Skip to content

Legal

Privacy policy

This notice explains how Governance AI Ltd handles personal data when you visit this website or contact us by email. We keep what we collect to a minimum and tell you plainly why we hold it.

Last updated 31 May 2026.

Who we are

Governance AI Ltd ("we", "us", "our") is the data controller for the personal data described in this notice. We are a company registered in England and Wales, company number 16359543, based in London and Birmingham, United Kingdom. You can reach us about anything in this notice at hamada@governanceai.io.

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

What this notice covers

This notice covers the public marketing website at governanceai.io and email enquiries sent to us. It does not cover any separate product or client engagement we deliver under its own contract and data-processing terms; those are governed by the agreement we put in place with you.

The personal data we collect

This is a marketing website. It has no account sign-up, no login and no online payments, so the data we collect is limited:

  • Email enquiries. When you email us, we receive your name, email address and anything you choose to put in your message.
  • Technical website data. Like most websites, our hosting provider may automatically log standard technical information for security and reliability, for example your IP address, browser type and the pages you request. This is used to keep the site running and protect it from abuse, not to build a profile of you.
  • Preferences stored on your device. We may store a light/dark theme preference locally in your browser. This is a preference setting, not a tracking identifier. See our cookie notice for detail.

We do not knowingly collect special category data through this website, and we ask that you do not include sensitive personal information in an unsolicited email.

How we use your data and our lawful bases

Under the UK GDPR we must have a lawful basis for each use of your personal data. Ours are:

  • Responding to your enquiry. Lawful basis: our legitimate interests (Article 6(1)(f)) in answering people who get in touch and in discussing whether we can help. Where your enquiry leads towards an engagement, we may also rely on steps taken at your request before entering a contract (Article 6(1)(b)).
  • Operating and securing the website. Lawful basis: our legitimate interests in keeping the site available, performing and protected from misuse.
  • Meeting our legal obligations. Lawful basis: legal obligation, where we are required to retain or disclose information by law.

Where we rely on legitimate interests, we have considered your rights and freedoms and limited what we collect accordingly. You can object to processing based on legitimate interests at any time (see "Your rights" below).

Analytics and measurement

We measure how this website is used so we can improve it. By default we use privacy-first, cookieless analytics (PostHog, hosted in the European Union) that set no cookies, store nothing on your device, and are not designed to identify you. Where any of this involves personal data, our lawful basis is our legitimate interests (Article 6(1)(f)) in understanding and improving the site; because the measurement does not identify individuals, the impact on your privacy is low. You can opt out at any time from our cookie settings.

With your consent, we may also use Google Analytics, which sets cookies and shares data with Google as a separate controller, including transfers outside the UK (see "International transfers"). It is off by default and runs only if you accept it; our lawful basis is your consent (Article 6(1)(a)), and you can withdraw it at any time from our cookie settings. We do not use advertising cookies on this website.

Who we share your data with

We do not sell your personal data and we do not share it for advertising. We rely on a small number of service providers to run the website and our email, for example a website hosting provider, an email provider and our privacy-first analytics provider (PostHog, in the EU). These providers act as our processors and may only use your data on our documented instructions. If you consent to Google Analytics, Google receives analytics data as a separate controller; you can withdraw that consent at any time.

We may also disclose information where we are required to do so by law, or to establish, exercise or defend legal claims.

International transfers

We aim to keep personal data within the UK or the European Economic Area wherever practicable. Where a provider processes data outside the UK, we rely on a lawful transfer mechanism recognised under UK data protection law, such as UK adequacy regulations or the International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses), together with appropriate safeguards. For example, if you consent to Google Analytics, your data is shared with Google and may be transferred to the United States under such a mechanism. You can ask us for more detail about the transfers relevant to you.

How long we keep your data

We keep personal data only for as long as we need it for the purpose we collected it:

  • Email enquiries are kept for as long as needed to deal with your enquiry and any follow-up, and then for a reasonable period afterwards in case you come back to us. We review and remove correspondence we no longer need.
  • Technical website logs are kept for a short period for security and diagnostics, in line with our provider's retention settings.

Your rights

Under the UK GDPR you have rights over your personal data. Subject to the conditions in the legislation, you can:

  • ask for a copy of the personal data we hold about you (access);
  • ask us to correct data that is inaccurate or incomplete;
  • ask us to erase your data ("right to be forgotten");
  • ask us to restrict how we use your data;
  • object to processing based on our legitimate interests;
  • ask us to port certain data to you or another controller, where that right applies;
  • where we rely on consent for anything, withdraw that consent at any time, without affecting processing already carried out.

To exercise any of these rights, email us at hamada@governanceai.io. We will respond within one month, and we will not charge you a fee unless your request is clearly unfounded or excessive.

Automated decision-making

This website does not make automated decisions about you that produce legal or similarly significant effects.

How to complain

We would prefer the chance to put things right, so please contact us first at hamada@governanceai.io. You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at ico.org.uk or by calling its helpline.

Changes to this notice

We may update this notice from time to time. When we do, we will change the "Last updated" date at the top of the page. Material changes will be made clear on this page.