Privacy Policy

Kensley Ltd ("Kensley", "we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our website (kensley.ai) and platform (the "Service").

We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Information We Collect

1.1Account Information

When you create an account, we collect your name, email address, and authentication credentials. If you sign up using Google or Microsoft, we receive your name and email address from those services via our authentication provider, Clerk.

1.2Payment Information

When you subscribe to a paid plan, payment details are collected and processed by Stripe. We do not store your full credit card number, CVV, or other sensitive payment data on our servers. We receive from Stripe a confirmation of payment, your billing address, and a truncated card reference for display purposes.

1.3Usage Data

We collect information about how you use the Service, including pages visited, features used, postcodes searched, documents generated, and timestamps of activity. This data is used to improve the Service and provide support.

1.4Planning Data You Input

When you use the Service, you may input postcodes, site addresses, proposal descriptions, consultant notes, and other planning-related information. This information is processed to provide the features of the Service, including AI-powered document generation and site analysis.

1.5Technical Data

We collect technical information including your IP address, browser type, operating system, device information, and referring URLs. This data is collected automatically through server logs and cookies.

2. How We Use Your Information

2.1We use your personal data for the following purposes:

• (a)To provide, maintain, and improve the Service;
• (b)To process payments and manage your Subscription;
• (c)To authenticate your identity and maintain account security;
• (d)To send you service-related communications, including billing notifications, security alerts, and product updates;
• (e)To respond to your enquiries and provide customer support;
• (f)To analyse usage patterns and improve the Service;
• (g)To comply with legal obligations.

2.2Our lawful bases for processing your personal data are:

• (a)Performance of a contract (Article 6(1)(b) UK GDPR) — processing necessary to provide the Service under our Terms of Service;
• (b)Legitimate interests (Article 6(1)(f) UK GDPR) — processing necessary for our legitimate interests in improving the Service, preventing fraud, and ensuring security, where such interests are not overridden by your rights;
• (c)Consent (Article 6(1)(a) UK GDPR) — where you have given specific consent, such as for marketing communications;
• (d)Legal obligation (Article 6(1)(c) UK GDPR) — processing necessary to comply with applicable law.

3. AI Data Processing

3.1When you use the AI Features of the Service (including "Generate" and "Ask Kensley"), the planning-related text you input is transmitted to third-party AI providers for processing. This is necessary for the AI Features to function.

3.2Our current AI providers include:

• (a)Groq Inc. — for document generation using the Llama language model
• (b)Anthropic — for AI research assistance

3.3The data transmitted to AI providers consists solely of:

• (a)Postcode and site address
• (b)Proposal description
• (c)Application type
• (d)Consultant notes
• (e)Selected policy and precedent card references

3.4We do NOT transmit to AI providers:

• (a)Your name, email address, or account details
• (b)Your payment information
• (c)Your IP address or device information
• (d)Any information that directly identifies you personally

3.5Our AI providers are contractually prohibited from:

• (a)Using your inputs to train, improve, or fine-tune their AI models
• (b)Retaining your inputs beyond the duration necessary to process the request
• (c)Sharing your inputs with any third party
• (d)Using your inputs for any purpose other than generating the requested output

3.6AI processing occurs in real-time. Your inputs are transmitted, processed, and the output is returned to you within seconds. No persistent copy of your inputs is retained by the AI provider after the response is delivered.

3.7We maintain a Data Processing Agreement (DPA) with each AI provider, which includes Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where data is processed outside the United Kingdom.

4. Data Sharing

4.1We share your personal data with the following categories of third parties:

• (a)Clerk (authentication) — to manage your account and sign-in
• (b)Stripe (payments) — to process Subscription payments
• (c)Groq Inc. / Anthropic (AI processing) — to provide AI Features
• (d)Hetzner Online GmbH (hosting) — our infrastructure provider

4.2We may also share your personal data:

• (a)With professional advisers (lawyers, accountants) where necessary;
• (b)With law enforcement or regulatory authorities where required by law;
• (c)In connection with a merger, acquisition, or sale of all or part of our business.

4.3We do not sell your personal data to third parties. We do not share your personal data for advertising or marketing purposes with third parties.

5. International Data Transfers

5.1Your personal data may be transferred to and processed in countries outside the United Kingdom, including:

• (a)The United States — where our AI providers (Groq Inc., Anthropic) and payment processor (Stripe) are located
• (b)The European Union / European Economic Area — where our hosting provider (Hetzner) operates

5.2Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

• (a)Standard Contractual Clauses (SCCs) approved by the ICO
• (b)The UK International Data Transfer Addendum
• (c)Adequacy decisions by the UK Government where applicable

6. Data Retention

6.1We retain your account information for as long as your account is active. Upon account deletion or termination, we will delete or anonymise your personal data within 30 days, except where retention is required by law.

6.2Payment records are retained for 7 years in accordance with UK tax and accounting requirements.

6.3Usage logs are retained for 12 months for the purpose of service improvement and security.

6.4Planning data you input (postcodes, proposals, consultant notes) is stored for as long as the associated project exists in your account. Deleting a project permanently removes the associated data.

7. Your Rights

7.1Under the UK GDPR, you have the following rights:

• (a)Right of access — to request a copy of the personal data we hold about you
• (b)Right to rectification — to request correction of inaccurate personal data
• (c)Right to erasure — to request deletion of your personal data
• (d)Right to restrict processing — to request limitation of processing
• (e)Right to data portability — to receive your data in a structured, commonly used format
• (f)Right to object — to object to processing based on legitimate interests
• (g)Rights related to automated decision-making — to not be subject to decisions based solely on automated processing that produce legal or significant effects

7.2To exercise any of these rights, please contact us at privacy@kensley.ai. We will respond to your request within 30 days.

7.3You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.

8. Automated Decision-Making

8.1The AI Features of the Service involve automated processing of planning data to generate outputs including site analyses, policy relevance scores, precedent scores, confidence ratings, and planning documents.

8.2These automated outputs are provided as professional aids and do not constitute automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 of the UK GDPR.

8.3All outputs of the AI Features are subject to human review before use. The Service is designed to support, not replace, professional judgement.

9. Security

9.1We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.

9.2These measures include:

• (a)Encryption of data in transit (TLS/SSL)
• (b)Access controls and authentication
• (c)Regular security monitoring
• (d)Secure hosting infrastructure

9.3While we take reasonable steps to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure.

10. Children

10.1The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.

11. Changes To This Policy

11.1We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service.

11.2The "Last updated" date at the top of this policy indicates when the most recent changes were made.

12. Contact

12.1For any questions about this Privacy Policy or our data practices, please contact us at:

Kensley Ltd Email: privacy@kensley.ai