# Privacy Policy

**Last updated: May 2026**

This Privacy Policy explains how **TalentLeap AI Ltd** (“we”, “us”, “our”) collects, uses, stores and protects personal data when you visit [talentleap.ai](https://talentleap.ai), use the TalentLeap CRM at [app.talentleap.ai](https://app.talentleap.ai), participate in our training programme, or receive communications from us.

We are the data controller for the data we collect about you. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

## 1. Who we are

TalentLeap AI Ltd is registered in England and Wales. For data protection matters, contact:

**Email:** simon@talentleap.ai
**Postal address:** Available on request.

## 2. The data we collect

We collect and process the following categories of personal data:

**From visitors to our website:**

– Browser type, device type, IP address (anonymised) for analytics.
– Cookies (essential and optional, see Cookie Notice below).
– Any information you submit via contact forms or demo bookings.

**From training programme clients:**

– Names, business email addresses, phone numbers, billing addresses, payment details (processed via Stripe).
– Your business information: company name, sector, headcount, recruitment niche.
– Communications you exchange with us (email, WhatsApp, video calls if recorded).

**From CRM users:**

– All the above, plus your business operational data: candidate records you create, client contacts you manage, communications you send through the platform.

**From data subjects whose information is processed in your CRM:**

If you are a recruitment business using the TalentLeap CRM to process candidate or contact data, we act as the data processor for that data. You remain the data controller. We process such data only on your documented instructions and in accordance with the Data Processing Agreement signed with you.

**From newly incorporated UK companies (Companies House data):**

We use the official Companies House Public Data API and Streaming API to identify newly incorporated UK businesses in the recruitment sector that may benefit from our services. The data we process includes:

– Company name, registration number, date of incorporation, SIC codes, registered office address.
– Director names, dates of birth (month and year only), nationality, and service addresses, all of which are publicly available on the Companies House register.

We may then enrich this public data with business email addresses and direct phone numbers obtained through third-party data providers (such as Lusha) under their applicable terms.

Companies House data is public and we process it under the legitimate interest legal basis for B2B prospecting (UK GDPR Article 6(1)(f)). You can object at any time (see “Your rights” below).

## 3. How we use your data

We use your data to:

– Deliver the Services you have purchased (training programme, CRM platform).
– Process payments and manage billing.
– Send transactional emails (sign-in codes, receipts, training session reminders, system notifications).
– Provide customer support and respond to queries.
– Send marketing communications about our products and similar services, where you have given consent or where we have a legitimate interest in doing so and you have not opted out.
– Improve the Services through aggregated, anonymised analytics.
– Comply with our legal obligations (tax, accounting, regulatory).

We do not use your data to train AI models. We do not sell your data to third parties. We do not share your data for the marketing purposes of others.

## 4. Legal bases for processing

Under UK GDPR we process personal data under the following legal bases:

– **Contract:** to deliver the training programme or CRM subscription you have purchased.
– **Legitimate interest:** for B2B marketing communications to business contacts, fraud prevention, service improvement, and identifying potential customers (including via Companies House public data).
– **Consent:** for optional cookies, marketing emails to consumers, and any sensitive data processing.
– **Legal obligation:** for tax records, accounting, and lawful disclosures to authorities.

## 5. Where your data is stored

We store data within the UK and the European Economic Area:

– **Database and CRM data:** Supabase, hosted in EU-North (Sweden).
– **Email communications:** Google Workspace (UK and EU servers).
– **Payment processing:** Stripe (UK and EU servers, PCI-DSS compliant).
– **Backups:** EU servers only.

Where data may be transferred outside the UK or EU (for example, if a sub-processor uses US infrastructure), we ensure appropriate safeguards are in place such as Standard Contractual Clauses or an adequacy decision.

## 6. How long we keep your data

– **Active customer records:** for the duration of the customer relationship and for 6 years thereafter (to meet HMRC and contract law requirements).
– **Marketing prospects:** for up to 24 months from the last meaningful interaction, after which we delete or anonymise.
– **Companies House-derived prospect data:** for up to 12 months from the date of company incorporation, after which records that have not converted to active customers are deleted.
– **Communications:** for as long as the related business purpose requires, typically 3 years.
– **Anonymised analytics data:** retained indefinitely.

## 7. Your rights

Under UK GDPR you have the following rights, which you can exercise at any time by emailing simon@talentleap.ai:

– **Right of access:** request a copy of the personal data we hold about you.
– **Right to rectification:** correct any inaccurate or incomplete data.
– **Right to erasure:** ask us to delete your data (subject to lawful exceptions).
– **Right to restriction:** ask us to limit how we process your data.
– **Right to data portability:** receive your data in a structured, commonly used format.
– **Right to object:** object to processing under legitimate interest, including marketing.
– **Right to withdraw consent:** withdraw any consent you have given us, at any time.
– **Right to complain:** lodge a complaint with the Information Commissioner’s Office (ICO) at [ico.org.uk](https://ico.org.uk).

We respond to all rights requests within one month and at no cost to you.

## 8. Cookies and tracking

Our website uses essential cookies (to keep you signed in) and optional analytics cookies (to understand site usage). You can manage your cookie preferences at any time via the cookie banner on the website.

We do not use third-party advertising or remarketing cookies.

## 9. Security

We protect your data with industry-standard measures:

– Encryption in transit (TLS) and at rest (AES-256).
– Multi-factor authentication on all administrative accounts.
– Strict access controls on a need-to-know basis.
– Regular backups and disaster-recovery procedures.
– Security audits and penetration testing on an annual basis.

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and you without undue delay, in accordance with UK GDPR.

## 10. Children

Our Services are not directed at, or intended for, anyone under the age of 18. We do not knowingly collect data from children.

## 11. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects when it was last revised. Material changes will be notified to existing customers by email.

## 12. Contact

For any questions about this Privacy Policy, to exercise your rights, or to make a complaint:

**TalentLeap AI Ltd**
Email: simon@talentleap.ai
Website: [talentleap.ai](https://talentleap.ai)

You also have the right to complain to:

**Information Commissioner’s Office (ICO)**
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Phone: 0303 123 1113
Website: [ico.org.uk](https://ico.org.uk)