Grace Blackwell The Power of Trust

Privacy Policy

How we collect, use, and protect your personal data.

Last updated: 20 May 2026

1. Who We Are

Grace Blackwell Consulting Ltd ("we", "us", "our") is the data controller responsible for your personal data. We are registered in England and Wales under company number 14589076, with our registered office at 124 City Road, London, EC1V 2NX, United Kingdom.

For any data protection enquiries, please contact us at: privacy@graceblackwell.ai

2. The Law That Applies

This privacy policy is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to protecting your personal data in accordance with these laws.

3. What Data We Collect

3.1 Website

We collect personal data through our website contact form:

  • Your name
  • Your email address
  • Your organisation name (if provided)
  • The content of your message

3.2 HEX 165 Platform

When you use the HEX 165 compliance platform (hex165.graceblackwell.ai), we process the following data:

  • Account data — name, email address, organisation name, role, hashed password
  • System model data — AI agent names, tool names, architecture patterns, and configuration metadata submitted via the HEX 165 scanner. Source code is not transmitted to the platform.
  • Documentation inventory — filenames and keyword match results from documentation scans. Document contents are not transmitted.
  • Assessment data — compliance evaluations, classification results, questionnaire answers, targeted questions, and generated reports
  • Chat interactions — messages exchanged with the AI compliance assistant within the platform
  • Technical data — API access tokens (stored as hashed values), login timestamps

We do not collect any special category data (such as health information, racial or ethnic origin, political opinions, or biometric data).

4. How We Use Your Data

4.1 Website

We use the personal data you provide solely to:

  • Respond to your enquiry or request
  • Provide information about our services that you have asked about
  • Manage our relationship with you

4.2 HEX 165 Platform

We process platform data to:

  • Provide the compliance assessment service you have engaged us for
  • Evaluate your AI systems against applicable regulatory frameworks
  • Generate compliance reports and remediation guidance
  • Provide AI-assisted compliance guidance via the chat assistant
  • Authenticate your access and maintain account security

5. Lawful Basis for Processing

Website contact form: We process your personal data on the basis of legitimate interest (Article 6(1)(f) UK GDPR). Our legitimate interest is to respond to enquiries received through our website and to provide information about our services to prospective clients who have contacted us.

HEX 165 Platform: We process platform data on the basis of contractual necessity (Article 6(1)(b) UK GDPR) — processing is necessary to perform the compliance assessment service you have engaged us to provide.

You have the right to object to processing based on legitimate interest at any time. See Section 9 below for details of your rights.

6. How Long We Keep Your Data

Website: We retain your contact form data for no longer than 12 months from the date of your last interaction with us, unless there is a legitimate business reason to retain it for longer (for example, if we enter into a contract with you or your organisation). After this period, your data is securely deleted.

Platform: We retain platform data for the duration of the engagement. You may delete individual assessments or your entire account at any time via the self-service data management page within the platform. Upon account deletion, all associated data (account details, assessments, reports, chat history, and uploaded system models) is permanently removed.

7. Who We Share Your Data With

We do not sell, rent, or trade your personal data to any third party. We may share your data with:

  • Our email hosting provider, solely for the purpose of delivering and storing communications (data processed within the UK or EEA only)
  • Anthropic (as a sub-processor) — chat messages sent via the platform's AI compliance assistant are processed by Anthropic's Claude API to generate responses. Only the chat message content and relevant assessment context are transmitted. Anthropic does not use this data for training. Anthropic's data processing is governed by their Privacy Policy.

Any third-party processors we use are bound by data processing agreements that comply with UK GDPR requirements.

8. International Transfers

Website and platform infrastructure: Your platform data is hosted on Hetzner in Nuremberg, Germany (EU). No platform data is transferred outside the EEA.

Chat assistant: Chat messages processed by Anthropic's Claude API may be processed in the United States. Where data is transferred outside the UK/EEA, appropriate safeguards are in place as required by UK GDPR (Standard Contractual Clauses).

9. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — You may request a copy of the personal data we hold about you.
  • Right to rectification — You may ask us to correct any inaccurate or incomplete data.
  • Right to erasure — You may request that we delete your personal data where there is no compelling reason for us to continue processing it.
  • Right to restrict processing — You may ask us to suspend the processing of your data in certain circumstances.
  • Right to object — You may object to our processing of your data where we are relying on legitimate interest as the legal basis.
  • Right to data portability — You may request a copy of your data in a structured, commonly used, and machine-readable format.

To exercise any of these rights, please email us at privacy@graceblackwell.ai. We will respond to your request within one month.

HEX 165 Platform users: You can exercise your rights to access, portability, and erasure directly via the "Your Data" page within the platform. This provides self-service data export (JSON) and account/assessment deletion without needing to contact us.

10. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113

11. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically.

12. Contact Us

Grace Blackwell Consulting Ltd
124 City Road, London, EC1V 2NX, United Kingdom
Email: privacy@graceblackwell.ai
