Privacy policy
Version 1.0 · Effective from: 11 May 2026
Applies to: curiaai.co.uk and all Curia AI client and prospect communications
1. Who we are
Curia AI is a trading name operated by: Curia AI Limited
Registered in England and Wales. Company Number: 17080354
Registered address: Fairmead, Iford Fields, Lower Westwood, BA15 2BQ.
We are the data controller for all personal data collected through this website, our outreach activities, and our client and prospect database.
If you have any questions about this policy or how we handle your personal data, contact us at jcromack@curiaai.co.uk
2. Who this policy covers
This policy applies to personal data we hold about the following categories of individuals:
- Website contacts – Website visitors who submit a form (download request or assessment request)
- Prospects – Professionals at UK charities and not-for-profit organisations whose details are publicly available or who have engaged with Curia AI
- Mailing list contacts – Individuals who have consented to receive communications from us or who have expressed an interest in our services
- Clients – Individuals and organisations who have purchased or engaged Curia AI services
We work exclusively with UK charities, not-for-profit organisations, and those operating in or serving the charitable sector. We do not target or knowingly hold data about private individuals acting in a personal capacity.
3. What personal data we hold and where it comes from
3.1 Data you provide directly
When you complete a form on this website, we collect:
- First name and last name
- Organisation name
- Professional email address
- Consent record (whether you agreed to receive updates from us)
- The resource or service you requested
3.2 Data we hold in our prospect and contact database
We maintain a database of professionals at UK charities and not-for-profit organisations who are likely to be interested in AI governance services. This database contains professional contact details only:
- Full name
- Job title and seniority
- Organisation name and sector
- Professional email address (organisational, not personal)
- Professional telephone number
- Organisation size and type (charity, housing association, etc.)
- Any record of prior contact or expressed interest
We hold this data from the following sources:
- Publicly available information – including charity sector directories, Companies House, Charity Commission registers, LinkedIn profiles, conference speaker lists, published reports, and sector event attendee lists where details are publicly disclosed
- Direct engagement – individuals who have contacted us, downloaded a resource, attended an event, or otherwise indicated an interest in our services
- Sector intelligence – we may compile contact details from publicly available sector publications and databases relevant to UK charity leadership
Important: We hold professional details only. We do not hold personal email addresses, home addresses, personal phone numbers (unless publicly available and not on the TPS), or any sensitive personal data (as defined under UK GDPR Article 9). All contacts in our database are professionals acting in their organisational capacity.
4. How we use personal data
The table below sets out each purpose for which we use personal data, the lawful basis under UK GDPR, and what this means in practice.
| Purpose | Lawful basis | Who this applies to | Your right to object |
|---|---|---|---|
| Fulfilling a resource download or assessment request you made | Performance of a contract/legitimate interests | Website form contacts | N/A – necessary to fulfil your request |
| Adding you to our mailing list following expressed interest in our services (e.g. form submission, event attendance, direct contact) | Legitimate interests (B2B marketing to relevant professionals) | Anyone who has engaged with Curia AI or its services | Yes – opt out at any time. Every email includes an unsubscribe link. |
| Contacting professionals at relevant organisations who have not previously engaged with us, where their details are publicly available | Legitimate interests (B2B prospecting) | Prospect database contacts | Yes – ask us to remove you at any time. We will not contact you again. |
| Sending service updates, governance guidance, and sector news to our mailing list | Legitimate interests (for existing contacts)/consent (where given) | Mailing list subscribers | Yes – unsubscribe at any time via any email we send or by contacting us directly. |
| Managing client relationships and delivering contracted services | Performance of a contract | Clients | N/A – necessary for the contract |
| Processing payments for services | Performance of a contract | Paying clients | N/A – necessary for the contract |
| Maintaining records for legal, regulatory, and accounting purposes | Legal obligation | Clients and paying contacts | N/A – required by law |
Legitimate interests note: Where we rely on legitimate interests as our lawful basis, we have assessed that our interests in maintaining professional B2B contact for services directly relevant to the recipient’s role are proportionate and do not override individual rights. All contacts are professionals in organisations we serve, and every communication includes a clear and easy way to opt out. A Legitimate Interests Assessment (LIA) is available on request.
5. Our mailing list
Anyone who has shown an interest in Curia AI’s services will be added to our mailing list. This includes:
- Individuals who have submitted a website form (with or without the consent checkbox ticked, on the basis of legitimate interests for B2B contacts)
- Individuals who have contacted us directly
- Individuals who have attended an event or session where Curia AI was present
- Individuals at organisations in our prospect database who we have contacted and who have not asked to be removed
All mailing list communications will:
- Clearly identify Curia AI as the sender
- Include a one-click unsubscribe link in every email
- Be relevant to AI governance, data governance, and charity sector practice
- Not be sold or shared with any third party for marketing purposes
If you wish to be removed from our mailing list at any time, you can unsubscribe via any email we send, or contact us directly at jcromack@curiaai.co.uk. We will action all removal requests within 5 working days and will not contact you again.
6. Payment processing
When you pay for Curia AI services, payment is processed by a third-party payment processor. We use Stripe or a similar service provider, which will be made clear at the point of payment.
Payment processors act as independent data controllers for the financial and payment card data you provide during a transaction. This means:
- We do not store, process, or have access to your full card number, bank account details, or payment credentials
- All payment data is handled directly by the payment processor under their own privacy policy and security standards
- Payment processors are typically PCI DSS compliant, meaning they meet the industry standard for card data security
The payment processor’s privacy policy governs how your payment data is used. Please review their policy before completing a transaction.
We retain a record of the transaction (amount, date, organisation, invoice reference) for our accounting and legal obligations. We do not retain any payment card or bank account data.
7. Who we share data with
We do not sell, rent, or share personal data with third parties for their own marketing purposes under any circumstances.
We use the following third-party services to operate our website and business. Each acts as a data processor, processing data only on our instructions:
Email and CRM platform
We use an email platform to manage our mailing list and prospect database. It stores contact names, email addresses, and engagement history. Data may be processed outside the UK under appropriate transfer mechanisms.
Payment processor
Processes payment transactions. See Section 6 for full details.
Web hosting (IONOS)
This website is hosted on infrastructure that logs standard web server data (IP address, browser type, pages visited) for security and performance. This data is not shared with us in identifiable form.
Google Fonts
Fonts are loaded from Google’s servers. Your browser IP address may be logged by Google as part of this standard web request. No personal data is transferred to Google for tracking purposes.
We use Google Analytics tracking technology on this website.
8. How long we keep data
| Category | Retention period | Reason |
|---|---|---|
| Website form contacts (download / assessment) | 24 months from submission, or until you ask us to delete it | Reasonable business follow-up period for B2B contacts |
| Prospect and contact database | Held indefinitely while the contact remains professionally active and relevant, or until they ask to be removed | Legitimate interests in maintaining an accurate and current professional contact database for relevant outreach |
| Mailing list subscribers | Until you unsubscribe or ask to be removed | Consent or legitimate interests, depending on original basis |
| Client records | Duration of engagement plus 6 years | UK statutory limitation period for contract claims |
| Accounting and financial records | 7 years from end of financial year | HMRC legal requirement |
We review our prospect database at least annually to remove individuals who are no longer in relevant roles, whose organisations have ceased to exist, or who have asked to be removed.
9. Your rights under UK GDPR
You have the following rights in relation to the personal data we hold about you:
- Access – Right of access – ask for a copy of the personal data we hold about you
- Rectification – Right to rectification – ask us to correct inaccurate or incomplete data
- Erasure – Right to erasure – ask us to delete your data (subject to legal retention obligations)
- Restriction – Right to restriction – ask us to limit how we use your data while a dispute is resolved
- Object – Right to object – object to processing based on legitimate interests, including all direct marketing. We will always honour objections to marketing immediately and without question.
- Portability – Right to data portability – ask for your data in a structured, machine-readable format
- Withdraw consent – Right to withdraw consent – where we rely on consent, you can withdraw it at any time without affecting prior lawful processing
To exercise any right, email jcromack@curiaai.co.uk. We will respond within one calendar month. We will not charge a fee for reasonable requests.
10. The right to complain
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
- Website: ico.org.uk
- Helpline: 0303 123 1113
We would always prefer to resolve concerns directly. Please contact us first and we will respond promptly.
11. Data security
We take appropriate technical and organisational measures to protect personal data, including:
- HTTPS encryption across all pages of this website
- Access to contact and prospect data restricted to authorised Curia AI personnel
- Use of reputable third-party processors with appropriate security certifications
- Annual review of data held in our prospect database
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay.
12. International data transfers
Some of our third-party processors are based outside the UK. Where this is the case, transfers are made under one of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner
- An adequacy decision by the UK Secretary of State
- The processor’s participation in a recognised data transfer framework
We do not transfer personal data to countries without an adequate level of protection unless one of the above safeguards is in place.
13. Cookies
You can find our cookie policy here.
14. Changes to this policy
We may update this policy to reflect changes in our practices or applicable law. The version number and effective date at the top of this document will always reflect the most recent revision.
For material changes affecting your rights, we will take reasonable steps to notify individuals whose data we hold, including via our mailing list.
15. Contact us
For any questions about this policy, to exercise your rights, or to ask to be removed from our database or mailing list:
Email: jcromack@curiaai.co.uk
We aim to respond to all data-related enquiries within 5 working days, and within the statutory one-month deadline for formal rights requests.