process zero GDPR statement

last updated: 10 December 2025

data protection officer: Martin McDonagh (martinm@processzero.co.uk)

At Process Zero, we recognise that using AI to automate business processes often involves handling personal data. We take our responsibility under the UK General Data Protection Regulation (UK GDPR) seriously, and we are committed to protecting your data and maintaining transparency in how it is used.

Our GDPR statement explains how we protect personal data when we deliver AI automation, AI strategy consulting, and support services. We process personal data only when it is necessary, for lawful purposes, and in ways that respect your rights and expectations.

Whether we are supporting your AI strategy session, developing automation workflows, or integrating intelligent systems into your operations, we ensure that:

  • We only process personal data that is necessary for the task at hand.
  • You, or your organisation, remain in control of your data.
  • All data is handled securely, lawfully, and transparently.
  • Personal data is not used beyond the purpose for which it was provided.

This helps protect both your business and the individuals whose data may be involved in the services we deliver.

our commitment to data protection

Process Zero is committed to:

  • Ensuring security and confidentiality of any data processed by our AI agents or automation systems
  • Processing data lawfully, fairly, and transparently
  • Minimising data exposure through closed-loop, on-premise, open-source AI models
  • Building all solutions with privacy-by-design principles
  • Ensuring clients always remain in full control of their data
  • Acting strictly under client instruction when processing project data
  • Maintaining clear and documented compliance procedures

Our goal is to deliver automation that reduces operational workload without increasing data risk.

our role as data controller and data processor

Depending on the activity, Process Zero may act as:

data controller

We act as a controller when processing data relating to our own operations, including:

  • Website enquiries
  • Free 60 min discovery call bookings
  • Client onboarding
  • Marketing and communications

data processor

We act as a processor when delivering AI and automation services where our systems, tools, or custom-built agents interact with client networks, systems, or datasets.

In these circumstances:

  • The client defines what data may be accessed or processed
  • We act only under documented instructions
  • A Data Processing Agreement (DPA) governs all processing activities
  • The client remains the Data Controller at all times

what data we process

For client AI/automation projects:

Depending on the scope of the engagement, we may process:

  • Operational datasets required for automated workflows
  • Employee, supplier, or customer records stored in client systems
  • System logs, process data, or operational metadata
  • Information required to configure or train private LLMs
  • Integration data, API data, or workflow-level information

We only process data that the client has explicitly authorised.

For website enquiries and initial contact:

  • Name
  • Email address
  • Company details
  • Information shared during intro calls, enquiry forms, or Discovery sessions

For analytics and service optimisation:

  • Website analytics and behaviour
  • Marketing engagement data

You may opt out of marketing at any time.

why we process data

We process personal data for reasons such as:

  • Building and deploying AI agents or LLM systems
  • Delivering automation, consultancy, and technical support
  • Integrating systems with client environments
  • Providing ongoing maintenance and improvement of deployed agents
  • Responding to enquiries and managing client relationships
  • Meeting legal or regulatory obligations

We never use client data to train public AI models, and we do not share data with external AI providers unless explicitly authorised in writing.

lawful bases for processing

Our lawful bases include:

  • Contractual necessity: Required to deliver agreed services
  • Legitimate interests: Improving services, security, and analytics
  • Consent: Used for marketing communications
  • Legal obligation: Compliance with UK law

data retention

  • Data accessed or processed for client project work is retained only for the duration of the engagement unless otherwise agreed.
  • Temporary data used for testing, model configuration, or debugging is securely deleted once no longer required.
  • Business records and enquiry information are retained in line with statutory requirements.

data security

Because our agents may interact with internal and sometimes sensitive business data, Process Zero enforces strong security controls, including:

  • Encryption of data in transit and at rest
  • Role-based access control and multi-factor authentication
  • Secure development and deployment practices
  • Segmented infrastructure for client-specific environments
  • No transfer of client data to external LLMs unless authorised
  • Privacy-by-design embedded in all AI systems
  • Secure deletion processes for all temporary data

Where agents or models are deployed within a client's own infrastructure, the client retains full technical control.

third parties and sub-processors

Process Zero does not sell personal data.

We may engage carefully selected sub-processors when necessary (e.g., secure hosting providers, specialised tooling), each of whom must comply with UK GDPR and maintain appropriate security standards.

Any sub-processor used within a client engagement will be documented transparently in the DPA.

your rights under UK GDPR

You have the right to:

  • Access your data: Request a copy of the personal data we hold about you
  • Request correction or deletion: Update inaccurate data or request erasure
  • Restrict or object to processing: Limit how we use your personal data
  • Withdraw consent: Where processing is based on consent
  • Data portability: Receive your data in a structured format
  • Lodge a complaint: Contact the ICO if your rights are violated

To exercise these rights, please contact us at the details below.