Privacy Notice
Version 3.0 | February 2026
Introduction
Pierworks AI Limited ('we', 'us', 'our') is committed to protecting your privacy. This notice explains how we collect, use, and protect your personal data when you use our services or interact with us.
Pierworks AI Limited is a company registered in England and Wales (Company No. 16970272), whose registered office is at The Croft, Lower Street, East Dean, East Sussex, BN20 0DE.
We are registered with the Information Commissioner's Office (ICO). Registration number: ZC082551.
Who We Are
We are the data controller for the personal data described in this notice. This means we decide how and why your data is processed.
Paul Jemetta
Pierworks AI Limited
Email: paul@pierworks.ai
Phone: 01323 337085
Address: The Croft, Lower Street, East Dean, East Sussex, BN20 0DE
What Data We Collect
We collect and process the following categories of personal data:
Website Visitors
- Technical data: IP address, browser type, device information
- Usage data: pages visited, time spent, referral source
- Contact form submissions: name, email, message content
Prospective Clients
- Contact details: name, email, phone number
- Business information: company name, role, sector
- Communication records: emails, call notes
- Enquiry details: your requirements and interests
Clients
All of the above, plus:
- Questionnaire responses
- Discovery session and interview recordings (where consent is given)
- Staff interview notes (Comprehensive tier engagements)
- Information about your business operations, software, and processes
- Financial information: invoices, payment records
- Deliverables and correspondence
Individuals Within Client Organisations
When we conduct an assessment for a client organisation, we may process personal data about individuals within that organisation who are not the primary client contact. This includes:
- Staff members identified during discovery: names, roles, responsibilities, and their interaction with technology and AI tools within the practice
- Decision-makers identified during discovery: names, roles, and information about their professional decision-making responsibilities and preferences as they relate to technology adoption and governance (see Stakeholder Analysis below)
This data is collected through the pre-engagement questionnaire (completed by the client) and the discovery session (where the client provides information about their team and operations). We do not collect personal data about individuals within client organisations from any source other than the client itself and publicly available professional information (such as regulatory register entries).
How We Use Your Data
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Responding to enquiries | Contact details, enquiry content | Legitimate interests |
| Providing quotes and proposals | Contact and business details | Pre-contractual steps |
| Delivering assessment services | All client data categories | Contract performance |
| Stakeholder analysis (see below) | Decision-maker professional information | Legitimate interests |
| Invoicing and payment | Contact and financial details | Contract performance / Legal obligation |
| Sending service updates | Contact details | Legitimate interests |
| Marketing (with consent) | Contact details | Consent |
| Improving our services | Usage and feedback data | Legitimate interests |
| Legal/regulatory compliance | As required | Legal obligation |
Legitimate interests: Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your rights. Our legitimate interests include: operating and improving our business, communicating with clients and prospects, ensuring the security of our services, and conducting stakeholder analysis to deliver effective advisory services.
Stakeholder Analysis
As part of our RADAR methodology, we analyse information about key decision-makers within client organisations to understand how recommendations should be framed and presented. This analysis may include:
- Professional decision-making responsibilities and authority
- Technology adoption preferences and concerns expressed during discovery
- Communication preferences relevant to report presentation
- Professional priorities as they relate to the governance and operational areas covered by our assessment
This analysis constitutes profiling within the meaning of UK GDPR Article 4(4), because it involves automated processing of personal data to evaluate aspects of an individual's professional behaviour and preferences.
However, it does not fall within UK GDPR Article 22(1) (automated individual decision-making) because:
- The analysis is not solely automated — it is reviewed and interpreted by our named consultant
- It does not produce decisions about the individuals analysed — it informs how we present recommendations to the client organisation
- It does not produce legal or similarly significant effects on the individuals analysed
Lawful basis: Legitimate interests (Article 6(1)(f)). Our legitimate interest is delivering an effective advisory service that communicates recommendations in a way decision-makers can act on. We have conducted a balancing test and concluded that this interest is not overridden by the rights of the individuals concerned, given that: the analysis relates to professional (not personal) attributes, it is used solely within the specific engagement, it is retained as an internal working document and is never disclosed to the client or any third party, and it is subject to a defined retention period.
Your rights: If you are an individual within a client organisation and wish to exercise your data protection rights in relation to stakeholder analysis, please contact us using the details below. You have the right to object to processing based on legitimate interests, and we will cease processing unless we have compelling legitimate grounds.
Use of AI Tools
We use artificial intelligence tools to assist with research, analysis, and report preparation as part of our service delivery. You should be aware that:
- We use enterprise-grade AI services with appropriate data protection agreements in place. Our primary AI service provider is Anthropic (Claude API), with whom we maintain a Data Processing Agreement
- Your data is not used to train, retrain, or improve any AI models. We use services with training explicitly disabled and have contractual confirmation of this
- Data submitted to the Anthropic API is processed on infrastructure operated by Anthropic. Anthropic's current data processing infrastructure is located in the United States, with appropriate safeguards in place (see International Transfers below)
- Before any client data is submitted to AI services, we apply automated redaction of personal identifiers including email addresses, phone numbers, National Insurance numbers, dates of birth, and similar personal data. Staff names and the client practice name are retained where necessary for the methodology to function
- Human oversight and professional judgement are applied to all AI-assisted outputs before delivery. The named consultant reviews, validates, and where necessary modifies all findings and recommendations
- You may request that we do not use AI tools for your engagement. Please raise this before work commences, as it may affect the timeline and fee
Recording of Sessions
With your consent, we record discovery sessions and interviews conducted as part of our assessment engagements. Recordings are:
- Used solely for the purpose of ensuring accuracy of our notes and analysis
- Stored securely with encryption at rest and in transit, with primary storage in the UK
- Retained for 6 years in line with our engagement records retention policy
- Not shared with any third party
- Securely destroyed at the end of the retention period
You may decline recording at any point. Where you decline, we rely on written notes, which you may review for accuracy.
Lawful basis for recording: Consent (UK GDPR Article 6(1)(a)). You may withdraw consent at any time by contacting us, though this will not affect the lawfulness of processing carried out before withdrawal.
Who We Share Data With
We do not sell your personal data. We may share your data with:
| Recipient Category | Purpose | Safeguards |
|---|---|---|
| Cloud storage providers (Microsoft 365) | Secure file storage and email | UK data centres; encryption at rest; DPA in place |
| Video conferencing providers (Zoom) | Remote discovery sessions and meetings | Standard Contractual Clauses; encryption in transit |
| AI service providers (Anthropic) | Research and analysis assistance within RADAR methodology | Enterprise DPA; training opt-out confirmed; automated PII redaction before submission |
| Payment processors | Processing payments | PCI DSS compliant |
| Professional advisers | Legal, accounting, insurance | Professional confidentiality obligations |
| Associate consultants | Assisting with service delivery (where engaged) | Equivalent confidentiality and data protection obligations |
| Regulators/authorities | Where legally required | Legal obligation |
International Transfers
Our primary data storage is in the UK (Microsoft 365 with UK data residency). Some of our service providers process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place:
- Adequacy decisions: transfers to countries the UK has deemed adequate (e.g., EEA)
- Standard Contractual Clauses: approved contract terms for transfers to other countries. Our AI service provider (Anthropic) processes data on US-based infrastructure under Standard Contractual Clauses incorporated into our Data Processing Agreement
- Supplementary measures: additional technical and organisational protections where required, including automated PII redaction before data is submitted to AI services
You may request details of specific safeguards by contacting us.
How Long We Keep Data
| Data Category | Retention Period | Reason |
|---|---|---|
| Website analytics | 26 months | Industry standard for analytics |
| Prospect enquiries (no engagement) | 2 years from last contact | Follow-up and business development |
| Client engagement records (reports, correspondence, extraction data) | 6 years from engagement end | Professional requirements; limitation periods |
| Discovery session recordings | 6 years from engagement end | Part of engagement records |
| Internal working papers (including stakeholder analysis) | 6 years from engagement end | Professional records; may be required for PI insurance or regulatory purposes |
| Financial records | 7 years | Tax and accounting requirements |
| Marketing consent records | Duration of consent + 2 years | Demonstrating valid consent |
At the end of the retention period, data is securely deleted or anonymised.
Your Rights
Under UK data protection law, you have the following rights:
Right of Access
You can request a copy of the personal data we hold about you. We will respond within one month.
Right to Rectification
You can ask us to correct inaccurate or incomplete data.
Right to Erasure
You can ask us to delete your data in certain circumstances, such as when it is no longer needed for the original purpose. This right does not apply where we need to keep data for legal or professional reasons.
Right to Restriction
You can ask us to restrict processing of your data while we verify its accuracy or consider your objection.
Right to Data Portability
You can request your data in a structured, machine-readable format where processing is based on consent or contract and carried out by automated means.
Right to Object
You can object to processing based on legitimate interests, including the stakeholder analysis described above. We will stop processing unless we have compelling legitimate grounds.
Rights Related to Automated Decision-Making and Profiling
Our RADAR methodology uses AI-assisted analysis as part of a structured assessment process. This includes profiling of decision-makers within client organisations as described in the Stakeholder Analysis section above.
We do not make decisions based solely on automated processing that produce legal or similarly significant effects on any individual. Where AI tools are used in our analysis, the output is always reviewed, validated, and where necessary modified by a named consultant before any recommendation is made or any report is delivered. The named consultant accepts professional responsibility for the report content.
The stakeholder analysis described above constitutes profiling but does not fall within Article 22(1) because it is not solely automated and does not produce legal or similarly significant effects on the individuals analysed.
If you have concerns about how automated processing or profiling affects you, please contact us and we will explain the processing and your options.
To exercise any of these rights, contact us at paul@pierworks.ai. We may need to verify your identity before responding.
Cookies
Our website does not currently use cookies or any tracking technologies. If this changes in future — for example, if we add analytics or a contact form — we will update this notice and provide appropriate controls.
Marketing
We may send you information about our services if you have given consent, or you are an existing client and the information relates to similar services (soft opt-in under the Privacy and Electronic Communications Regulations 2003).
You can opt out at any time by clicking 'unsubscribe' in any marketing email, or by contacting us at paul@pierworks.ai.
Security
We take the security of your data seriously. Our measures include:
- Encryption of data at rest and in transit
- Secure, access-controlled cloud storage with primary data residency in the UK
- Automated redaction of personal identifiers before data is submitted to AI services
- Regular software updates and security patches
- Strong passwords and multi-factor authentication
- Confidentiality obligations on all personnel and associates
- Regular review of security practices
While we take all reasonable precautions, no data transmission over the internet is completely secure. We cannot guarantee absolute security but will notify you and the ICO of any breach as required by law.
Children's Data
Our services are not directed at children under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
Changes to This Notice
We may update this notice from time to time. We will notify you of significant changes by posting the updated notice on our website and emailing you directly (for clients). The 'last updated' date at the top of this notice indicates when it was last revised.
Complaints
If you have concerns about how we handle your data, please contact us first at paul@pierworks.ai. We will try to resolve your concerns.
You also have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk
Contact Us
For any questions about this privacy notice or how we handle your data:
Pierworks AI Limited. Registered in England and Wales. Company No. 16970272. Registered office: The Croft, Lower Street, East Dean, East Sussex, BN20 0DE.
Last updated: February 2026