§ Legal / 01

Privacy Policy.

How we handle personal data across our AI products and consulting work. Written to be read — not to be hidden behind.

Effective date15 January 2026
Last updated15 January 2026
Version1.0
JurisdictionEngland & Wales · UK GDPR

§ 01Who we are.

This Privacy Policy applies to Dilr.ai Ltd (“Dilr”, “we”, “us”), a company registered in England and Wales under company number 16842656, with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

Dilr.ai operates a portfolio of AI products (Dilr Voice, Seek Brilliance, Studio Precision) and provides AI consulting services to enterprises. This policy covers all of them — our public website, our product platforms, our consulting engagements, and any data we process in the course of those activities.

For the purposes of UK and EU data protection law, Dilr.ai Ltd is the data controller of personal data we collect directly (for example, when you book a call with us or use our marketing site). When we process personal data on behalf of a customer — inside one of our products, or as part of a consulting deliverable — we act as a data processor, and the terms of our Data Processing Agreement apply. See the DPA →

§ 02Data we collect.

We only collect data we need. We don't run ad tracking. We don't sell data. Here's the full list.

CategoryWhat it includesSource
Contact dataName, work email, company name, role — when you book a call, sign up to a product trial, or email us.Direct
Account dataFor product users: login identifier, authentication tokens, organisation membership, usage role.Direct
Product usageSession logs, feature interactions, error traces, performance metrics. Pseudonymised where possible.Automatic
Voice & transcript dataFor Dilr Voice customers: call audio, transcripts, and agent decisions processed strictly under customer instruction. We are the processor.Customer
Learning dataFor Seek Brilliance customers: learner progress, assessments, instructional content. Processed under customer instruction.Customer
Consulting materialsInterview notes, documents, and artefacts shared with us during an engagement. Treated under NDA by default.Customer
Technical dataIP address, browser type, device info, approximate location (country-level). Used for security and analytics only.Automatic
CommunicationsAny email, call, or written correspondence between us — retained for the life of the relationship plus legal hold periods.Direct

We do not collect special category data (health, biometrics, political opinions, etc.) unless a consulting engagement specifically requires it — in which case a separate written agreement governs that processing.

§ 03How we use it.

We use personal data to:

  • Deliver the products and services you've asked us to deliver.
  • Run our consulting engagements — interviews, analysis, roadmap delivery.
  • Operate, secure, and improve our platforms — including debugging, performance monitoring, and preventing abuse.
  • Communicate with you about your account, your engagement, or changes to these terms.
  • Comply with legal, regulatory, and contractual obligations.
  • Send occasional updates about our work — only to people who've opted in, and with a one-click unsubscribe in every message.

We do not use personal data to train foundation models. We do not share customer data with model vendors for training purposes. Any model fine-tuning we do on customer data happens only under explicit written instruction, on isolated infrastructure, under the DPA.

§ 04Lawful basis.

Under UK GDPR, we rely on one of the following lawful bases for each processing activity:

  • Contract — to deliver a service or product you've engaged us for.
  • Legitimate interest — to run and secure our business, communicate with customers, and prevent fraud — balanced against your rights and expectations.
  • Consent — for marketing communications and optional analytics cookies. You can withdraw consent at any time.
  • Legal obligation — to comply with tax, accounting, and regulatory requirements.

§ 05Who we share with.

We share personal data only with carefully selected sub-processors who support our operations. A full, current list is available in our DPA. Categories include:

  • Cloud infrastructure — AWS (London, eu-west-2) and Google Cloud (europe-west2) for hosting, storage, and compute.
  • Model providers — OpenAI, Anthropic, and other foundation model APIs, used strictly under processor terms and without training consent.
  • Telephony — Twilio and LiveKit for Dilr Voice call connectivity.
  • Observability — Datadog and Sentry for logging and error tracing.
  • Business operations — Google Workspace (email, docs), Stripe (billing), and a small number of productivity tools.
  • Professional advisors — accountants, lawyers, insurers — under professional confidentiality.

We do not sell personal data. We do not share it with advertisers. We do not pool customer data across tenants.

§ 06International transfers.

Our primary processing is within the UK and EU. Where data must leave the UK/EEA — for example, to a US-based sub-processor — we rely on:

  • UK International Data Transfer Addendum (IDTA) and/or the EU Standard Contractual Clauses (SCCs), 2021 version, with UK Mandatory Clauses.
  • Transfer risk assessments documented per sub-processor.
  • Technical safeguards — encryption in transit and at rest, data minimisation, and access controls — layered on top of contractual protections.

For EU customers: where required, processing can be restricted to EU-located infrastructure. Ask us during scoping.

§ 07Retention.

We keep personal data only as long as we need it for the purpose it was collected:

  • Prospect enquiries — 24 months after last contact, then deleted unless you've asked for removal earlier.
  • Customer records — for the life of the contract, plus 6 years to meet UK accounting and contractual obligations.
  • Product usage logs — 90 days for operational logs, 13 months for aggregated analytics.
  • Voice and transcript data (Dilr Voice) — retention is configured per-tenant; default is 30 days, maximum configurable on request. Customer remains the controller.
  • Backups — encrypted backups rotate on a 35-day cycle.

§ 08Your rights.

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Ask us to delete your data (“right to be forgotten”), subject to our legal obligations to retain certain records.
  • Restrict or object to processing — including opting out of marketing at any time.
  • Receive your data in a portable format.
  • Not be subject to solely automated decisions with legal or similarly significant effects without meaningful human review.
  • Withdraw consent where we rely on it.
  • Complain to the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.

To exercise any of these rights, email privacy@dilr.ai. We aim to respond within 7 business days and always within the statutory 30-day window.

§ 09Security.

We take security seriously — quietly, not performatively. Our core controls:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Single sign-on and MFA enforced for all internal access to customer systems.
  • Role-based access control with least-privilege defaults; access reviews quarterly.
  • Segregated tenancy — customer data is logically isolated; no cross-tenant queries permitted.
  • Centralised audit logging with 13-month retention.
  • Annual penetration testing by an independent CREST-accredited firm.
  • Incident response plan with a 72-hour breach notification commitment for controller incidents.
  • Background-checked staff. No offshore data access. No shared credentials.

We maintain an up-to-date security overview and will share it under NDA on request.

§ 10Cookies.

Our marketing website uses a minimal set of cookies:

  • Strictly necessary — session identifiers, CSRF protection. Cannot be disabled.
  • Analytics — we use privacy-respecting, cookieless analytics (Plausible). No cross-site tracking. No user fingerprinting.
  • Functional — remembering your preferred view mode, if you've set one.

We do not run third-party ad networks, retargeting pixels, or social-network trackers on our site.

§ 11Children.

Our products and services are B2B. We do not knowingly collect personal data from anyone under 18. Seek Brilliance is deployed in educational settings under customer control, and the customer (the institution) is the controller for any learner data. We act as processor under the DPA.

§ 12Changes to this policy.

We update this policy when our practices change or the law changes. Material changes will be announced on this page and, for customers, by email at least 30 days before they take effect. The version number and effective date at the top of this document always reflects the current version.

§ 13How to reach us.

Data protection contact

Email
privacy@dilr.ai
General
contact@dilr.ai
Phone
+44 7586 383920
Post
Data Protection, Dilr.ai Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Company No.
16842656 · England & Wales
Supervisory
Information Commissioner's Office (ICO) — ico.org.uk

This document is provided for transparency and does not constitute legal advice. Customers with specific regulatory questions should consult their own counsel. For consulting engagements in regulated sectors, additional contractual terms apply.