Privacy Policy
Last updated: 28 March 2026
1. Who We Are
ClearRun provides AI automation services to UK small businesses. We are currently operating as a sole trader based in the United Kingdom and will incorporate as ClearRun Ltd when our first paying client signs. This policy will be updated with the company number and registered address at that point.
For data protection queries, please contact us at privacy@clearrun.uk. For anything else, hello@clearrun.uk.
ICO registration number: [to be inserted after registration]
For data we collect about website visitors, prospective clients, and our own contacts, we act as the data controller. For data we process on behalf of our clients (their customers', suppliers', or employees' data flowing through our automations), we act as a data processor under a separate Data Processing Agreement with each client.
2. What Data We Collect
We collect and process the following types of personal data:
2.1 Information You Provide
- Contact form submissions: Your name, email address, company name, industry, and any message you send us.
- Email correspondence: Any information you share with us via email.
- Booking information: Details provided when booking an automation audit or consultation call.
2.2 Information Collected Automatically
- Website analytics: Pages visited, time on site, referring source, browser type, device type, and approximate geographic location (city level). We do not use this data to identify individuals.
- Cookies: See section 8 below for details on the cookies we use.
3. Why We Collect Your Data
We collect and process personal data for the following purposes:
- To respond to your enquiry: When you contact us through our website or by email, we use your details to reply and provide information about our services.
- To deliver our services: If you become a client, we process your data as necessary to fulfil our contract with you.
- Legitimate interest for B2B marketing: We may send relevant information about our services to business contacts. You can opt out at any time.
- Website improvement: We use analytics data to understand how visitors use our site and to improve the experience.
4. Legal Basis for Processing
We process your personal data under the following legal bases as defined by UK GDPR:
- Consent: Where you have given clear consent, for example by submitting a contact form.
- Contract: Where processing is necessary to fulfil a contract with you or to take steps at your request before entering a contract.
- Legitimate interest: Where processing is necessary for our legitimate business interests, such as B2B marketing, provided your rights do not override those interests.
5. How We Use AI and Third-Party Processors
To run our website and deliver our services we rely on a small number of third-party processors. The current list:
| Vendor | Purpose | Location | Safeguard |
|---|---|---|---|
| Anthropic | AI processing (Claude API) | US | UK-US Data Bridge |
| OpenAI | AI processing (GPT API) where used | US | UK-US Data Bridge |
| Netlify | Website + contact-form hosting | US | UK-US Data Bridge |
| Cloudflare | Email routing + DNS | US + global edge | UK-US Data Bridge |
| Google Workspace | Our business email + calendar | US + EU | UK-US Data Bridge |
| Notion | Internal CRM / project records | US | UK-US Data Bridge |
| Brevo | Email sending | EU | UK adequacy |
| Calendly | Booking calls | US | UK-US Data Bridge + SCCs |
| Stripe | Payments (once engaged) | UK + US | UK adequacy + SCCs + PCI DSS L1 |
| Railway / Supabase / Twilio | Running automations for paying clients | US (Supabase EU region available) | UK-US Data Bridge / SCCs |
- Before any client data is processed by a new sub-processor, we notify the client in writing.
- We do not use client data to train AI models. Anthropic and OpenAI commit, via their API terms, that API data is not used to train models by default.
- All international transfers rely on the UK-US Data Bridge, UK adequacy decisions, or the UK International Data Transfer Agreement (IDTA) / UK Addendum to the EU SCCs.
6. Data Sharing
We do not sell your personal data. We may share your data with:
- Service providers: Such as our website hosting provider (Netlify), email service, and analytics platform, who process data on our behalf under strict agreements.
- AI API providers: As described in section 5, only with your knowledge and where necessary to deliver our services.
- Legal requirements: Where we are required to do so by law or to protect our legal rights.
7. Data Retention
- Contact form enquiries: 24 months from last contact.
- Prospect / marketing contacts: 12 months from last meaningful contact; opted-out entries retained on a suppression list (email + reason) indefinitely to prevent re-contact.
- Discovery / audit bookings: 12 months from call date.
- Signed client contracts and invoices: Term of the contract plus 6 years (HMRC record-keeping).
- Client operational data we process as a processor: Deleted or returned within 30 days of contract termination, per our DPA.
- Automation run logs: 12 months rolling.
- Security event logs: 24 months.
- Incident / breach records: At least 5 years, for regulator evidence.
Our full retention schedule is documented internally at legal/DATA_RETENTION_POLICY.md and available on request.
8. Cookies
Our website currently sets no cookies and does not use browser-based analytics or tracking. The only third-party requests the site makes are to Google Fonts for typography.
If we introduce analytics in future we will update this policy, choose a cookieless tool where possible (such as Plausible), and — if any non-essential cookies are set — add a consent banner that asks for your permission first.
You can control cookies generally through your browser settings.
9. Your Rights
Under UK GDPR, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data (subject to legal obligations).
- Right to restrict processing: Request that we limit how we use your data.
- Right to data portability: Request your data in a machine-readable format.
- Right to object: Object to processing based on legitimate interest, including direct marketing.
To exercise any of these rights, contact us at hello@clearrun.uk. We will respond within one month.
10. Complaints
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
We would appreciate the chance to address your concerns before you contact the ICO, so please reach out to us first.
11. International Transfers
Some of our service providers (including AI API providers) may process data outside the UK. Where this happens, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions, in compliance with UK GDPR.
12. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated “Last updated” date. We encourage you to review this policy periodically.
13. Contact Us
If you have any questions about this privacy policy or our data practices, please contact us:
- Email: hello@clearrun.uk