Privacy Policy

1. Data Controller

The data controller for this website is:

Jeffrey Brook
AI Business Strategy
Sole trader (autónomo)
Alicante, Spain
[email protected]

For all data protection enquiries, contact us at the email address above. We will respond within 30 days.

2. What Data We Collect

We collect and process the following categories of personal data:

• Website URLs — submitted by you for scanning and strategic analysis
• Email addresses — provided when you request a scan, purchase a report, or subscribe to communications
• Payment information — card details and billing information processed securely by Stripe. We do not store card numbers on our systems
• Scan results and report data — the strategic intelligence generated from analysing your submitted URL
• IP addresses — collected automatically when you access our services, used for security and rate limiting
• Usage data — pages visited, features used, and interaction patterns. Collected via Plausible Analytics, which does not use cookies or collect personal data

Important: Our website audit and strategic intelligence services analyse only publicly available information — the same data any visitor or search engine can access. We do not require access to your internal systems, databases, or private information.

3. Lawful Basis for Processing

We process your personal data under the following lawful bases (Article 6 UK/EU GDPR):

• Consent (Article 6(1)(a)) — when you submit a website URL for our free diagnostic scan. You may withdraw consent at any time by contacting us
• Performance of a contract (Article 6(1)(b)) — when you purchase a Strategic Intelligence Report or subscribe to Monthly Monitoring. Processing is necessary to deliver the service you have paid for
• Legitimate interest (Article 6(1)(f)) — for service improvement, security monitoring, and fraud prevention. Our legitimate interest is balanced against your rights and does not override your fundamental freedoms
• Legal obligation (Article 6(1)(c)) — for retaining payment records as required by tax and accounting law

4. How We Use Your Data

We use your personal data to:

• Generate and deliver strategic diagnostic scans and intelligence reports
• Process payments and issue receipts
• Send transactional emails (order confirmations, report delivery notifications)
• Improve and develop our services
• Protect against fraud, abuse, and unauthorised access
• Comply with legal and regulatory obligations
• Generate anonymised, aggregated sector intelligence — we analyse patterns across scans within the same industry to improve benchmarking and sector insights. Individual businesses are never identified in aggregated data

We will never sell your personal data to third parties. Aggregated sector intelligence derived from anonymised scan data may be used to improve our services and provide sector benchmarking to other clients. No individual business can be identified from this aggregated data.

5. Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this policy:

• Scan results and report data — 24 months from date of generation, then deleted
• Email addresses — retained until you unsubscribe or request erasure
• Payment records — 7 years from date of transaction, as required by Spanish tax law (Ley General Tributaria) and UK financial record-keeping obligations
• IP addresses and security logs — 12 months, then deleted

When retention periods expire, data is permanently deleted from our systems and any backups within 30 days.

6. Third-Party Processors

We share personal data with the following third-party processors, each of which is bound by data processing agreements:

• Stripe — payment processing. Stripe is PCI DSS Level 1 certified. EU data processed in Stripe’s European data centre. Stripe Privacy Policy
• Google Cloud Platform — application hosting and report storage. Region: europe-west1 (Belgium). Data remains within the EU/EEA. Google Cloud Privacy Policy
• Plausible Analytics — privacy-focused, cookie-free web analytics. Plausible does not collect any personal data, does not use cookies, and is GDPR compliant by design. Plausible Data Policy
• Resend — transactional email delivery (scan results, order confirmations, report notifications). Resend Privacy Policy

7. Cookies

We do not use cookies. Our analytics provider (Plausible) is entirely cookie-free. No consent banner is required.

8. International Data Transfers

Your data is primarily processed within the EU/EEA:

• Application hosting — Google Cloud europe-west1 (Belgium)
• Payment processing — Stripe European data centre
• Email delivery — Resend processes data in accordance with EU Standard Contractual Clauses where applicable
• Analytics — Plausible processes and stores all data within the EU. No international transfer

We do not transfer personal data outside the EU/EEA unless adequate safeguards are in place, including EU Standard Contractual Clauses or adequacy decisions by the European Commission.

9. Your Rights

Under UK GDPR, EU GDPR, and LOPDGDD, you have the following rights:

• Right of access (Article 15) — request a copy of the personal data we hold about you
• Right to rectification (Article 16) — request correction of inaccurate or incomplete data
• Right to erasure (Article 17) — request deletion of your personal data where there is no compelling reason for continued processing
• Right to restriction of processing (Article 18) — request that we limit how we use your data
• Right to data portability (Article 20) — receive your data in a structured, commonly used, machine-readable format
• Right to object (Article 21) — object to processing based on legitimate interest
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If your request is complex, we may extend this by a further two months, but we will inform you within the initial 30-day period.

You have the right to lodge a complaint with a supervisory authority:

• Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es
• UK: Information Commissioner’s Office (ICO) — ico.org.uk
• Or any EU/EEA supervisory authority in your country of residence

10. Automated Decision-Making

Our strategic diagnostic and intelligence reports are generated using AI-powered analysis. This processing produces scores, grades, and recommendations based on publicly available information about your business.

This automated processing does not produce legal effects or similarly significantly affect you. The reports are advisory in nature and do not constitute legal, financial, or regulatory advice. You are free to act on or disregard any findings.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption in transit (TLS 1.2+) and at rest (Google Cloud default encryption)
• Access controls limiting data access to authorised personnel only
• Regular security reviews and vulnerability assessments
• Rate limiting and abuse prevention on all public endpoints

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (Article 33 UK/EU GDPR) and will notify you directly if the risk is high (Article 34).

12. Children’s Data

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

13. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via our website. The “Last updated” date at the top of this policy indicates the most recent revision.

14. Contact

For any questions about this privacy policy or your personal data:

Jeffrey Brook
AI Business Strategy
[email protected]

We aim to resolve all enquiries within 30 days.