Privacy Policy — AgentifAI

01 — Who we areThe data controller.

This privacy policy applies to AgentifAI Limited ("AgentifAI", "we", "us", "our"), a company registered in England & Wales. We are the data controller responsible for the personal data described in this policy.

Legal name

AgentifAI Limited

Company number

17118004 — Registered in England & Wales

Registered address

33 Porthill Gardens, Shrewsbury, Shropshire, SY3 8SB, United Kingdom

Privacy contact

hello@agentifai.co.uk

ICO registration

Application pending under reference C1916788. AgentifAI has submitted registration to the UK Information Commissioner's Office as a data controller and paid the annual data protection fee by Direct Debit. Our full ZA registration number will be published here once issued by the ICO.

02 — ScopeWhat this policy covers.

This policy applies to personal data processed by AgentifAI in three contexts:

Visitors to our website at agentifai.co.uk — including anyone browsing our pages, submitting an enquiry, or interacting with embedded analytics.
Prospective and current clients — individuals at businesses who contact us, enter into an engagement with us, or receive our deliverables.
Data accessed on our clients' behalf — specifically, data held within our clients' Google Ads accounts that we access under their explicit authorisation to deliver diagnostic and advisory services. For this data, our clients are the data controllers and AgentifAI acts as a data processor.

This policy does not cover third-party websites linked from our site, or services operated by our clients.

03 — What we collectPersonal data categories.

Data collected automatically via our website

Analytics data via Google Analytics 4 — anonymised information about pages visited, referral source, approximate geographic location (country / region), device type, browser, session duration, and events. IP addresses are truncated and not stored in full.
Server logs retained by our hosting provider (Netlify) — including IP address, timestamp, and requested URL, used for security monitoring and abuse prevention.

Data you give us directly

Contact information — name, email address, business name, phone number (where provided), and any information you include in the body of an enquiry.
Engagement information — details about your business, commercial objectives, and existing systems, shared during discovery and delivery of our services.
Billing information — invoicing details sufficient to process payment. Payment card numbers are never stored by AgentifAI; payment processing (when applicable) is handled by a regulated third-party provider.

Data we access under client authorisation

Google Ads performance data — campaign, ad group, keyword, search term, ad, and asset-group performance metrics. This may include aggregated user behaviour signals such as click, impression and conversion counts. We do not access personally identifiable information about end-users of our clients' advertising campaigns.
Linked analytics data — where the client links their Google Analytics 4 property to their Google Ads account, we may read session, revenue and conversion data for reporting purposes.

04 — Why we process itPurposes & lawful bases.

Operating the website

Serving pages, preventing abuse and measuring traffic. Lawful basis: legitimate interest — operating a business website and understanding its usage.

Analytics

Understanding how visitors find and use our website. Lawful basis: legitimate interest. No advertising cookies are set from our website.

Responding to enquiries

Answering questions, sending proposals, arranging meetings. Lawful basis: steps taken at your request prior to entering a contract, or legitimate interest in responding to business enquiries.

Delivering engagements

Producing the audits, strategies, roadmaps and advisory work our clients engage us for. Lawful basis: performance of a contract.

Client Google Ads data

Producing diagnostic and strategic output for the client who has authorised access. Lawful basis: performance of a contract (with the client as data controller). AgentifAI acts as a data processor for this category.

Legal & financial obligations

Meeting tax, accounting, and statutory record-keeping requirements. Lawful basis: legal obligation.

05 — Google Ads API dataHow we handle your advertising data.

AgentifAI accesses our clients' Google Ads accounts via the official Google Ads API, under a developer token issued to AgentifAI Limited and under scoped OAuth 2.0 authorisation granted by each client. This section sets out how that data is handled, in line with Google's API policy requirements.

What we access

We access the minimum data required to deliver a client's engagement — typically campaign structure, ad group and keyword performance, search term reports, ad performance, and aggregated conversion data. We do not access billing information, account-level credentials, or user-management settings.

How we store it

Data retrieved from the Google Ads API is stored in a PostgreSQL database hosted within the UK or EEA, partitioned by client customer ID, with row-level security enforcing strict isolation between clients. All data is encrypted in transit (TLS 1.2+) and at rest.

What we never do

We never sell or licence client Google Ads data to any third party.
We never use client Google Ads data to train machine-learning models that operate outside of the specific client's engagement.
We never use one client's data to inform another client's work, beyond anonymised, aggregated benchmarking where explicitly agreed in the engagement letter.
We never share Google Ads data with advertisers, competitors, or adjacent service providers.
We do not modify campaigns, ads, bids, budgets, or targeting settings without the explicit, case-by-case authorisation of the client.

Retention

Data accessed under a client engagement is retained for the duration of that engagement plus 90 days, after which it is deleted unless the client has explicitly authorised continued retention for continuity of service. Clients may request earlier deletion at any time. Tokens granting API access are revoked on completion of the engagement.

Commitment to clients

Your Google Ads data exists on our systems to serve your engagement, and nothing else. When the engagement ends, the data ends with it.

06 — Cookies & similar technologiesWhat we set on your device.

Our website uses a small number of cookies and similar technologies. We do not use advertising cookies, behavioural profiling, or cross-site tracking.

_ga, _ga_*

Google Analytics 4 — distinguishes unique visitors and measures session activity. Expires after 2 years. IP addresses are truncated.

Session cookies

Set by our hosting provider for basic site operation. Expire when you close your browser.

You can disable cookies through your browser settings, or opt out of Google Analytics directly via the Google Analytics opt-out browser add-on. Disabling cookies will not affect your ability to use the website.

07 — Who we share it withSub-processors & recipients.

We use a small number of carefully selected third-party services ("sub-processors") to operate our business. Each is bound by its own data protection obligations. We do not sell personal data to anyone, and we do not share it with advertising networks.

Netlify

Website hosting and delivery. Processes IP addresses and request metadata as part of standard web serving. Data location: US / EEA.

IONOS

Domain registration and email infrastructure. Data location: EEA (Germany).

Google (Analytics & Ads API)

Analytics measurement (website) and API access to client advertising accounts (under authorisation). Data location: global Google infrastructure with EU standard contractual clauses in place.

Anthropic

Provider of the Claude AI models we use for analytical processing. Anthropic does not train on API data passed through their service. Data location: US with EU standard contractual clauses.

Professional advisors

Accountants, lawyers, and auditors where required to meet our legal obligations. Bound by professional confidentiality.

We may disclose personal data where required by law, court order, or binding regulatory request.

08 — International transfersWhere your data goes.

Some of our sub-processors are based outside the UK and EEA. Where personal data is transferred internationally, we rely on appropriate safeguards under UK GDPR Article 46 — typically the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision by the UK government. Copies of the relevant safeguards are available on request.

09 — How long we keep itRetention periods.

Website analytics

Up to 26 months from last interaction, per Google Analytics default.

Enquiry correspondence

Up to 24 months after the last contact, unless the enquiry leads to an engagement (in which case engagement retention applies).

Client engagement records

Duration of the engagement + 6 years to meet statutory record-keeping obligations for contracts and tax.

Client Google Ads data

Engagement duration + 90 days, unless continued retention is explicitly authorised. See Section 05.

Financial records

6 years from end of the accounting period, per HMRC requirements.

10 — Your rightsWhat you can ask us to do.

Under UK GDPR you have the following rights in relation to your personal data:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure — ask us to delete your data, subject to any legal obligations that require us to retain it.
Restriction — ask us to limit how we process your data.
Portability — request a copy of data you have provided to us in a structured, machine-readable format.
Objection — object to processing based on legitimate interests.
Withdraw consent — where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, email us at hello@agentifai.co.uk. We will respond within one month. There is no charge for a reasonable request. We may ask you to verify your identity before disclosing personal data.

If you are unhappy with how we handle your personal data, you have the right to complain to the Information Commissioner's Office (ico.org.uk, 0303 123 1113). We would appreciate the opportunity to resolve your concern directly first.

11 — SecurityHow we protect your data.

We maintain technical and organisational measures appropriate to the sensitivity of the data we hold. These include encryption in transit and at rest, principle-of-least-privilege access controls, audit logging, secure credential management, regular backups, and vendor due diligence on all sub-processors. Access to client data is restricted to authorised AgentifAI staff on a need-to-know basis.

No system is perfectly secure, and we cannot guarantee absolute security of data transmitted over the internet. In the unlikely event of a personal data breach that poses a risk to your rights, we will notify the ICO within 72 hours of becoming aware of it, and affected individuals where the risk is high.

12 — ChildrenUnder-18s.

Our services are directed at businesses and are not intended for use by children under 18. We do not knowingly collect personal data from children. If you believe we have collected personal data from a child, please contact us and we will delete it.

13 — Changes to this policyWhen and how we update it.

We may update this policy from time to time to reflect changes in our practices, services, or legal obligations. The effective date at the top of this page shows the most recent revision. Where changes are material, we will take reasonable steps to notify individuals affected — for example, by email to current clients. The current version will always be available at agentifai.co.uk/privacy.html.

14 — Contact usHow to reach us.

Questions about this policy, requests to exercise your rights, or anything else relating to how we handle personal data — please email hello@agentifai.co.uk. We aim to respond to all data protection enquiries within five working days, and in any case within the statutory one-month window for formal rights requests.