Privacy Policy
Last updated: 24 April 2026
This policy explains how AI Capable collects, uses, and protects your personal data when you visit our site, book a discovery call, or become a client. It's written in plain English because you shouldn't need a law degree to understand what's happening with your data.
1. Who we are
AI Capable is a sole trader business operated by Laurence Malpass, trading as AI Capable. We are the “controller” of your personal data under the UK GDPR and the Data Protection Act 2018.
Privacy contact: laurence@aicapable.co.uk
Website: aicapable.co.uk
We are registered with the UK Information Commissioner's Office under registration number C1918409.
2. What data we collect
We only collect data you give us directly. We do not buy data, track you across the web, or build advertising profiles.
When you book a discovery call (via Calendly):
- Name, email, and anything you add to the booking form.
When you complete our pre-discovery intake form:
- Name and email (required)
- Role, industry, team size, current tools (optional)
- A description of a workflow that eats more time than it should (optional)
- What a good outcome would look like for you (optional)
When you become a client:
- Additional information needed to deliver coaching and handle billing — session notes, invoice details, correspondence.
- Audio/video recordings of your coaching sessions, recorded by default via Google Meet with your consent. You can opt out before any session.
When you visit the website:
- Aggregate, anonymous analytics (page views, referrer, country, device type) via Vercel Web Analytics. No cookies are set. No individual tracking.
3. Why we use your data, and our lawful basis
| Purpose | Lawful basis |
|---|---|
| Responding to your discovery call booking | Legitimate interests (replying to your enquiry) |
| Preparing for and delivering your discovery call | Consent (the tick-box on the intake form) |
| Providing coaching services and sending invoices | Contract |
| Keeping records required by HMRC and other authorities | Legal obligation |
| Sending occasional marketing emails (new programmes, resources, insights) | Consent (the marketing opt-in tick-box) |
| Running cookieless website analytics | Legitimate interests |
| Responding to a rights request or defending a legal claim | Legal obligation / legitimate interests |
You can withdraw consent at any time — see Section 7.
4. Who we share your data with
We use a small number of trusted providers to run the business. Each is bound by a data processing agreement and appropriate safeguards. We do not sell your data, and we do not share it for anyone else's marketing purposes.
| Provider | Purpose | Based in |
|---|---|---|
| Google Workspace (Google LLC) | USA | |
| Calendly LLC | Discovery call bookings | USA |
| Airtable Inc. | Intake form responses and client records | USA |
| Vercel Inc. | Website hosting and aggregate analytics | USA |
| Stripe Inc. (once enabled) | Payment processing | USA / Ireland |
We may also share data with our accountant, HMRC, legal advisors, or law enforcement where required by law.
5. International transfers
Some of our providers are based outside the UK, primarily in the USA. Where personal data leaves the UK we rely on the UK's approved safeguards — the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses — together with adequacy decisions such as the UK–US Data Bridge where applicable.
6. How long we keep your data
| Category | Retention |
|---|---|
| Prospects who never become clients | 12 months from your last interaction, then deleted |
| Clients | 6 years from the end of our engagement (HMRC record-keeping requirement) |
| Session recordings | Duration of your engagement + 90 days, then deleted |
| Marketing contacts | Until you unsubscribe or withdraw consent |
| Website analytics | Aggregated only — no individual records retained |
7. Your rights
Under UK GDPR you have the right to:
- Access — get a copy of the data we hold on you
- Rectification — correct anything that's wrong
- Erasure — ask us to delete your data
- Restriction — pause processing while a dispute is resolved
- Portability — get your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — at any time, with no effect on past processing
- Complain to the ICO — at ico.org.uk or on 0303 123 1113
To exercise any right, email laurence@aicapable.co.uk. We'll respond within one month. There's no charge unless a request is manifestly unfounded or excessive.
8. Cookies and tracking
We don't use cookies. We use Vercel Web Analytics, which records aggregate, anonymous information about site usage without storing anything on your device. No cross-site tracking, no ad networks, no profiling.
9. Security
We use reasonable technical and organisational measures to protect your data — strong passwords, two-factor authentication, encrypted connections, and providers that meet recognised security standards (SOC 2 / ISO 27001).
No system is perfectly secure. If a breach occurs that's likely to put your rights at risk, we'll notify the ICO within 72 hours and contact you directly where the law requires it.
10. Children
AI Capable is a professional coaching service aimed at adults. We don't knowingly collect data from anyone under 18. If you believe we have, email us and we'll delete it.
11. Automated decision-making
We don't use automated decision-making or profiling that produces legal or similarly significant effects on you. Every decision about whether to work with someone is made personally by Laurence.
12. Changes to this policy
If we make material changes we'll update the “last updated” date at the top and, where the change affects how we use existing data, contact affected people directly.
Questions? Email laurence@aicapable.co.uk.