Privacy Policy

InstackAI ("we", "us", "our") is committed to protecting the privacy and personal data of everyone who visits our website or interacts with our services. This Privacy Policy explains what personal information we collect, the legal basis on which we process it, how we use and store it, and the rights available to you under applicable data protection law, including the UK General Data Protection Regulation (UK GDPR).

This policy applies to all personal data processed in connection with the InstackAI website (instackai.com), our contact and booking forms, and our client communications. By using our website, you acknowledge that you have read and understood this policy.

InstackAI is a B2B AI engineering firm registered as a Limited Liability Partnership (LLP) in India. For the purposes of UK and EU data protection laws, InstackAI acts as the data controller in respect of personal data collected through this website. For data-related matters, please contact us via our website.

While our corporate headquarters are in India, we are deeply committed to protecting the privacy of our predominantly European client base and strictly adhere to the standards set by the UK GDPR and the EU GDPR. Where we process personal data on behalf of our clients as part of a custom infrastructure engagement, we act as a data processor. In those circumstances, the processing is governed by a separate, bespoke data processing agreement (DPA).

Contact form submissions: When you complete and submit our contact form, we collect your full name, company name, and email address. We use this information solely to evaluate your enquiry and respond to it.

Discovery call bookings: When you book a technical audit or discovery call via our scheduling portal, you provide your name and email address, and optionally additional context about your business. This information is processed by our secure scheduling partner; we receive a copy of the booking confirmation.

Communications: If you contact us directly, we collect and retain the content of that correspondence and your email address.

Technical data: Our enterprise cloud infrastructure may automatically collect standard server log data, including your IP address, browser type, operating system, referring URL, and page request timestamps. This data is used solely for security monitoring and infrastructure performance purposes and is not linked to your identity.

Note: We do not collect payment card information through this website. We do not use third-party advertising networks, social media pixels, or behavioural tracking technologies.

We rely on the following legal bases under UK/EU GDPR to process your personal data:

Legitimate interests (Article 6(1)(f)): Processing your contact form submission or booking enquiry to assess whether we can assist you and to respond to you is in our legitimate interest as a business. We have assessed that this interest is not overridden by your rights and freedoms.

Consent (Article 6(1)(a)): Where we send you follow-up marketing communications beyond the initial response to your enquiry, we rely on your consent. You may withdraw consent at any time by contacting us through our website or by replying "unsubscribe" to any such communication.

Legal obligation (Article 6(1)(c)): Where we are required by law to retain certain records — for example, for tax or regulatory purposes — we process the minimum personal data required to fulfil that obligation.

To respond to your enquiry: Contact form and email data is used to evaluate your business situation and provide a relevant response within 24 hours. We do not use automated decision-making or profiling in assessing enquiries.

To manage scheduled calls: Booking data is used to confirm, reschedule, or cancel technical audits and to prepare appropriately for the conversation.

To improve our website: Anonymised, aggregated technical data may be used to understand how visitors navigate the site and to identify technical errors. This data cannot be used to identify individual visitors.

To send service updates: Where you have consented, we may occasionally send information about our services, new architectural capabilities, or relevant industry content. The frequency of such communications is low, and you may opt out at any time.

We will never sell, rent, or trade your personal data to third parties for marketing purposes.

Contact form submissions are securely stored in enterprise-grade, encrypted databases that are fully compliant with EU/UK data protection standards. Access to the database is strictly limited to authorised InstackAI engineering personnel via role-based access controls.

We implement rigorous technical and organisational security measures to protect your personal data, including encrypted data transmission (TLS/HTTPS), robust access controls, and secure credential management.

No method of electronic transmission or storage is 100% secure. While we take the protection of your data seriously, we cannot guarantee absolute security. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected individuals without undue delay.

We retain contact and enquiry data for a period of 24 months from the date of collection, or for as long as the business relationship is active. After this period, data is deleted securely unless we are required by law to retain it for longer.

This website uses a single item of local storage to remember your preferred colour theme (light or dark mode). This is a functional storage item, not a tracking cookie, and does not contain any personally identifiable information. It is set only after your first visit and persists until you clear your browser's local storage.

We do not use any first-party or third-party tracking cookies, advertising cookies, or analytics cookies. A privacy banner is displayed on your first visit to give you full transparency and control over storage on your device. Your choices are saved locally. You can update your preferences at any time by clearing your browser's local storage.

Cloud Infrastructure: Our website and client-facing interfaces are hosted on SOC 2 Type 2 certified cloud architecture. This infrastructure may process technical data (IP addresses, server logs) strictly for hosting and security purposes.

Database Systems: Client and contact data is managed via GDPR-compliant database providers processing data securely.

Scheduling Partners: Discovery call bookings are managed via a secure third-party scheduling platform, which processes information under its own rigorous privacy standards.

We review all third-party sub-processors periodically and maintain strict data processing agreements where required to ensure they meet our enterprise security expectations.

As an Indian LLP, the personal data we collect through this website is processed by our team in India. We also utilise enterprise-grade cloud infrastructure that may route data through servers globally.

Because India is located outside of the United Kingdom and the European Economic Area (EEA), any data you provide constitutes an international transfer. To ensure your data remains protected to European standards, we implement appropriate safeguards, primarily by relying on Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO) and the European Commission. We also ensure our enterprise sub-processors are bound by these same strict mechanisms.

You may request information about the specific safeguards applicable to any international transfer of your data by contacting us through our website.

Under UK and EU GDPR, you have the following rights in relation to your personal data:

Right of access: You may request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month.

Right to rectification: You may request that inaccurate or incomplete personal data be corrected.

Right to erasure: You may request the deletion of your personal data where there is no longer a legitimate reason for us to hold it.

Right to restrict processing: You may request that we limit how we use your data in certain circumstances, for example while a complaint is being investigated.

Right to data portability: Where processing is based on consent or contract and carried out by automated means, you may request a copy of your data in a structured, machine-readable format.

Right to object: You may object to processing based on legitimate interests at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us via our website. There is no charge for making a request. We may ask you to verify your identity before processing the request.

If you have a concern about how we handle your personal data, we encourage you to contact us first through our website so that we can try to resolve the matter directly.

If you remain dissatisfied, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk. If you are based in the EU, you may contact your local data protection supervisory authority.

We may update this Privacy Policy from time to time to reflect changes in our architectural practices, technology, legal requirements, or for other operational reasons. The date at the top of this page reflects when the policy was last revised.

Where changes are material, we will take reasonable steps to notify affected individuals. Continued use of our website following any update constitutes acceptance of the revised policy.

For any questions, requests, or complaints relating to this Privacy Policy or the processing of your personal data, please use the contact form on our website at instackai.com/contact.