// Legal

Privacy Policy

Last updated: June 2026

This policy explains how Varsuite handles personal data. We only collect what we need to build great things for you, and we are upfront about recorded discovery sessions, AI processing, cookies and your rights. It is written to meet the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Who we are

Varsuite Media Group Ltd (“Varsuite”, “we”, “us”, “our”) is the data controller for the personal data described in this policy, except where we act as a processor on a client’s behalf as explained below. We are a company registered in the United Kingdom under company number [Company number to be inserted], with our registered office at [Registered office address to be inserted].

We have not appointed a statutory Data Protection Officer, as we are not required to. Accountability for privacy sits with our management team. For any question about this policy, or to exercise your rights, you can reach our privacy contact by email at hello@varsuite.co.uk.

Scope and our role

This notice covers the personal data we handle as a data controller, meaning where we decide why and how it is processed. That includes the data of our prospects, clients, the people who work for our clients, website visitors and contacts.

When we process personal data on a client’s behalf to deliver a service, for example data inside a system or AI agent we build and operate for them, we act as that client’s data processor rather than the controller. In those cases the client decides the purposes of processing and our handling is governed by our data processing terms. See our Data Processing Addendum for how we act as a processor.

What we collect

Depending on how you work with us, we may collect:

• Contact details, such as your name, email address, telephone number and business name
• Business information you share about your organisation, how it operates and what you want us to build
• Discovery recordings and their transcripts, captured only with your consent
• Account and portal usage data, such as your login details, the actions you take in your customer portal, support tickets and the messages you send to your agent terminal
• Website and product usage data needed to run, secure and improve what we build and host
• Billing and payment information, including invoicing details, your VAT number where applicable and a record of payments (card details are handled by our payment providers, not stored by us)
• Data you connect to us through integrations, which may contain personal data belonging to you, your staff or your own customers

How we collect it

We collect personal data in three main ways. We collect it directly from you when you contact us, request a quote, engage us for work, attend a discovery session or use your portal. We collect some of it automatically when you use our websites and the products we build, including through cookies and similar technologies. We also receive data through the integrations you choose to connect, where you direct data from your own systems and third-party platforms into the services we operate for you.

Special category and criminal offence data

Our services are not designed to process special category data (such as data about health, ethnicity, religious beliefs or biometrics) or data about criminal offences. Please do not provide such data through integrations, recordings or your agent terminal without first agreeing appropriate arrangements with us, so that we can put the right protections in place. Where any special category or criminal offence data is processed, we do so only under an appropriate condition in the UK GDPR and the Data Protection Act 2018, and with suitable safeguards.

Recorded conversations

To build effective systems and AI agents, we may record discovery conversations, but only ever with your explicit consent. We use these recordings and their transcripts to understand your business and to build, train and improve the processes and agent we deliver to you.

You can decline to be recorded, and you can ask us to delete a recording, which we will do unless we are required to keep it to meet a legal obligation or to establish, exercise or defend a legal claim. Where a session involves other people, you agree to make them aware that the session is being recorded. We keep recordings and transcripts only for as long as they are needed for your project and for our legal obligations, after which they are deleted or anonymised.

Why we use your data and our lawful bases

We use your data to deliver and support our services, to build and operate your systems and AI agent, to keep what we host secure, to handle billing, and to communicate with you about your work. Under the UK GDPR we always have a lawful basis for doing so. The bases we rely on are:

• Performance of a contract (Article 6(1)(b)), to scope, build, host, operate and support the services you engage us for, to manage your account and portal, and to invoice you
• Legitimate interests (Article 6(1)(f)), to run and grow our business responsibly, including securing and improving our services, preventing fraud and misuse, keeping records, and contacting business prospects, in each case balanced against your rights and interests
• Consent (Article 6(1)(a)), for recording discovery conversations, for non-essential cookies, and for certain marketing messages, which you can withdraw at any time
• Legal obligation (Article 6(1)(c)), to meet our accounting, tax, reporting and other legal duties

Where any special category or criminal offence data is processed, we rely in addition on an appropriate condition under Article 9 or Article 10 of the UK GDPR and the Data Protection Act 2018, as set out in the section above.

Where we rely on legitimate interests, those interests are running a secure and reliable service, understanding and improving how our products perform, protecting our business and clients from fraud and abuse, and developing new business. We have considered the impact on you and do not use your data in ways you would not reasonably expect. You can object to processing based on legitimate interests, as described under Your rights below.

AI processing

Building and running your agent involves processing your business information with AI systems. We apply appropriate safeguards, limit access to what is necessary, and use your data to serve you. We do not use your personal data to train general-purpose AI models for unrelated purposes, and we choose providers and settings intended to prevent your data being used to train their general models.

We do not make decisions that produce legal effects, or similarly significant effects, about individuals solely by automated means without appropriate safeguards. Our agents are overseen by our team, and you remain in control of how an agent is used and what it acts on. Where an automated feature could affect individuals, we put suitable checks and human oversight in place.

Marketing and electronic messages

We may send you marketing about our services where you have consented, or where we are permitted to do so under the soft opt-in rules in the Privacy and Electronic Communications Regulations (PECR), for example to existing clients about similar services. We will always give you a clear and simple way to opt out.

You can ask us to stop sending marketing at any time by using the unsubscribe link in any message, or by emailing hello@varsuite.co.uk, and we will stop. We keep a record of your marketing preferences and any objection or withdrawal of consent so that we can honour your choice, and we hold those records for as long as needed to do so. Opting out of marketing does not affect the service messages we need to send you to run your account.

Cookies

Our website uses essential cookies that are needed for it to function, for example to keep you signed in and to keep the site secure. These are always on because the site cannot work properly without them.

Any analytics or other non-essential cookies are only set with your consent. You can give, refuse or change your cookie choices at any time, and withdrawing consent will not affect the lawfulness of anything done before you withdrew it.

Who we share data with

We share personal data only where we need to in order to run our services, and only with categories of recipient such as:

• Hosting, infrastructure and AI providers that help us build, host, secure and operate what we deliver
• Payment providers that process invoicing and payments
• Professional advisers, such as accountants, lawyers and insurers, where reasonably needed

These selected sub-processors act on our instructions and are bound by appropriate confidentiality and data protection obligations. A current list of the categories of provider we use is available on request. We may also disclose personal data where we are required to by law, by a court, or by a regulator, or to establish, exercise or defend legal claims. We never sell personal data.

International transfers

We aim to keep personal data within the UK or the European Economic Area where possible. Where data is transferred outside the UK, we make sure it is protected to a standard recognised by UK law. We rely on UK adequacy regulations where they apply, and otherwise on the UK International Data Transfer Agreement, or the International Data Transfer Addendum to the EU Standard Contractual Clauses, together with any additional safeguards that are needed. You can ask us for more detail about the safeguards in place.

Security

Security is part of how we work. We maintain appropriate technical and organisational measures to protect personal data against loss, misuse and unauthorised access. These include scanning the code we build for vulnerabilities, monitoring live systems around the clock, encrypting data in transit, applying access controls, and limiting access to your information to those who genuinely need it. No system can be guaranteed to be perfectly secure, but we work to keep risk low and to respond quickly if something goes wrong.

Retention

We keep personal data for as long as it is needed to provide our services and to meet our legal, accounting or reporting obligations. When data is no longer needed for those purposes, it is deleted or anonymised. Retention periods vary by the type of data and the reason we hold it, and we can tell you more about a specific case on request.

Your rights

Under UK data protection law you have rights over your personal data. Depending on the circumstances, these include the right to:

• Access the personal data we hold about you
• Have inaccurate data rectified
• Have your data erased in certain circumstances
• Restrict how we process your data
• Object to direct marketing at any time, which we will always honour
• Object to processing based on our legitimate interests, which we will assess against a balancing test
• Receive your data in a portable format, where the right to data portability applies
• Withdraw consent at any time, where we rely on consent

The right to object to direct marketing is absolute. If you object to direct marketing, we will stop sending it. Objections to other processing based on our legitimate interests are assessed against a balancing test, and we will stop unless we have compelling legitimate grounds to continue or need to process the data for legal claims.

To exercise any of these rights, email hello@varsuite.co.uk. We will respond within one month, although we may extend this for complex requests and will tell you if we do. Exercising your rights is free of charge, except where the law allows us to charge a reasonable fee or to refuse a request that is clearly unfounded or excessive. We may need to verify your identity before we act.

Complaints

If you have a concern about how we handle your personal data, please contact us first at hello@varsuite.co.uk so we can try to put it right. You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection. Where applicable, our ICO registration number is [ICO registration number to be inserted]. You can reach the ICO at ico.org.uk.

Children

Our services are aimed at businesses and are not directed at children. We do not knowingly collect personal data from children through our services. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.

Changes to this policy

We may update this policy from time to time to reflect changes in our services, our practices or the law. When we do, we will revise the date shown at the top of this page, and where the changes are significant we will take reasonable steps to bring them to your attention. Please check back from time to time so you stay informed.

Contact

For any privacy question, or to exercise your rights, email hello@varsuite.co.uk. We have not appointed a statutory Data Protection Officer, so please send all privacy queries to this address.