Privacy Policy for Praxail
Last Updated: 03/11/2025
Praxail Ltd. (“Praxail”, “we”, “us”, or “our”) respects your privacy and is committed to protecting personal data. This Privacy Policy explains how we collect, use, share, and safeguard personal information when you visit our websites, contact us, or use our consulting and implementation services that optimise, systemise, and automate business processes using technologies such as LLMs, automation platforms, cloud services, DevOps, and web development (together, the “Services”).
If you have questions, please contact us via our contact page or the details in Section 17.
1. Who We Are and Scope
Praxail Ltd. is registered in the United Kingdom and provides AI automation, consultancy, and implementation Services to clients globally. This policy applies to:
- Visitors to our websites and online properties;
- Prospective, current, and former clients and their representatives;
- Individuals who communicate with us (e.g., enquiries, support, events, webinars);
- Individuals whose data our clients ask us to process on their behalf in connection with a project.
Unless we say otherwise, Praxail acts as a data controller for personal data where we determine the purposes and means of processing (e.g., our websites, marketing, CRM). When we process personal data on a client’s documented instructions (e.g., within an automation project), we act as a data processor and the client is the controller. Role-specific terms are further described in Section 8.
2. Applicable Laws
For UK residents, we process personal data in accordance with the UK GDPR and the Data Protection Act 2018. Where we target or serve individuals in the EEA, we also comply with the EU GDPR. Local laws may also apply in other jurisdictions.
3. Information We Collect
3.1 Information you provide directly
- Business contact details (name, work email, phone, employer, job title/role).
- Account/Project information (if relevant): project requirements, documentation, integrations, test data, credentials you expressly provide for set-up (typically via secure channels), statements of work, support requests.
- Marketing preferences and communications (newsletter opt-ins, event registrations, surveys).
- Billing and transactional data (invoices, payment confirmations, VAT/tax metadata). We do not store full card numbers on our systems.
3.2 Information collected automatically
- Usage/technical data about your visit: IP address, device identifiers, browser/OS, pages viewed, timestamps, referring/exit pages, and interaction logs.
- Cookies and similar technologies for essential functionality, analytics, and (if applicable) advertising — see Section 12.
3.3 Information from third parties
- Service providers (e.g., analytics, CRM, communications).
- Public sources (e.g., company registers, professional profiles) and event partners.
- Client-provided data (e.g., end-customer contact lists, workflow logs) when we perform Services as a processor (see Section 8).
3.4 Special category data and children
We do not intentionally collect special categories of personal data (e.g., health, biometric, religious) or data about children. If a project requires this (rare), we will only process it on documented client instructions and with appropriate safeguards.
4. Purposes and Legal Bases (UK/EU)
We process personal data only where we have a lawful basis:
- Provide and improve the Services (scoping, design, deployment, maintenance, support, training; usage analytics and troubleshooting) — Contract; Legitimate Interests.
- Client and vendor management (onboarding, compliance, invoicing, record-keeping) — Contract; Legal Obligation; Legitimate Interests.
- Security and abuse prevention (access controls, monitoring, incident response) — Legitimate Interests; Legal Obligation.
- Communications (responding to enquiries; operational and administrative messages) — Contract; Legitimate Interests.
- Marketing (newsletters, thought leadership, event invitations) — Consent where required; Legitimate Interests otherwise.
- Compliance (audit, tax, regulatory, and dispute handling) — Legal Obligation; Legitimate Interests.
Where consent is our legal basis (e.g., some marketing cookies or non-essential email), you may withdraw it at any time — see Section 14.
5. How We Use AI/LLMs and Automation
We design and implement automation solutions that may leverage LLMs and other AI components. Our practices include:
- No model training on your data. We do not use your data to train, fine-tune, or evaluate any AI model — on our behalf or otherwise. Any data processed on your behalf is used solely to deliver your automation.
- Input and output handling. Prompts, context data, and generated outputs may be processed by third-party model providers to return results. We minimise and pseudonymise where feasible and instruct providers not to use client data to train their models.
- Data minimisation. We only access the fields and systems strictly necessary to build and run your automation. Temporary data (e.g. workflow inputs/outputs during testing) is deleted once the engagement phase is complete, unless explicitly retained for monitoring under your instruction.
- Logging. For reliability and support, we may retain limited, access-controlled logs of prompts and outputs within the project environment. Where possible, logs are truncated or masked to avoid unnecessary personal data.
- Evaluation and testing. We use synthetic or anonymised data for testing by default. If client data is required for acceptance testing, this occurs strictly under the contract and client instructions.
- Human oversight. We do not conduct solely automated decision-making that produces legal or similarly significant effects about individuals in our own capacity as controller.
For processor projects, see the role-based terms in Section 8.
6. Security
We implement administrative, technical, and physical safeguards proportionate to risk, including:
- Encryption in transit: TLS 1.2 or higher on all connections.
- Encryption at rest: AES-256 where applicable.
- Infrastructure: Hosted on cloud providers with ISO 27001 certification (including Cloudflare and AWS-backed services).
- Secrets management: Credentials and keys are stored in environment variables or dedicated secrets managers — never in source code or version control.
- Access controls: Access to client environments is granted on a least-privilege basis, scoped to what is strictly necessary for your project. Credentials are rotated at the end of each engagement unless an ongoing retainer requires continued access.
- Environment separation: Development, test, and production environments are kept separate with appropriate access controls.
- Incident response: In the event of a confirmed data breach affecting your data, we will notify affected controllers within 72 hours of becoming aware, in line with UK GDPR requirements. We maintain an internal incident log and conduct a root-cause review following any security event.
- Compliance roadmap: We are building towards SOC 2 Type II certification and are reviewing Cyber Essentials. If your organisation requires specific certifications before onboarding, please contact us — we can often address requirements contractually in the interim.
No system is perfectly secure. We maintain vendor due diligence and secure SDLC practices and will notify affected parties and regulators where required by law.
7. Data Retention
We keep personal data only as long as necessary for the purposes set out here or as required by law. Typical periods include:
| Data Category | Example | Retention |
|---|---|---|
| Website analytics | Pseudonymised interaction data | 12–26 months (tool-default or shorter) |
| Enquiries & sales conversations | Emails, forms, notes | 24 months from last interaction |
| Client/project records | SOWs, configs, tickets | Contract term + up to 6 years (UK limitation & tax) |
| Access logs & security records | Auth logs, audit trails | 12–24 months unless needed longer for security |
| Marketing lists | Name, email, preferences | Until you opt out or become inactive (periodic suppression) |
| Processor project data | Client-provided datasets | As instructed by the client; typically deleted within 30–90 days after project closure unless law requires longer |
We may anonymise data for statistics, in which case we may retain it indefinitely.
8. Our Role as Controller vs. Processor
- Controller (our websites, CRM, marketing, vendor management). We determine purposes and means, and this policy applies in full.
- Processor (client projects). We process personal data only on the client’s documented instructions, under a Data Processing Addendum (DPA) that includes confidentiality, security, sub-processor and international transfer terms, assistance with data subject requests, and deletion/return at end of engagement. Our DPA is available upon request.
9. Sharing Your Information
We do not sell personal data. We may share personal data with:
- Service providers/sub-processors (hosting, communications, analytics, logging/monitoring, ticketing, model/AI providers, source-control/CI, document management) under written agreements requiring appropriate safeguards and use only on our instructions.
- Professional advisers (lawyers, accountants, insurers) under duties of confidentiality.
- Corporate transactions (merger, acquisition, reorganisation) subject to continuity of protections.
- Legal/regulatory authorities where required to comply with law or to protect rights, safety, and security.
We maintain a current list or description of key sub-processor categories and will provide details on request. We will give advance notice of material changes where required by our DPA.
10. International Transfers
We operate internationally and may transfer personal data outside the UK/EEA (e.g., to cloud or model providers). Where we do so, we rely on adequacy regulations, the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs, and EU Standard Contractual Clauses (as relevant), plus risk-based and technical measures (e.g., encryption, access restrictions). You can contact us for more information about these safeguards.
11. Your Responsibilities (Client Projects)
If you provide Praxail with personal data relating to third parties (e.g., your customers or staff) in a project, you are responsible for ensuring you have a lawful basis and appropriate transparency notices in place, and for supplying accurate, relevant, and proportionate data.
12. Cookies and Similar Technologies
We use essential cookies for site functionality and may use analytics and (where applicable) advertising or social media cookies. Where required, we will present a cookie consent banner and honour your choices. You can also manage cookies in your browser. For details of the cookies we use, see our Cookie Policy (to be published at /cookie-policy).
13. Do-Not-Track
Our Services do not currently respond to browser “Do-Not-Track” signals. You can manage tracking through cookie choices and browser settings.
14. Your Rights (UK/EU)
Subject to conditions and exemptions, you have the following rights over your personal data:
- Access to a copy of your data and information about our processing.
- Rectification of inaccurate or incomplete data.
- Erasure (right to be forgotten) in certain circumstances.
- Restriction of processing in certain circumstances.
- Objection to processing based on legitimate interests and to direct marketing at any time.
- Data portability for data you provided to us, where processing is based on consent or contract and carried out by automated means.
- Withdraw consent where processing relies on consent (e.g., certain marketing or cookies).
We may need to verify your identity before fulfilling a request. We aim to respond within one month (extendable where complex). To exercise your rights, use the contact details in Section 17.
Individuals outside the UK/EEA may have similar rights under local law.
15. Marketing
You can opt out of marketing emails at any time via the unsubscribe link in the message or by contacting us. Operational or service messages related to a contract are not marketing.
16. Third-Party Sites and Integrations
Our website and project environments may link to third-party sites or integrate with third-party tools. Their privacy practices are governed by their own policies, which we encourage you to review.
17. Contact, Complaints, and Data Protection Authority
Contact Praxail:
- Web form: Contact Form
- Email: contact@praxail.com
- Postal: Praxail Ltd, 124 City Road, London, EC1V 2NX, United Kingdom
UK Supervisory Authority:
You have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk. We would appreciate the opportunity to address your concerns first.
If required by law, we will appoint an EU representative and update this notice with their details.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect legal, technical, or business developments. The updated version will be indicated by a revised “Last Updated” date and will be effective when posted. Where changes are material, we will provide additional notice as appropriate.