Status: Draft. Legal review required before public publication. Surfaced at /privacy on the marketing site.
Last updated: 2026-05-11.
Effective date: To be confirmed at first publication.
Standard Intelligence Limited ("Standard Intelligence", "we", "us") provides an AI governance platform for organisations subject to the EU AI Act and the UK AI Bill. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have. It applies to the marketing website, the product, and any communication you have with us.
1. Who is the data controller
The data controller for personal data we process about visitors, prospects, and our employees is Standard Intelligence Limited, a company registered in England and Wales under number 16737890. Our registered office is in the United Kingdom.
For personal data that customers upload into the product (including data about their own users and AI-system descriptions), the customer is the data controller and Standard Intelligence is the data processor. The terms of that relationship are set out in our Data Processing Agreement (see /dpa).
You can contact us at:
- General enquiries and data-protection requests: privacy@standardintelligence.com
- Legal: legal@standardintelligence.com
- Postal: Available on request.
A formal Data Protection Officer will be appointed before commercial launch and named here.
2. What personal data we collect
We collect the minimum data needed to operate the service. The categories are:
- Account data. Email, name, and a Zitadel identifier when you sign up. Workplace and role only if you provide them voluntarily.
- Authentication data. Session tokens stored in httpOnly cookies, sign-in event logs, multi-factor preferences if you enable them.
- Usage data. Pages viewed, features used, error reports, request metadata (IP at the edge only, user agent). No keystroke or session-replay tracking.
- Customer compliance content. AI-system descriptions, evidence files, classification decisions, and audit-chain entries. This is content you create deliberately to use the service. We treat it as confidential and do not use it to train models.
- Communications. Anything you send us via email, contact forms, or chat. Sales-call notes when applicable.
- Billing data. Stripe stores card details, billing address, and tax identifiers. We only hold the references needed to reconcile invoices.
- Marketing-prospect data. Name, email, company, role, consent record, and consent timestamps, captured through HubSpot contact forms.
We do not knowingly collect special-category personal data (health, biometric, political opinion, etc.) and ask you not to upload such data into customer compliance content. The product is not directed at children.
3. Why we use it (lawful basis)
| Purpose | Lawful basis |
|---|---|
| Providing the product to authenticated users | Contract performance (GDPR Art 6(1)(b)) |
| Authenticating you and protecting against abuse | Legitimate interest (security) |
| Billing, fraud prevention, and tax records | Legal obligation (UK tax law) and contract performance |
| Service-reliability monitoring (error tracking) | Legitimate interest (service reliability) |
| Marketing communications you have consented to | Consent (GDPR Art 6(1)(a)) |
| Compliance with EU AI Act and UK AI Bill record-keeping obligations | Legal obligation |
We do not sell personal data and do not engage in behavioural advertising. We do not use customer compliance content to train AI models, full stop.
4. How long we keep it
Retention periods per data class are listed in our Retention Schedule. The summary:
- Identity and account data is held for the lifetime of your account, plus up to 30 days for soft-delete reversal, then anonymised.
- Customer compliance data (AI-system records, evidence, classification decisions, audit chain) is retained for the tenant lifetime plus ten years, to satisfy EU AI Act Articles 12 and 18 record-keeping obligations.
- Billing records are retained for seven years after the contract ends, to satisfy UK tax record-keeping obligations.
- Application logs are retained for 30 days at the platform; Sentry error events for 90 days; transactional email logs for 30 days.
- Marketing data is retained until you withdraw consent or for 36 months without activity, whichever is sooner.
5. Who we share it with
We share personal data only with the sub-processors listed in our published register. The headline categories:
- Infrastructure: Vercel (hosting), Neon (database), Sentry (error tracking), Inngest (job orchestration). All EU-hosted.
- Authentication and email: Zitadel (identity), Resend (transactional email). Both EU-hosted.
- Payments: Stripe (EU Dublin).
- AI services: Anthropic (Claude inference, US) and Mistral (embeddings, EU). Both contractually configured for zero data retention; Anthropic transfers are covered by Standard Contractual Clauses with supplementary measures. No personal data is included in payloads by service design; customers can disable AI features at the tenant level.
- Content management: Sanity (marketing CMS, EU). Holds SI staff editor accounts only, no customer data.
- Regulatory corpus: Neo4j Aura (EU Frankfurt). Holds SI-owned regulatory text and embeddings, no customer data.
- Marketing CRM: HubSpot (EU Frankfurt). Holds prospect and contact data, never customer compliance content.
We do not transfer customer compliance content outside the EU/UK other than the controlled, deliberate transfers to Anthropic for LLM inference described above. Where transfers occur, we rely on UK adequacy decisions where available, otherwise on Standard Contractual Clauses with supplementary technical measures.
We may disclose personal data to a regulator or court if we are legally required to do so. We notify you of any such request unless we are prohibited from doing so by law.
6. Your rights
If we hold personal data about you, you have the right to:
- Access the data we hold about you (Art 15).
- Rectify inaccurate data (Art 16).
- Erase your data (Art 17), subject to retention obligations we are legally required to meet.
- Restrict or object to processing in certain circumstances (Art 18 and 21).
- Receive a portable copy of data you provided (Art 20).
- Withdraw consent at any time where consent is the lawful basis.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
To exercise any of these rights, email privacy@standardintelligence.com. We respond within one calendar month. If a request is complex or we receive a high number, we may extend by up to two further months and will tell you why. We may need to verify your identity before responding.
7. Security
We apply appropriate technical and organisational measures to protect personal data, including: encryption in transit (TLS 1.2 or higher) and at rest (provider-managed for Neon, Vercel, Sanity, Resend); strict access controls at the database layer; multi-factor authentication for staff accounts; secrets management through 1Password and OIDC; the tenant-isolation invariant described in docs/system/auth.md §Tenant isolation. Security testing and incident response are documented in our internal runbooks.
If we discover a personal-data breach that is likely to affect your rights, we will tell you within 72 hours of becoming aware of it, as required by the UK GDPR. We will also report to the relevant supervisory authority within the same period.
8. Cookies and similar technologies
We use a small number of cookies. The full list and your choices are described at /cookies.
9. Changes to this policy
We will tell you in advance about any material changes to this policy through the product, by email if you are a customer, or by a notice on the marketing site. The "Last updated" date at the top of this document tracks every published change. A change log is maintained internally.
10. Children
Standard Intelligence is a business-to-business product. We do not knowingly market to, or collect data from, anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it.