Privacy Policy

1. Who We Are and How to Read This Notice

The BespokeWorks Client Portal is operated by BespokeWorks AI Limited, a company registered in England and Wales under company number 14553823 (“BespokeWorks”, “we”, “us”, or “our”).

Under UK data protection law, the same organisation can act in different capacities for different categories of personal data. This notice therefore has two parts:

• Part A — Portal-user data (we are controller). Personal data about the people who administer a Portal account on behalf of a client: names, business email addresses, login and session records, support correspondence, and audit-log entries recording actions taken in the Portal. We decide why and how this data is processed and therefore act as controller for it.
• Part B — Client-uploaded data (we are processor). Personal data that a client uploads to or generates within the Services, including personal data about the client’s own end-customers, staff, or suppliers. We process this data only on the client’s documented instructions under our Data Processing Agreement. The client is the controller for that data; this notice describes our role as processor, but the client’s own privacy notice is the primary source of information for their data subjects.

Part C covers matters common to both (international transfers, your rights, security, complaints).

Part A — When we are controller

A1. Categories of portal-user data

• Identity: name, role, organisation.
• Contact: business email address, and where you supply it, phone number.
• Account: workspace slug, password hash (bcrypt), multi-factor seeds where enabled, password-change timestamps.
• Usage: login timestamps, IP address, user-agent string, pages visited, audit-log entries recording actions you take in the Portal.
• Support: the content of messages you send to our support channels and our replies.

A2. Purposes and lawful bases (Article 6 UK GDPR)

• Providing the Portal (authentication, account management, session management): lawful basis is performance of the contract between BespokeWorks and the client you represent (Article 6(1)(b)), or our legitimate interests where you are not the contracting party (Article 6(1)(f)). Our specific legitimate interest is operating a secure multi-tenant SaaS; we have assessed that this does not override your rights because the data is limited to what is needed to run the account.
• Security, abuse prevention, audit (logging, rate limiting, anomaly detection, investigating incidents): legitimate interests (Article 6(1)(f)) in keeping the Services secure for all users.
• Complying with legal obligations (responding to data subject requests, regulator correspondence, retaining accounting records): Article 6(1)(c).
• Service communications (password resets, account notifications, security alerts): Article 6(1)(b) / 6(1)(f). We do not use portal-user email addresses for direct marketing without a separate opt-in.

A3. Retention for portal-user data

• Active account data: for the duration of the account plus 90 days after closure, to allow recovery.
• Login / IP / audit logs: 12 months from the date of the event.
• Support correspondence: 24 months from the date of the last message in a thread.
• Accounting records relating to a Portal account: 6 years, as required by section 388 Companies Act 2006 and HMRC record-keeping rules.
• Backup copies: restored-from-backup data is purged on the standard backup rotation, which is a maximum of 35 days after the primary deletion.

A4. Automated decision-making and profiling

We do not make decisions about portal users that have legal or similarly significant effects on them based solely on automated processing within the meaning of Article 22 UK GDPR. Rate-limiting and suspension actions are reviewed by a human before any account is disabled beyond an automatic short-term throttle.

A5. Recipients of portal-user data

Portal-user data is disclosed to the sub-processors listed in our DPA (for example, Google Cloud for hosting, Hostinger for transactional email). We do not sell portal-user data. We will disclose it to regulators, law-enforcement authorities, or courts where required by law, and to professional advisers where needed for our legitimate interests.

Part B — When we are processor

B1. Scope

When a client uploads personal data to the Services, or the Services generate content that contains personal data of the client’s own end-customers, staff, or suppliers, the client is the controller and BespokeWorks is the processor. Our processing is governed by the DPA, which sets out the categories of data, purposes, and our Article 28 obligations.

B2. Article 14 notice — if you are an end-customer

If you are a data subject (for example, a customer of a business that uses our Services, whose data we process on that business’ behalf), the business is the primary point of contact for information about how your data is used and for exercising your rights. You should contact that business in the first instance. You may also contact us at contact@bespokeworks.ai and we will pass your request to the controller promptly.

B3. Source of client-uploaded personal data

Where we process personal data about end-customers, we typically obtain it from the controller-client directly (via upload or API integration) or from third-party platforms that the client has connected to the Services. The client is responsible for providing the Article 14 notice to its own data subjects where we are processor.

B4. Retention for client-uploaded data

Retention of client-uploaded personal data is governed by the DPA and by the controller’s own retention schedule. On termination of the client account, we delete or return the data within ninety (90) days unless the client instructs otherwise or law requires a longer retention (for example, section 58 and Schedule 11 of the Value Added Tax Act 1994 for VAT records).

B5. Special category and criminal offence data

The Services are not designed to process special category data (Article 9 UK GDPR) or criminal offence data (Article 10 UK GDPR). Clients are instructed not to upload such data. If voice recordings or free-text conversations incidentally capture information that would be special category (for example, a customer disclosing a health condition during a voice interaction), the client remains responsible for identifying an Article 9(2) condition and for any DPIA obligation.

Part C — Matters common to both roles

C1. International transfers

Some of our sub-processors are located in or transfer personal data to countries outside the UK. Where the destination is not covered by UK adequacy regulations, we rely on the UK International Data Transfer Addendum to the EU Commission’s Standard Contractual Clauses (the “UK Addendum”), or on the UK International Data Transfer Agreement (“IDTA”), issued by the ICO. Specific mechanisms apply per sub-processor:

• Google Cloud / Firebase (data can be stored in EEA or US regions): UK adequacy where the EEA region is used; UK Addendum where US regions are used.
• Anthropic, OpenAI, OpenRouter, Pinecone (US): UK Addendum to EU SCCs, with a Transfer Risk Assessment completed by BespokeWorks.
• Hostinger (EEA): UK adequacy.

A copy of the relevant transfer mechanism is available on request under Article 46(1) UK GDPR.

C2. Your rights

You have the following rights under UK GDPR. Where we are processor, please contact the controller-client first; we will assist the client in responding. Where we are controller, contact us directly.

• Right to be informed (Articles 13 and 14) — satisfied by this notice.
• Right of access (Article 15).
• Right to rectification (Article 16).
• Right to erasure (Article 17), subject to legal retention rules.
• Right to restriction of processing (Article 18).
• Right to data portability (Article 20), where processing is based on consent or contract.
• Right to object (Article 21) to processing based on legitimate interests.
• Right to withdraw consent (Article 7(3)), where consent is our lawful basis. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Right not to be subject to solely automated decisions with legal or similarly significant effects (Article 22).

We will respond to verified requests within one month, extendable by up to two further months for complex or numerous requests.

C3. Cookies

The Portal uses a single strictly-necessary, first-party session cookie (named session, lifetime 7 days, HTTP-only, Secure) to keep you signed in. This cookie is exempt from consent under regulation 6(4)(b) of PECR because it is strictly necessary to provide a service you have requested. We do not use analytics, advertising, or third-party tracking cookies. If this changes, we will publish a separate Cookie Policy and add a consent banner before enabling any non-essential cookie.

C4. Security

We maintain technical and organisational measures appropriate to the risk, including TLS 1.2+ in transit, AES-256 encryption at rest for databases and backups, bcrypt password hashing, role-based access control with least-privilege defaults, pseudonymisation of identifiers where feasible, MFA on administrator accounts, audit logging, monthly vulnerability scanning, and documented incident response procedures. Personal data breaches that are likely to result in a risk to the rights and freedoms of data subjects are notified to the ICO within 72 hours of becoming aware, and to affected individuals where the risk is high. A fuller description of our security measures is set out in Annex II of the DPA.

C5. Children

The Portal is a business-to-business tool and is not intended for use by children under 13. We do not knowingly collect personal data directly from children. Where a client uses the Services in a way that may involve children’s data (for example, a chatbot interacting with a consumer of unknown age), the client remains responsible for applying the ICO’s Age-Appropriate Design Code.

C6. Changes to this Notice

We may update this Privacy Policy from time to time. Where a change is material, we will give notice by email to the account holder and by updating the version and effective date at the top of this document at least thirty (30) days before it takes effect.

C7. How to complain

If you are not satisfied with how we handle your personal data, you can complain to the UK Information Commissioner’s Office, the supervisory authority for the UK. Complaints can be made at ico.org.uk/make-a-complaint or by calling 0303 123 1113. We would appreciate the chance to address your concern first: please contact contact@bespokeworks.ai.