Legal
Privacy Policy
Last updated: 14 May 2026 · Version 2026-05-14
Who I am
This site is operated by Chris Garlick, an AI implementation partner based in the United Kingdom. I am the sole data controller for the personal data described here.
Website: chrisgarlick.com · General contact: chris@chrisgarlick.com · Privacy enquiries and data-subject requests: privacy@chrisgarlick.com
What data I collect and why
The contact form at /contact
When you submit the form at /contact, I collect your name, email address, business name, industry, number of employees, revenue range, a description of your biggest operational bottleneck, and optionally how you found this site.
I use this data to respond to your enquiry and assess whether my services are a fit.
Lawful basis: Legitimate interest (UK GDPR Article 6(1)(f)). You are contacting me about my services; I need your details to respond.
The AI readiness audit at /audit
When you submit the form at /audit, I collect your name, email, company name, website, sector, team size, your stated bottleneck, and any optional details you choose to share (budget range, six-month goal, sector-specific tooling). I also record your IP address and browser user-agent to prevent abuse of the form.
I use this data to produce a personalised AI readiness audit, which is delivered to you as a PDF within 24 hours of submission.
Lawful basis: Contract (UK GDPR Article 6(1)(b)). You are requesting a service from me and I need this data to deliver it.
The only automated email you will ever receive from /audit is the audit PDF itself. Any further conversation about your audit is personal correspondence sent manually by me from my own inbox. There is no automated marketing sequence and no marketing list.
The site audit tool at /tools/site-audit
When you submit a URL for a free technical audit, I record the URL, your IP address, and the resulting score data so I can investigate abuse and improve the tool. I do not collect your email at this step.
Lawful basis: Legitimate interest (UK GDPR Article 6(1)(f)).
Resource downloads at /resources
When you request a free resource at /resources, I collect your email and any optional name, company, and sector. The download itself is delivered to you transactionally. Marketing-style emails are only sent if you tick the explicit consent box.
Lawful basis: Contract for the download itself; Consent (UK GDPR Article 6(1)(a)) for any subsequent marketing email, which you can withdraw at any time using the link in any such email.
Analytics
This site uses Google Analytics 4, loaded via Google Tag Manager, to understand how visitors find and use the site. GA4 sets cookies in your browser and records pseudonymous data including page views, referrer URLs, approximate location (city level), browser, and device type.
I do not link analytics data to your form submissions or personally identify visitors. Google may process this data in the United States under its published Data Processing Addendum.
Who processes your data on my behalf (sub-processors)
Anthropic (AI content generation) — when you submit the /audit form, your submission is sent to the Claude API to generate the audit content. Anthropic processes data in the United States under its published Data Processing Addendum and is configured for zero-retention mode: your data is not retained by Anthropic and is not used for model training.
Resend (transactional email delivery) — processes your name and email address to send confirmation, audit, and resource-delivery emails. US-based, Standard Contractual Clauses in place.
Google (Google Analytics 4 + Google Tag Manager) — processes pseudonymous analytics data as described above.
DigitalOcean (hosting) — server logs may contain IP addresses in transit. UK and EU hosting regions used where applicable.
I do not sell, rent, or share your personal data with anyone else.
How long I keep your data
Contact form submissions: retained until the purpose is fulfilled, then deleted within 90 days unless there is a legal reason to retain them.
Audit submissions (/audit): retained for 90 days if the audit was never sent (abandoned in workflow); 24 months if the audit was sent and there was no further engagement; up to 7 years if you went on to become a client (for HMRC and contract-record reasons). After 7 years, client records are anonymised.
Resource-download leads: retained while marketing consent is active and for 24 months after consent is withdrawn or last engagement.
Site audit logs (/tools/site-audit): retained for 12 months for abuse-prevention purposes, then deleted.
Your rights
Under UK GDPR you have the right to access, rectify, erase, restrict, object to processing of, and port your data, as well as the right to withdraw consent for any processing that relies on consent.
The fastest way to remove your audit data is the deletion link in the bottom of the audit-delivery email I send you. One click, no login, no need to email me first.
For any other rights request, or if you have lost the deletion link, email privacy@chrisgarlick.com from the email address you submitted with. I will action your request within 30 days.
If you are not satisfied with my response, you can complain to the Information Commissioner's Office (ICO): ico.org.uk
Changes
I will update this page if anything changes. The "last updated" date and version number at the top reflect the most recent revision. For audit submissions, the privacy notice version that was live at the time of your submission is recorded with your data, so you can always check exactly which version of the policy you agreed to.