Privacy Policy

Who We Are

Evans Automate AI Ltd ("Evans Automate", "we", "us", "our") is a UK-registered company providing AI automation systems and services to local businesses across the United Kingdom.

We are the data controller responsible for the personal data we collect through this website (evansautomate.co.uk), our services, and any communications with you. As data controller, we are registered with and regulated by the Information Commissioner's Office (ICO) under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025.

Data We Collect

We collect personal data in the following ways:

Information you give us directly:

• First and last name
• Business name and type
• Email address
• Phone number
• Details about your business challenges or requirements
• Any additional information you choose to share via our contact form or in correspondence

Information collected automatically:

• IP address and approximate geographic location
• Browser type and version
• Pages visited and time spent on our website
• Referring website or source
• Device type (desktop, mobile, tablet)

Information collected as part of our services:

• Business contact details for automation system configuration
• Customer contact data provided by clients for the purpose of setting up and operating agreed automation services (SMS, email, webchat systems)
• Call and communication logs generated by our systems on behalf of clients

We do not collect or process any special category data (such as health information, racial or ethnic origin, political opinions, religious beliefs, or biometric data) through our website or standard services. We do not knowingly collect data from individuals under the age of 18.

How We Use Your Data

We use personal data only for the specific purposes for which it was collected. These include:

• Responding to enquiries — to reply to messages submitted through our contact form or sent directly to us by email
• Booking and managing demo calls — to schedule, confirm and follow up on free consultation calls via Calendly
• Delivering our services — to set up, configure and operate AI automation systems on behalf of clients, including missed call text-back, webchat, review requests and appointment automations
• Service communications — to send updates, reports, invoices and information directly related to our service agreement
• Improving our website and services — to understand how visitors use our website and identify areas for improvement
• Legal and compliance obligations — to comply with applicable UK law, including tax and accounting requirements

We will never use your data for unsolicited marketing, sell it to third parties, or use it for any purpose not described in this policy without first obtaining your explicit consent.

Legal Basis for Processing

Under UK GDPR, we must have a valid legal basis for processing your personal data. We rely on the following lawful bases:

• Contract (Article 6(1)(b)): Processing is necessary to enter into or perform a contract with you — for example, setting up and operating the automation services you have agreed to
• Legitimate interests (Article 6(1)(f)): Processing is necessary for our legitimate business interests — for example, responding to enquiries from prospective clients and improving our website — where those interests are not overridden by your rights
• Legal obligation (Article 6(1)(c)): Processing is necessary to comply with a legal obligation — for example, retaining financial records for HMRC purposes
• Consent (Article 6(1)(a)): Where we ask for your consent for a specific purpose, such as optional marketing communications, we will obtain this separately and clearly. You may withdraw consent at any time

Where we act as a data processor on behalf of our clients (for example, processing their customers' contact data to operate SMS or email automation systems), we do so under a data processing agreement and strictly on documented instructions from our client as data controller.

Data Sharing

We do not sell, rent or trade personal data. We share data only in the following limited circumstances:

• Service providers and sub-processors: We use trusted third-party tools to operate our business and deliver our services. These include GoHighLevel (CRM and automation platform), Formspree (form submission processing), Calendly (appointment booking), Twilio (SMS delivery), and Google Workspace (email and documents). Each provider is contractually obligated to handle data securely and only for the purpose we specify
• Legal requirements: We may disclose data where required to do so by law, court order, or at the request of a regulatory authority such as the ICO or HMRC
• Business transfer: In the event of a merger, acquisition or sale of all or part of our business, personal data may be transferred to the acquiring entity. We will notify you in advance if this occurs

All third parties we work with are required to comply with applicable data protection law and to implement appropriate technical and organisational security measures.

Data Retention

We retain personal data only for as long as is necessary for the purpose it was collected, or as required by law. Our retention periods are as follows:

• Enquiry and contact form data: 12 months from the date of last contact, unless you become a client
• Client account and service data: For the duration of the service agreement, plus 6 years after termination (in line with UK limitation periods for contractual claims)
• Financial and invoicing records: 7 years from the end of the relevant tax year, as required by HMRC
• Website analytics data: Up to 26 months in anonymised or aggregated form
• Marketing consent records: Until consent is withdrawn, plus 1 year thereafter

When data is no longer required, we delete or securely anonymise it in accordance with our data retention schedule. You may request earlier deletion of your data subject to our legal obligations — see Section 7 below.

Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

• Right of access: You may request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month
• Right to rectification: You may ask us to correct any inaccurate or incomplete personal data we hold
• Right to erasure ("right to be forgotten"): You may ask us to delete your personal data where there is no longer a legitimate reason for us to hold it, subject to any legal obligations we have to retain it
• Right to restrict processing: You may ask us to pause processing of your data in certain circumstances — for example, while we verify its accuracy
• Right to data portability: You may request a copy of data you have provided to us in a commonly used, machine-readable format, where processing is based on consent or contract
• Right to object: You may object to processing based on our legitimate interests, and we will stop unless we have compelling legitimate grounds to continue
• Rights related to automated decision-making: We do not make solely automated decisions that produce significant legal or similarly significant effects on individuals. Where automated systems are used as part of our client services, meaningful human oversight is maintained

To exercise any of these rights, contact us at jon@evansautomate.co.uk. We will respond within one month. We may need to verify your identity before processing your request. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.

Cookies

Our website uses cookies — small text files stored on your device — to help us understand how visitors use the site and to improve your experience.

Types of cookies we use:

• Essential cookies: Necessary for the website to function. These cannot be disabled
• Analytics cookies: Help us understand visitor behaviour in aggregate and anonymous form (e.g. pages visited, time on site). We use this data only to improve the website
• Third-party cookies: Tools embedded on our site (such as Calendly booking widgets and Formspree forms) may set their own cookies. Please refer to those providers' privacy policies for details

You can control and disable cookies through your browser settings at any time. Please note that disabling certain cookies may affect the functionality of the website. By continuing to use our website, you consent to our use of cookies as described above.

AI & Automated Systems

As an AI automation business, we use and deploy automated systems on behalf of our clients. This section explains how these systems interact with personal data and how we ensure compliance with the UK GDPR and the Data (Use and Access) Act 2025.

Client-facing automations: Where we operate automated systems on behalf of a client — such as SMS follow-up sequences, AI webchat tools, or appointment reminder workflows — we do so as a data processor acting on the client's documented instructions. The client remains the data controller for their customers' personal data, and we process it solely to deliver the agreed service.

No significant automated decision-making: Our systems are used to automate communications and workflows, not to make significant decisions about individuals. No automated decision produced by our systems carries legal or similarly significant consequences for any individual. Human oversight and review remain available at all times.

Transparency: Where our automated systems contact individuals on behalf of a client (for example, sending an SMS after a missed call), those messages will identify the business sending them. Individuals always have the ability to opt out of further automated contact.

GDPR compliance in client systems: All automation systems we build are designed with GDPR compliance by default, including opt-out handling, data minimisation, and appropriate retention limits. We advise clients on their obligations as data controllers and provide documentation on request.

Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, alteration or disclosure. These include:

• Encrypted data transmission (HTTPS/TLS) across all web communications
• Access controls ensuring only authorised personnel can access personal data
• Use of reputable, security-certified third-party platforms (GoHighLevel, Google Workspace, Twilio)
• Regular review of security practices and third-party data processing agreements
• Secure disposal of data that is no longer required

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and will notify affected individuals without undue delay where required by law.

No method of transmission over the internet is 100% secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security.

International Data Transfers

Some of the third-party services we use may process or store data outside the United Kingdom. Where this occurs, we ensure that appropriate safeguards are in place in accordance with UK GDPR requirements for international data transfers, including:

• Transfers to countries with UK adequacy regulations in place
• Use of UK International Data Transfer Agreements (IDTAs) or equivalent Standard Contractual Clauses where adequacy decisions do not apply
• Ensuring sub-processors maintain equivalent levels of data protection to those required under UK law

The primary third-party services we use (GoHighLevel, Twilio, Google Workspace, Calendly, Formspree) are each subject to contractual data processing terms and maintain appropriate international transfer mechanisms.

Contact & Complaints

If you have any questions about this Privacy Policy, wish to exercise any of your rights, or have a concern about how we have handled your personal data, please contact us:

We aim to respond to all data protection enquiries within 5 working days and to fulfil all data subject requests within one calendar month of receipt.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):

This Privacy Policy was last reviewed and updated on 18 March 2026. We may update it from time to time to reflect changes in the law, our services or business practices. We will notify clients of material changes. The current version will always be available at evansautomate.co.uk/privacy.html.