01 Who we are and how to contact us
FLUIS.ai is a sole trader business based in the United Kingdom.
| Detail | Value |
|---|---|
| Trading name | FLUIS.ai |
| Business form | Sole trader (United Kingdom) |
| Registered business address | Available on request — privacy@fluis.ai |
| VAT registration | Available on request |
| ICO registration (data protection fee) | Available on request |
| Primary contact email | hello@fluis.ai |
| Privacy & data protection enquiries | privacy@fluis.ai (falls back to hello@fluis.ai) |
| Data Protection Officer (DPO) | Not currently appointed. FLUIS handles data protection enquiries directly via privacy@fluis.ai. A DPO is not mandatory under ICO criteria for our size and processing activities. |
We are the data controller for personal data we collect about visitors to this website, prospects, and end-users of our public-facing demos (e.g. the voice widget on this page).
When we deliver paid services to a client business, we typically act as a data processor for the personal data that client uploads into our systems (e.g. the contacts our voice agent or AI chat books on the client's behalf). The client remains the data controller for that data. Our Data Processing Agreement (DPA), available on request, sets out the controller-processor terms.
02 What personal data we collect and how we use it
We collect only what we need to deliver the service you asked for or to operate our business responsibly. The table below maps each category of personal data we may hold to its purpose.
| Category | Examples | Purpose |
|---|---|---|
| Identity + contact data | Name, business email, business phone, company name, role/title | Account creation, demo booking, support, billing, sending you the service you signed up for |
| Demo + enquiry data | Form submissions, calendar bookings, voice-widget conversations on this site | Responding to your enquiry, scheduling a call, demonstrating the agent live |
| Service + usage data | Pages visited, features used, timestamps, IP address, device + browser type | Operating the service, debugging, fraud prevention, service improvement |
| Transaction + billing data | Billing address, subscription tier, invoice history, partial payment instrument metadata (last 4 of card via our payment processor — we do not store full card numbers) | Charging the agreed monthly fee, issuing invoices, accounting, tax reporting |
| Voice + call data (when you use the voice agent demo) | Audio recordings of your conversation with the demo agent, transcripts, derived metadata (call duration, sentiment markers) | Powering the live AI voice response, tuning the agent's quality, generating the transcript you can review. See §5 for the retention + deletion mechanics. |
| Chat data (when you use the chat agent demo) | Message contents, conversation history within a session, derived metadata | Powering the AI chat response, tuning agent quality, transcript review. See §5. |
| Marketing preferences | Whether you opted in to receive marketing email, and from which channel | Sending you marketing material only with a valid lawful basis (see §3) |
| Client-side processing data (B2B clients only) | Contacts, leads, bookings, and conversation transcripts your AI agent handles on your behalf in production | We process this strictly as your data processor under your instructions. See our DPA. |
We do not knowingly collect personal data from children under 16. Our services are sold to businesses, not consumers, and our public marketing is not directed at minors.
03 Our lawful bases for processing
Under Article 6 of the UK GDPR, every processing activity needs a lawful basis. For each category of activity above, ours are:
| Activity | Lawful basis (Article 6) | Why |
|---|---|---|
| Delivering the service you signed up for | Contract — Art. 6(1)(b) | We can't fulfil your subscription without processing your account and service data. |
| Demo bookings + sales calls | Legitimate interest — Art. 6(1)(f) | Operating a sales process for our own business. You can object at any time (see §9). |
| Voice + chat agent demos on this site | Consent — Art. 6(1)(a) + contract for paid usage | You explicitly initiate the demo. We tell you at the start that the conversation is recorded and processed by AI. |
| Billing, invoicing + tax reporting | Legal obligation — Art. 6(1)(c) | HMRC and Companies Act recordkeeping rules. |
| Service analytics + product improvement | Legitimate interest — Art. 6(1)(f) | We need to understand how the service is used to keep it working and to improve it. We use the minimum data necessary; aggregate where we can. |
| Marketing email to existing customers (soft opt-in) | Legitimate interest — Art. 6(1)(f) + PECR Reg. 22(3) soft opt-in | You bought a similar service; we may send you relevant updates with an unsubscribe link on every email. |
| Marketing email to non-customer prospects | Consent — Art. 6(1)(a) + PECR consent | You actively opted in (e.g. ticked a clear box on a form). You can withdraw consent at any time. |
| Security, fraud + abuse prevention | Legitimate interest — Art. 6(1)(f) | Protecting our systems and your data from attack and misuse. |
For special category data (e.g. health information, biometric data), we additionally rely on Article 9. We do not currently process voice as biometric data for speaker identification — see §5.
04 How we use AI and LLM providers
Our voice and chat agents are powered by large language models ("LLMs") supplied by third-party AI providers. Your conversation with our agent is transmitted to the LLM provider so it can generate a response.
The LLM provider(s) we currently use:
- AI / LLM providers including Anthropic (Claude), OpenAI (GPT), and the LLM infrastructure bundled with GoHighLevel, depending on the specific feature. We will update this list as the stack changes.
Training data posture: we require, by contract with our LLM providers, that your conversation data is not used to train their public models. For paid Anthropic and OpenAI APIs this is the default contractual position. For GoHighLevel-routed AI features we rely on the LeadConnector / GHL terms, which prohibit such training without consent.
Automated decision-making + profiling (Article 22): our AI agents are conversational and assistive. They do not make decisions that have legal or similarly significant effects on you without a human in the loop. For example, the agent may qualify a lead or suggest a booking time — a human at your business confirms the booking. If we ever introduce a feature that does involve solely automated decision-making with legal effect, we will obtain your explicit consent and disclose it here first.
Output accuracy: AI-generated content (transcripts, summaries, recommendations) can be incomplete or wrong. We provide it as-is and require clients to keep a human in the loop for any decision that depends on it. See §7 of our Terms & Conditions.
05 Voice agents, call recordings and transcripts
When you talk to our voice agent on this site, or call a phone number that routes through our voice agent on a client's system, your conversation is recorded.
- Encrypted in transit and at rest. Recordings and transcripts are encrypted while travelling between systems and while stored.
- Access is limited. Only your team (if you're a client) and our internal tuning engineer have access to transcripts. We do not sell, share, or otherwise disclose recordings to third parties beyond the sub-processors named in §6.
- Auto-deletion after 90 days unless you (or our client whose agent you spoke to) explicitly elect to retain them for longer. Production retention is configurable per client; the default is 90 days.
- No voiceprint / biometric identification. We process voice as audio for the purpose of conversation. We do not extract a voiceprint or use the recording to identify you biometrically. If this changes, we will obtain your explicit consent and complete a Data Protection Impact Assessment first.
- UK call-recording disclosure. Under UK PECR, we and our clients must tell you that the call is being recorded and why. The voice agent does this at the start of the conversation.
- HIPAA-compatible setup is available as a configuration option for medical clients on appropriate contracts. It is not the default. If your industry requires HIPAA, BAA, or other healthcare-grade controls, contact us before going live.
If you have spoken to a voice agent on a third-party client's phone line and want your recording deleted, contact privacy@fluis.ai with the date, time, and phone number you called from. We will work with the client business that operates that line to honour your request.
06 Sub-processors and recipients of your data
We share your personal data with third-party service providers ("sub-processors") only as needed to deliver the service. Each is contractually required to protect your data to UK GDPR standards. The current list:
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| GoHighLevel / LeadConnector | Booking calendar, form embeds, CRM, voice agent + chat agent platform, call routing | United States | UK Extension to the EU–US Data Privacy Framework + Standard Contractual Clauses |
| LiveKit | Real-time voice transport for the in-browser voice agent demo | United States | Standard Contractual Clauses + UK IDTA |
| jsDelivr CDN (via Cloudflare) | Delivery of the LiveKit JavaScript SDK loaded by your browser when you open the voice demo | Global CDN edge | Cloudflare DPA; transit-only, not a long-term recipient |
| Netlify | Static hosting of this website + SSL termination | United States (Netlify) / European edge nodes | Netlify DPA + SCCs |
| Let's Encrypt | Issuing the SSL certificate that secures this site | Internet Security Research Group (US) | Standard CA practices; no personal data shared beyond the public certificate metadata |
| Google Fonts | Delivery of the typefaces used on this site (Anton, Inter, JetBrains Mono, Cormorant Garamond). Your browser fetches these directly from Google's CDN; Google receives your IP address as part of that request. | United States (Google LLC) | UK Extension to the EU–US Data Privacy Framework + Standard Contractual Clauses |
| AI / LLM providers (per §4) | Generating AI responses for voice and chat agents (Anthropic, OpenAI, and the LLM infrastructure bundled with GoHighLevel) | US / UK | UK Extension to the EU–US Data Privacy Framework + Standard Contractual Clauses |
We do not currently use Google Analytics, Mixpanel, Segment, advertising pixels, or third-party retargeting tools on fluis.ai. If we add any in future, we will update this policy and (where required) add a cookie consent banner before activation.
07 International data transfers and safeguards
Some of our sub-processors are based in the United States, including GoHighLevel, LiveKit, and (depending on configuration) our LLM provider. When personal data is transferred outside the UK / EEA, we rely on one or more of the following transfer mechanisms required by UK GDPR Chapter V:
- The UK Extension to the EU–US Data Privacy Framework for transfers to US-based recipients certified under the framework.
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses for any transfer not covered by the framework.
- Supplementary measures where the risk assessment indicates the legal framework alone is not sufficient — typically encryption in transit and at rest, access logging, and contractual restrictions on government access requests.
We complete an internal Transfer Risk Assessment ("TRA") for each US transfer involving personal data and update it when sub-processors change. The current TRA is available on request to privacy@fluis.ai.
08 How long we keep your data
We keep personal data only as long as we need it for the purpose it was collected, or as long as we are legally required to. Specifically:
| Data category | Retention period | After which |
|---|---|---|
| Demo enquiry data (form, calendar booking) | Up to 24 months from your last interaction | Anonymised or deleted |
| Voice agent recordings + transcripts (this site's demo) | 90 days | Auto-deleted unless explicitly retained |
| Chat agent transcripts (this site's demo) | 90 days | Auto-deleted unless explicitly retained |
| Client account + billing data | Duration of contract + 7 years after termination | Required by HMRC / Companies Act |
| Client production CRM data (where we are processor) | Per client instructions; default 30 days after contract termination | Deleted from our systems; the client may export beforehand |
| Marketing consent records | Until consent withdrawn + 2 years in evidential storage | Deleted |
| Service usage + analytics logs | 12 months | Aggregated to anonymous statistics or deleted |
| Security + audit logs | 12–24 months depending on incident relevance | Deleted |
Where data is anonymised rather than deleted, the anonymisation is irreversible and the resulting data is no longer personal data under the UK GDPR.
09 Your rights and how to exercise them
You have eight specific rights under the UK GDPR:
- The right to be informed — about how we use your data (this policy).
- The right of access — to a copy of the personal data we hold about you (a "Subject Access Request" or "SAR").
- The right to rectification — to correct inaccurate or incomplete data.
- The right to erasure — to ask us to delete your data ("right to be forgotten"). Some exceptions apply for data we are legally required to keep (e.g. billing records).
- The right to restrict processing — to ask us to pause processing while a dispute is resolved.
- The right to data portability — to receive your data in a structured, machine-readable format and have it transmitted to another controller.
- The right to object — to processing based on legitimate interests, and to direct marketing at any time.
- Rights related to automated decision-making + profiling — see §4 for our current stance.
How to exercise these rights: email privacy@fluis.ai with a short description of what you want. We will reply within 30 days (extendable by a further 60 days for complex requests, with a written explanation).
Identity verification. For requests other than basic enquiries, we may ask you to confirm your identity to make sure we don't disclose data to the wrong person. We will ask for the minimum information needed.
Fees. Most rights are exercised free of charge. We reserve the right to charge a reasonable administrative fee or refuse to act on requests that are manifestly unfounded or excessive (e.g. repetitive). If we do, we will tell you why in writing.
11 Changes to this policy
We may update this Privacy Policy from time to time as our services, sub-processors, or the law evolve. The Last updated date at the top of this page shows when the current version came into effect.
If we make a material change — for example, adding a new sub-processor in a non-adequate country, changing the lawful basis for a major processing activity, or introducing solely automated decision-making with legal effect — we will give you advance notice: typically by email to active customers, and by a visible banner on this site for at least 30 days. We will keep an archived copy of the previous version available on request.
12 How to complain to the ICO
If you believe we have not handled your personal data lawfully, please contact us first at privacy@fluis.ai so we have a chance to put things right.
You also have the right at any time to lodge a complaint with the UK supervisory authority:
| Detail | Value |
|---|---|
| Authority | Information Commissioner's Office (ICO) |
| Helpline | 0303 123 1113 |
| Online complaint form | ico.org.uk/make-a-complaint/ |
| Postal address | Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF |
| Website | ico.org.uk |
Questions about this Privacy Policy?
For any question about how we handle your personal data, or to exercise any of your GDPR rights, please email our privacy team. We respond within 30 days.
privacy@fluis.ai
Not sure who to email? Try hello@fluis.ai — we'll route it.