How I work with your data
Last reviewed: 6th June 2026
This page is for prospects and current clients. It explains how I handle your data when we work together — not as a website visitor, but as a paying client.
The binding terms live in your engagement contract. This page is the readable summary.
My role
When you hire me to deliver consulting work, I usually act as a data processor under UK GDPR. You are the data controller — you decide what data is processed, why, and on what lawful basis. I process the data on your written instructions, under the terms of our engagement contract, which includes the data processing terms required by Article 28 of UK GDPR.
In a few specific cases — for example, when I propose a new prospect to add to our pipeline, or when I take a copy of a public dataset for analysis — I may act as a data controller. Those cases are exceptions and they are handled under my own Privacy Policy.
Confidentiality
Everything you share with me during an engagement is confidential by default. I do not discuss your business with other clients, with prospects, or with the public. I do not name you in marketing materials unless you have given written permission. I do not use anonymised insights from your engagement in my writing unless the anonymisation is genuinely robust.
The exception is the case-study process. If you are happy to be named in a case study, we agree the wording in writing before anything is published. If you prefer anonymisation, the case study reads as “a global corporate travel leader” rather than your name.
AI tools and sub-processors
I am an AI-native marketing consultancy. The AI tools I use in client work are part of the productivity layer of the business — they are not the strategy layer, but they handle a meaningful portion of the day-to-day work.
The AI tools I commonly use during client engagements:
- Anthropic Claude (the LLM behind most of my AI-assisted work)
- OpenAI ChatGPT (less frequently — when a specific feature is better there)
- Adobe Firefly (for visual asset generation when the sketchbook is not the right tool)
- NotebookLM (for grounded retrieval over client documents)
When I use these tools on your data:
- I use enterprise / paid tiers that do not train models on submitted data
- I avoid pasting personal data (your customer names, employee details, etc.) into prompts unless we have explicitly agreed it
- Where I do need to use real personal data — for example, to analyse a customer file — I either: (a) anonymise it first, or (b) use a tool with a data processing arrangement in place that satisfies UK GDPR
- I keep a written record of what AI tools touch your data, available to you on request
If you would prefer no AI tools touch your work at all, that is a constraint we can accommodate — flag it before the engagement begins and we set up the workflow accordingly. The cost may be slightly higher because some of the productivity layer disappears.
Other sub-processors
Beyond AI tools, the standard sub-processors involved in client work:
- Google Workspace — email, document storage during the engagement
- Mailchimp — pipeline tracking and contact management
- Ionos — for any client materials hosted publicly under my account
- Project-specific tools, named in the engagement contract
All sub-processors have written data processing agreements in place. The current list is in your engagement contract and is updated when sub-processors change.
Retention
During the engagement: I hold your data for as long as it is operationally needed. After the engagement closes:
- Working files (briefs, drafts, intermediate documents) — deleted within 90 days of engagement close, unless you specifically ask me to retain them
- Final deliverables (your strategy doc, your audit report, your marcomms plan) — held indefinitely as part of the case study archive, fully accessible to you on request
- Personal data inside client systems I had access to — access is revoked at engagement close; I do not export or retain copies
- Invoicing and accounting records — retained for 6 years per HMRC requirements
If you want a different retention arrangement, write it into the engagement contract and I will follow it.
Security
- All devices used for client work are encrypted at rest
- All cloud accounts use two-factor authentication
- Passwords are managed in a dedicated password manager
- Sensitive client data is not stored on portable media
- Public network access (cafes, etc.) is via a paid VPN where client data is being handled
Breaches
If a personal data breach occurs that affects your data, I notify you within 24 hours of becoming aware of it, with: what happened, what data was affected, the steps I am taking to contain and remedy it, and what (if anything) I need from you. This is in line with the controller-notification timeline UK GDPR places on data processors.
If you need to notify the ICO (the controller’s responsibility), I support that process with whatever information you need.
Questions
If you have questions about anything on this page, email info@inlikeawhippet.co.uk.
