Privacy Policy

ELSA AI Website Privacy Statement — Effective Date: 5 October 2025

Who we are

ELSA AI Ltd (“ELSA AI”, “we”, “us”, “our”) provides consultancy services to help organisations implement the GenAI Assure™ methodology.

1) Data Controller & Contact

  • Controller: ELSA AI Ltd, 124 City Road, London, England, EC1V 2NX
  • Data Protection Contact: contact@elsaai.co.uk
  • Complaints: You can contact us, or complain to your local data protection authority (e.g., UK ICO: ico.org.uk).

2) What Personal Data We Collect

  • Website & communications: name, work email, phone, company, job title, message content, meeting notes.
  • Account & billing (if applicable): billing contact, address, PO numbers, VAT/Tax IDs.
  • Events & downloads: registrations, attendance, preferences.
  • Technical data: IP address, device/browser info, pages viewed, referrers, cookie IDs.

3) How We Collect It

  • Directly from you (forms, email, calls, meetings).
  • Automatically via cookies/analytics (see Cookies).
  • From third parties (event platforms, referrals, LinkedIn, processors we use on your instruction).

4) Why We Use Personal Data (Purposes & Legal Bases)

  • Provide and improve our services (consulting delivery, support, QA) — Performance of contract / Legitimate interests.
  • Pre-sales & enquiries (responding to requests, demos, proposals) — Legitimate interests.
  • Meetings, events, newslettersConsent (where required) / Legitimate interests.
  • Billing & accountingLegal obligation / Performance of contract.
  • Security, fraud prevention, service integrity Legitimate interests / Legal obligation.
  • RecruitmentLegitimate interests / Consent (where required).

5) AI-Specific Disclosures

We may process business contact details and communications to deliver GenAI Assure™ services (e.g., drafting policies, risk registers, evidence maps).

If we use AI tooling in delivery, we:

  • limit inputs to the minimum necessary and avoid special category data;
  • prefer private/workspace or self-hosted models where feasible;
  • apply access controls and logging;
  • do not allow providers to train on your data by contract where available;
  • redact or pseudonymise where appropriate.

If you share content for analysis (documents, prompts), you are responsible for ensuring you have a lawful basis to do so. We’ll process it as a processor under our services agreement and Data Processing Addendum (DPA).

6) Sharing Your Data

We share personal data only with:

  • Service providers (processors): hosting, email, CRM, analytics, meeting tools, document management, e-signature.
  • Professional advisers: legal, accounting, insurance.
  • Event partners (if you register for a co-hosted session).
  • Authorities where required by law.

All processors are bound by contract (DPAs) and only act on our instructions.

7) International Transfers

If data is transferred outside the UK/EU, we use lawful transfer tools (e.g., UK IDTA/EU SCCs and additional safeguards). You can request a copy of the relevant clauses.

8) Retention

We keep personal data only as long as needed for the purpose collected, then delete or anonymise it. Typical periods: enquiries (12–24 months), contracts (7 years for tax), recruiting (12 months unless you consent to a talent pool).

9) Your Rights

You may have the right to access, rectify, erase, restrict, object, or port your personal data, and to withdraw consent where processing relies on consent. Contact contact@elsaai.co.uk. We’ll respond within applicable legal timeframes.

10) Cookies & Analytics

  • We use necessary cookies for site operation and optional analytics to improve content.
  • Where required, we present a cookie banner to collect your preferences (Accept / Reject / Manage).
  • You can change preferences anytime via Cookie Settings in the footer and/or your browser settings.

Summary of tools (examples—replace with your stack):

  • Analytics: [e.g., Plausible/GA4] (IP truncation; aggregated reports).
  • Tag Manager: [e.g., GTM] (no personal data storage).
  • Session tools/Hotjar (if used): disabled by default; consent required.

11) Security

We implement organisational and technical measures appropriate to risk, including access controls, MFA/SSO for admin systems, encryption in transit/at rest (where supported), least-privilege, logging, and vendor oversight.

12) Children

Our services target businesses and are not directed at children. We do not knowingly collect children’s data.

13) Third-Party Links

Our site may include links to third-party sites or services. Their privacy policies apply to their processing.

14) Changes to This Policy

We may update this notice to remain accurate and compliant. Material changes will be highlighted on this page with a new “Last updated” date.

15) How to Contact Us

Short-form Privacy Notice (for forms & footers)

“By submitting this form, you acknowledge ELSA AI will process your details to respond to your enquiry and, if you opt in, to send updates about GenAI Assure™. We won’t sell your data. You can opt out anytime. See our full Privacy Policy for your rights, retention, cookies, and international transfers.”