Our GDPR Commitment
Last updated: May 2026 · Porikka Consulting Ltd, registered in England & Wales
GDPR is not a box we tick. It is a core part of how we build everything — for ourselves and for every client we work with.
What GDPR means in practice for us
The General Data Protection Regulation (GDPR) is the UK and EU law that governs how organisations collect, store, and use personal data. As a company that builds AI systems for UK and EU businesses, we take it seriously — not just as a legal requirement, but as a genuine commitment to the people whose data flows through the systems we build.
Here is what that looks like in practice:
- All data we handle — including contact form submissions and any client project data — is stored on servers physically located in the UK or EU. No data is transferred to the United States.
- We only collect data we actually need. On this website, that means your name, email, and message when you contact us. Nothing else.
- We do not use Facebook Pixel, Google Ads tracking, or any behavioural advertising tools. We removed the third-party tracking that was previously on this site.
- We keep enquiry data for 24 months and then delete it. We do not hold onto data indefinitely "just in case."
- You can ask us to show you, correct, or delete your data at any time. We respond within 30 days, without making it difficult.
- If we use any third-party services to process your data (for example, an email provider), we will list them here and ensure they meet GDPR standards.
GDPR in the AI systems we build
Every AI agent we design for a client is built with data protection in mind from the start — not bolted on at the end. In practice this means:
- We recommend and use EU/UK-hosted models and infrastructure wherever possible, so your customer data never crosses international borders unnecessarily.
- We advise clients on their obligations under the EU AI Act and UK AI regulation guidance, particularly around transparency and human oversight.
- We design data flows so that only the minimum data required reaches the AI model — a principle called data minimisation.
- We help clients document their AI systems for GDPR purposes, including Data Protection Impact Assessments (DPIAs) where required.
- We do not recommend US Big Tech AI providers for use cases involving sensitive personal data, precisely because of the data sovereignty risks they create.
Our lawful basis for processing your data
When you contact us through our website, our lawful basis for processing your data is legitimate interests — specifically, the legitimate interest in responding to your business enquiry. We do not rely on "consent" as a basis for basic contact form responses, because doing so would mean asking you to tick a box just to receive a reply, which is unnecessary and unhelpful.
If we ever want to send you marketing emails or add you to a newsletter, we will ask for your explicit consent at that point.
Data breach response
In the unlikely event of a data breach affecting personal data, we will notify the ICO within 72 hours as required by UK GDPR, and notify affected individuals without undue delay if the breach is likely to result in a risk to their rights and freedoms.
Our Data Protection contact
We do not currently require a formal Data Protection Officer (our processing activities are not high-risk at scale), but if you have any data protection concerns, email hello@porikka.com — a real person will respond.
You also have the right to complain to the Information Commissioner's Office (ICO) at any time if you believe your data has been mishandled.
Subprocessors
Currently, the only subprocessors involved in handling data submitted through this website are:
- Our hosting provider — EU/UK server infrastructure (Hetzner or equivalent). Processes: storing form submissions. Location: EU.
- Google Fonts — serves font files only. We do not believe this constitutes personal data processing, but we disclose it in the interest of transparency.
We will update this list if we add further subprocessors.