This Privacy Policy explains how ConfigurAI collects, uses, stores and protects your personal information when you visit configurai.com, courses.configurai.com, subscribe to the newsletter, enrol in a cohort, book an AI Audit, request corporate training, or otherwise interact with ConfigurAI.
ConfigurAI is committed to protecting your privacy and handling your personal data transparently and lawfully under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025, and the Privacy and Electronic Communications Regulations 2003 (PECR).
1. Who we are
Data Controller: Orgesa Meli, trading as ConfigurAI
Location: Twickenham, London, United Kingdom
Email: support@configurai.com
ICO Registration: registration in progress; number to be added once issued.
If you have any questions about this policy, want to exercise your data rights, or wish to raise a concern about how your personal data is handled, contact support@configurai.com.
2. What this policy covers
This policy applies to personal data collected through:
- The ConfigurAI website (configurai.com) and course portal (courses.configurai.com)
- Newsletter subscriptions
- Cohort enrolment, AI Audit bookings, and corporate training enquiries
- Communications by email, video call, or written correspondence
- Forms, surveys, and feedback you submit
- Cookies and analytics on the website
It does not cover websites operated by third parties, even where linked from ConfigurAI's site. Their privacy practices are governed by their own policies.
3. The personal data we collect
ConfigurAI collects the following categories of personal data:
Identity and contact information: name, email address, business name, job title, country of residence.
Transaction information: billing address, payment confirmation details (the full card number is never seen or stored by ConfigurAI), invoice records.
Service information: responses to pre-cohort audit questions, AI Audit interview transcripts, cohort participation records, feedback submitted, content of any communications with ConfigurAI.
Corporate enquiry data: if you submit the enquiry form on the Corporate page, ConfigurAI collects your name, work email, organisation, role, team size, preferred call time, and message. This data is sent to a Google Apps Script endpoint and stored in a Google Sheet in Orgesa's Google Drive. It is used solely to respond to your enquiry, usually within one business day.
Booking data: after you purchase an AI Audit through Stripe, you are redirected to Calendly to choose an interview slot. Calendly processes your name, email, and the slot you book.
Email correspondence: messages you send to support@configurai.com, including any details you choose to include in those messages. Email is hosted by Google Workspace.
Marketing preferences: consent to receive the newsletter or other communications, opt-out records.
Technical information: IP address, browser type, device type, referrer page, pages visited, time spent on pages. This is collected via cookies and analytics tools described in Section 6.
ConfigurAI does not knowingly collect special category personal data (such as health, religion, or biometric data). You should not submit any such data through forms, prompts, or AI tools in connection with ConfigurAI's services.
4. How and why we use your personal data
ConfigurAI uses personal data for the following purposes and on the following lawful bases under UK GDPR:
| Purpose | Lawful basis |
|---|---|
| Delivering cohorts, AI Audits, and corporate training you have booked | Contract (Article 6(1)(b)) |
| Issuing invoices and keeping financial records | Legal obligation (Article 6(1)(c)). HMRC requires retention of financial records for at least 5 years after the relevant Self Assessment submission deadline. |
| Sending the weekly newsletter to people who have signed up | Consent (Article 6(1)(a)) under UK GDPR and PECR Regulation 22 |
| Sending updates about ConfigurAI services to existing paying customers | Legitimate interests (Article 6(1)(f)). Direct marketing to existing customers, with an opt-out in every message under the PECR commercial soft opt-in. |
| Responding to enquiries, support requests, and feedback | Legitimate interests (Article 6(1)(f)) or pre-contractual steps (Article 6(1)(b)) |
| Improving the website and content through analytics | Consent (Article 6(1)(a)) for non-essential cookies |
| Operating strictly necessary website functions (session security, payment processing, fraud prevention) | Legitimate interests (Article 6(1)(f)) |
| Defending legal claims, complying with regulators, and protecting ConfigurAI's lawful rights | Legitimate interests (Article 6(1)(f)) or legal obligation (Article 6(1)(c)) |
You can withdraw consent at any time by contacting support@configurai.com or using the unsubscribe link in any newsletter.
5. Cookies and tracking
ConfigurAI uses a small number of cookies and similar technologies on configurai.com. A consent banner appears when you first visit, letting you accept or reject non-essential cookies. You can change your preference at any time by clicking Cookie settings in the footer of any page.
Consent storage. Your choice is saved in your browser's localStorage under the key configurai_cookie_consent with a value of either accepted or rejected. This is stored only in your browser, never transmitted to a ConfigurAI server, and can be cleared at any time through your browser's storage settings or by clicking Cookie settings.
Strictly necessary cookies are used for essential website functions such as session security and payment processing. These do not require consent.
Analytics. Google Analytics 4 is loaded on the website to help ConfigurAI understand how visitors use the site. ConfigurAI is in the process of gating analytics behind explicit consent; until that work is complete, Google Analytics may collect pseudonymous usage data on first visit before you make a choice. If you reject non-essential cookies, no further analytics collection should occur from that browser, but you can also block analytics at the browser level if you prefer.
Marketing pixels. No advertising pixels are currently used. ConfigurAI does not run Facebook Pixel, LinkedIn Insight Tag, Google Ads conversion tracking, TikTok Pixel, or any equivalent cross-site marketing tracker on configurai.com.
Third-party embedded services. Some pages embed services from Stripe, Calendly, Beehiiv, Loom, and the Google fonts CDN. When you interact with these embeds, the third party may set its own cookies on its own domain. Those cookies are governed by the relevant third party's privacy policy, summarised below in Section 6.
Cross-site tracking. ConfigurAI does not engage in cross-site tracking. Nothing on configurai.com follows you to other websites.
6. Third-party tools we use
ConfigurAI uses the following third-party tools to operate its services. Each tool processes personal data only for the specific purpose described and under a written data processing agreement where applicable.
Stripe (payment processing). Stripe processes card payments for AI Audit purchases (£197) on behalf of ConfigurAI. Personal data shared includes name, billing address, and email. The full card number is never seen or stored by ConfigurAI. Stripe is based in Ireland and the United States; transfers are protected by the UK Extension to the EU-U.S. Data Privacy Framework and Standard Contractual Clauses. See stripe.com/privacy.
Calendly (interview booking). After a successful Stripe checkout for an AI Audit, you are redirected to Calendly to choose a Zoom interview slot. Calendly processes your name, email, and chosen timeslot. Operated by Calendly LLC, based in the United States, certified under the UK Extension to the EU-U.S. Data Privacy Framework. See calendly.com/legal/privacy-notice.
Systeme.io (cohort checkout and course hosting). Processes customer name, email, and course progress for the AI Cohort programmes hosted at courses.configurai.com. Operated by Systemeio Ltd, based in Ireland (European Economic Area), covered by UK adequacy regulations. See systeme.io/privacy-policy.
Beehiiv (newsletter delivery). Stores subscriber email, name (optional), and engagement metadata for the weekly newsletter. Based in the United States. Transfers are protected by Standard Contractual Clauses and the UK International Data Transfer Addendum. See beehiiv.com/privacy.
Google (Workspace, Apps Script, Sheets, Gmail, Analytics). ConfigurAI uses several Google services. Gmail hosts the support@configurai.com inbox, so any email you send to that address is processed by Google. The Corporate enquiry form on configurai.com submits to a Google Apps Script endpoint which writes responses to a private Google Sheet in Orgesa's Google Drive. Google Analytics 4 is loaded on the website (see Section 5 for consent status). Google is based in the United States and Ireland. Transfers to the United States are protected by the UK Extension to the EU-U.S. Data Privacy Framework. See policies.google.com/privacy.
Zoom (live calls). Processes participant names, emails, and any recordings or transcripts made during cohort calls or AI Audit interviews. You will be informed before any session is recorded. Transfers to the United States are protected by Standard Contractual Clauses and the UK International Data Transfer Addendum. See zoom.com/trust/privacy.
Anthropic (Claude) (AI tooling used in back-office operations). ConfigurAI uses Claude for internal tasks such as drafting and synthesis. Where any client personal data is processed through Claude, ConfigurAI uses the Anthropic API or commercial tier with training switched off and short retention periods configured. Anthropic is based in the United States. Transfers are protected by Standard Contractual Clauses. See anthropic.com/legal/privacy.
Loom (video walkthroughs). Used for delivering recorded walkthroughs to clients. Processes video, transcripts, and viewer metadata. Operated by Atlassian, based in the United States, certified under the UK Extension to the EU-U.S. Data Privacy Framework. See atlassian.com/legal/privacy-policy.
Website hosting. The configurai.com static website is served from a third-party static hosting provider. Beyond standard request logs (IP address, user agent, timestamp) retained for security and abuse prevention according to the provider's policy, no personal data is stored at the hosting layer. The specific hosting provider will be confirmed in this entry once the production deployment is finalised.
7. International data transfers
Some of the third-party tools listed above process personal data outside the United Kingdom, primarily in the United States and the European Economic Area.
For transfers to countries the UK has determined provide adequate protection (including the EEA), no additional safeguards are required.
For transfers to the United States, ConfigurAI relies on:
- The UK Extension to the EU-U.S. Data Privacy Framework, where the recipient is certified under that framework
- The UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, as a fallback
- A documented Data Protection Test confirming the transfer is safe and proportionate
If you would like more information about specific transfer mechanisms used for any tool, please contact support@configurai.com.
8. How long we keep your personal data
ConfigurAI keeps personal data only for as long as necessary for the purposes described in this policy.
| Data category | Retention period |
|---|---|
| Newsletter subscribers | Until you unsubscribe. After unsubscribing, only a hashed email is kept on a suppression list as proof of opt-out. |
| Customer and cohort records | Duration of the programme plus 6 years (to allow for any contractual claims under the Limitation Act 1980). |
| Financial records (invoices, payments) | At least 5 years after the relevant Self Assessment submission deadline (HMRC requirement for sole traders). |
| Zoom recordings | 12 months after the relevant cohort closes, or until the cohort access window ends, whichever is later. |
| Loom videos | Lifetime of the relevant programme, or 24 months by default. |
| Corporate enquiry form responses (Google Sheets) | 24 months after last contact, then deleted. Active engagements remain until the relationship ends, plus the customer-record period above. |
| Email correspondence (Gmail) | 24 months after last contact. Threads that form part of an active engagement are retained for the duration of that engagement. |
| Calendly booking records | Deleted after the booked interview has been delivered and the resulting report sent. |
| Cookie consent choice (browser localStorage) | Held in your browser until you clear it or change your choice via Cookie settings. |
| Claude API prompts | 7 days (Anthropic default for commercial API). |
| Website analytics (Google Analytics 4) | 2 months. |
| Complaints records | At least 3 years. |
At the end of these periods, personal data is securely deleted or anonymised.
9. Your rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right to be informed about how your data is collected and used (this policy fulfils that right).
- Right of access to a copy of the personal data ConfigurAI holds about you.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") in certain circumstances.
- Right to restrict processing in certain circumstances.
- Right to data portability to obtain and reuse your data across different services.
- Right to object to processing based on legitimate interests or for direct marketing.
- Rights regarding automated decision-making and profiling, including the right to obtain human review of any significant decision made solely by automated means.
To exercise any of these rights, contact support@configurai.com. ConfigurAI will respond within one calendar month, free of charge. The response window may be extended by two further months if the request is complex, and you will be informed of any extension. If ConfigurAI needs further information to verify your identity or clarify your request, the response clock pauses until that information is received.
10. Direct marketing and the newsletter
If you sign up to the ConfigurAI newsletter, you will receive weekly emails about AI for professionals and business owners. You can unsubscribe at any time using the link in any newsletter or by emailing support@configurai.com.
ConfigurAI relies on your explicit consent (a single opt-in tick at sign-up) for all newsletter delivery. The newsletter sender identity is always clearly stated. ConfigurAI does not share your email with third parties for their marketing.
If you are an existing paying customer, ConfigurAI may also send you occasional updates about similar ConfigurAI products and services under the PECR commercial soft opt-in, with an opt-out available in every message.
11. AI tools: specific notice and disclaimer
ConfigurAI provides training and consultancy on the practical use of AI tools, including ChatGPT, Claude, and others. The following notice applies to all content, recommendations, and discussions involving AI tools.
Informational purposes only
All content provided by ConfigurAI through training cohorts, one-to-one AI Audits, corporate sessions, the newsletter, recordings, downloads, and any related materials is provided for general informational and educational purposes only. It does not constitute, and must not be relied upon as, legal, financial, tax, medical, regulatory, or other professional advice. You should obtain your own independent professional advice before acting on any information provided.
No endorsement of AI tools
ConfigurAI references and discusses a range of AI tools, models, providers, and platforms for educational purposes. ConfigurAI does not recommend, endorse, certify, vet, or accept any responsibility for any specific AI tool, model, platform, provider, or third-party service, including those mentioned in cohorts, sessions, newsletters, recordings, or written materials. The inclusion of any tool is illustrative only and does not constitute a recommendation to use that tool for any specific purpose.
Your responsibility when using AI tools
You are solely responsible for:
- Selecting, evaluating, and using any AI tool.
- The inputs, prompts, files, and data you choose to submit to any AI tool.
- Reviewing and verifying any output you generate, including for accuracy, bias, hallucinations, intellectual property issues, and confidentiality.
- Ensuring that your use of any AI tool complies with applicable laws (including UK GDPR, the EU AI Act where relevant, copyright law, and any sector-specific regulation).
- The consequences of acting on AI output.
AI-specific risk acknowledgement
AI tools present privacy and operational risks including, without limitation:
- Inputs and prompt history may be stored, logged, or used to train future models depending on the provider's policy and your account tier.
- Outputs may be inaccurate, fabricated ("hallucinated"), out of date, biased, or infringe third-party rights.
- Third-party processing, including transfer outside the United Kingdom, typically occurs whenever you use a cloud-hosted AI tool.
- Special category personal data (health, biometric, sexual orientation, religion, ethnic origin, political views, genetic data, trade union membership) should not be input into any AI tool without an appropriate lawful basis under Article 9 UK GDPR and a Data Protection Impact Assessment.
- Some AI tools' consumer tiers materially differ from their commercial or API tiers with respect to retention and training. You should review the terms applicable to your specific account.
You must not input personal data of third parties, confidential information, or special category data into AI tools without an appropriate lawful basis and contractual protection. ConfigurAI accepts no responsibility for any consequence of doing so.
No warranties
ConfigurAI makes no representations or warranties, express or implied, as to the accuracy, completeness, suitability, or fitness for any particular purpose of the information provided. To the maximum extent permitted by law, ConfigurAI excludes all liability for any loss or damage (including indirect, consequential, special, or punitive loss, and loss of profits, goodwill, data, or business opportunity) arising from your use of, or reliance on, the content provided by ConfigurAI or any AI tool discussed by ConfigurAI.
Nothing in this policy excludes or limits liability for death or personal injury caused by negligence, fraud, or any liability that cannot lawfully be excluded under English law.
12. Children
ConfigurAI's services are intended for individuals aged 18 and over. ConfigurAI does not knowingly collect personal data from children under 18. If a corporate training programme involves participants under 18, the corporate client is responsible for obtaining all necessary consents and complying with applicable child-safeguarding and data-protection requirements.
13. How we keep your data secure
ConfigurAI takes appropriate technical and organisational measures to protect personal data, including:
- Encrypted connections (HTTPS) on all websites and forms
- Strong, unique passwords with two-factor authentication on all business accounts
- Access controls limiting personal data access to the data controller and authorised processors
- Regular review of third-party processors and their security postures
- Secure deletion of personal data at the end of its retention period
- Use of reputable, certified processors with documented data protection agreements
No system can be guaranteed completely secure. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, ConfigurAI will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.
14. Complaints
If you are unhappy with how your personal data has been handled, you can raise a concern directly with ConfigurAI by emailing support@configurai.com. ConfigurAI will acknowledge your complaint within 30 days and provide a substantive response without undue delay.
If you are not satisfied with ConfigurAI's response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Online: ico.org.uk/make-a-complaint
You are entitled to complain to the ICO at any time, regardless of whether you have first raised the matter with ConfigurAI.
15. Changes to this policy
ConfigurAI may update this Privacy Policy from time to time to reflect changes in legal requirements, business practices, or the tools used. The "Last updated" date at the top of the policy will indicate when the most recent changes were made.
Material changes will be communicated by email to active customers and through a notice on the website. Continued use of ConfigurAI services after the effective date of any changes constitutes acceptance of the updated policy.
16. Contact
For any questions about this Privacy Policy, your personal data, or your rights:
Email: support@configurai.com
Subject line for data requests: Privacy Request, [your name]
This Privacy Policy is provided for informational purposes. It is not legal advice. ConfigurAI recommends seeking independent legal advice for any specific data protection question relating to your circumstances.