Website Privacy Policy

Civika AI Ltd

Effective Date: 10 June 2025 

Last Updated: 30 March 2026

1. Who We Are

Civika AI Ltd is the data controller of your personal data.

Registered address: Clyde Offices, 2nd Floor, 48 West George Street, Glasgow, G2 1BP, United Kingdom

Companies House number: SC850935

Email: connect@civikaai.com

Civika AI Ltd is a Scottish AI governance company providing responsible AI governance frameworks, advisory services, and decision infrastructure to public sector and regulated organisations.

2. What Data We Collect

We may collect the following categories of personal data:

Identity Data: name, title, and business name where applicable.

Contact Data: email address and phone number.

Technical Data: IP address, browser type, time zone, and device identifiers collected through website analytics.

Behavioural Data: page interactions, click patterns, scroll depth, and session recordings collected through Microsoft Clarity where you have given consent to analytics cookies.

Usage Data: information about how you use our website, services, or digital tools.

Marketing Data: your preferences in receiving marketing communications from us.

Correspondence Data: the content of emails, enquiries, or consultation notes you share with us directly.

We do not collect special category personal data as defined under UK GDPR Article 9, such as health data, racial or ethnic origin, political opinions, or biometric data, through our website or standard service delivery.

3. How We Collect Your Data

We collect personal data through the following methods:

Direct interactions: when you complete a contact form, sign up to our newsletter, enquire about services, or correspond with us by email.

Automated technologies: cookies and analytics tools that collect technical and usage data as you interact with our website. See our separate Cookies Policy for full details.

Third-party platforms: where you subscribe to our newsletter through Beehiiv, MailerLite, or SendFox, those platforms collect your data on our behalf subject to their own privacy terms and our Data Processing Agreements with them.

4. Legal Basis for Processing

Under UK GDPR, we rely on the following lawful bases for processing your personal data:

Consent: where you have opted in to receive marketing communications or newsletter content from us. You may withdraw consent at any time.

Contract: where processing is necessary to deliver services you have requested or to take steps prior to entering into a contract with us.

Legitimate Interests: where we have a legitimate business interest in processing your data, such as understanding how our website is used or improving our services, and where that interest is not overridden by your rights and interests.

Legal Obligation: where we are required to process your data to comply with a legal or regulatory obligation.

5. How We Use Your Data

We use your personal data to:

deliver and manage services or digital products you have requested; respond to enquiries and provide support; send marketing emails and newsletters where you have given consent; analyse website usage and improve our site and services; comply with legal and regulatory requirements; administer our business operations including invoicing and record keeping.

6. Sharing Your Information

6.1 What We Do Not Do

Civika AI Ltd does not sell, rent, or trade your personal data to any third party under any circumstances.

6.2 Third-Party Processors

We share personal data only with trusted third-party service providers who process data on our behalf as data processors. A Data Processing Agreement is in place with each provider. These are listed in full in Section 7 of this policy.

In summary, data may be shared with the following categories of processor:

Email and productivity services: Microsoft 365 Business Basic, covering business email and document storage.

Email marketing platforms: SendFox, MailerLite, and Beehiiv, for newsletter and marketing communications only, and only where you have provided consent to receive such communications.

AI tools: Claude (Anthropic), ChatGPT (OpenAI), and Google Gemini Pro, used to support service delivery and business operations as described in Section 15.

Content and presentation tools: Gamma and Napkin.AI, used for business content creation.

Website platform: WordPress with Thrive Themes, for website hosting and functionality.

6.3 Professional Advisers

We may share personal data with professional advisers including legal advisers, accountants, and insurance providers where this is necessary for the operation of the business. All professional advisers are bound by confidentiality obligations.

6.4 Legal Requirements

We may disclose personal data to government bodies, regulators, or law enforcement agencies where we are legally required to do so, including to the Information Commissioner's Office, HMRC, or Police Scotland.

6.5 Business Transfers

In the event that Civika AI Ltd is sold, merged, or transferred to another entity, personal data held by the company may be transferred as part of that transaction. We will notify affected individuals in advance where reasonably practicable and where permitted by law.

6.6 No Other Sharing

Personal data is not shared with any other third party without your explicit prior consent, except as described in this section.

7. International Transfers and Third-Party Data Processors

7.1 Our Approach

Civika AI Ltd uses a small number of carefully selected third-party tools and platforms to deliver our services and operate our business. Each provider has been selected on the basis that they offer documented data protection commitments appropriate to UK GDPR requirements. Where these providers process data outside the United Kingdom, we ensure that adequate safeguards are in place as described below.

7.2 Our Third-Party Processors

The following providers process data on our behalf as data processors. A Data Processing Agreement is in place with each provider.

Microsoft 365 Business Basic (Microsoft Corporation). Purpose: business email (connect@civikaai.com), document storage (OneDrive for Business), and team communications. Data location: primarily UK and EEA data centres with standard contractual clauses in place for any transfers beyond these regions. DPA: microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.

SendFox (AppSumo). Purpose: email marketing communications. Data location: United States. Transfer mechanism: Standard Contractual Clauses. DPA: sendfox.com/dpa.

MailerLite. Purpose: email marketing communications and audience management. Data location: European Union and United States. Transfer mechanism: Standard Contractual Clauses. DPA: mailerlite.com/legal/data-processing-agreement.

Beehiiv. Purpose: newsletter distribution and subscriber management (responsible-ai-insights.beehiiv.com). Data location: United States. Transfer mechanism: Standard Contractual Clauses. DPA: confirmed in place.

Gamma. Purpose: AI-assisted presentation and content creation. Data location: United States. Transfer mechanism: Standard Contractual Clauses. DPA: confirmed in place.

Napkin.AI. Purpose: AI-assisted visual content creation. Data location: United States. Transfer mechanism: Standard Contractual Clauses. DPA: confirmed in place.

Microsoft Clarity (Microsoft Corporation). Purpose: website behaviour analytics including session recordings, heatmaps, and visitor interaction data to help us understand and improve how visitors use civikaai.com. Data location: United States. Transfer mechanism: Standard Contractual Clauses. DPA: covered under existing Microsoft 365 Business Basic Data Processing Agreement. Privacy terms: privacy.microsoft.com/privacystatement.

WordPress and Thrive Themes. Purpose: website hosting and functionality for civikaai.com. Data location: dependent on hosting provider. Please refer to our hosting provider's privacy terms for data location details.

7.3 Artificial Intelligence Tools

The following AI tools are used to support service delivery, content creation, and business operations. Each is used under a paid subscription with enhanced data protection provisions. None of these providers use paid-subscription inputs to train their models by default.

Claude (Anthropic, paid subscription). Purpose: drafting, research, and content development. Data location: United States. Transfer mechanism: Standard Contractual Clauses. Privacy terms: privacy.anthropic.com.

ChatGPT (OpenAI, paid subscription). Purpose: drafting, research, and content development. Data location: United States. Transfer mechanism: Standard Contractual Clauses. Privacy terms: openai.com/privacy.

Google Gemini Pro (Google DeepMind, paid subscription). Purpose: drafting, research, and content development. Data location: United States and global Google infrastructure. Transfer mechanism: Standard Contractual Clauses. Privacy terms: policies.google.com.

7.4 What We Do Not Do

We do not sell personal data to any third party. We do not transfer personal data to any provider that does not have a Data Processing Agreement or equivalent data protection commitment in place. We do not input special category personal data, financial data, contact data such as email addresses or phone numbers, or sensitive client information into any AI tool.

7.5 Personal Cloud Storage

Civika AI Ltd does not use personal consumer cloud storage accounts for business data. Business documents are stored exclusively in OneDrive for Business under our Microsoft 365 Business Basic subscription, which carries a full Data Processing Agreement with Microsoft.

7.6 Staying Current

We review our processor list and associated data protection agreements annually and whenever we adopt a new tool or platform. If you have questions about a specific provider or transfer mechanism, please contact us at connect@civikaai.com.

8. Data Retention

We retain your personal data only for as long as necessary for the purpose for which it was collected, subject to the following specific retention periods:

Newsletter and marketing data: retained until you unsubscribe, or after 24 months of inactivity, whichever is sooner.

Client and enquiry data: retained for six years from the date of last contact or completion of services, to comply with tax and legal obligations.

Website analytics data: anonymised or deleted after 12 months.

Correspondence data: retained for six years unless you request earlier deletion and we have no legal obligation to retain it.

When data is no longer required, it is securely deleted or anonymised.

9. Your Rights

9.1 Your Rights Under UK GDPR

As a data subject under UK GDPR, you have the following rights in relation to your personal data held by Civika AI Ltd:

Right of access: you have the right to request a copy of the personal data we hold about you. This is known as a Subject Access Request.

Right to rectification: you have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

Right to erasure: you have the right to request that we delete your personal data where there is no legitimate reason for us to continue processing it.

Right to restrict processing: you have the right to request that we restrict the processing of your personal data in certain circumstances, for example where you contest its accuracy.

Right to data portability: where we process your data on the basis of consent or contract and by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.

Right to object: you have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop processing your data for that purpose immediately.

Right not to be subject to automated decision-making: you have the right not to be subject to a decision based solely on automated processing, including profiling, where this produces a legal or similarly significant effect on you. Civika AI Ltd does not currently make solely automated decisions about individuals.

Right to withdraw consent: where we process your data on the basis of consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

9.2 How to Exercise Your Rights

To exercise any of the above rights, please contact us at connect@civikaai.com with the subject line Data Rights Request. Please include your full name and sufficient information to identify the data you are requesting.

We will acknowledge your request within five working days and respond in full within one calendar month of receipt, as required by UK GDPR Article 12. In complex cases we may extend this by a further two months, in which case we will notify you within the first calendar month.

We will not charge a fee for handling your request unless it is manifestly unfounded or excessive.

9.3 Complaints

If you are unhappy with how we have handled your personal data or a rights request, you have the right to lodge a complaint with the Information Commissioner's Office, the UK supervisory authority for data protection.

ICO website: ico.org.uk

ICO helpline: 0303 123 1113

ICO postal address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would always prefer the opportunity to address your concerns directly before you contact the ICO, and invite you to contact us at connect@civikaai.com in the first instance.

10. Cookies

We use cookies and similar technologies on our website for analytics, functionality, and where you have given consent, marketing purposes.

When you first visit our website you will be presented with a cookie banner allowing you to accept all cookies, reject non-essential cookies, or customise your preferences. Non-essential cookies are not activated until you have given your consent.

For full details of the cookies we use, the purposes for which we use them, and how to manage your preferences, please see our separate Cookies Policy at civikaai.com/website-cookies-policy.

11. Data Security

11.1 Our Approach

Civika AI Ltd takes the security of personal data seriously. As a company whose work centres on governance and responsible decision-making, we hold ourselves to a higher standard than the minimum required by law. The measures below reflect our current technical and organisational arrangements as a small, remote-first business.

11.2 Technical Measures

Email and communications: all business email is hosted on Microsoft 365 Business Basic (connect@civikaai.com), which includes encryption in transit and at rest, multi-factor authentication capability, and Microsoft's enterprise-grade security infrastructure.

Document storage: business documents are stored exclusively in OneDrive for Business under our Microsoft 365 Business Basic subscription. OneDrive for Business provides encryption at rest and in transit, access controls, and version history. Personal consumer cloud storage accounts are not used for business data.

Website: civikaai.com is hosted on WordPress with SSL encryption in place. Access to the WordPress administration panel is protected by password and limited to authorised users only.

Device security: business work is conducted on password-protected devices. We apply operating system and software updates promptly to maintain security patch levels.

AI tools: all artificial intelligence tools used by Civika AI Ltd are paid subscription services with enhanced data protection provisions. We do not use free-tier AI tools for any work involving client or business data. See Section 15 for full details.

11.3 Organisational Measures

Data minimisation: we collect and process only the personal data necessary for the specific purpose for which it was collected.

Access controls: as a sole director company, access to personal data is limited to SuMani (Sudha Mani), Director, and any contractors or placement students engaged under a signed Data Protection and Confidentiality Agreement.

AI prompting practice: our default practice when using AI tools is to anonymise or pseudonymise information before inputting it into any AI system. We do not input email addresses, phone numbers, bank details, financial data, health data, or special category personal data into any AI tool.

Confidentiality agreements: any contractor, placement student, or adviser who accesses personal data in the course of working with Civika AI Ltd is required to sign a Data Protection and Confidentiality Agreement before commencing work.

11.4 Current Limitations and Honest Disclosure

Civika AI Ltd is an early-stage company. We do not currently hold formal ISO 27001 certification, a dedicated Information Security Management System, or a full-time data protection function. We are a sole director business operating with lean infrastructure appropriate to our current scale.

What we do have is a documented and deliberate approach to data handling, a compliant tool stack with Data Processing Agreements in place with all third-party processors, and a commitment to reviewing and improving our security posture as the business grows. We are working towards Cyber Essentials certification as part of our commitment to continuous improvement in information security.

We believe transparency about our current position is more appropriate than overstating our capabilities, particularly given the nature of our work in AI governance.

11.5 Data Breach Response

In the event of a personal data breach, Civika AI Ltd will assess the risk to individuals without undue delay. Where the breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to individuals, we will also notify the affected individuals directly.

We maintain an internal record of any data breaches, including those that do not meet the threshold for ICO notification, as required by UK GDPR Article 33(5).

11.6 Reporting a Security Concern

If you become aware of or suspect a data security issue involving your personal data held by Civika AI Ltd, please contact us immediately at connect@civikaai.com. We will acknowledge your report within 48 hours and investigate promptly.

12. Third-Party Links

Our website may include links to third-party websites, plugins, or applications. Clicking on these links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every website you visit.

13. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our data processing activities, our tool stack, or applicable law. The latest version, with the date of the most recent update, will always be available at civikaai.com/privacy-policy.

Where changes are material, we will notify active contacts and newsletter subscribers by email before the changes take effect. Continued use of our website after changes are published constitutes acceptance of the updated policy.

14. Contact and Data Controller Details

14.1 Data Controller

The data controller for personal data processed through this website and in connection with Civika AI Ltd services is:

Civika AI Ltd

Registered in Scotland

Companies House number: SC850935

Registered address: Clyde Offices, 2nd Floor, 48 West George Street, Glasgow, G2 1BP, United Kingdom

14.2 Data Protection Contact

Civika AI Ltd does not meet the threshold requiring the appointment of a Data Protection Officer under UK GDPR Article 37. We are not a public authority, we do not carry out large-scale systematic monitoring of individuals, and we do not process special category data at scale.

All data protection queries, rights requests, and complaints should be directed to:

SuMani (Sudha Mani), Director

Email: connect@civikaai.com

Subject line: Data Rights Request

Response time: acknowledgement within five working days, substantive response within one calendar month.

14.3 ICO Registration

Civika AI Ltd is in the process of registering with the Information Commissioner's Office as a data controller. ICO registration is a legal requirement and completion of registration is a priority action for the company. This section will be updated with our ICO registration number upon completion.

If you have any questions about our data protection obligations in the interim, please contact us at connect@civikaai.com.

15. Use of Artificial Intelligence Tools

15.1 Tools We Use

Civika AI Ltd uses the following artificial intelligence tools in the course of delivering services, creating content, and managing business operations:

Claude (Anthropic, paid subscription)

ChatGPT (OpenAI, paid subscription)

Google Gemini Pro (Google DeepMind, paid subscription)

Gamma (AI-assisted presentation tool)

Napkin.AI (AI-assisted visual content tool)

All tools are used under paid subscriptions which include enhanced data protection provisions. None of the above providers use paid-subscription user inputs to train their models by default.

15.2 What Data We Process Through AI Tools

In the course of using these tools, we may process the following categories of data:

Business names and organisation names, where relevant to the work being undertaken.

Individual names, only where operationally necessary and where no anonymised alternative is practical.

Our own business content including draft documents, frameworks, and written materials.

Publicly available information relevant to research or analysis tasks.

We do not input the following into any AI tool: email addresses, phone numbers, bank details, financial data, health data, or any special category personal data as defined under UK GDPR Article 9.

15.3 Our Default Practice

Our default approach is to anonymise or pseudonymise information before using it in AI tool prompts. Where individual or organisation names are used, this is limited to what is strictly necessary for the task. We review this practice regularly and formalise anonymisation requirements within our client engagement process.

15.4 Legal Basis

Where personal data is processed through AI tools, the legal basis is legitimate interests (UK GDPR Article 6(1)(f)), specifically the legitimate interest in delivering efficient, high-quality services. We have assessed that this processing does not override the rights and interests of the individuals concerned, given the limited categories of data involved, the use of paid-subscription tools with enhanced data protection terms, and our default anonymisation practice.

Where client personal data is processed through AI tools as part of a specific engagement, this will be disclosed in the relevant service agreement and the legal basis will be contract (UK GDPR Article 6(1)(b)) or consent (UK GDPR Article 6(1)(a)) as appropriate.

15.5 Third-Party AI Provider Terms

Each AI provider operates under its own privacy policy and data processing terms. We encourage you to review these directly:

Anthropic (Claude): privacy.anthropic.com

OpenAI (ChatGPT): openai.com/privacy

Google DeepMind (Gemini): policies.google.com

Gamma: gamma.app/privacy

Napkin.AI: napkin.ai/privacy

15.6 Human Oversight

No AI-generated output is used in client deliverables, published content, or business decisions without human review and judgement. AI tools support our work; they do not replace professional oversight.

15.7 Opt-Out

If you are a client or prospective client and wish to request that your information is not processed through third-party AI tools, please contact us at connect@civikaai.com. We will accommodate this request where operationally possible and document the arrangement in your service agreement.

© 2025-2026 Civika AI Ltd. All rights reserved.