Privacy & Cookie Policy

Who we are

Lancs AI is a business automation and AI consultancy based in Lancashire, UK. We help small and medium-sized businesses save time by building practical, tailored automation solutions.

Business name: Lancs AI
Location: Lancashire, United Kingdom
Contact email: hello@lancsai.co.uk
Website: lancsai.co.uk

If you have any questions about how we handle your personal data, please get in touch using the contact details above.

What this policy covers

This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have over it. It covers:

• Data collected through our website
• Data collected when you enquire about or use our services
• Data processed as part of delivering automation services to clients
• Our use of cookies and similar tracking technologies

We are committed to handling your data responsibly and in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The data we collect and why

1. When you visit our website

When you browse our website, we collect basic analytics data to help us understand how people use the site and improve it. This is handled through Google Analytics and may include:

• Pages visited and time spent on them
• How you arrived at the site (e.g. a search engine or a link)
• Your approximate location (country or region level — not your precise address)
• Device type and browser

This data is aggregated and does not directly identify you. We rely on legitimate interest as our legal basis — understanding how our website performs is a reasonable business need, and this use is not likely to have any negative impact on you.

Google Analytics data is retained for 26 months before being automatically deleted.

You can opt out of Google Analytics tracking at any time using the Google Analytics Opt-out Browser Add-on.

2. When you fill in our contact or enquiry form

If you submit an enquiry through our website, we collect:

• Your name
• Your email address
• Your phone number (if provided)
• Your business name
• The content of your message or enquiry

We use this information to respond to your enquiry and to assess whether we may be able to help you. Enquiries are stored in a secure internal log.

Our legal basis is legitimate interest — responding to people who contact us is a necessary and proportionate use of their data.

If your enquiry does not lead to us working together, we will retain your contact details for up to 2 years from your last contact with us, after which they will be deleted.

3. When you book a call or meeting

We use Calendly to allow you to book a call with us. When you use Calendly, you provide your name and email address directly to Calendly, and we receive a notification of the booking.

Calendly acts as a data processor on our behalf. You can read Calendly's own privacy policy at calendly.com/privacy.

Our legal basis is pre-contractual steps — scheduling a call is part of establishing whether we can work together.

4. When you become a client

If we enter into a working relationship with you, we collect and store:

• Your name and contact details
• Your business name, address, and relevant business information
• Details of the workflows and processes we discuss and build for you
• Contract and project documentation
• Correspondence (emails, messages, meeting notes)

This information is stored securely in our internal systems, which are hosted on our own infrastructure in the UK. We do not use cloud-based storage for sensitive client records without your knowledge.

Our legal basis is contractual necessity — we need this information to deliver the services you have engaged us for.

Client records are retained for 6 years from the end of our working relationship, in line with standard professional services practice and the limitation period for contract claims under UK law.

5. Invoicing and payments

We maintain financial records for all work carried out, including your name, business details, and payment records. These are required by HMRC and must be retained for a minimum of 6 years.

If you pay by recurring payment, we may use GoCardless to manage this. GoCardless processes payment data on our behalf as a regulated payment provider. You can read GoCardless's privacy policy at gocardless.com/privacy.

Our accounting and bookkeeping is managed using FreeAgent, which stores invoice and financial data. FreeAgent's privacy policy is available at freeagent.com/privacy.

Our legal basis for processing financial data is legal obligation (HMRC requirements) and contractual necessity.

6. Data we process as part of your automation services

When we build automations for your business, those automations may process data belonging to your customers or staff — for example, routing form submissions, processing email enquiries, or updating records in your systems.

In these situations, you remain the data controller for your customers' data, and we act as a data processor on your behalf. This relationship is governed by a Data Processing Agreement (DPA) which forms part of our client contract. The DPA sets out exactly what data we access, why, how it is protected, and what happens in the event of a breach.

How your automation infrastructure is hosted

Depending on the nature of your workflows and the sensitivity of the data involved, we offer two hosting approaches:

Cloud-hosted (VPS)
Your automation workflows are hosted on a virtual private server managed by Lancs AI. The server is located within the UK or EEA. Lancs AI is responsible for server security, software updates, monitoring, and availability. This option is well suited to simpler workflows and clients where rapid deployment is a priority.

On-premises server
For clients handling sensitive data, or where more powerful local processing is required (for example, to run AI models within your workflows), we install and configure a dedicated physical server within your own business premises. In this arrangement, your data never leaves your site — it is processed entirely within your own network.

Lancs AI retains remote management access to on-premises servers for the purposes of maintenance, updates, and support. This access is established via an encrypted VPN connection and is limited to the Lancs AI staff directly responsible for your account. The scope of remote access is documented in your client contract.

The specific hosting arrangement for your engagement is agreed in advance and documented in your Data Processing Agreement.

AI model processing

Some automation workflows make use of AI models to analyse data or generate outputs — for example, to categorise enquiries or draft responses. Where this is the case, Lancs AI uses locally hosted AI models running on our own or your on-premises hardware. This means your data is not transmitted to external AI providers as part of automated processing.

If a workflow requires the use of a third-party AI service, this will be discussed with you explicitly before implementation and documented in your DPA. Your data will only be processed by external AI services where you have been informed and agreed.

If a specific automation requires data to pass through any third-party tool, we will discuss this with you explicitly before building it.

Who we share your data with

We do not sell your personal data or share it with third parties for marketing purposes.

We share data only with the following categories of third-party processors, where necessary to operate:

Where processors are based outside the UK, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses or recognised adequacy decisions). For clients using our on-premises hosting option, automation workflows run entirely on hardware within your own premises and are not processed by any external hosting provider.

Your rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right to access — You can request a copy of the personal data we hold about you.
• Right to correction — You can ask us to correct any inaccurate or incomplete data.
• Right to erasure — You can ask us to delete your personal data in certain circumstances, for example if we no longer need it and there is no legal reason to retain it.
• Right to restrict processing — You can ask us to limit how we use your data in certain circumstances.
• Right to data portability — You can ask for your data in a structured, machine-readable format in certain circumstances.
• Right to object — You can object to us processing your data where we rely on legitimate interest as our legal basis.
• Right to withdraw consent — Where we process data based on your consent (such as non-essential cookies), you can withdraw that consent at any time.

To exercise any of these rights, please contact us at hello@lancsai.co.uk. We will respond within one month.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

How we keep your data secure

We take the security of personal data seriously. Our measures include:

• On-premises hosting — where a client's workflows are hosted on-site, data remains within their own network at all times. Remote management is conducted exclusively via an encrypted VPN connection, with access limited to authorised Lancs AI staff
• Cloud-hosted (VPS) environments — servers are maintained with current security patches, access controls, and monitoring. Servers are located within the UK or EEA
• Self-hosted AI processing — where AI models are used within client workflows, we use locally hosted models to ensure data is not transmitted to external AI providers
• Encrypted website traffic — all traffic to our website uses HTTPS
• Principle of least access — personal data is accessible only to those directly involved in delivering your services
• Regular review — the tools, services, and infrastructure we rely on are reviewed periodically to ensure they continue to meet our security standards

In the unlikely event of a data breach that is likely to affect your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay.

Cookie policy

What are cookies?

Cookies are small text files that are placed on your device when you visit a website. They help websites remember information about your visit.

The cookies we use

Essential cookies

These cookies are necessary for the website to function and cannot be switched off. They include session cookies that keep the site working as you navigate between pages. These do not require your consent.

Analytics cookies (Google Analytics)

We use Google Analytics to understand how visitors use our website. Google Analytics sets the following cookies:

These cookies are only set with your consent. You can accept or decline them using our cookie banner when you first visit the site.

Third-party cookies (Calendly)

If you use our booking system, Calendly may set cookies to enable the booking widget to function correctly. These are governed by Calendly's own cookie policy.

Managing cookies

You can control and delete cookies through your browser settings. Please note that disabling cookies may affect the functionality of some parts of our website. You can also use the Google Analytics Opt-out Browser Add-on to prevent Google Analytics from collecting your data.

Changes to this policy

We may update this policy from time to time, for example if we introduce new tools or services. The "last updated" date at the top of this page will always reflect the most recent version. We encourage you to review this policy periodically.