GDPR Policy

Last updated: 2026

1. Lawful basis

We process personal data on the basis of legitimate interest (for our services) and contract (for client engagements). Marketing communications are sent only with consent.

2. Data minimisation

We collect only the data we need to deliver our services and operate our business.

3. AI vendor handling

When AI tools are used in client work, we ensure appropriate Data Processing Agreements are in place. We avoid sending PII to AI vendors that do not offer enterprise data protection terms.

4. Sub-processors

A current list of sub-processors is available on request via privacy@aivirgins.com.

5. Data subject rights

You have the right to access, rectify, erase, restrict and object to processing of your personal data. To exercise these rights, contact privacy@aivirgins.com.

6. International transfers

Where personal data is transferred outside the UK/EEA, we use appropriate safeguards including Standard Contractual Clauses.

7. Breach notification

In the unlikely event of a personal data breach affecting you, we will notify you and the relevant supervisory authority within 72 hours where required.