Privacy Policy

1. Introduction

1.1 Who We Are

This Privacy Policy explains how MCGRAY SOLUTIONS LTD, trading as SprintSpeak ("we", "us", "our"), collects, uses, and protects your personal data.

Contact Details:

• Email: contact@sprintspeak.com
• Website: sprintspeak.com
• Address: International House, 109-111 Fulham Palace Road, London, W6 8JA

1.2 Scope of This Policy

This policy applies to:

• Visitors to our website (sprintspeak.com)
• People who request quotes or information
• Clients who engage our services
• Anyone who communicates with us

1.3 Data Controller

MCGRAY SOLUTIONS LTD is the data controller for the personal data we process. This means we determine why and how your data is processed.

1.4 Our Commitment

We are committed to protecting your privacy and complying with:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• EU General Data Protection Regulation (EU GDPR) where applicable
• Privacy and Electronic Communications Regulations (PECR)

2. What Personal Data We Collect

We collect different types of personal data depending on your interaction with us.

2.1 Quote Request Information

When you request a quote through our website:

• Name - To address you and identify your request
• Email address - To respond to your inquiry
• Company name (optional) - To understand your business context
• Project description - To assess requirements and provide accurate quotes
• Any files or documents you upload - To understand your needs

Legal basis: Legitimate interests (responding to business inquiries)

2.2 Client Project Information

When you become a client:

• Contact details - Name, email, phone number, company details
• Business information - Company size, industry, target audience
• Project requirements - Detailed specifications, integrations needed, use cases
• Training data - Content, FAQs, documents you provide for chatbot development
• Platform credentials - Access to accounts where we build your AI assistant
• Communications - Emails, messages, meeting notes, feedback
• Payment information - Processed by Stripe (see Section 3.3)

Legal basis: Contract performance (necessary to deliver our services)

2.3 Website Usage Information

When you visit our website, we automatically collect:

• Technical data - IP address, browser type and version, device type, operating system
• Usage data - Pages visited, time spent on pages, links clicked, referring website
• Location data - Approximate geographic location based on IP address
• Cookie data - See Section 10 for detailed cookie information

Legal basis: Legitimate interests (improving website functionality and user experience)

2.4 Marketing Communications (If You Consent)

If you opt in to receive marketing:

• Email address
• Name
• Communication preferences
• Interaction with our emails (opens, clicks)

Legal basis: Consent (which you can withdraw at any time)

2.5 Data We Don't Collect

We do NOT collect:

• Payment card details (handled securely by Stripe)
• Sensitive personal data (health, race, religion, political opinions, etc.)
• Data from children under 16

3. How We Use Your Personal Data

3.1 Service Delivery

We use your data to:

• Respond to quote requests and inquiries
• Provide consultations and assess project requirements
• Build, configure, and deploy your AI assistant
• Set up integrations with your systems
• Communicate about project progress and milestones
• Provide demonstrations and gather feedback
• Deliver training and documentation
• Provide support during and after development

3.2 Business Operations

We use your data to:

• Process payments and maintain financial records
• Manage client relationships
• Maintain business records for legal and tax compliance
• Improve our services and methodologies
• Analyze service performance and client satisfaction

3.3 Legal Obligations

We process data to:

• Comply with UK tax and accounting requirements
• Respond to legal requests and regulatory inquiries
• Establish, exercise, or defend legal claims
• Prevent fraud and abuse

3.4 Marketing (With Your Consent)

With your explicit consent, we may:

• Send you information about our services
• Share industry insights and best practices
• Notify you about special offers or new features

You can opt out at any time using the unsubscribe link in emails or by contacting us.

3.5 Anonymized Data

We may use anonymized or aggregated data (where you cannot be identified) for:

• Industry research
• Service improvement
• Statistical analysis
• Marketing materials

This data is not considered personal data as it cannot identify you.

4. Legal Basis for Processing

We process your personal data under the following legal bases:

4.1 Contract Performance

When processing is necessary to fulfill our contractual obligations to you, including:

• Delivering AI assistant development services
• Providing managed service support
• Processing payments

4.2 Legitimate Interests

When processing serves our legitimate business interests and doesn't override your rights:

• Responding to quote requests and business inquiries
• Improving our website and services
• Analyzing service performance
• Preventing fraud
• Marketing to businesses (B2B)

4.3 Consent

When you have explicitly agreed to processing, such as:

• Marketing communications (you can withdraw consent at any time)
• Non-essential cookies
• Case study participation

4.4 Legal Obligations

When required by law, such as:

• Tax and accounting record keeping
• Responding to legal requests
• Regulatory compliance

5. Who We Share Your Data With

We only share your personal data when necessary for service delivery or legal compliance.

5.1 Third-Party Service Providers

Stripe (Payment Processing)

• What we share: Transaction information, email address
• Why: To process payments securely
• Location: USA (protected under EU-US Data Privacy Framework)
• Their privacy policy: stripe.com/privacy

Vercel (Website Hosting)

• What we share: Website usage data, IP addresses
• Why: To host and deliver our website
• Location: USA and Europe
• Their privacy policy: vercel.com/legal/privacy-policy

Email Service Provider [To be specified based on final setup]

• What we share: Email communications, contact details
• Why: To manage business communications
• Location: To be confirmed based on provider
• Their privacy policy: Will be linked when provider is confirmed

5.2 AI Platform Providers (During Development)

Voiceflow, Make.com, Chatbase, Botpress, and similar platforms

• What we share: Project data, training content, configurations
• Why: To build your AI assistant on these platforms
• Important: For Build & Handover clients, we transfer full ownership of your platform account to you
• Their privacy policies: Check respective platform providers

5.3 Professional Advisors

We may share data with:

• Solicitors and legal advisors
• Accountants and tax advisors
• Business consultants

Only when necessary for professional advice and subject to confidentiality obligations.

5.4 Business Transfers

If we sell, merge, or restructure our business, your data may be transferred to the new owner, subject to the same privacy protections.

5.5 Legal Requirements

We may disclose data when required by law, court order, or regulatory authority, or to:

• Prevent fraud or criminal activity
• Protect our legal rights
• Enforce our Terms of Service

5.6 With Your Consent

We may share data for case studies or testimonials, but only with your explicit written consent (which you can revoke).

6. International Data Transfers

Some of our service providers are located outside the UK and European Economic Area (EEA).

6.1 Transfers to the USA

We use US-based services including Stripe and Vercel. These transfers are protected by:

• EU-US Data Privacy Framework - Many US companies are certified under this framework
• Standard Contractual Clauses - Approved by the European Commission
• Adequacy decisions - Where applicable

6.2 Safeguards

We ensure appropriate safeguards are in place for all international transfers:

• Contractual protections
• Technical security measures
• Compliance with UK and EU data protection laws

6.3 Your Rights

You have the right to obtain information about safeguards protecting your data in international transfers.

7. How Long We Keep Your Data

We retain personal data only as long as necessary for the purposes outlined in this policy.

7.1 Quote Requests (Non-Clients)

• Retention period: 12 months from last contact
• Why: To respond to follow-up inquiries and business opportunities
• After expiry: Automatically deleted unless you become a client

7.2 Active Clients

• Retention period: Duration of service relationship plus handover period
• Project data: Retained until successfully transferred to your control
• Communications: Retained throughout relationship

7.3 Former Clients - Build & Handover

• Business records (contracts, invoices, quotes): 6 years from end of financial year (UK tax law requirement)
• Project data on our systems: Deleted after handover completion
• Email communications: 6 years for legal and contractual purposes
• Platform data: Transferred to client at handover (not retained by us)

7.4 Former Clients - Managed Service

• Business records: 6 years from cancellation date
• Project data: Deleted after handover completion
• Service records: Retained for warranty and support purposes for 6 months after cancellation

7.5 Marketing Data

• Active subscribers: Until you unsubscribe
• Unsubscribed: Moved to suppression list (retained to prevent re-adding)
• Inactive: Removed after 2 years of no engagement

7.6 Website Analytics

• Retention period: 26 months (if using Google Analytics)
• Can be deleted earlier upon request

7.7 Legal Claims

Data may be retained longer if required for legal claims, disputes, or investigations.

8. Your Rights Under Data Protection Law

You have the following rights regarding your personal data:

8.1 Right of Access

You can request:

• Confirmation that we process your data
• A copy of your data
• Information about how we use it

How: Email contact@sprintspeak.com with "Data Access Request" in the subject line

8.2 Right to Rectification

You can request correction of:

• Inaccurate personal data
• Incomplete personal data

How: Email us with the corrections needed

8.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your data when:

• No longer necessary for the original purpose
• You withdraw consent (where consent was the legal basis)
• You object to processing based on legitimate interests
• Data was unlawfully processed
• Required by law

Exceptions: We may retain data when required for:

• Legal obligations (e.g., tax records)
• Establishment, exercise, or defense of legal claims
• Contractual obligations

8.4 Right to Restrict Processing

You can request we limit processing when:

• You contest the accuracy of data
• Processing is unlawful but you don't want erasure
• We no longer need the data but you need it for legal claims
• You've objected to processing pending verification

8.5 Right to Data Portability

You can request:

• Your data in a structured, commonly used, machine-readable format
• Direct transfer to another controller (where technically feasible)

Applies to: Data processed by automated means based on consent or contract

8.6 Right to Object

You can object to processing based on:

• Legitimate interests (including profiling)
• Direct marketing (we'll stop immediately)

8.7 Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

8.8 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time. This doesn't affect the lawfulness of processing before withdrawal.

8.9 How to Exercise Your Rights

Contact us:

• Email: contact@sprintspeak.com
• Subject line: Include which right you're exercising (e.g., "Data Access Request")
• Provide: Your name, email, and enough detail to locate your data

Response time: We will respond within 30 days (may extend to 60 days for complex requests)

Verification: We may request identification to verify your identity before responding

Free of charge: Unless requests are manifestly unfounded or excessive

9. Your Right to Complain

If you're unhappy with how we handle your data, you have the right to complain to a supervisory authority.

9.1 UK Residents

Information Commissioner's Office (ICO)

• Website: ico.org.uk
• Helpline: 0303 123 1113
• Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

9.2 EU Residents

Contact your local data protection authority in your country.

9.3 Our Preference

We'd appreciate the chance to address your concerns directly before you contact a regulator. Please email us at contact@sprintspeak.com.

10. Cookies and Tracking Technologies

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us provide a better experience.

10.2 Types of Cookies We Use

Essential Cookies (No Consent Required)

• Session cookies - Keep you logged in, remember your actions
• Security cookies - Protect against fraud and abuse
• Load balancing cookies - Distribute traffic across servers

Non-Essential Cookies (Require Consent)

• Analytics cookies - Google Analytics to understand website usage
• Preference cookies - Remember your currency selection
• Marketing cookies - If we use remarketing (currently: NO)

10.3 Cookie Details

| Cookie Name | Purpose | Duration | Type |

|-------------|---------|----------|------|

| _vercel_* | Session management | Session | Essential |

| currency_preference | Remember selected currency | 30 days | Preference |

| _ga | Google Analytics | 2 years | Analytics |

| _gid | Google Analytics | 24 hours | Analytics |

10.4 Managing Cookies

Browser settings:

You can control cookies through your browser settings:

• Chrome: Settings > Privacy and Security > Cookies
• Firefox: Settings > Privacy & Security > Cookies and Site Data
• Safari: Preferences > Privacy > Cookies and website data
• Edge: Settings > Privacy, search, and services > Cookies

Our cookie banner:

You can accept or reject non-essential cookies through the banner that appears on your first visit.

Impact of rejecting cookies:

• Essential cookies cannot be disabled (website won't function)
• Rejecting analytics cookies won't affect functionality
• You may need to reset preferences on each visit

10.5 Google Analytics

We use Google Analytics to understand how visitors use our site.

Data collected:

• Pages visited
• Time on site
• Browser and device type
• General geographic location

IP anonymization: Enabled (last octet of IP address is removed)

Opt-out: Install the Google Analytics Opt-out Browser Add-on: tools.google.com/dlpage/gaoptout

11. Data Security

11.1 How We Protect Your Data

We implement appropriate technical and organizational measures:

Technical measures:

• HTTPS/SSL encryption for all website communications
• Secure password policies
• Regular security updates and patches
• Access controls and authentication
• Regular backups
• Firewall and intrusion detection

Organizational measures:

• Staff training on data protection
• Confidentiality agreements
• Access limited to authorized personnel only
• Regular security reviews
• Incident response procedures

11.2 Payment Security

• We do NOT store payment card details
• Stripe handles all payment processing (PCI DSS Level 1 certified)
• Payment data is encrypted in transit and at rest

11.3 Platform Security

• AI platforms (Voiceflow, Make.com, etc.) maintain their own security measures
• We follow platform security best practices
• Client accounts are secured with strong passwords and, where available, two-factor authentication

11.4 No Absolute Security

While we take security seriously, no internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security.

11.5 Data Breach Notification

In the event of a data breach affecting your data:

• We will notify you within 72 hours (if high risk to your rights)
• We will notify the ICO as required by law
• We will take immediate action to contain and remedy the breach

12. Client Data as Data Processor

12.1 Your Responsibilities as Data Controller

When your AI assistant processes personal data of your customers, YOU are the data controller. This means:

You must:

• Have a valid legal basis for processing
• Provide a privacy policy to your customers
• Obtain necessary consents
• Respond to data subject requests from your customers
• Ensure lawful processing

We are the data processor during development, following your instructions.

12.2 Data Processing Agreement

For projects involving customer personal data, we will enter into a Data Processing Agreement (DPA) with you outlining:

• Scope and purpose of processing
• Security measures
• Sub-processors
• Data breach procedures
• Your rights as controller

12.3 Training Data

Training data you provide (FAQs, documents, etc.):

• Remains your property
• Is used solely to build your AI assistant
• Is not used to train our general models or benefit other clients
• Is deleted from our systems after handover (Build & Handover)

13. Third-Party Websites

Our website may contain links to third-party websites. This Privacy Policy does not apply to those websites.

We are not responsible for:

• Privacy practices of third-party websites
• Content on third-party websites
• Your interactions with third-party websites

We recommend: Review the privacy policy of any website you visit.

14. Children's Privacy

14.1 Age Restriction

Our services are intended for businesses and are not directed at children under 16 years of age.

14.2 No Knowingly Collection

We do not knowingly collect personal data from children under 16.

14.3 Parental Discovery

If you believe we have collected data from a child under 16, please contact us immediately at contact@sprintspeak.com, and we will delete it promptly.

15. Changes to This Privacy Policy

15.1 Updates

We may update this Privacy Policy from time to time to reflect:

• Changes in our practices
• Changes in the law
• New services or features
• Feedback and improvements

15.2 Notification

Minor changes: Updated "Last Updated" date at the top

Significant changes: We will notify you by:

• Email (if you're a client or have provided your email)
• Prominent notice on our website
• At least 30 days before changes take effect

15.3 Your Continued Use

Continued use of our services after changes take effect constitutes acceptance of the updated policy.

15.4 Version History

Previous versions of this policy are available upon request.

16. Contact Us

16.1 Privacy Questions

If you have questions about this Privacy Policy or our data practices:

Email: contact@sprintspeak.com

Subject line: "Privacy Inquiry"

Address: International House, 109-111 Fulham Palace Road, London, W6 8JA

16.2 Data Protection Officer

[If you appoint a DPO in the future, add contact details here]

16.3 Response Time

We aim to respond to all privacy inquiries within 5 business days for general questions, and within 30 days for data subject requests.

17. Legal Information

17.1 Governing Law

This Privacy Policy is governed by the laws of England and Wales.

17.2 Supervisory Authority

Our lead supervisory authority is the UK Information Commissioner's Office (ICO).

17.3 ICO Registration

ICO Registration: Pending (application in progress)

IMPORTANT LEGAL NOTICE:

This Privacy Policy has been drafted to comply with UK GDPR, EU GDPR, and UK Data Protection Act 2018. However, it has not been reviewed by a qualified data protection solicitor.

MCGRAY SOLUTIONS LTD strongly recommends having this policy reviewed by a UK data protection lawyer before use with actual clients or website visitors.

This policy should be read in conjunction with our Terms of Service and Cookie Policy.

*End of Privacy Policy*

Document Status: DRAFT - Pending Legal Review & ICO Registration

Last Reviewed: November 07, 2025

Next Review Due: Upon ICO registration and before first client engagement