Privacy Policy

2. What Information Do We Collect? (When We're Controller)

2.1 Information You Provide Directly

When you interact with Bramforth AI as a potential or current business customer, we collect:

Contact Information:

• Full name
• Business name and role/title
• Email address
• Phone number
• Business address

Business Information:

• Company size and sector
• Business needs and pain points
• Services you're interested in
• Preferred contact methods and times

Account and Billing Information:

• Username and password (hashed, never stored in plain text)
• Billing address and VAT number
• Payment information (processed by Stripe - we never see your card details)
• Invoice history and payment records

Communications:

• Emails you send us
• Phone call recordings (with advance notice)
• Meeting notes from sales calls or support sessions
• Feedback and survey responses

Marketing Preferences:

• Newsletter subscription status
• Marketing consent preferences
• Communication channel preferences

2.2 Information We Collect Automatically

When you visit our website, we automatically collect:

Technical Information:

• IP address and approximate location (country/city level)
• Browser type and version
• Device type (desktop, mobile, tablet)
• Operating system
• Screen resolution and browser window size

Usage Information:

• Pages you visit and time spent on each
• Links you click
• Files you download (e.g., case studies, whitepapers)
• Search queries on our site
• Referral source (how you found us)

Cookies and Similar Technologies:

We use cookies for:

• Essential website functionality
• Analytics to improve our website (Google Analytics)
• Marketing attribution (if you've consented)

You can control cookies through your browser settings. See Section 10 for details.

2.3 Information From Third Parties

We may receive information about you from:

• LinkedIn: If you connect with us or interact with our content
• Google/Microsoft: If you use social login on our platform
• Business partners and referrers: Who recommend our services

We only accept third-party data where we believe they have a lawful basis to share it with us.

3. How Do We Use Your Information? (When We're Controller)

3.1 Our Processing Purposes and Legal Bases

We use your personal information for the following purposes, each with a lawful basis under UK GDPR:

3.2 Legitimate Interests Assessment

Where we rely on legitimate interests, we've balanced our interests against your privacy rights and ensured:

• We use minimal data necessary
• You have reasonable expectations we'd process this data
• Our interests don't override your fundamental rights
• You can object at any time

3.3 Marketing Communications

What we send:

• Product updates and new features
• Industry insights and best practices for AI automation
• Case studies and success stories
• Event invitations and webinar announcements

How to opt out:

• Click "unsubscribe" in any marketing email
• Email privacy@bramforth.ai with "Unsubscribe" in the subject
• Update your preferences in your account dashboard

4. Who Do We Share Your Information With?

We share your information only as described below. We do not sell your personal data.

4.1 Service Providers (Sub-Processors)

We use trusted third-party companies to help us deliver our services:

4.2 Legal and Compliance

We may share your information:

• With regulators: To comply with legal obligations (e.g., ICO, HMRC)
• With law enforcement: In response to valid legal requests
• With professional advisors: Lawyers, accountants, auditors (under confidentiality obligations)

4.3 Business Transfers

If we're acquired or merge with another company, your information may be transferred to the new owner. We'll notify you and ensure they honor this Privacy Policy.

5. International Data Transfers

5.1 Where Is Your Data Processed?

Primary storage: European Union (Ireland and Germany)

Some processing occurs in the United States through providers like:

• Vercel (website hosting)
• Stripe (payment processing)
• Mailgun (email delivery)
• Google Workspace (internal business systems)

5.2 How We Protect International Transfers

For transfers to the United States and other countries without UK adequacy decisions, we use:

Standard Contractual Clauses (SCCs): EC-approved contracts requiring US providers to protect your data to UK GDPR standards

Supplementary measures:

• Encryption in transit and at rest
• Access controls and authentication
• Regular security assessments
• Contractual commitments to challenge government data requests

UK International Data Transfer Agreement (IDTA): Post-Brexit UK framework ensuring continued protection

5.3 Transfer Impact Assessments

We've conducted Transfer Impact Assessments for all US providers and determined that with our supplementary measures, the transfers provide appropriate safeguards.

Your rights: You can request copies of relevant SCCs and transfer safeguards by emailing privacy@bramforth.ai.

6. How Long Do We Keep Your Information?

6.1 General Retention Principles

We keep data only as long as necessary for the purposes described in this policy. Retention periods depend on:

• Legal and regulatory requirements (e.g., tax records for 7 years)
• Contract obligations
• Our legitimate business interests
• Your preferences and rights

6.2 Specific Retention Periods

6.3 Deletion Process

After retention periods expire:

• Deletion: We securely delete data so it cannot be recovered
• Anonymization: Some data may be anonymized for statistical analysis (no longer personal data)
• Backups are overwritten within 90 days
• Legal hold data is retained until the matter concludes

You can request earlier deletion by exercising your right to erasure (see Section 9).

7. How Do We Keep Your Information Safe?

7.1 Technical Measures

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access controls: Role-based access, multi-factor authentication for staff
• Monitoring: 24/7 security monitoring and intrusion detection
• Backups: Daily encrypted backups stored securely
• Password security: Passwords hashed using bcrypt (never stored in plain text)

7.2 Organizational Measures

• Staff training: Regular data protection and security training
• Confidentiality agreements: All staff and contractors sign NDAs
• Access restrictions: Data access limited to authorized personnel only
• Vendor management: Sub-processors vetted for security practices
• Incident response plan: Documented procedures for data breaches

7.3 Certifications (Planned)

We're working toward:

• ISO 27001 (Information Security Management)
• SOC 2 Type II (Security and Confidentiality)

7.4 Data Breach Notification

If we suffer a data breach affecting your personal information:

• We'll notify you within 72 hours of becoming aware
• We'll notify the ICO if the breach poses risks to your rights
• We'll provide: Details of the breach, likely consequences, and our remedial actions

8. When We Act as Data Processor

8.1 Who Controls Your Data?

When you call a business using our voice agents:

• The business (Controller) decides: What data to collect, how to use it, how long to keep it, who to share it with
• Bramforth (Processor) follows instructions: We only process data as instructed by the business
• Your rights: You must contact the business (Controller) to exercise privacy rights

8.2 What Data We Process (As Processor)

When you call a business using our voice agents, we may process:

For Healthcare Clients:

• Your name and phone number (caller ID)
• Call recordings (audio) and transcripts (text)
• Appointment booking details (date, time, service type)
• Health-related information you voluntarily share (e.g., "I need a consultation for hair loss")
• CRM data from the clinic (if you're a returning patient)

For Non-Healthcare Clients:

• Your name and phone number
• Call recordings and transcripts
• Enquiry details (e.g., technical support questions, your technical level)
• Account information for personalized service

8.3 Our Obligations as Processor

Under our Data Processing Agreements (DPAs) with business customers, we:

• ✅ Process data only on their documented instructions
• ✅ Keep data secure using measures described in Section 7
• ✅ Only use approved sub-processors (see table below)
• ✅ Help them respond to data subject rights requests
• ✅ Notify them within 48 hours if we detect a security incident
• ✅ Delete or return data within 30 days of contract termination

8.4 Sub-Processors for Voice Agent Services

When providing voice agent services, we use these additional sub-processors:

8.5 International Transfers (Voice Agent Data)

Healthcare client data:

• Core data stored in EU (Ireland, Germany)
• Some AI processing in US (Retell AI, Twilio, OpenAI/Anthropic)
• Protected by: UK GDPR-approved Standard Contractual Clauses, UK IDTA, and supplementary measures
• Transfer Impact Assessments: Conducted and documented

Your rights regarding US transfers: The business you're calling (Controller) can object to these transfers. Refer to their privacy notice or contact them directly.

8.6 Healthcare Data Protections

When processing health information (UK GDPR Article 9 "special category data"), we implement:

• Enhanced encryption and access controls
• Healthcare-specific staff training and confidentiality agreements
• Faster breach notification (24 hours vs 48 hours standard)
• Stricter data minimization (only essential health information captured)
• Regular security assessments focused on healthcare compliance

8.7 Your Rights (When We're Processor)

If you're calling a business that uses our voice agents:

• ✅ Right to access your call recordings and transcripts
• ✅ Right to correction of inaccurate information
• ✅ Right to deletion of your call data
• ✅ Right to object to AI processing (and request human handling)
• ✅ Right to complain to the ICO if you believe your data is mishandled

How to exercise these rights:

1. Contact the business you called first (they're the Controller)
2. The business will coordinate with us to fulfill your request
3. We'll respond to their request within 2 business days
4. If you can't reach the business, contact us at privacy@bramforth.ai and we'll assist

8.8 Data Retention (As Processor)

We retain voice agent call data according to our DPA with each business customer:

Standard retention (unless instructed otherwise):

• Call recordings and transcripts: Configurable per customer (0, 7, 30, or 90 days); default 30 days
• Appointment data: Up to 3 months after appointment
• CRM synced data: Duration of service + 30 days
• Security logs: 12 months

Automatic deletion: Data is automatically deleted per these schedules.

8.9 DPA Availability

Business customers who use our voice agent services execute a Data Processing Addendum (DPA) that includes:

• UK GDPR Article 28 requirements
• Standard Contractual Clauses for international transfers
• Security obligations and breach notification procedures
• Sub-processor list and change notification rights
• Audit rights and compliance certifications

Current/prospective business customers: Contact info@bramforth.ai to request our DPA.

9. Your Privacy Rights

Under UK GDPR, you have the following rights:

9.1 Right of Access (Article 15)

What it means: You can request a copy of the personal data we hold about you.

How to exercise: Email privacy@bramforth.ai with subject "Subject Access Request"

What you'll receive:

• Copy of your personal data in a common format (PDF or CSV)
• Details of how we use your data and who we share it with
• How long we'll keep your data
• Your rights regarding your data

Response time: 1 month (may extend to 2 months for complex requests)

9.2 Right to Rectification (Article 16)

What it means: You can request correction of inaccurate or incomplete data.

How to exercise: Email privacy@bramforth.ai with subject "Rectification Request"

9.3 Right to Erasure / "Right to be Forgotten" (Article 17)

What it means: You can request deletion of your personal data.

How to exercise: Email privacy@bramforth.ai with subject "Deletion Request"

When we must comply:

• Data is no longer necessary for the original purpose
• You withdraw consent (where consent was the legal basis)
• You object to processing and there's no overriding legitimate interest
• Data was unlawfully processed
• Legal obligation requires deletion

Exceptions (we may refuse deletion if):

• We need to comply with legal obligations (e.g., tax records for 7 years)
• We need to establish, exercise, or defend legal claims

9.4 Right to Restrict Processing (Article 18)

What it means: You can request we stop processing your data (but still store it).

When available:

• You're contesting data accuracy (we pause processing during verification)
• Processing is unlawful but you don't want deletion
• We no longer need the data but you need it for legal claims
• You've objected to processing (pending verification of legitimate interests)

9.5 Right to Data Portability (Article 20)

What it means: You can receive your data in a machine-readable format and transfer it to another service.

Applies when:

• Processing is based on consent or contract
• Processing is automated

Format: JSON, CSV, or XML (your choice)

9.6 Right to Object (Article 21)

What it means: You can object to processing based on legitimate interests or for marketing.

How to exercise: Email privacy@bramforth.ai with subject "Objection"

Marketing objections: We'll stop immediately (no questions asked)

Legitimate interests objections: We'll stop unless we can demonstrate compelling legitimate grounds that override your interests

9.7 Rights Related to Automated Decision-Making (Article 22)

What it means: You have the right not to be subject to automated decisions with significant effects.

Our stance: We don't use automated decision-making that significantly affects you (see Section 12).

9.8 Right to Withdraw Consent

Where we process data based on your consent, you can withdraw consent at any time:

• Click "unsubscribe" in marketing emails
• Email privacy@bramforth.ai
• Update preferences in your account dashboard

Note: Withdrawal doesn't affect the lawfulness of processing before withdrawal.

9.9 Right to Complain

If you believe we've mishandled your data, you can:

1. Contact us first: privacy@bramforth.ai - we'll investigate and respond
2. Complain to the ICO:
   • Information Commissioner's Office (ICO)
   • Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
   • 🌐 https://ico.org.uk
   • 📞 0303 123 1113

9.10 How to Exercise Your Rights

10. Cookies and Tracking Technologies

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit websites. They help websites remember your preferences and understand how you use the site.

10.2 Cookies We Use

Strictly Necessary Cookies (No Consent Required):

• Session management (keeping you logged in)
• Security (preventing fraud)
• Load balancing (distributing traffic)

Preference Cookies (Consent Required):

• Language settings
• Display preferences (e.g., dark mode)

Analytics Cookies (Consent Required):

• Google Analytics: Understanding how visitors use our site (IP anonymization enabled)
• Hotjar: Heatmaps and session recordings (used occasionally for UX research)

Marketing Cookies (Consent Required):

• LinkedIn Insight Tag: Measuring effectiveness of LinkedIn ads
• Google Ads: Conversion tracking for ad campaigns

10.3 Managing Your Cookie Preferences

Cookie banner: When you first visit bramforth.ai, you can accept or reject optional cookies

Change preferences anytime:

• Click "Cookie Settings" in the footer of our website
• Adjust browser settings:
  • Chrome: Settings > Privacy and Security > Cookies
  • Firefox: Settings > Privacy & Security
  • Safari: Preferences > Privacy

10.4 Do Not Track (DNT)

We don't currently respond to DNT browser signals as there's no agreed industry standard. If a standard emerges, we'll update this policy.

10.5 Third-Party Links

Our website contains links to third-party websites (e.g., case studies, partner sites). We're not responsible for their privacy practices. Please review their privacy policies before providing personal information.

11. Children's Privacy

Age restriction: Our services are not intended for children under 18.

We do not knowingly collect data from children under 18. If we discover we've inadvertently collected such data, we'll delete it immediately.

Exception: Healthcare Services

When acting as a processor for healthcare clients, children's data may be processed as part of legitimate healthcare services (e.g., pediatric clinics). In these cases:

• The clinic (Controller) is responsible for obtaining parental consent
• We process children's data only as instructed by the clinic
• Enhanced protections apply (minimal data collection, strict access controls)

Parents/Guardians: If you believe we've collected your child's information, contact privacy@bramforth.ai immediately.

12. Automated Decision-Making and Profiling

We do not use automated decision-making that produces legal or similarly significant effects on you.

Our AI Voice Agents:

• Assist with appointment booking and enquiries
• Do not make decisions that significantly affect you (e.g., loan approvals, medical diagnoses)
• Always allow you to speak with a human by pressing a button or requesting a callback

Business Customers:

We may use automated systems to qualify sales leads (e.g., company size, industry) but this doesn't significantly affect you. You can contact us at any time to discuss your needs with a human.

13. Changes to This Privacy Policy

13.1 Updates

We may update this Privacy Policy to:

• Reflect changes in our services
• Comply with new legal requirements
• Improve clarity and transparency

When we make material changes:

• We'll update the "Last Updated" date at the top
• We'll notify business customers by email
• For significant changes, we may require re-acceptance

13.2 Review History

You can request previous versions of this Privacy Policy by emailing privacy@bramforth.ai.

14. Contact Information

15. Legal Basis Summary

Quick reference for our legal bases for processing:

FAQ for Quick Reference