Who We Are
iPaha Ltd ("iPaha", "we", "us", or "our") is a software and AI consultancy registered in England and Wales. We provide AI systems, custom software development, smart business websites, and system integration services to UK small service businesses.
For the purposes of UK data protection law, iPaha Ltd is the data controller responsible for your personal data collected through our website (ipaha.co.uk), our client portal, and any services we provide.
Company: iPaha Ltd
Registered in: England and Wales
Address: London, United Kingdom
Email: hello@ipaha.co.uk
Website: www.ipaha.co.uk
Data We Collect
We collect personal data in the following ways:
2.1 Data you provide directly
- Contact form submissions: Full name, business name, business type, email address, phone number (optional), description of your operational challenge, services of interest, budget range, timeline, and how you heard about us.
- Consultation bookings: Contact details and scheduling preferences submitted through our booking system (Cal.com or Calendly).
- Client portal: Email address used to authenticate access; messages and communications sent through the portal; support tickets submitted.
- Email correspondence: Name, email address, and any information included in emails you send to us at hello@ipaha.co.uk.
- Newsletter sign-up: Email address, if you choose to subscribe to our Insights publication.
2.2 Data collected automatically
- Analytics data: Pages visited, time spent, referring URLs, browser type, device type, and approximate geographic location (via Google Analytics 4). This data is anonymised and aggregated.
- Technical data: IP address, browser and device information, and session data collected via cookies and similar technologies.
- Chatbot interactions: Queries submitted to our AI chatbot. These are processed to generate responses and may be reviewed to improve the service. No personally identifiable information is required to use the chatbot.
2.3 Data from third parties
- We may receive basic profile information (name, job title, company) if you connect with us via LinkedIn.
- If you were referred to us by a third party, we may receive your contact details for the purpose of following up on that referral.
We do not collect special category data (such as health, race, religion, or biometric data), financial data beyond invoicing purposes, or data from children under 16. We do not purchase third-party marketing lists.
How We Use Your Data
We use your personal data only for the purposes described at the time of collection, or as permitted by law. Specifically:
| Purpose | Data used | Legal basis |
|---|---|---|
| Responding to consultation enquiries | Name, email, business details, challenge description | Legitimate interests / Pre-contractual steps |
| Providing our services to clients | All client data shared during the project | Contract performance |
| Managing the client portal | Email, portal messages, support tickets, invoices | Contract performance |
| Sending invoices and processing payments | Name, email, business name, payment details | Contract performance / Legal obligation |
| Improving our website and services | Anonymised analytics data | Legitimate interests |
| Sending the iPaha Insights newsletter | Email address | Consent |
| Responding to support and enquiry emails | Name, email, enquiry content | Legitimate interests |
| Complying with legal obligations | As required by applicable law | Legal obligation |
| Operating the AI chatbot | Query text (anonymised) | Legitimate interests |
We will never sell your personal data to third parties or use it for purposes incompatible with those stated above without your explicit consent.
Legal Basis for Processing
Under UK GDPR, we process personal data on the following legal bases:
- Contractual necessity (Article 6(1)(b)): Processing required to perform a contract with you — including providing our services, managing the client portal, and invoicing.
- Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, including responding to enquiries, improving our services, and operating our website securely. We always balance these interests against your rights.
- Legal obligation (Article 6(1)(c)): Processing required to comply with applicable law, including financial record-keeping obligations.
- Consent (Article 6(1)(a)): For newsletter subscriptions and non-essential cookies, where you have given clear, specific, and freely withdrawable consent.
Where processing is based on consent, you may withdraw that consent at any time by emailing hello@ipaha.co.uk or using the unsubscribe link in our emails. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Data Sharing & Third Parties
We share your data only where necessary and with appropriate safeguards in place. We do not sell your data. Current third-party processors include:
| Service provider | Purpose | Data location |
|---|---|---|
| Vercel Inc. | Website hosting and API functions | EU/US (Privacy Shield successor frameworks) |
| Supabase Inc. | Client portal database (when configured) | EU (AWS eu-west region) |
| Anthropic PBC | AI chatbot responses (query text only) | US (standard contractual clauses) |
| Google Analytics | Anonymised website analytics | EU/US (data anonymisation enabled) |
| Resend Inc. / SendGrid | Transactional email notifications | EU/US |
| Cal.com / Calendly | Consultation booking scheduling | EU/US |
| Stripe / GoCardless | Invoice payment processing (when enabled) | EU |
Each processor is bound by a Data Processing Agreement (DPA) or equivalent contractual safeguards. We will update this list as our technology stack evolves.
Disclosure to authorities
We may disclose your data to law enforcement or regulatory authorities where required by applicable law, or to protect the rights, property, or safety of iPaha Ltd, our clients, or the public.
Data Retention
We retain personal data only as long as necessary for the purposes it was collected, or as required by law:
- Consultation enquiries (not converted to clients): 12 months from last contact, then securely deleted.
- Client project data: Duration of the project plus 7 years (to comply with UK HMRC financial record-keeping requirements).
- Invoices and financial records: 7 years from the end of the financial year, as required by the Companies Act 2006.
- Client portal data: Duration of the active client relationship plus 2 years.
- Newsletter subscribers: Until you unsubscribe. We conduct annual list hygiene to remove inactive subscribers.
- Website analytics: 26 months (Google Analytics default), after which data is automatically deleted.
- Chatbot queries: 30 days for monitoring purposes, then deleted. No personally identifiable data is retained.
When your data is no longer required, we securely delete or anonymise it. You may request earlier deletion subject to our legal obligations — see Section 7 ("Your Rights").
Your Rights
Under UK GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, email hello@ipaha.co.uk with the subject line "Data Rights Request".
- Right of access (Article 15): You may request a copy of the personal data we hold about you (a "Subject Access Request"). We will respond within 30 days.
- Right to rectification (Article 16): You may request that inaccurate or incomplete data be corrected.
- Right to erasure / "right to be forgotten" (Article 17): You may request deletion of your data where we no longer have a lawful basis to retain it. Note that we may be required to retain certain data by law (e.g. financial records).
- Right to restriction of processing (Article 18): You may ask us to restrict how we process your data in certain circumstances.
- Right to data portability (Article 20): Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format.
- Right to object (Article 21): You may object to processing based on legitimate interests, including direct marketing. We will stop unless we can demonstrate compelling legitimate grounds.
- Rights related to automated decision-making: We do not make solely automated decisions that produce significant legal effects. Our AI chatbot provides information only and does not make decisions about individuals.
We will respond to all valid requests within one calendar month. If a request is complex or we receive a high volume, we may extend this by a further two months — we will notify you if this applies. Responses are free of charge unless requests are manifestly unfounded or excessive.
Cookies
Our website uses cookies and similar technologies. A cookie is a small text file stored on your device. For full details, see our Cookie Policy. In summary:
- Strictly necessary cookies: Required for the website to function (e.g. session cookies, security tokens, client portal authentication). These do not require consent.
- Analytics cookies: Google Analytics 4, used to understand how visitors use our site. We have enabled IP anonymisation. These require your consent.
- Preference cookies: Remember your choices (e.g. cookie consent preferences). These require consent.
You can manage your cookie preferences at any time by clearing your browser cookies or adjusting your browser settings. Withdrawing consent for analytics cookies will not affect website functionality.
Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures including:
- HTTPS encryption for all data in transit (TLS 1.2+)
- Secure, encrypted storage for all data at rest
- Access controls — data is accessible only to those who need it
- Regular security reviews of our third-party service providers
- Passwordless authentication for the client portal (one-time codes)
- API keys and credentials stored in environment variables, never in code
No method of data transmission over the internet is 100% secure. While we take all reasonable precautions, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay as required by UK GDPR Article 34.
Children's Privacy
Our website and services are intended for business owners and professionals. We do not knowingly collect personal data from individuals under the age of 16. Our client portal requires email authentication and is intended exclusively for adults.
If you believe we have inadvertently collected data from a child under 16, please contact us immediately at hello@ipaha.co.uk and we will delete such data promptly.
International Data Transfers
Some of our third-party service providers are located outside the UK/EEA (notably Vercel and Anthropic, both US-based). Where data is transferred internationally, we ensure appropriate safeguards are in place:
- UK adequacy regulations (where applicable)
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
- The UK International Data Transfer Agreement (IDTA) where required
- Transfers to countries with UK adequacy decisions
You can request details of the specific safeguards we rely on for any particular transfer by contacting hello@ipaha.co.uk.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify active clients by email.
We encourage you to review this policy periodically. Continued use of our website or services after changes have been made constitutes acceptance of the updated policy.
Contact & Complaints
For any questions, requests, or concerns about this policy or how we handle your personal data, please contact us:
Email: hello@ipaha.co.uk
Subject line: "Privacy Enquiry" or "Data Rights Request"
Response time: We aim to respond within 5 business days for general enquiries, and within 30 days for formal data rights requests.
Right to lodge a complaint
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data protection authority:
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
We would always prefer the opportunity to address your concerns directly before you contact the ICO — please reach out to us first.