Privacy Policy

1. Who we are and scope

Trilogy Research Ltd (UK) is the controller for data processed via our websites, forms, chatbots, AI voice agents, emails, and services. We comply with UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025 (DUAA), EU GDPR, and PECR. DUAA is commencing in stages. Contact: via this website or by post: 2 Bedford Mews, London N2 9DF, United Kingdom.

2. Our role as controller or processor

Controller for our own operations (website, enquiries, marketing, security, billing). Processor when delivering client services under a data processing agreement and documented instructions, including sub-processor controls.

3. Data we collect

Identity and business contact data; consent records; enquiry and account data; voice/AI data (call audio, transcripts, chatbot logs, metadata such as time, duration, numbers, device/network); technical data. Cookies: essential cookies operate without consent under PECR; certain non-personalised analytics/service-improvement cookies may operate without prior consent under DUAA; EU/EEA users remain subject to ePrivacy consent rules. Lawful enrichment from public sources with notice where required.

4. Why we use your data and lawful bases

Service delivery, support, and security (contract; legitimate interests). Relationship and billing (contract; legal obligation; legitimate interests). Direct marketing where permitted (consent or legitimate interests, applying PECR/ePrivacy). Legal/regulatory duties and defence of claims (legal obligation; legitimate interests). Consent used and recorded where required.

5. AI, recordings, logging, and automation

Conversational AI (speech-to-text, analysis, voice generation) is used to deliver and monitor services. Calls and chatbot sessions may be recorded or logged for service, quality, training, security, and compliance - only where lawful and with required notice/consent. No solely automated decisions with legal or similarly significant effects. If ever used, DUAA safeguards will apply (clear notice, human review, right to contest), and special-category data will not be used for such decisions. Lawful bases assessed case-by-case.

6. Marketing rules and your choices

Consent taken where required for emails, SMS/WhatsApp, and human or AI-initiated calls/messages. Legitimate interests may be used for B2B direct marketing where permitted; PECR rules still apply. Unsubscribe at any time (email link; reply “STOP” to SMS/WhatsApp; or email us). TCPA applies to US-applicable contacts only.

7. Sharing your data

Trusted processors for hosting, telephony, AI/chatbot platforms, analytics, security, and support tools; professional advisers; group entities. All bound by contract, confidentiality, and data-protection terms. No sale of personal data.

8. International transfers

We use UK-approved transfer tools (IDTA or EU SCCs with UK addendum) and apply any updated DUAA transfer tests/guidance in force. Additional measures used where needed. Summaries of safeguards available on request subject to redactions.

9. Security, LLM safeguards, and retention

Controls include encryption, least-privilege access, staff training, vendor due diligence, and audit/logging. Raw personal data (e.g., names, numbers, emails) is not placed into language-model prompts unless essential; by default it is routed to secure CRM fields (e.g., GoHighLevel) outside LLM context. Retention: marketing consents up to 6 years after last interaction or until withdrawn (plus any audit/defence period); suppression (“do-not-contact”) records kept indefinitely; enquiry logs (incl. AI context notes) 12 months from last interaction, extendable to 18 months while active; call recordings/chatbot logs/transcripts 30–90 days for service/training/compliance then deletion; other records only as needed for stated purposes or law.

10. Your rights, complaints, and updates

Rights: access, rectification, erasure, restriction, objection (including to marketing), portability, and withdrawal of consent. We may verify identity and make reasonable, proportionate searches. We operate an internal data-protection complaints process and will respond without undue delay. UK complaints: Information Commissioner’s Office (ICO). EEA complaints: your local authority. We will update this notice as DUAA provisions commence and give prominent notice of material changes.

We use your details only to respond to your enquiry or request. If you choose to stay in touch, we may send occasional, relevant updates or insights we believe are genuinely useful to your professional interests. You can unsubscribe or opt out at any time. We value your privacy and interest in our services - this is a short summary of our approach. Please refer to our full Terms and Privacy Policy below:

At a glance: