Skip to main content

Privacy

Privacy policy

How Learn AI, a trading style of The AI Consultancy (London) Ltd, collects, processes, stores, and retains personal data. Includes the lawful basis for processing AI Readiness Assessment submissions and the retention schedule for those records.

Effective date: 13 May 2026.

1. Who we are

The AI Consultancy (London) Ltd is the data controller for personal data collected through learn-ai.io. Learn AI is a trading style (sub-brand) of the same company.

  • Legal name: The AI Consultancy (London) Ltd
  • Companies House number: 16138782
  • VAT registration: GB 513 7583 86
  • ICO registration: 77829110T
  • Registered office: 20 Wenlock Road, London N1 7GU, United Kingdom
  • Telephone: 020 3355 0558
  • Privacy contact: privacy@learn-ai.io
  • General contact: ai@theaiconsultancy.ai

The AI Consultancy (London) Ltd is a company registered in England and Wales.

2. What personal data we collect and why

We collect personal data through one route: the AI Readiness Assessment at /ai-readiness-assessment. The Assessment is the only personal data flow on the site. The rest of the site is brochure content.

2a. AI Readiness Assessment

The Assessment is a structured questionnaire about your firm’s AI posture. Every submission writes the following fields to our Supabase database:

  • Company name (text, required): identifies your firm in the personalised report.
  • Your name (text, required): addresses the report and any follow-up email to you.
  • Work email (text, required): sends you the personalised report and any follow-up.
  • Role (single choice: Managing Partner, Operations Director, Finance Director, HR Director, Other senior leader): calibrates the report for your seniority and remit.
  • Sector (single choice: Legal, Finance and Accounting, Consulting and Advisory, HR and Recruitment, Marketing or Agency, Other): calibrates the report for the regulators and pressures specific to your sector.
  • Headcount band (single choice: 1 to 20, 21 to 50, 51 to 100, 101 to 250, 251 to 500, Over 500): calibrates the report for firm size.
  • Tools in regular use (multi-choice: ChatGPT, Microsoft Copilot, Claude, Google Gemini, sector-specific tools, none): calibrates the report for your current tool footprint.
  • Has an AI policy, has trained staff on AI use, has a register of approved use cases, has an AI risk register (yes / no each, required): four components of the governance maturity score.
  • Primary business goals and current pain points (free text, up to 1,000 characters each, optional): shape the report’s recommended use cases.
  • Consent to process the information and consent to be contacted with the report (must both be true to submit): the lawful basis for processing the submission and sending the report email.

Two further fields are recorded for operational purposes: a unique submission id (UUID) generated when you submit, and a timestamp recording when you submitted.

A hidden honeypot field on the form deters automated bot submissions. It is never displayed to a human user. If a value is detected, the submission is rejected and nothing is stored.

We do not collect special category data (as defined in UK GDPR Article 9). We do not collect payment information.

2b. Technical and analytics data

We use Plausible Analytics, an EU-hosted, cookie-free analytics service that records aggregate page views and outbound link clicks without setting cookies or tracking individuals. Plausible does not store an IP address against a visitor record.

The Vercel platform (our hosting provider) logs request metadata, including IP address, in its standard operational logs. These logs are retained per Vercel’s standard retention policy and are not joined to Assessment submissions.

The Assessment form uses browser session storage to remember your progress across the form steps if you navigate between pages. Session storage is local to your browser, is not transmitted to our servers, and is cleared automatically when you submit the form or close the browser tab.

3. Lawful basis for processing

Under UK GDPR Article 6, we rely on the following lawful bases:

  • Article 6(1)(a) consent for collecting and storing your Assessment submission, for generating the personalised report by sending your inputs to Anthropic (Claude Sonnet 4.6), and for emailing the report to you via Resend. Two explicit consent checkboxes on the Assessment form are required; submission is blocked unless both are ticked.
  • Article 6(1)(f) legitimate interests for retaining the submission for up to 24 months to support follow-up enquiries and repeat-engagement context, for anonymising the submission after the retention window, for aggregate analytics via Plausible, and for IP-address-based rate-limiting and abuse prevention.

You may withdraw consent at any time by emailing privacy@learn-ai.io. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

4. How we use your data

We use Assessment submissions to do the following, and nothing else:

  1. Generate your personalised Readiness Assessment report.
  2. Email the report to you at the address you provided.
  3. Email you once, if operationally useful, to confirm receipt of the report or to invite you to book an Executive AI Briefing as a follow-on conversation.
  4. Retain the submission for up to 24 months so that, if you re-engage Learn AI, we have the context of your earlier Assessment.
  5. Aggregate (anonymously) what kinds of firms are submitting, for our own service-quality monitoring. The aggregate view contains no identifying fields.
  6. Defend a legal claim, or comply with a lawful request from a regulator (HM Revenue & Customs, the Information Commissioner’s Office, the Companies House registrar, a court), if and only if we are legally required to do so.

We do not use Assessment submissions to train any AI model. We do not sell, rent, or share Assessment submissions with third parties for marketing purposes. We do not run advertising campaigns against Assessment submitters.

5. Who we share your data with

We share Assessment data with a small set of named processors who operate the technical infrastructure of the site. Each processor is contractually bound to act only on our instructions and to apply appropriate technical and organisational measures.

  • Anthropic PBC. Receives the structured Assessment inputs to generate the personalised report using Claude Sonnet 4.6. UK / EU data terms apply. Privacy policy: anthropic.com/legal/privacy.
  • Supabase Inc. Stores the complete Assessment submission, including consent fields and the generated report, in a managed Postgres database with row-level security enabled. EU-hosted. Privacy policy: supabase.com/privacy.
  • Resend (Resend, Inc.). Delivers the report email. Receives your name, work email, company name, and the generated report markdown. EU-hosted. Privacy policy: resend.com/legal/privacy-policy.
  • Vercel Inc. Hosts and serves the site. Receives all web traffic; logs request metadata including IP address. Privacy policy: vercel.com/legal/privacy-policy.
  • Plausible Insights OÜ. Cookieless analytics. Receives aggregate page-view and event metadata only; no personal data. EU-hosted. Privacy policy: plausible.io/privacy.
  • Upstash, Inc. Rate-limits the Assessment Server Action to deter abuse. Processes IP address only, transiently, and does not retain beyond the rate-limit window. EU region. Privacy policy: upstash.com/trust/privacy.pdf.
  • HubSpot, Inc. Customer relationship management for engaged prospects only; not used for Assessment submitters who do not engage further. Privacy policy: legal.hubspot.com/privacy-policy.

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. We do not transfer Assessment submissions to a third country outside the UK or EEA without an adequate transfer mechanism in place.

6. How long we keep your data

  • Assessment submission (Supabase): up to 24 months from submission, then anonymised. The personal-data columns are overwritten and the report markdown deleted, while the row is kept for operational arithmetic.
  • Report email log (Resend): up to 30 days (Resend’s standard message-log retention), then deleted automatically by Resend.
  • HubSpot contact (if you engage further): until you ask us to delete it, or 36 months after the last interaction, whichever is sooner, then deleted via the HubSpot GDPR delete process.
  • Plausible aggregate analytics: Plausible’s standard retention; no individual record exists.
  • Vercel operational logs: Vercel’s standard retention, then deleted automatically by Vercel.
  • Upstash rate-limit cache: sliding window of one hour, then expired automatically.

If you request erasure, we follow the internal runbook and complete the deletion within one calendar month of receipt (extendable by up to two further months if the request is complex, in which case we will notify you within the first month). See section 8.

7. Your rights under UK GDPR

You have the following rights in relation to your personal data:

  1. Right of access. Ask us for a copy of the personal data we hold about you.
  2. Right to rectification. Ask us to correct inaccurate or incomplete data.
  3. Right to erasure. Ask us to delete your personal data. See section 8.
  4. Right to restriction of processing. Ask us to limit how we use your data while a dispute is resolved.
  5. Right to data portability. Ask us for a copy of your Assessment submission in a structured, machine-readable format (JSON).
  6. Right to object. Object to processing based on legitimate interests at any time.
  7. Rights related to automated decision-making and profiling. The Assessment report is generated with the assistance of an AI model (Anthropic Claude Sonnet 4.6) and is intended as informational diagnostic output. It is not a solely automated decision with legal or similarly significant effect. If you believe an output has had such an effect on you, contact us at privacy@learn-ai.io and we will investigate.
  8. Right to withdraw consent. Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, email privacy@learn-ai.io. We respond within one calendar month. We do not charge a fee for a reasonable first request.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

8. Erasure and deletion

To request erasure, email privacy@learn-ai.io from the address you used to submit the Assessment. We will verify your identity by matching the request address to a stored submission record (or, where the addresses do not match, by asking for a non-identifying corroborating signal such as the submission month and the company name). We will then delete the record from Supabase, add your email to the Resend suppression list, delete any associated HubSpot contact via the HubSpot GDPR delete process, and confirm completion in writing within one calendar month.

9. Cookies and similar technologies

This site does not use tracking cookies. Plausible Analytics is cookieless and does not set, read, or store any cookies on your browser. We do not run advertising or remarketing pixels.

The Assessment form uses browser session storage to remember your in-progress answers as you navigate between steps. Session storage is local to your browser, is not transmitted to our servers, and is cleared automatically when you submit the form or close the browser tab.

See the cookie notice at /cookies for the full statement.

10. Security

All connections to learn-ai.io are encrypted using HTTPS (TLS 1.2 or above). Assessment submissions are stored with row-level security enabled in Supabase, which means anonymous and authenticated end-user roles cannot read or modify the submissions table. Only the server-side service role key, which is held in Vercel’s environment variable store and is never exposed to the browser, can write to the table.

Access credentials are scoped per environment (Production and Preview keys are separate where the provider supports separation) and are not committed to the source repository.

11. Changes to this policy

When we make a material change to this policy, the updated version replaces this page at the same URL with a new effective date at the top. We flag material changes at the top of the page for at least 30 days. If you have an active engagement with us and a change materially affects your data, we will tell you directly by email.

12. Contact us

For privacy questions, exercising any of the rights above, or to request erasure:

  • Email: privacy@learn-ai.io
  • Post: The AI Consultancy (London) Ltd, 20 Wenlock Road, London N1 7GU, United Kingdom

For general enquiries about Learn AI services: