Last updated: 27 April 2026
1. Data Controller
ATTOH Digital is a trading name of ATTOH Intelligence, a company registered in England and Wales. We are the data controller responsible for your personal data as defined by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Data We Collect
We collect and process the following categories of personal data:
2.1 Information you provide
- Contact details: name, email address, phone number, company name, and job title — provided when you submit an enquiry, use our contact form, or engage with our AI assistant (MAYA).
- Business information: sector, company size, turnover, business challenges, and service requirements — provided when you use our tools or onboard as a client.
- Communication data: messages sent through MAYA chat, the contact form, email correspondence, or Telegram.
2.2 Information we collect from public sources
- Companies House data: company registration details, officer information, filing history, SIC codes, and accounts data — sourced from the Companies House public API. This is publicly available information.
- Public business information: website content, LinkedIn company pages, and other publicly available business data used for market intelligence.
2.3 Information collected automatically
- Technical data: IP address, browser type, device type, operating system, and referral source.
- Usage data: pages visited, tools used, session duration, and interaction patterns.
2.4 Information stored in our systems
- Client records: company profiles, engagement history, agent activity logs, pipeline status, compliance assessments, and financial matching data — stored in our Supabase database infrastructure.
- Prospect data: enriched business profiles, scoring data, and outreach history.
3. How We Use Your Data
We use your personal data for the following purposes:
- To respond to your enquiries and provide our services, including AI-powered business intelligence, compliance checking, finance matching, and supplier procurement.
- To route your request to the appropriate specialist agent or team member within our system.
- To perform automated company analysis using publicly available Companies House data.
- To generate AI-processed insights, recommendations, and reports relevant to your business.
- To improve our platform, tools, algorithms, and intelligence outputs.
- To send you relevant updates about our services (only with your explicit consent).
- To comply with legal and regulatory obligations.
4. Legal Basis for Processing
We process your personal data under the following legal bases as defined by the UK GDPR:
| Basis | When it applies |
| --- | --- |
| Legitimate interest | For B2B communications, market analysis, company intelligence using public data (Companies House), and service improvement. We have assessed that these interests do not override your fundamental rights. You may object at any time. |
| Consent | For marketing communications, email outreach campaigns, social media content featuring your business, and newsletter subscriptions. You may withdraw consent at any time. |
| Contract | Where processing is necessary for the performance of a contract with you or to take pre-contractual steps at your request. |
| Legal obligation | Where processing is necessary to comply with UK law, including financial regulations, anti-money laundering requirements, and tax obligations. |
5. Third-Party Processors
We do not sell your personal data. We use the following third-party processors to deliver our services. All processors are bound by data processing agreements and appropriate safeguards:
| Processor | Purpose | Location |
| --- | --- | --- |
| Supabase | Database hosting and authentication | EU (Frankfurt) |
| Netlify | Website and portal hosting | US (with EU CDN nodes) |
| n8n | Workflow automation and agent orchestration | EU (Germany) |
| Anthropic | AI language processing (Claude) | US |
| Companies House | Public company data API (UK Government) | UK |
| Blotato | Social media content publishing | EU |
| Lemlist | Email outreach and sequencing | EU (France) |
Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions recognised by the UK Government.
We may also share data with:
- Partner businesses: where you have requested a specific service (e.g., finance matching, R&D tax credits, supplier procurement) that involves a third-party provider. We will always inform you before sharing.
- Legal authorities: where required by law, regulation, or to protect our legal rights.
6. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Client data: retained for the duration of the business relationship plus 6 years after termination, in accordance with UK legal, tax, and regulatory requirements.
- Prospect data: retained for 12 months from the date of last engagement. If no interaction occurs within that period, your data is securely deleted.
- Enquiry data: retained for 24 months unless you become a client.
- Companies House data: public data is refreshed periodically and does not constitute personal data under most circumstances.
- Analytics data: aggregated and anonymised within 90 days.
7. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate or incomplete data.
- Right to erasure: request deletion of your data where there is no compelling reason to continue processing (the "right to be forgotten").
- Right to restriction: request restriction of processing in certain circumstances, such as while we verify the accuracy of your data.
- Right to data portability: request transfer of your data in a structured, commonly used, machine-readable format.
- Right to object: object to processing based on legitimate interests or direct marketing at any time.
- Rights related to automated decision-making: you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
To exercise any of these rights, contact us at hello@attoh.digital. We will respond within 30 days. There is no fee for making a request unless it is manifestly unfounded or excessive.
8. Cookies
We use a minimal cookie approach:
- Session authentication cookies: essential cookies required for portal login and session management. These are strictly necessary and do not require consent.
- No tracking cookies: we do not use third-party tracking cookies, advertising cookies, or behavioural profiling cookies.
- No analytics cookies: we do not use Google Analytics, Facebook Pixel, or equivalent tracking technologies.
Because we only use strictly necessary cookies, no cookie consent banner is required under the Privacy and Electronic Communications Regulations (PECR).
9. AI Processing
Our platform uses artificial intelligence (powered by Anthropic's Claude) to process business data and generate insights. This includes:
- Automated company analysis based on publicly available data.
- AI-generated recommendations for finance, compliance, procurement, and growth strategy.
- Natural language processing for chat-based interactions with our AI assistant (MAYA).
AI processing is used to assist human decision-making, not to make automated decisions with legal or similarly significant effects. All AI outputs are subject to human review where they affect client outcomes.
10. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+) and at rest.
- Row-level security (RLS) policies on all database tables.
- Role-based access controls with the principle of least privilege.
- Regular security reviews and access audits.
- Secure authentication with session management and automatic timeouts.
11. Children's Data
Our services are designed for business-to-business use and are not directed at individuals under the age of 18. We do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. Material changes will be communicated via email where appropriate. We encourage you to review this page periodically.
13. Contact and Complaints
If you have questions about this privacy policy, wish to exercise your rights, or want to make a complaint about how we handle your data, contact us at:
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):