We only collect what we need. We do not sell your data. We do not share it with advertisers. This policy explains what we collect, why, and what rights you have.
Paragon AI ("we", "us", "our") is a trading name of Michael Gilliver, a sole trader based in Wrexham, Wales. We provide AI-powered business automation and growth services to trades businesses in the United Kingdom. We act as data controller for personal data we collect through our website and in connection with our client relationships.
Where we process personal data on behalf of our clients through our AI agents, we act as data processor and our clients are the data controller. See Section 7.
| Business name | Paragon AI |
| Location | Wrexham, Wales |
| Contact | [email protected] |
| Website | paragonai.co.uk |
| Legal structure | Sole trader |
| ICO Registration Number | C1900966 |
This policy applies to: visitors to our website; prospective clients who book a demo or contact us; subscribed clients; and end users (your customers) whose data is processed by our agents on your behalf.
This policy does not apply to third-party websites linked from our site. We are not responsible for their privacy practices.
Our services are primarily directed at UK businesses. This policy is written to reflect our obligations under UK GDPR and the Data Protection Act 2018.
Our current service configuration does not include audio recording. Where our voice AI infrastructure providers transiently process audio to generate transcripts, that processing is governed by their data processing agreements (see Section 8).
Business contact information from publicly available sources (including Google Maps and trade directories), collected via Phantombuster, used solely for our own outreach activities where we have a lawful basis and where applicable marketing rules permit. This data is not shared with clients.
We do not store payment card details. All payment processing is handled by Stripe. We receive only a transaction reference and subscription status. Stripe's privacy policy governs payment data: stripe.com/gb/privacy
| Purpose | Data used | Legal basis |
|---|---|---|
| Deliver and manage AI agent services | Business info, booking data, call logs | Contract performance |
| Process payments and manage subscriptions | Name, email, Stripe token | Contract performance |
| Send monthly reports and operational updates | Name, email, performance data | Contract performance |
| Provide monthly growth consultations | Business data, usage metrics | Contract performance |
| Respond to enquiries and support requests | Name, email, communications | Legitimate interests / pre-contract steps |
| Improve our services | Aggregated, anonymised data only | Legitimate interests |
| Send marketing to existing clients | Name, email | Legitimate interests (soft opt-in, B2B) |
| Send marketing to prospects | Name, email | Legitimate interests (B2B, PECR compliant) |
| Comply with legal obligations | Financial and business records | Legal obligation |
| Prevent fraud and protect our systems | Usage data, IP address | Legitimate interests |
| Website analytics | Anonymised visitor data | Consent / Legitimate interests |
Our AI agents make limited automated decisions, for example whether to book a job directly or escalate for human review. Our services are not intended to make solely automated decisions that produce legal or similarly significant effects on individuals. Where human review is requested, this can be arranged. If you believe an automated outcome has affected you meaningfully, contact us to request a manual review.
We may use data collected through our services to improve our AI systems and service quality. Where we do so:
You have the right to object to your data being used in this way. To opt out, email [email protected] with the subject "Opt out of anonymised training data". This will not affect your access to the Services.
Calls handled by our AI voice agent are transcribed in real time. Our agents are configured to confirm they are AI if asked directly — this is mandatory in every deployment. Where call recording is enabled in a client's configuration, we will notify the client, who is responsible for disclosing this to callers under applicable rules.
Outbound SMS messages sent by our agents are sent from numbers connected to the client's account. Clients are responsible for ensuring they have the right to contact recipients under UK PECR. Opt-out requests (STOP replies) are processed promptly and recipients are removed from further automated communications.
When Paragon AI processes personal data belonging to your customers on your behalf:
We use the following sub-processors. Each is subject to appropriate data processing terms and required to handle data in compliance with UK GDPR. We will notify active clients of material changes to this list.
| Provider | Purpose | Data processed |
|---|---|---|
| Stripe | Payment processing | Name, email, payment token |
| GoHighLevel | CRM, SMS, calendar automation | Client and customer contact data, bookings |
| VAPI / Bland.ai | AI voice infrastructure | Call transcripts, call metadata |
| Google Calendar | Appointment scheduling | Calendar data, booking details |
| Instantly.ai | Cold email (our own outreach only) | Prospective client email addresses |
| Phantombuster | Lead data collection (our own outreach only) | Publicly available business contact data |
| BuildMyAgent.io | AI chat widget on website | Visitor messages, interaction data |
| Google Analytics | Website analytics (where enabled) | Anonymised visitor behaviour |
We do not sell your data to any of these providers or any third party. We do not authorise sub-processors to use your data for their own marketing or general AI model training.
Several of our sub-processors are based in or process data in countries outside the UK, including the United States. Where personal data is transferred outside the UK, we seek to ensure appropriate safeguards are in place, which may include UK adequacy decisions, UK International Data Transfer Agreements (IDTAs), or Standard Contractual Clauses with UK addendums.
Details of safeguards applicable to specific provider transfers are available on request by emailing [email protected].
| Data type | Retention period | Reason |
|---|---|---|
| Client account and subscription data | Duration of contract + 6 years | UK legal requirement (HMRC) |
| Financial and payment records | 7 years from transaction date | HMRC legal obligation |
| Call transcripts and logs | 12 months | Service delivery and dispute resolution |
| SMS interaction logs | 12 months | Service delivery and compliance |
| Monthly report data | 24 months | Growth consultation and benchmarking |
| Demo enquiries (non-converted) | 24 months | Legitimate interests (follow-up) |
| Marketing contact data | Until opt-out or 36 months inactivity | Legitimate interests |
| Website analytics | 26 months (anonymised after 13 months) | Trend analysis |
| Support and email communications | 3 years | Dispute resolution |
After the relevant period, data is securely deleted or anonymised where technically feasible. You may request earlier deletion subject to legal retention requirements under Section 13.
We implement appropriate technical and organisational measures including:
No transmission of data over the internet is completely secure. In the event of a breach affecting your rights, we will notify you and the ICO as required by law.
Our website uses the following types of cookies:
Our site includes a third-party AI chat widget (BuildMyAgent.io). This script may set cookies or access browser storage. Please refer to their privacy policy for details.
You can manage cookie preferences through your browser settings or by contacting [email protected].
| Right | What it means |
|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you |
| Rectification (Art. 16) | Ask us to correct inaccurate or incomplete data |
| Erasure (Art. 17) | Ask us to delete your data, subject to legal retention obligations |
| Restriction (Art. 18) | Ask us to pause processing in certain circumstances |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Object (Art. 21) | Object to processing based on legitimate interests |
| Withdraw consent (Art. 7) | Withdraw consent for any consent-based processing at any time |
| Automated decisions (Art. 22) | Request human review of any significant automated decision |
To exercise any right, email [email protected] with the subject "Data Rights Request". We will respond within one calendar month. We may request proof of identity. There is no charge unless requests are manifestly unfounded or excessive.
Our services are directed at business customers and are not intended for children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact [email protected] and we will delete it promptly.
We review and update this policy periodically. When we make material changes, we will update the date at the top of this page and notify active clients by email at least 14 days before changes take effect. Where changes are required immediately by law or security requirements, we may apply them sooner.
For privacy questions or data rights requests:
Email: [email protected]
Subject: Privacy / Data Rights Request
We aim to respond to all privacy queries promptly and will respond to formal data rights requests within one calendar month.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF