data:

We notify the affected client within 24 hours of discovery

We provide detailed information to support the client's own notification obligations

We assist the client in breach response and investigation

We cooperate with any regulatory investigations

16.5 Breach Prevention Measures

We proactively prevent breaches through:

Regular security assessments and penetration testing

Continuous monitoring for suspicious activity

Staff training on security awareness

Incident response drills and tabletop exercises

Security-by-design principles in all systems

Regular backup and disaster recovery testing

16.6 Your Reporting Obligation

If you suspect a data breach involving data we process:

Report immediately to [email protected]

Include as much detail as possible

Don't delay - time is critical for breach response

We'll acknowledge your report within 4 hours

24/7 Emergency Contact: For critical security incidents outside business hours, call 07366 926333 and select the emergency option.


17. CHANGES TO THIS PRIVACY POLICY

17.1 How We Update This Policy

We may update this Privacy Policy from time to time to reflect:

Changes in our services or business practices

Changes in data protection laws or regulations

Introduction of new technologies

Feedback from regulatory authorities or users

Best practice developments

17.2 Notification of Changes

For minor changes:

We'll update the "Last Updated" date at the top of this policy

The revised policy takes effect immediately upon posting

We encourage regular review of this policy

For significant changes:

We'll notify you via email (to the address on file) at least 14 days before changes take effect

We'll highlight the key changes

For clients, we may require acknowledgment of updated terms

What constitutes a significant change:

Expansion of data collection or new processing purposes

Changes to data sharing practices

Reduced data security measures

Changes affecting your rights

International transfer changes

17.3 Your Options

If you disagree with changes:

You can exercise your right to object or your right to erasure (see Section 11)

You can stop using our services

Clients may terminate their service agreement in accordance with contract terms

17.4 Continued Use

Continued use of our website or services after changes take effect constitutes acceptance of the revised Privacy Policy.

17.5 Version History

We maintain a record of previous policy versions. Contact [email protected] to request historical versions.


18. CONTACT US

18.1 Data Privacy Enquiries

For any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data:

Email: [email protected] (preferred method - fastest response)
Phone: 07366 926333 (Monday-Friday, 9am-5pm GMT)
Post: Data Privacy Team, AI Bridge Club Ltd, 1 Sandy Lane, Winterley, Sandbach, Cheshire CW11 4RH

Expected Response Times:

Email acknowledgment: Within 1 business day

Substantive response: Within 5 business days for general enquiries

Subject access requests: Within 1 month (as required by law)

18.2 Security Incidents

For suspected data breaches or security incidents:

Emergency Email: [email protected]
Emergency Phone: 07366 926333 (24/7 for critical incidents)

Please include:

Your contact information

Description of the incident

What data may be affected

When you discovered it

Any steps you've already taken

18.3 Complaints

If you're unhappy with how we've handled your personal data:

First, contact us: We want to resolve your concerns. Email [email protected] with details of your complaint.

Then, if unresolved: You have the right to complain to the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Tel: 0303 123 1113
Website: www.ico.org.uk
Email: [email protected]

18.4 General Business Enquiries

For non-privacy related matters (service enquiries, sales, support):

Website: https://aibridgeclub.com/contact-us
Main Phone: 07366 926333
General Email: [email protected]


19. LEGAL JURISDICTION AND SUPERVISORY AUTHORITY

19.1 Governing Law

This Privacy Policy and all matters relating to it are governed by the laws of England and Wales.

Any disputes arising from this Privacy Policy will be subject to the exclusive jurisdiction of the courts of England and Wales.

19.2 Supervisory Authority

The Information Commissioner's Office (ICO) is the UK's independent regulatory authority for data protection. The ICO:

Upholds information rights in the public interest

Enforces UK GDPR and Data Protection Act 2018

Investigates complaints about data handling

Can issue fines for non-compliance

You have the right to lodge a complaint with the ICO at any time, regardless of whether you've raised concerns with us first.

19.3 Regulatory Compliance

We are committed to:

Full compliance with UK GDPR and Data Protection Act 2018

Cooperation with ICO investigations and audits

Implementing ICO guidance and recommendations

Maintaining up-to-date knowledge of data protection requirements


20. SPECIAL CONSIDERATIONS FOR HEALTHCARE SECTOR CLIENTS

Given that many of our clients operate in healthcare-related sectors (dental practices, chiropractic clinics, medical facilities), we want to address specific considerations:

20.1 Health Data Protection

Special Category Data: Health information is "special category data" under UK GDPR, requiring:

Stronger legal basis (usually explicit consent or necessary for healthcare purposes)

Enhanced security measures

Greater transparency

More careful handling

Our Approach:

We advise clients to implement disclaimers discouraging sharing of health information via chatbots

When health data is necessarily processed, we apply heightened security

We encourage clients to conduct Data Protection Impact Assessments (DPIAs)

We assist with compliance but cannot provide legal advice

20.2 Client Obligations for Healthcare Data

Healthcare providers using our services must:

Ensure appropriate legal basis exists (consent, legitimate interest, or legal obligation)

Provide clear privacy notices to their patients

Obtain necessary consents before implementing AI systems

Consider whether DPIAs are required

Comply with professional body guidelines (GDC, GCC, GMC, etc.)

Understand NHS data protection requirements if applicable

20.3 Accidental Health Data Collection

If patients share health information through chatbots despite disclaimers:

We treat it as special category data immediately

We apply enhanced security and restricted access

We delete it in accordance with agreed retention periods (typically shorter)

We do not use it for any purpose beyond the client's instructions

20.4 Professional Standards

We recognise that healthcare professionals are subject to additional professional obligations beyond GDPR. Our services are designed to support, not replace, professional judgment and obligations regarding patient confidentiality.


21. GLOSSARY OF KEY TERMS

Data Controller: The entity that determines the purposes and means of processing personal data. For our own business operations, we are the controller. For client customer data, our clients are controllers.

Data Processor: An entity that processes personal data on behalf of a data controller. When processing client customer data through our AI systems, we are the processor.

Data Processing Agreement (DPA): A contract between controller and processor that governs the processing of personal data.

Data Subject: An individual whose personal data is being processed. This could be you as a website visitor, client contact, or end-user of AI systems.

Personal Data: Any information relating to an identified or identifiable individual. Examples: names, email addresses, IP addresses, conversation content.

Special Category Data: Sensitive personal data requiring extra protection. Includes health data, racial/ethnic origin, religious beliefs, sexual orientation, trade union membership, genetic/biometric data.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, deletion, etc.

Sub-Processor: A third party engaged by a processor to carry out processing activities. GoHighLevel, Anthropic, and OpenAI are our sub-processors.

Legitimate Interests: A lawful basis for processing where it's necessary for legitimate purposes, provided it doesn't override individual rights and freedoms.

UK GDPR: The UK General Data Protection Regulation - the UK's version of data protection law post-Brexit.

ICO: Information Commissioner's Office - the UK's data protection supervisory authority.

Standard Contractual Clauses (SCCs): EU/UK-approved contract terms that enable lawful international data transfers.


APPENDIX: QUICK REFERENCE GUIDE

Your Key Rights at a Glance

Right | What You Can Do | How to Exercise It
Access | Get a copy of your data | Email [email protected]
Rectification | Correct inaccurate data | Email [email protected]
Erasure | Request deletion | Email [email protected]
Restriction | Limit how we use your data | Email [email protected]
Portability | Receive data in portable format | Email [email protected]
Object | Stop certain processing | Email [email protected]
Withdraw Consent | Stop consented activities | Click unsubscribe or email us
Complain | Report concerns to ICO | www.ico.org.uk or 0303 123 1113

Key Contact Information

Data Privacy: [email protected]
Security Incidents: [email protected]
General Enquiries: [email protected]
Phone: 07366 926333
ICO: www.ico.org.uk | 0303 123 1113

Our Sub-Processors

GoHighLevel (platform/hosting) - USA

Anthropic Claude (AI) - USA

OpenAI (AI) - USA

Google Analytics (website analytics) - USA/EU

Data Retention Quick Reference

Lead data (no engagement): 3 years

Client contracts: 6-7 years after end

Chatbot conversations: 12 months

Voice recordings: 6 months

Financial records: 6 years

Website logs: 90 days


This Privacy Policy was last updated in December 2024 and is version 1.0

If you have read this entire policy, thank you for taking the time to understand how we protect your privacy. We're committed to earning and maintaining your trust through responsible data practices.

For questions or concerns, please don't hesitate to contact us at [email protected].


AI Bridge Club Ltd
Company Number: 16889036
1 Sandy Lane, Winterley, Sandbach, Cheshire CW11 4RH
Tel: 07366 926333

© 2024 AI Bridge Club Ltd. All rights reserved.
