Privacy Policy
How we collect, use, and protect information when you visit marksai.co.uk or work with us as a client.
1. Who we are
Marks AI is operated by Mark Lovelady from Scotland, United Kingdom. A UK private limited company (Marks AI Trading Ltd) is in formation in May 2026 and will become the data controller once incorporated; until then, Mark Lovelady acts as data controller in a personal capacity. Either way, the contact route and the way we handle your personal data do not change.
Contact for any privacy enquiry: [email protected].
2. What this policy covers
This policy applies to:
- Visitors to marksai.co.uk — including any sub-domains we operate (e.g. platform.marksai.co.uk, analytics.platform.marksai.co.uk).
- Marks AI clients — businesses we deliver websites, audits, automation, or fractional technical work to under a written agreement.
- Marks AI platform users — individuals authorised by a client to use a tool we have built or hosted on their behalf.
Each Marks AI client website (for example a customer-facing site we have built) carries its own privacy policy under that business's name. This policy does not replace those.
3. Information we collect on marksai.co.uk
3.1 Information you give us directly
If you contact us via the website, by email, or via WhatsApp, we will hold the message content, your name, your email or phone number, and any other details you choose to share, for as long as needed to respond and to keep an accurate record of the conversation. If we agree to work together, that record forms part of our client file.
3.3 WhatsApp Business and the Meta Cloud API
Marks AI operates WhatsApp Business numbers via the Meta WhatsApp Cloud API on behalf of its clients. When you message a Marks AI-operated business number:
- What we collect: the content of your messages (text, attachments), your WhatsApp display name and phone number, message timestamps and delivery status, and metadata about the conversation (which business number, which channel).
- Why: to respond to your enquiry, fulfil any service the client has agreed with you, draft reply suggestions for a human to review (using AI tooling — see "Third-party processors" below), and keep a record of the conversation.
- Our role: Marks AI is a data processor for the operating client (the business you are messaging); the client is the data controller. The exception is when you message Marks AI itself on a marksai.co.uk number — there we are both controller and processor.
- Retention: active conversation history is held for the duration of the engagement plus 24 months. You can ask for your messages to be deleted at any time — see Data Deletion Instructions.
- Opt-out: reply with "STOP", "UNSUBSCRIBE", or "OPT OUT" at any time to stop further messages from a Marks AI-operated number. Reply with "DELETE" to request your message history with that number be removed (see Data Deletion Instructions).
- Meta's role: WhatsApp itself is operated by Meta Platforms Ireland Limited. Messages travel through Meta's infrastructure and are subject to Meta's WhatsApp Business Policy and Meta's privacy policy.
3.2 Information collected automatically
We use a small, deliberate analytics stack:
- Plausible (self-hosted) — privacy-respecting page-view counts. No cookies, no cross-site tracking, no personal identifiers. Hosted by us at analytics.platform.marksai.co.uk; data does not leave our infrastructure.
- Cloudflare — hosts the website (Cloudflare Pages) and provides DDoS protection. Cloudflare may log request metadata (IP address, user-agent, country) for security and abuse prevention. See Cloudflare's privacy notice at cloudflare.com/privacypolicy.
marksai.co.uk does not currently use Google Analytics, advertising cookies, or other cross-site tracking on its own pages. Some Marks AI client websites do use these tools — where they do, those sites display their own cookie banner and privacy policy.
4. Information we collect from clients
When we work with a client, we collect and process information about the client's business (domains, accounts, copy, brand assets, customer data shared with us for the work) under the written agreement we sign with that client. The client remains the data controller for their customers' personal data; Marks AI acts as a data processor for that data and only handles it for the agreed purposes.
Client engagements that involve customer personal data are covered by a Data Processing Addendum (DPA) signed alongside the main engagement letter.
5. How we use information
We use the information described above to:
- Reply to enquiries and conduct prospect / client conversations.
- Deliver the services we have agreed with a client (build, host, monitor, audit, automate).
- Improve the website and the platform — for example by understanding which pages are read, which links are followed, and which forms convert. This is done in aggregate via Plausible; we do not profile individual visitors.
- Meet legal, accounting, and tax obligations (record-keeping, invoicing, fraud prevention).
- Communicate operational updates to active clients (incident notices, invoice reminders, scheduled work).
5.1 Our lawful bases
We only process personal data where we have a lawful basis to do so under UK GDPR. In practice we rely on:
- Contract — to deliver the services a client has agreed with us, and to administer that engagement.
- Legal obligation — to meet record-keeping, accounting, and tax requirements.
- Consent — where you have actively opted in (for example to a mailing list); you can withdraw consent at any time.
- Legitimate interests — to respond to enquiries, run and secure the website and platform, and understand in aggregate how the site is used.
Where we rely on legitimate interests, we apply a three-part test before processing:
- Purpose — there is a genuine and specific benefit to us or to you (for example, replying to an enquiry you sent us, or protecting the site from abuse).
- Necessity — the processing is a reasonable and targeted way to achieve that purpose, and there is no less intrusive alternative.
- Balance — that interest is not overridden by your interests, rights, and freedoms. We do not use legitimate interests to profile individual visitors, and you can object at any time (see "Your rights" below).
The UK's Data (Use and Access) Act 2025 sets out a list of recognised legitimate interests — for example, disclosures to a public body that requests data to carry out a public-interest task, safeguarding national security, responding to an emergency, or detecting and preventing crime. Where a processing activity falls squarely within one of these recognised legitimate interests, the Act treats the balancing test above as already met, so we do not have to carry it out separately. We will still only rely on this where the activity genuinely fits one of the recognised categories.
6. Third-party processors
We rely on a small set of third-party services to run Marks AI. Each one only receives the data it needs for the agreed purpose:
- Cloudflare — website hosting, DNS, DDoS protection.
- Hetzner Online GmbH — server hosting in Germany for the Marks AI platform.
- Google (Workspace, Drive, Gmail, Tag Manager, Analytics for client sites) — communications and, for client sites that use them, advertising-aware analytics. Where we use Google products on a client site, that site's own privacy policy lists them.
- WorkOS — authentication for the Marks AI platform and any platform-side admin surface a client uses.
- Postmark / Resend / AWS SES — transactional email delivery for the platform and for client sites we operate.
- Anthropic, OpenAI, Google AI — large language model APIs used inside our platform. Inputs sent to these models are limited to the scope of the agreed work and are not used by the providers to train their public models when we use their commercial / enterprise APIs.
We do not sell, rent, or trade personal data with anyone.
7. International transfers
Some of the processors above are based outside the United Kingdom (for example Cloudflare, Anthropic, OpenAI in the United States). Where personal data is transferred outside the UK, we rely on the UK government's adequacy decisions, the UK International Data Transfer Agreement, or Standard Contractual Clauses, as applicable.
8. How long we keep information
- Website analytics (Plausible) — aggregated only, retained for 24 months.
- Enquiry messages — kept for the duration of the conversation plus 24 months, unless a client engagement begins in which case they form part of the client file.
- Active client files — kept for the duration of the engagement plus 6 years (UK accounting / tax requirement).
- Server logs — kept for 30 days unless retained longer for incident investigation.
9. Your rights under UK GDPR
You have the right to:
- Ask what personal data we hold about you (a subject access request, or "SAR"). When you make a SAR we will carry out reasonable and proportionate searches for the data we hold about you and respond within one month. If a request is complex, or you have made a number of requests, we may extend that period by up to a further two months and will tell you why within the first month.
- Ask us to correct anything that is wrong.
- Ask us to delete data we no longer have a lawful basis to keep.
- Ask us to restrict or object to certain processing.
- Ask for a copy of data you have given us, in a portable format.
- Withdraw any consent you have given us at any time.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) if you think we have handled your data unlawfully.
To exercise any of these rights, email [email protected]. We will reply within one calendar month.
10. Your right to complain
If you think we have handled your personal data unfairly or unlawfully, please tell us first. The quickest way is our dedicated data-protection complaint form, or you can email [email protected].
We will acknowledge your complaint within 30 days and respond substantively in that time; if the matter is complex we will keep you updated on our progress. This reflects our duty under the UK's Data (Use and Access) Act 2025 to handle data-protection complaints promptly.
If you are not satisfied with how we deal with your complaint, you can escalate it to the UK Information Commissioner's Office (ico.org.uk). You can complain to the ICO at any time, but raising it with us first usually gets it resolved faster.
11. Cookies on marksai.co.uk
marksai.co.uk does not set tracking cookies. Cloudflare may set a small number of strictly necessary cookies for bot protection and load balancing; these are essential for the site to function and are removed when you close your browser unless you have interacted with a Cloudflare challenge.
If you visit a Marks AI client website (for example one ending in .thetyresoldier.co.uk), that site will display its own cookie banner and operate its own analytics under its own privacy policy.
12. Security
We take security seriously. The Marks AI platform is hosted on infrastructure we control, encrypted in transit (HTTPS / TLS 1.2+) and at rest where the underlying provider supports it, with secrets managed through sops-nix and access gated by WorkOS / AuthKit single sign-on. We monitor the platform with self-hosted Prometheus, Grafana, and alerting; security incidents are investigated and disclosed in line with UK law.
13. Changes to this policy
We may update this policy as the platform and the services we offer change. The "Last updated" date at the top of the page reflects the most recent change. Material changes that affect how we process your personal data will be notified to active clients directly.
14. Data deletion
You can request deletion of personal data we hold about you at any time. Step-by-step instructions, including how to request deletion of WhatsApp message history, are on our Data Deletion Instructions page.
15. Contact
For any privacy enquiry, data subject request, or complaint: [email protected].