Privacy Notice

Last updated: 3 April 2026

This notice explains how Prime Meridian AI collects, uses, stores, and shares personal data. It covers everyone we interact with: website visitors, people who use our tools, prospects we contact, people who attend meetings with us, and clients.

We take data protection seriously. As a business that audits how other organisations use AI, we hold ourselves to the standards we expect of others.


1. Who We Are

Prime Meridian AI is a sole trader business operated by Kris Farebrother, providing AI audit and automation strategy services for professional services firms in the United Kingdom.

Data controller: Kris Farebrother, trading as Prime Meridian AI
Email: kris@primemeridianai.com
ICO registration number: ZC109473

We are registered with the Information Commissioner's Office (ICO) as a data controller.


2. What Data We Collect and Why

We collect different types of personal data depending on how you interact with us. This section explains what we collect, why, and the legal basis we rely on.

2a. When you visit our website

What we collect: Your IP address, device information (browser type, screen resolution), and pages visited. We use Apollo.io's website tracking to associate visits with publicly available company information (company name, industry, size, location). We do not track personal browsing history.

Why: To understand which types of businesses are interested in our services, so we can tailor our content and outreach.

Legal basis: Legitimate interest (understanding our audience). We have assessed that this interest does not override your privacy rights, given the data is limited to business-level identification and no personal profiles are built.

Tracking technologies: The Apollo.io tracker uses browser local storage (not cookies) to associate visits with company information. See Section 9 (Cookies and Similar Technologies) for details and your choices.

2b. When you use our AI Mini-Map tool

What we collect: Your email address, industry, role, team size, AI adoption stage, and the AI opportunity scores generated by the tool.

Why: To deliver your personalised results by email, and (with your agreement) to follow up with relevant content about AI for your sector.

Legal basis: Consent (you choose to provide your email and submit the form). You can withdraw consent at any time by contacting us or using the unsubscribe link in any email.

Where your data goes:

  • Brevo (email platform): stores your contact details and sends the results email. Brevo tracks whether the email is opened and whether links are clicked, so we can understand engagement.
  • Attio (CRM): if your profile matches our ideal client criteria, we create a contact record to manage any future relationship. Legal basis for CRM storage: legitimate interest (managing business relationships and pipeline).
  • Local database: your submission is logged for our records.

2c. When you book a discovery call

What we collect: Your name and email address (via Calendly).

Why: To schedule and prepare for the call.

Legal basis: Consent (you initiate the booking).

Meeting recording: Our discovery calls are recorded and transcribed using Fireflies.ai. You will be informed of this in your booking confirmation email before the call. You can opt out of recording at any time, either by replying to the confirmation email or by asking at the start of the call. See Section 5 (Meeting Recording) for full details.

2d. When we contact you about our services

We may contact business professionals by email to introduce our AI audit services. We do this where we believe there is a genuine and relevant reason to reach out.

What data we use: Your name, work email address, job title, company name, industry, company size, and seniority. This information is sourced from Apollo.io's database of publicly available business contact information.

Why: To reach business owners and decision-makers who may benefit from an AI audit.

Legal basis: Legitimate interest (B2B prospecting). We have conducted a Legitimate Interest Assessment and concluded that:

  • We only contact people in business decision-making roles at their work email addresses
  • Our emails are relevant to their professional responsibilities
  • We provide a clear and immediate opt-out in every email
  • We maintain a suppression list and honour all opt-out requests immediately
  • The impact on individuals is minimal (one or a small number of professional emails)

Your right to object: You have an absolute right to object to direct marketing. If you ask us to stop, we will do so immediately and suppress your details from all future outreach. Email kris@primemeridianai.com or use the unsubscribe link in any email.

Email tracking: Our outreach emails (sent via Apollo.io) track whether emails are opened and whether links are clicked. This helps us understand engagement and avoid contacting people who are not interested. If you prefer not to be tracked, most email clients allow you to disable image loading, which prevents open tracking.

CRM integration: When a prospect engages with our outreach (replies, clicks, or books a call), their contact details may be synced from Apollo.io to Attio (our CRM) to manage the ongoing relationship.

Note for sole traders and partnerships: Under the Privacy and Electronic Communications Regulations (PECR), we only email sole traders and unincorporated partnerships where we have prior consent. Our cold outreach targets corporate subscribers (limited companies, LLPs) only, using the legitimate interest basis described above.

2e. During an AI Audit engagement

What we collect: Stakeholder interview recordings and transcripts, business process information described during interviews, attendee names and email addresses.

Why: To analyse your business processes and identify AI automation opportunities. This is the core of the AI Audit service.

Legal basis: Contract (to deliver the service you have engaged us to provide) and consent (for recording, obtained before each interview).

AI processing: Interview transcripts are analysed using AI tools (see Section 4) to identify patterns, automation opportunities, and risks. No automated decisions are made about individuals. All analysis is reviewed by a human (Kris Farebrother) before being included in the audit deliverable.

Confidentiality: We treat all information shared during an audit as confidential. We do not share client data with other clients or use it for marketing purposes. We are happy to sign a non-disclosure agreement or data sharing agreement before any engagement begins.

Your data after the audit: You can request deletion of all interview recordings, transcripts, and analysis at any time after the audit is delivered. See Section 8 (Data Retention) for standard retention periods.

2f. When you interact with us via Telegram

We operate a Telegram bot for internal business management. Messages sent to this bot (text, voice notes, or photos) are processed by Claude (Anthropic) to generate responses. This bot is not publicly available and is used solely for our own business operations.

What we collect: Message content, Telegram user ID, and any attachments sent to the bot.

Why: Internal business operations and task management.

Legal basis: Legitimate interest (business operations management).

2g. Internal communications monitoring

We collect messages from our internal Slack workspace for business intelligence and operational record-keeping. This processing relates only to our own business communications and does not involve external individuals' data unless they are mentioned in the course of normal business discussion.

What we collect: Messages from channels our intelligence bot has been invited to.

Why: To maintain a searchable record of business communications and decisions.

Legal basis: Legitimate interest (business operations and record-keeping).


3. Data We Obtain from Third Parties

When we contact you proactively (Section 2d above), your data has not been provided by you directly. Under Article 14 of UK GDPR, we are required to tell you:

Categories of data: Name, work email address, job title, company name, industry, company size, employee count, seniority level, and business location.

Source: Apollo.io, a B2B sales intelligence platform that aggregates publicly available business information from company websites, professional networks, public filings, and other public sources.

When we tell you: We will provide this privacy notice to you at first contact (included as a link in our initial email).


4. AI Tools and Automated Processing

We use artificial intelligence tools as part of our business operations and service delivery. We believe in being transparent about this.

Tools we use and what they process:

Tool | Provider | What it processes | Purpose
Claude | Anthropic (US) | Interview transcripts, business analysis, workspace data | AI-assisted analysis of audit findings, business operations
AuditFlo | Morningside AI (US) | Interview transcripts, research data, audit analysis | Audit workflow platform. Uses Anthropic and OpenAI as sub-processors for AI analysis.
OpenAI | OpenAI (US) | Interview transcripts (via AuditFlo) | AI-assisted analysis within AuditFlo's audit workflow
Fireflies.ai | Fireflies (US) | Meeting audio, transcripts, attendee details | Meeting recording and transcription
Gemini | Google (US) | Business metrics summaries, meeting highlights | Daily business intelligence synthesis
Apollo.io | Apollo (US) | Business contact data, website visitor data | Prospecting and website analytics

Important commitments:

  • None of our AI providers use your data to train AI models. Anthropic: opted out of training, 7-day API retention. AuditFlo: explicitly commits to no model training and no data-sharing programmes; its AI sub-processors (Anthropic, OpenAI) auto-delete data within 30-55 days. OpenAI (via AuditFlo): API-tier processing only, data not used for training. Google Gemini: paid API tier, data not used for training or product improvement (logged only for abuse monitoring). Fireflies: contractually prohibits all vendors (including OpenAI and ASR providers) from using data for training, with zero-retention policies.
  • No automated decisions are made about you. All AI outputs are reviewed by a human before being acted upon or shared.
  • AI tools are used to assist analysis, not to replace human judgement. The AI Audit deliverable is a human-reviewed product.

Data sent to AI providers: When we use Claude to analyse interview transcripts, the transcript text (including speaker names) is sent to Anthropic's servers for processing. Anthropic retains API data for 7 days, then permanently deletes it. Anthropic does not use our data for model training (we have opted out). Anthropic holds SOC 2 Type II and ISO 42001 certifications.


5. Meeting Recording and Transcription

We use Fireflies.ai to record and transcribe business meetings, including discovery calls and audit interviews.

How it works:

  • Fireflies joins the video call as a visible participant (you will see it in the call)
  • Fireflies sends an email notification approximately one hour before the meeting
  • The call is recorded (audio) and transcribed (text with speaker attribution)
  • Summaries and action items are automatically extracted

Your rights regarding recording:

  • You will always be informed before recording begins
  • For discovery calls: recording consent is included in the Calendly booking confirmation
  • For audit interviews: verbal consent is obtained at the start of each session
  • You can opt out of recording at any time. If you prefer not to be recorded, tell us and we will switch Fireflies off. You will not be disadvantaged in any way.
  • You can request deletion of your recording and transcript at any time

Where recording data is stored:

  • Fireflies.ai servers (United States, AWS and Google Cloud infrastructure)
  • Our local database (United Kingdom and Azure West Europe)
  • Attio CRM (meeting notes summary only, United Kingdom / EU data centres)

Retention: Recordings and transcripts are deleted within 90 days of the audit deliverable being provided. You can request earlier deletion at any time.


6. Who We Share Your Data With

We do not sell, rent, or trade your personal data. We share data only with the service providers we need to operate our business:

Service | Provider Location | What they receive | Their privacy policy
Apollo.io | United States | Website visitor data, prospect contact data | apollo.io/privacy
Attio | United Kingdom (EU data centres) | Contact details, deal information, meeting notes | attio.com/legal/privacy
Brevo | France (EU data centres) | Email addresses, contact attributes | brevo.com/legal/privacypolicy
Fireflies.ai | United States | Meeting recordings, transcripts, attendee details | fireflies.ai/privacy-policy
AuditFlo | United States | Interview transcripts, research data, audit analysis | auditflo.ai/privacy
Anthropic (Claude) | United States | Interview transcripts, business analysis data | anthropic.com/privacy
OpenAI | United States | Interview transcripts (via AuditFlo) | openai.com/privacy
Google (Gemini) | United States | Business metrics summaries | policies.google.com/privacy
Calendly | United States | Name, email (for bookings) | calendly.com/privacy
Google Analytics | United States | Page views, traffic sources, site navigation (consent-gated) | policies.google.com/privacy
GitHub Pages | United States | Website hosting (no personal data collected) | github.com/privacy

Where personal data is processed, we have Data Processing Agreements (or equivalent contractual terms) in place with each provider, as required by Article 28 of UK GDPR. These agreements ensure that our processors handle your data only on our instructions and in accordance with applicable data protection law.


7. International Data Transfers

Some of our service providers are based in the United States. When your personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place.

Providers certified under the UK Extension to the EU-US Data Privacy Framework (DPF):

Provider | DPF Certified | Data Location
Apollo.io | Yes (UK Extension) | United States
Calendly | Yes (UK Extension, participant #6050) | United States (Google Cloud)
Fireflies.ai | Yes (UK Extension) | United States (AWS, Google Cloud)
Brevo (Sendinblue Inc.) | Yes (UK Extension) | EU (France/Germany). US subsidiary holds DPF certification for any US-bound transfers.
Google (Gemini) | Yes (UK Extension) | United States
GitHub (Microsoft) | Yes (UK Extension, via Microsoft) | United States. Static website hosting only; no personal data is collected or processed by GitHub Pages.

DPF certification provides an adequate level of protection recognised by the UK government.

Providers relying on Standard Contractual Clauses:

Provider | Transfer Mechanism | Data Location
Anthropic (Claude) | EU SCCs + UK Addendum | United States (AWS)
AuditFlo (Morningside AI) | EU SCCs + UK Addendum | United States
OpenAI (via AuditFlo) | EU SCCs + UK Addendum | United States

Anthropic is not DPF-certified. Transfers are protected by Standard Contractual Clauses with the UK Addendum (the ICO-approved mechanism). Anthropic retains API data for 7 days, does not use our data for model training (we have opted out), and holds SOC 2 Type II and ISO 42001 certifications.

AuditFlo (operated by Morningside AI) processes data in the United States. AuditFlo holds SOC 2 Type II and ISO 27001 certifications. When AI processing is required, AuditFlo uses Anthropic and OpenAI as sub-processors under strict data usage policies: no model training, no data sharing, automatic deletion within 30-55 days. A Data Processing Agreement is available on request.

Providers based in the UK or EU (no international transfer required):

Provider | Location | Data Location
Attio (CRM) | United Kingdom (London) | EU data centres (Google Cloud)
Microsoft Azure | West Europe region | Netherlands (EEA)

If you would like more information about the specific safeguards in place for any transfer, please contact us.


8. Data Retention

We keep your data only as long as we need it. Here are our standard retention periods:

Data type | Retention period
Website visitor data (Apollo) | 90 days (per Apollo's policy)
Mini-Map submissions | 24 months after submission, or until you request deletion or withdraw consent (whichever is sooner)
Discovery call bookings | Duration of business relationship
Cold outreach contact data | Until you opt out (then suppressed, not deleted, to prevent re-contact)
CRM contact records | Duration of business relationship + 6 years (legal/accounting requirements)
Meeting recordings and transcripts | 90 days after audit delivery, then deleted
AI processing data (Anthropic, direct) | 7 days (Anthropic's API data retention policy)
AI processing data (Anthropic + OpenAI, via AuditFlo) | 30-55 days (auto-deleted, not used for training)
Business correspondence | Up to 6 years (legal/accounting requirements)
Financial records | 6 years (HMRC requirement)

When data reaches the end of its retention period, it is securely deleted or anonymised.


9. Cookies and Similar Technologies

Our website uses the following tracking and storage technologies:

Apollo.io Website Tracker

  • Type: Third-party tracking script
  • Purpose: Identifies businesses visiting our website using IP address and publicly available company data
  • Storage: Uses browser local storage (not cookies) to maintain a visitor identifier and manage tracking state. Specific keys: anonymous visitor ID (persistent), tracking consent flag (24 hours), event queue (until processed).
  • Legal basis: Consent. The tracker only loads if you accept non-essential tracking.

Cookie Consent Preference

  • Type: First-party local storage
  • Purpose: Remembers whether you accepted or rejected non-essential tracking
  • Storage: pmai_cookie_consent key in local storage (persistent until you change your preference)
  • Legal basis: Strictly necessary (required to respect your tracking preference)

Calendly Widget

  • Type: Third-party embed (on booking pages)
  • Cookies: May set functional cookies required for the booking process
  • Legal basis: Strictly necessary (required to provide the booking service you requested)

Your choices: When you first visit our website, a consent banner asks whether you accept or reject non-essential tracking. The Apollo tracker only loads if you accept. You can change your choice at any time by clicking "Cookie Settings" in the footer of any page. Your preference is stored locally on your device and is not sent to our servers.

Google Analytics (GA4)

  • Type: Third-party analytics script (Google)
  • Purpose: Measures page views, traffic sources, and how visitors navigate the site — so we can understand what content is useful and where visitors come from
  • Storage: Uses first-party cookies (_ga, _ga_*) to distinguish visitors. Cookie lifetime: up to 2 years.
  • Consent Mode: GA4 runs in Google Consent Mode v2. Analytics storage is denied by default and only granted if you accept non-essential tracking. When denied, no cookies are set and no personally identifiable data is collected.
  • Legal basis: Consent. Full tracking only activates if you accept non-essential tracking via the cookie banner.
  • Data sharing: We have disabled data sharing with Google for advertising and product improvement purposes. Google processes analytics data under their Ads Data Processing Terms.

10. Your Rights

Under UK GDPR, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Ask us to correct inaccurate or incomplete data
  • Right to erasure: Ask us to delete your data (subject to legal retention requirements)
  • Right to restriction: Ask us to limit how we use your data while a concern is resolved
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interest, including direct marketing. For direct marketing, this is an absolute right and we will comply immediately.
  • Right to withdraw consent: Where we rely on your consent, you can withdraw it at any time. This does not affect the lawfulness of processing carried out before withdrawal.
  • Rights relating to automated decision-making: We do not make solely automated decisions that produce legal or similarly significant effects on you. All AI-assisted analysis is reviewed by a human.

How to exercise your rights: Email kris@primemeridianai.com. We will respond within one month. There is no fee for most requests.

If you are not satisfied: You have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the chance to address your concerns before you contact the ICO.


11. Children's Data

Our services are designed for business professionals. We do not knowingly collect or process personal data from children under the age of 18. If you believe we have inadvertently collected data from a child, please contact us at kris@primemeridianai.com and we will delete it promptly.


12. Our Status as Controller or Processor

For most of our processing (website visitors, outreach, CRM, our own business operations), we are the data controller. We decide what data to collect and how to use it.

During client engagements (AI Audits), the position depends on the arrangement:

  • We are typically a separate data controller or joint controller with the client, because we determine the methodology, interview approach, and analysis methods.
  • Where a client instructs us to process specific data in a specific way, we may act as a data processor under a Data Processing Agreement.
  • We will agree the appropriate arrangement with each client before any personal data is shared, and document it in our engagement terms.

13. Data Security

We take appropriate technical and organisational measures to protect your data:

  • Data encrypted in transit (HTTPS) and at rest
  • Access to systems restricted to authorised personnel (sole trader: Kris Farebrother only)
  • Strong passwords and multi-factor authentication on all accounts
  • Regular review of third-party service provider security practices
  • Local databases stored on encrypted devices
  • Server infrastructure hosted in Microsoft Azure with enterprise-grade security

We do not store payment card information. Any payments are processed through third-party payment providers with their own security certifications.


14. Changes to This Notice

We may update this notice from time to time to reflect changes in our practices, services, or legal requirements. The "last updated" date at the top will always show the most recent version.

For significant changes that affect how we use your data, we will make reasonable efforts to notify you directly (for example, by email if we hold your contact details).


15. Working with Regulated Sectors

We work with professional services firms in regulated sectors, including law firms (SRA-regulated), accountancy practices (ICAEW/ACCA-regulated), and recruitment agencies. We understand the heightened data protection expectations in these sectors.

For regulated-sector clients, we offer:

  • Non-disclosure agreements and confidentiality agreements before any data is shared
  • Data sharing agreements or Data Processing Agreements as appropriate
  • Written confirmation that client data is not used for AI model training
  • Documented data handling procedures, retention periods, and deletion processes
  • Willingness to discuss specific regulatory requirements (SRA confidentiality, ICAEW ethics, etc.)

If you are evaluating us as a vendor and need specific assurances about data handling, please contact kris@primemeridianai.com. We are happy to provide detailed responses to vendor due diligence questionnaires.