Privacy Policy

Last updated: 23 September 2025

1. Introduction

Struan.ai Ltd ("Struan.ai", "we", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share personal data when you use our website and services, including the Struan Surge managed AI service.

We are the data controller for website and marketing data. When we process personal data on behalf of our business customers as part of delivering the Service, we act as a data processor. We comply with UK GDPR, the Data Protection Act 2018, and PECR. If you are in the EU, we also consider EU GDPR where relevant.

Who we are

  • Company: Struan.ai Ltd (Company No. SC858161)
  • Address: 15 Blairbeth Drive, Glasgow, G44 4RU, United Kingdom
  • Contact: [email protected]

2. What we collect

Information you give us

  • Contact details: name, work email, phone, job title, company.
  • Enquiry and onboarding data: information you supply in forms, emails, or calls.
  • Calculator and assessment data: When you use our cost savings calculator or other assessment tools, we collect job descriptions, role specifications, salary information, company details, and any other business information you provide. We also retain the analysis outputs and recommendations generated by these tools.
  • Customer Data for service delivery: documents, messages, records and configuration we process on your instruction.

Information we collect automatically

  • Usage and device data: IP address, browser, device, pages viewed, timestamps.
  • Tool interaction data: How you interact with our calculators and assessment tools, including time spent, fields completed, and results viewed.
  • AI interaction logs: Queries and responses from Surge employees for quality assurance and improvement.
  • Cookies and similar tech: consent-based analytics and functional cookies. See Cookies section.

Information from third parties

  • Business contact details from referrals, partners, public sources, and events.

We do not seek special category data. Please do not send it unless strictly necessary and agreed. When submitting job descriptions or business information to our tools, please avoid including unnecessary personal data about individuals.

3. How we use data and lawful bases

PurposeDataLawful basisRetention
Provide and operate the ServiceContact, account, configuration, Customer DataContract necessity; legitimate interests for B2B interactionsContract term, then delete/return per DPA
AI knowledge processingDocuments, embeddings, vector databasesContract necessity for service deliveryContract term + 30 days for deletion
Provide calculator and assessment resultsJob descriptions, role details, company information, calculator inputs and outputsLegitimate interests in providing requested analysis and demonstrating service value24 months from submission
Sales intelligence and prospect understandingCalculator inputs, outputs, business needs analysisLegitimate interests in understanding prospect needs to provide relevant solutions and improve services24 months from last interaction
Service improvement and developmentAggregated and anonymised calculator usage patternsLegitimate interests in improving our tools and servicesIndefinitely when anonymised
Support and operationsContact, usage, logsLegitimate interestsUp to 6 years for support records
Analytics and site improvementUsage, cookiesConsent for non-essential cookies; legitimate interests for securityAnalytics up to 26 months; logs a few months
Sales and marketingBusiness contact data, calculator submissionsConsent or legitimate interests; soft opt-in for existing customers under PECR24 months from last interaction, or until you opt out
Legal compliance and fraud preventionAny relevantLegal obligation; legitimate interestsAs required by law (e.g. invoices 6 years)

We will not use personal data for new incompatible purposes without notice and, where needed, consent.

Additional detail on calculator data use

When you use our calculators or assessment tools, we process this information to:

  • Generate immediate analysis and recommendations
  • Understand your business needs and automation potential
  • Provide relevant follow-up information and proposals
  • Improve our understanding of market requirements
  • Develop better automation solutions
  • Create aggregated insights about automation opportunities across industries

4. AI and machine learning processing

To power our Surge AI employees with client-specific knowledge, we use advanced AI systems including Google Vertex AI. This involves:

How we process your data with AI

  • Creating searchable indexes of your documentation through embedding generation
  • Storing embeddings in vector databases for rapid knowledge retrieval
  • Processing natural language queries to access relevant information
  • Generating responses based on your specific knowledge base

Data isolation and security

  • Each client's data is completely isolated in separate knowledge bases
  • No client data is used to train general AI models
  • Surge employees only access the specific client knowledge they are assigned to
  • All AI processing maintains strict data segregation

Your rights regarding AI processing

Under UK GDPR Article 22, you have the right to object to automated decision-making. While our Surge employees use AI to assist with tasks, important decisions always include human oversight. You can request human review of any automated processing by contacting us.

5. Cookies and similar technologies

We use cookies to make the site work and to measure performance.

Categories

  • Strictly necessary – security, consent storage, basic site functions.
  • Functional – preferences, calculator session data.
  • Analytics – Google Analytics via Cloudflare Zaraz, only with consent.
  • Marketing – currently not used on our site. If we add them, we will ask for consent first.

Consent and control

  • We obtain consent for non-essential cookies via a banner.
  • You can change choices at any time via our cookie settings link or your browser.
  • Blocking some cookies may affect functionality.

Example cookies

(illustrative – see banner for current list)

NamePurposeTypeExpiry
_cf_bmBot management and anti-abuseStrictly necessary30 minutes
_gaSite analytics (GA4 via Zaraz)Analytics2 years
_ga_*Session analyticsAnalytics30 minutes
consent_storeRemembers cookie choicesFunctional1 year
calculator_sessionMaintains calculator stateFunctionalSession
CalendlySessionBooking convenienceFunctional21 days

6. Sharing and processors

We share personal data with trusted service providers who help us run the website and Service. Typical categories include hosting/CDN, analytics, CRM, email, scheduling, automation, and AI platform providers. We ensure contracts and safeguards are in place and that they only process data for our stated purposes.

Calculator and assessment data may be shared with:

  • Our CRM system for lead management
  • Analytics platforms for aggregated insights
  • AI providers for processing and analysis
  • Our sales and customer success teams

Key sub-processors

  • Google Cloud Platform (Vertex AI) – AI knowledge processing and RAG systems. Data processed in European data centres (Netherlands or Germany)
  • Cloudflare – CDN, security, and performance services
  • Other providers – A complete list of sub-processors is available on request

We will notify customers of material changes to sub-processors as required by our Data Processing Agreement.

We do not sell personal data. We may share data to comply with law, to protect rights and safety, or as part of a business transfer.

7. International transfers

Your data is primarily stored and processed within the UK and European Economic Area (EEA).

AI knowledge processing locations

For our Surge AI employees, knowledge processing using Google Vertex AI occurs in:

  • Primary processing: European data centres (Netherlands - europe-west4, or Germany - europe-west3)
  • Alternative option: US data centres (available upon request with appropriate safeguards)

Enterprise clients can request specific regional processing where technically feasible.

Safeguards for international transfers

Where we transfer personal data outside the UK or EEA, we use appropriate safeguards including:

  • UK International Data Transfer Agreement (IDTA)
  • UK Addendum to EU Standard Contractual Clauses (SCCs)
  • Transfer risk assessments
  • Additional technical and organisational measures

Contact us if you want details of specific safeguards for your data transfers.

8. Retention

General retention periods

  • Calculator and assessment tool submissions: up to 24 months from submission.
  • Enquiries and leads: up to 24 months from last interaction.
  • Marketing contacts: until you opt out or 24 months of inactivity.
  • Contracts, invoices, and tax records: 6 years.
  • Website analytics: up to 26 months.
  • Service data: for the contract term, then delete or return per the DPA, with limited backup retention before secure removal.

AI-generated data retention

  • Document embeddings and vector databases: Retained for the contract duration
  • AI knowledge bases: Deleted within 30 days after contract termination
  • AI interaction logs: 90 days for quality assurance and improvement
  • Aggregated AI performance metrics: Retained indefinitely when fully anonymised

We delete or anonymise data when no longer needed. You may request deletion of your calculator submissions or AI-processed data at any time by contacting us.

9. Your rights

You have rights under UK GDPR, including:

  • Access: Request a copy of your personal data and information about how we process it
  • Rectification: Correct inaccurate or incomplete personal data
  • Erasure: Request deletion of your data (including calculator submissions and AI-generated embeddings)
  • Restriction: Limit how we process your data in certain circumstances
  • Objection: Object to processing, including direct marketing and use of calculator data for sales purposes
  • Data portability: Receive your data in a structured, machine-readable format where applicable
  • Withdraw consent: Withdraw consent at any time where we rely on it

Rights regarding automated processing

Under Article 22 of UK GDPR, you have the right not to be subject to decisions based solely on automated processing. While our Surge AI employees use automated systems:

  • Important decisions always include human oversight
  • You can request human review of any automated processing
  • You can opt out of certain automated processing where feasible

To exercise rights, email [email protected]. We may need to verify identity. We aim to respond within one month. You can complain to the UK ICO if unhappy, but please contact us first.

10. Children

Our Services are for business users. They are not directed at under-18s. We do not knowingly collect children's data. If we learn we have such data, we will delete it.

11. Security

We apply administrative, technical, and organisational measures to protect your data:

  • Encryption in transit and at rest for all data
  • Access controls with role-based permissions
  • Security monitoring and intrusion detection
  • Regular security training for all staff
  • Isolated AI knowledge bases per client
  • Regular security audits and penetration testing

Calculator submissions and AI-processed data are encrypted and access is restricted to authorised personnel. No system is perfect, but we work to prevent, detect, and respond to incidents. We will notify customers without undue delay where a notifiable personal data breach occurs.

12. Marketing

We send B2B marketing based on consent or legitimate interests, and use PECR soft opt-in for existing customers. Every message includes an easy opt-out. We do not share your details with third-party advertisers. If you submit information to our calculators, we may follow up with relevant information about our services unless you opt out.

13. Changes to this notice

We will update this policy as needed and change the date above. For material changes we will provide additional notice through email or prominent website notice.

14. Contact

Questions or requests: [email protected]
Postal address: Struan.ai Ltd, 15 Blairbeth Drive, Glasgow, G44 4RU, United Kingdom