Privacy Policy — Cardinal AI Systems

1. Who We Are

Cardinal AI Systems Ltd ("we," "us," "our") is a company incorporated in England and Wales. We are the data controller for personal data collected through this website (cardinalaisystems.com) and in the course of our business activities.

Entity	Detail
Company Name	Cardinal AI Systems Ltd
Registered Jurisdiction	England & Wales
Website	cardinalaisystems.com
Data Controller Email	privacy@cardinalaisystems.com
Principal Contact	ronke@cardinalaihq.com

2. Data We Collect

2.1 Information You Provide Directly

When you complete an enquiry form, request an evaluation, or contact us directly, we may collect:

Full name and job title
Business email address and telephone number
Organisation name and sector
Details of the challenge or project you describe
Portfolio size or other professional context you voluntarily provide

2.2 Information Collected Automatically

When you visit our website, we or our third-party service providers may automatically collect:

IP address and approximate geographic location
Browser type, version, and device information
Pages visited, time on page, and referral source
Cookie identifiers (see Section 10)

2.3 Information from Third Parties

We may receive limited professional information about you from publicly available sources such as LinkedIn or company registries, where this is relevant to evaluating a potential engagement.

3. How We Use Your Data

Purpose	Data Used	Basis
Responding to your enquiry or evaluation request	Name, email, organisation, challenge description	Contract / Legitimate Interest
Assessing strategic fit for engagement	Organisation, sector, portfolio context	Legitimate Interest
Communicating about our services	Name, email, professional context	Legitimate Interest / Consent
Improving our website and services	Usage data, anonymised analytics	Legitimate Interest
Complying with legal obligations	Any data required by applicable law	Legal Obligation
NDA management and confidentiality	Name, contact details, engagement data	Contract

We do not use your personal data for automated decision-making or profiling in ways that produce legal or similarly significant effects.

4. Legal Basis for Processing

Under the UK GDPR, we rely on the following legal bases:

Contract (Article 6(1)(b)): Where processing is necessary to take steps at your request prior to entering into a contract, or to perform a contract with you.
Legitimate Interests (Article 6(1)(f)): Where we have a genuine business interest that is not overridden by your rights — for example, responding to professional enquiries, improving our services, or maintaining business records.
Legal Obligation (Article 6(1)(c)): Where processing is required to comply with a legal obligation to which we are subject.
Consent (Article 6(1)(a)): Where you have given clear, specific consent — for example, to receive marketing communications. You may withdraw consent at any time.

5. Data Sharing

We do not sell, rent, or trade your personal data. We may share your data only in the following circumstances:

Meridian AI Systems: Our affiliated African operations entity, where an enquiry has cross-jurisdictional relevance and you have been informed.
Service providers: Technology platforms (email, CRM, hosting) acting as data processors under strict contractual obligations.
Legal or regulatory requirements: Where we are required to disclose information by law, court order, or regulatory authority.
Business transfers: In the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred to the successor entity.

Our client engagements operate under confidentiality agreements. Information shared in the context of an NDA-governed engagement is handled under the terms of that agreement, which take precedence over this general privacy policy to the extent they are more protective of your information.

6. Retention Periods

Data Category	Retention Period	Reason
Enquiry and evaluation submissions	3 years from last contact	Legitimate interest in potential re-engagement
Active client engagement data	Duration of engagement + 7 years	Legal and contractual obligations
NDA-governed engagement data	As specified in the NDA	Contractual obligation
Website analytics (anonymised)	26 months	Standard analytics retention
Legal and financial records	7 years	Companies Act / HMRC requirements
Marketing consent records	Until consent is withdrawn + 1 year	Demonstrating compliance

We review data held on our systems annually and securely delete data that exceeds its retention period.

7. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

Right of Access: To request a copy of the personal data we hold about you.
Right to Rectification: To request correction of inaccurate or incomplete data.
Right to Erasure: To request deletion of your data where there is no compelling reason for continued processing.
Right to Restrict Processing: To request that we limit how we use your data in certain circumstances.
Right to Data Portability: To receive your data in a structured, machine-readable format where technically feasible.
Right to Object: To object to processing based on legitimate interests or direct marketing.
Rights related to automated decision-making: To not be subject to solely automated decisions that have significant effects on you.

To exercise any of these rights, contact us at privacy@cardinalaisystems.com. We will respond within one month of receiving a valid request. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. International Data Transfers

Cardinal AI Systems operates globally. Where we transfer personal data outside the UK or European Economic Area, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the ICO or European Commission
Adequacy decisions where the destination country provides equivalent protection
Binding Corporate Rules where applicable within our group structure

Transfers to our Meridian AI Systems operations in Nigeria are governed by appropriate contractual safeguards in accordance with the UK GDPR international transfer framework.

9. Security

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:

Encryption of data in transit (TLS/HTTPS) and at rest
Access controls limiting data access to authorised personnel only
Regular security reviews of our systems and third-party providers
Confidentiality obligations binding all personnel who handle personal data

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.

10. Cookies

Our website uses cookies and similar technologies. Please refer to our Cookie Policy for full details of the cookies we use, their purpose, and how to manage your preferences.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The "Last Updated" date at the top of this page will always reflect the most recent revision.

For material changes, we will take reasonable steps to notify affected individuals where we hold contact information. Continued use of our website or services after changes are posted constitutes acceptance of the updated policy.

12. Contact & Data Protection Enquiries

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Channel	Contact
Privacy Enquiries	privacy@cardinalaisystems.com
Principal	ronke@cardinalaihq.com
Telephone	+44 7884 578 512
Regulator (UK)	Information Commissioner's Office · ico.org.uk