Company: MINARIK AI
Registered Address: 1st Floor, 3 Orchard Place, London, SW1H 0BF, United Kingdom
Privacy Contact: Thomas Minarik, [email protected]
Effective Date: 1 January 2025
Version: 1.0
We process personal data to deliver AI growth consulting services. This policy explains what we process, why, our lawful bases, how we protect data, your rights, and how to contact us. It applies to our own marketing/sales and to work we do for clients.
We act as a Controller for our own business operations (e.g., website, sales/marketing, hiring, billing).
We act as a Processor when a client instructs us to process personal data on their behalf (e.g., implementing an AI workflow in their stack). In those cases we sign a Data Processing Agreement (DPA) with Article 28 terms.
This policy covers all personal data we process in the UK and, where applicable, the EU/EEA. "Personal data" means any information relating to an identified or identifiable person. The UK GDPR and the Data Protection Act 2018 govern how we handle that data; the UK GDPR retains the core GDPR principles post-Brexit.
We apply the data protection principles: lawfulness, fairness, transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity & confidentiality; and accountability. We maintain records and evidence of compliance.
We rely on one or more of the following lawful bases when processing personal data (Article 6 UK GDPR): consent, contract, legal obligation, legitimate interests, or vital interests (rare). We document the lawful basis for each purpose in our Record of Processing Activities (ROPA).
We rely on consent or legitimate interests, and comply with PECR rules for direct marketing. You can opt out at any time.
Name, work email, phone, role, company.
Meeting notes, webforms, website analytics, email interactions.
Prospect lists, CRM extracts, support tickets, transcripts or call notes, and other datasets supplied by clients for an engagement.
We do not seek to process this. If a client's use case touches special category data (e.g., health or ethnicity), we require a DPIA and explicit lawful basis before processing.
We keep personal data only as long as necessary for the purposes collected, then securely delete or anonymise it under our retention schedule. Typical examples:
| Data Category | Retention Period |
|---|---|
| Sales enquiries | 24 months from last interaction |
| Client project data (Processor) | 90 days post-project (or per contract) |
| Marketing lists | Until opt-out or 24 months inactivity |
| Billing records | 6 years (legal/accounting requirement) |
Individuals have rights to access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making. We respond within one month of receipt; for complex or multiple requests we may extend by up to two further months, notifying you within the first month. We may request identity verification and have the right to refuse manifestly unfounded/excessive requests.
We implement layered controls appropriate to the risk, including:
Where we transfer personal data outside the UK:
- We prefer destinations covered by UK adequacy regulations (including the UK-US Data Bridge for US organisations certified to the UK extension of the Data Privacy Framework).
- If there is no adequacy decision, we use the IDTA or the UK Addendum to the EU SCCs, and perform a Transfer Risk Assessment (TRA).
- For the UK-US Data Bridge, we verify the recipient's current certification and note the ICO's considerations.
We maintain an up-to-date list of sub-processors and require:
- Article 28 terms (DPA), confidentiality, security obligations, and no training on our prompts/data without explicit permission.
- Notice and a chance to object before onboarding material new vendors (where we act as Processor).
If we become aware of a personal data breach, we assess the risk to individuals. Where a breach is likely to result in a risk to people's rights and freedoms, we notify the ICO without undue delay and within 72 hours of becoming aware; if notification is late, we will explain the delay. We also notify affected individuals without undue delay where the risk is high, and we maintain a breach log.
Because we build and operate AI workflows, we apply extra controls:
We only send direct marketing where we have a lawful basis (consent or legitimate interests) and PECR permits it (e.g., "soft opt-in" for existing customers). We provide clear opt-out in every message and maintain suppression lists.
We maintain:
We are not required to appoint a statutory DPO at present; if our processing changes (e.g., large-scale monitoring or special category processing), we will reassess. We have appointed a Privacy Lead to oversee compliance.
Unless exempt, organisations processing personal data must pay the ICO data protection fee and keep their registration current.
We publish a separate Privacy Notice and Cookie Policy explaining what we collect on our website, our lawful bases, retention, cookie categories, and your choices (including consent tools).
Email: [email protected]
Postal: 1st Floor, 3 Orchard Place, London, SW1H 0BF, United Kingdom
If you have unresolved concerns, you can raise them with the ICO: ico.org.uk or 0303 123 1113.
We review this policy at least annually or when our processing changes. The latest version is always available on our website.
- We only collect what we need, keep it secure, and delete it when we are done.
- You control your data: access, correct, delete, or object at any time.
- We do not train AI models on your data without explicit permission.
- For US transfers, we prefer UK-US Data Bridge recipients or use the IDTA/SCC Addendum plus a TRA.
- If things go wrong, we act fast and tell the ICO within 72 hours where required.