AI Data Processing Notice

How AI Interacts With Your Data

A clear explanation of when AI tools process your personal or business data, on what legal basis, and what protections are in place at every step.

Last updated: May 2026

How AI Processes Your Data

In some parts of our service delivery, AI tools process data. This notice explains when that happens, under what conditions, and what safeguards apply.

When you engage us for consulting services, some research, analysis, and drafting work may be supported by AI tools. In these cases, data processed by AI is limited to what is strictly necessary for the specific task. We do not input client personal data into consumer-grade AI tools. Only enterprise-grade tools with written data processing agreements and appropriate UK GDPR safeguards are used in connection with client-identifiable information.

Our Aria platform uses AI-assisted analysis to support governance and compliance scoring. When you use Aria, the data you input is processed within our Microsoft Azure-hosted environment, which is located in the UK and EU. AI processing within Aria operates under a data controller and processor relationship, and our Data Processing Agreement (DPA) sets out the full terms of that processing. A copy of our DPA is available to Aria subscribers on request.

Legal Basis for AI Processing

All AI-assisted processing of personal data is conducted on a documented lawful basis under UK GDPR and the Data (Use and Access) Act 2025.

For consulting engagements, AI-assisted processing of personal data is carried out on the basis of contract (Article 6(1)(b)) where it is necessary to deliver the agreed service, or legitimate interests (Article 6(1)(f)) where it supports delivery without overriding your privacy rights. Where we rely on legitimate interests, we complete and retain a Legitimate Interests Assessment (LIA).

For Aria platform users, the lawful basis for processing is set out in our Terms of Service and DPA. We do not use your data for AI model training without your explicit consent. Where AI tools are provided by third parties such as Microsoft or Anthropic, those providers process data under their own data processing agreements, which we have reviewed and confirmed meet the requirements of UK GDPR and the Data (Use and Access) Act 2025.

Our AI Sub-Processors

We are transparent about the AI providers we use. We maintain a current sub-processor list and review it whenever our tooling changes.

We currently use the following AI sub-processors: Microsoft Azure — cloud infrastructure and Copilot services, data centres located in the UK and EU, governed by Microsoft's Online Services Data Processing Agreement. Anthropic — Claude AI (enterprise tier), governed by Anthropic's data processing addendum, with model training on customer data disabled. Both providers have been assessed for UK GDPR compliance before being approved for use with any client or user data.

We review our sub-processor list at minimum annually and whenever we add or change a material provider. Aria subscribers will be notified of any material changes to our sub-processor list with reasonable advance notice, in accordance with the terms of our DPA. The current sub-processor list is available to clients and subscribers on request, and this notice will be updated promptly whenever changes occur.

Data Minimisation and Retention

We process only the data that is necessary, and we apply data minimisation principles to every AI interaction.

We do not input more personal data into AI tools than is required for the specific task. Where AI tools offer settings to limit data retention or to opt out of data being used for model improvement, we enable those settings as standard. We do not retain personal data in AI tool sessions beyond what is necessary for the task in progress. AI tools approved for use with client data are configured to the most privacy-protective settings available.

For Aria platform users, data retention periods are set out in our Terms of Service and DPA. For consulting engagements, personal data processed through AI tools is subject to our standard data retention schedule, which complies with UK GDPR storage limitation principles. You can request deletion of your data at any time, and we will action this within the statutory timeframe, including issuing deletion instructions to relevant sub-processors where applicable.

Your Rights

You have full data subject rights in relation to any personal data we process, including data processed by AI tools on our behalf. These rights are real and we will help you exercise them.

Under UK GDPR and the Data (Use and Access) Act 2025, you have the right to access the personal data we hold about you, to request correction or deletion, to restrict or object to processing, and to receive your data in a portable format. You also have the right not to be subject to solely automated decision-making that has a significant effect on you. We do not make material decisions about individuals using AI without human review.

To exercise any of your rights, contact us at [[email protected]]. We will acknowledge within 72 hours and respond in full within one calendar month. If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office at www.ico.org.uk. Our ICO registration number is [ZC011851]. This notice is reviewed at minimum every six months and whenever our AI processing activities change.
