Introduction
This Privacy Policy describes how AdvisoryAI ("AdvisoryAI", "we", "us" or "our") collects, uses, stores, and protects personal data in connection with our AI platform for UK financial advisory firms. It applies to: visitors to our website at advisoryai.io; contacts at advisory firms considering or using AdvisoryAI; and individuals who request demos, trials, or other services from us.
AdvisoryAI processes two distinct categories of personal data: (1) data about our business contacts and website visitors, where we act as a Data Controller; and (2) financial and client data uploaded to the Platform by our advisory firm customers, where we act as a Data Processor on behalf of those firms.
This Policy primarily addresses our obligations as Data Controller. For information about how we process client data on behalf of advisory firms (as Data Processor), please refer to our Data Processing Agreement (DPA), available upon request from team@advisoryai.com.
We are committed to full compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and relevant FCA data handling guidance.
Who We Are (Data Controller)
The Data Controller for personal data collected through our website and sales activities is:
- Company Name: AdvisoryAI
- Country: United Kingdom
- Email: team@advisoryai.com
- ICO Registration: Registered with the Information Commissioner's Office
For enquiries relating to personal data processed on behalf of an advisory firm customer (as Data Processor), please contact the relevant advisory firm directly, as they are the Data Controller for such data.
Personal Data We Collect
Information you provide directly:
- Contact information: name, email address, phone number, job title, firm name, FCA reference number (where provided).
- Account registration details: username, password (hashed), notification preferences.
- Billing information: name, billing address, VAT number (payment card data is never stored by us — processed directly by our payment provider).
- Communications: support requests, feedback, correspondence, demo and trial enquiries.
- Firm-specific information: suitability report templates, compliance framework documents, integration credentials (stored in encrypted form).
Information collected automatically:
- Usage data: Platform features used, pages visited, session duration, click paths, and error logs.
- Technical data: IP address, browser type and version, operating system, device type, and time zone.
- Cookie data: as described in Section 10.
Data processed as Data Processor (on behalf of advisory firm customers):
- Client meeting audio recordings and transcripts (processed temporarily to generate meeting notes, then deleted unless the firm elects to retain them).
- Client financial data extracted from CRM integrations (e.g. Intelliflo, XPlan).
- Suitability report drafts and compliance check results.
This data is processed solely on behalf of, and under the instructions of, the advisory firm customer. We do not use this data for our own purposes or to train our AI models for other customers.
How We Use Your Data & Legal Basis
- To provide and manage the Platform (Legal basis: Performance of a Contract) — account management, processing payments, API connections, and delivering support.
- To send service and account communications (Legal basis: Performance of a Contract) — billing notifications, security alerts, service updates, and maintenance notices.
- To improve the Platform (Legal basis: Legitimate Interests) — analysing aggregated, anonymised usage patterns to improve features and performance. We never use identifiable client data for this purpose.
- To respond to demo and trial requests (Legal basis: Pre-contractual steps / Legitimate Interests) — evaluating prospective firm customers and demonstrating the Platform.
- To send marketing communications (Legal basis: Consent, or Legitimate Interests under PECR soft opt-in for existing customers) — product news, case studies, FCA regulatory updates, and event invitations. You can opt out at any time.
- To comply with legal obligations (Legal basis: Legal Obligation) — maintaining financial records, responding to lawful authority requests, and complying with FCA-related obligations.
- To prevent fraud and maintain security (Legal basis: Legitimate Interests / Legal Obligation) — detecting suspicious activity, enforcing our Terms of Service, and protecting our systems and customers.
Financial & Client Data — Special Provisions
AdvisoryAI recognises that the financial data processed through the Platform on behalf of advisory firms is of an exceptionally sensitive nature, including client financial circumstances, investment objectives, risk assessments, and personal financial details. We apply the highest standards of confidentiality and security to this data.
Our specific commitments for financial and client data processed as Data Processor are:
- No AI training on your data: We will never use your firm's client data, meeting recordings, report drafts, or AI Outputs to train, fine-tune, or evaluate our AI models for use by other firms.
- Minimal retention of recordings: Client meeting audio recordings are automatically deleted after transcription and note generation, typically within 24 hours, unless your firm specifically opts to retain them.
- UK-based storage: All financial and client data is stored exclusively on ISO 27001-certified servers located in the United Kingdom.
- Strict access controls: Access to customer data by AdvisoryAI staff is restricted to a minimum number of authorised personnel, solely for support and security purposes, and is logged and audited.
- Data Processing Agreement: A full UK GDPR-compliant DPA is available to all advisory firm customers. Please contact team@advisoryai.com to request a copy.
- FCA data handling: We design our data processing practices to be compatible with FCA data handling requirements and guidance, including FCA Consumer Duty data considerations.
Sharing Your Personal Data
We do not sell, rent, or share your personal data with third parties for their marketing purposes. We may share data with the following categories of recipients only where strictly necessary:
- Technology sub-processors: Cloud infrastructure providers, payment processors, email delivery services, and security monitoring tools. All sub-processors are bound by UK GDPR-compliant data processing agreements.
- Integration partners: Where you have connected the Platform to a third-party service (such as Intelliflo or Zoom), data is shared solely to enable the functionality you have requested.
- Professional advisers: Solicitors, accountants, and auditors who provide professional services to AdvisoryAI, subject to professional confidentiality obligations.
- Regulatory authorities: Where required by law, court order, or the FCA or ICO. We will notify you prior to any such disclosure unless prohibited by law.
- Business transferees: In connection with any merger, acquisition, or business sale. Data rights will be preserved in any such transaction.
We maintain a current register of all sub-processors. Advisory firm customers may request a copy of this register at any time by contacting team@advisoryai.com.
International Data Transfers
AdvisoryAI is based in the United Kingdom. All financial and client data processed through the Platform is stored exclusively on UK-based servers and is not transferred internationally.
Some of our technology sub-processors (for example, certain email and analytics tools) may process data outside the UK. In all such cases, we ensure appropriate safeguards are in place, including:
- UK adequacy decisions recognising the destination country's data protection standards.
- UK International Data Transfer Agreements (IDTAs) or the UK Addendum to Standard Contractual Clauses.
- Certification under recognised frameworks such as the UK Extension to the EU-US Data Privacy Framework.
Critically, we do not transfer client meeting recordings, financial data, or suitability report content to any jurisdiction outside the UK at any point in our processing pipeline.
Data Retention
We retain personal data only for as long as necessary. Our key retention periods are:
- Meeting recordings: Automatically deleted within 24 hours of transcription, unless the customer firm has elected to retain them.
- Transcripts and meeting notes: Retained within the Platform for the duration of the customer's subscription, then deleted within 30 days of account termination.
- Suitability report drafts and compliance check results: Retained within the Platform for the subscription period, then deleted within 30 days of termination.
- Customer account data: Retained for the duration of the subscription and for 7 years thereafter for legal and accounting compliance.
- Prospective customer data: Retained for up to 3 years from last engagement, or until deletion is requested.
- Financial records: Retained for 7 years in accordance with HMRC requirements.
When retention periods expire, all personal data is securely and permanently deleted using industry-standard methods. We can provide certificates of deletion for financial and client data on request.
Your Rights Under UK GDPR
Under the UK GDPR and Data Protection Act 2018, you have the following rights:
To exercise any of these rights, contact team@advisoryai.com. We will respond within one calendar month. Identity verification may be required before processing your request.
Note for client data rights: If you are the client of an advisory firm using AdvisoryAI and wish to exercise your data rights in relation to data held within the Platform, you should contact your advisory firm directly (as the Data Controller). AdvisoryAI will assist the firm in responding to your request.
Cookies & Tracking Technologies
Our website uses cookies and similar technologies. We use the following categories:
- Strictly Necessary: Essential for website and Platform functionality. Cannot be disabled.
- Functional: Remember your preferences (language, session state, notification settings) to improve your experience.
- Analytics: Anonymised data about website usage patterns to help us improve content and navigation. We use privacy-respecting analytics tools with IP anonymisation.
- Marketing: Track the effectiveness of our marketing campaigns. Set only with your explicit consent via our cookie banner.
A cookie consent banner is presented to all first-time visitors to our website. You can manage or withdraw your cookie consent at any time through our Cookie Settings panel (accessible from the website footer) or via your browser settings.
Note: we do not use cookies or tracking technologies within the Platform itself in relation to your advisory firm's client data.
Security Measures
Given the sensitivity of the financial data processed through the Platform, we apply rigorous security measures:
- All data in transit encrypted with TLS 1.2+ (HTTPS enforced across all endpoints).
- All data at rest encrypted with AES-256 encryption on ISO 27001-certified UK infrastructure.
- Role-based access controls with the principle of least privilege applied throughout.
- Multi-factor authentication (MFA) enforced for all AdvisoryAI staff accessing production systems.
- MFA available and strongly recommended for all customer accounts.
- Regular penetration testing by independent third-party security specialists.
- Automated anomaly detection and 24/7 security monitoring.
- Formal incident response plan with defined escalation procedures.
- Regular staff security awareness training, including data handling for financial data.
- Vendor security assessments conducted for all sub-processors with access to personal data.
In the event of a personal data breach, we will notify the ICO within 72 hours and, where required, notify affected advisory firms within 48 hours to allow them to meet their own reporting obligations. We will provide full details of the breach, the data affected, and the steps we have taken to mitigate harm.
Children's Privacy
The AdvisoryAI Platform is a professional B2B service designed exclusively for use by FCA-authorised financial advisory firms and their adult professional staff. We do not knowingly process personal data relating to individuals under the age of 18 as website visitors or Platform users.
If you believe that a minor's data has been inadvertently submitted to our systems, please contact us immediately at team@advisoryai.com and we will take prompt action to delete such data.
Note: Advisory firms may process data relating to minor clients (for example, Junior ISA holders) through the Platform. In such cases, the advisory firm is responsible as Data Controller for ensuring appropriate legal bases and safeguards are in place for processing such data.
Marketing Communications
We may send marketing communications including product updates, industry insights, FCA regulatory briefings, case studies, and event invitations. We do so only where:
- You have provided explicit consent; or
- You are an existing customer and we are contacting you about similar products or services (PECR soft opt-in), from which you may opt out at any time.
You can unsubscribe at any time by clicking "Unsubscribe" in any email, updating your preferences in your account settings, or contacting team@advisoryai.com. Unsubscribing from marketing will not affect transactional service emails.
We will never share your contact details with third-party marketers.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in law, FCA guidance, our data processing practices, or our business. The "Last Updated" date at the top of this page will reflect any changes.
Where changes are material — particularly changes affecting how we process client financial data — we will notify affected customers by email at least 30 days in advance, and will update our Data Processing Agreement accordingly.
We recommend reviewing this Policy periodically. Your continued use of the Platform following notification of changes constitutes acceptance of the updated Policy.
Contact Us & Supervisory Authority
For all privacy-related enquiries, requests to exercise your rights, or Data Processing Agreement requests:
- Email: team@advisoryai.com — please mark your email "Data Privacy Request"
- Response time: We confirm receipt within 5 business days and respond fully within 30 days.
Advisory firms wishing to raise data protection matters in relation to the Platform's processing of their client data are encouraged to contact us via the above email for prompt resolution.
Right to Lodge a Complaint — ICO: If you are not satisfied with our response to a privacy concern, or believe we are processing your data contrary to UK GDPR, you have the right to complain to the Information Commissioner's Office (ICO):
- Information Commissioner's Office
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
FCA Data Standards: Advisory firms who have concerns about how our data processing aligns with FCA data handling requirements should contact us at team@advisoryai.com. We are committed to maintaining practices consistent with FCA guidance and will engage transparently with any such enquiry.
We would always appreciate the opportunity to resolve concerns directly before any formal regulatory referral.