BOURN PRIVACY POLICY

Last updated: 1 February 2026

1. Background

This notice (Privacy Notice) tells you how we look after your personal data when you visit our website at https://bourn.ai/ (Website), where you are a prospective customer of our business, or where you are another type of business contact, such as a supplier or service provider to our business.

This notice sets out what information we collect about you, what we use it for and whom we share it with. It also explains your rights under data protection laws and what to do if you have any concerns about your personal data.

This Privacy Notice does not generally apply to personal data processed by us on behalf of our business customers in our capacity as a processor, where such processing is governed by the relevant customer’s own privacy notice and contractual arrangements.

We may sometimes need to update this Privacy Notice to comply with new business practices or legal requirements. You should check this Privacy Notice regularly to see whether any changes have occurred.

2. Who We Are and Other Important Information

We are BOURN TECHNOLOGIES LTD (‘we’ ‘us’ or ‘our’), registered in England and Wales with company number15582429 with our registered address at 3rd Floor, 86-90 Paul Street, London, EC2A 4NE.

For all visitors to our website, we act as the data controller in respect of personal data collected through the website, meaning that we determine the purposes for which and how that data is processed. In some circumstances, particularly where we provide services to business customers, we may act as a processor on behalf of those customers who will be the controller of the relevant personal data. In such cases, our processing activities are governed by contractual arrangements and the instructions of the relevant controller.

We are registered with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters, under registration number C1480913.

3. Contact Details

If you have any questions about this Privacy Notice or about how we collect, use, or otherwise process personal data, please get in touch using the following details:

  • Email address: privacy@bourn.ai‍
  • Postal address: 3rd Floor, 86-90 Paul Street, London, EC2A 4NE

4. The Information we Collect About You

Personal data means any information which does (or could be used to) identify a living person. We have set out below the categories of personal data that we collect about you, and the sources from which that data is obtained.

Type of personal data:

Depending on the nature of your interaction with us, we may collect and process the following categories of personal data:

  • Identity Data: your first and last name or title.
  • Contact Data: your email address, telephone numbers, home address.
  • Technical Data: internet protocol (IP) address, browser type and version, time zone setting and generic location, browser plug-in types and versions, operating system, and platform on the devices you use to access our systems.
  • Usage Data: Information about how you use our systems.
  • Communications Data: records of correspondence and communications between you and us, including emails, support requests and other communications.
  • Financial Data: where you provide this over our website to purchase one of our products or services.
  • Location Data: your device location if you log into our systems remotely.

5. How We Use Your Information

We are required under data protection law to identify a lawful basis for each purpose for which we collect and use your personal data. There are six legal justifications which organisations can rely on. The most relevant of these to us are where we use your personal data to:

  • fulfil our contract with you;
  • comply with a legal obligation that we have;
  • pursue our legitimate interests (our justifiable business aims) but only if those interests are not outweighed by your other rights and freedoms (e.g., your right to privacy); and
  • Do something for which you have given your consent.

The lawful basis on which we rely when processing your personal data is set out below. Where we intend to process your personal data for a purpose not described in this Privacy Notice, we will update it and, where required by law, provide you with additional information. Further detail on the specific categories of personal data processed for each purpose, and the applicable lawful basis, can be provided on request.

6. Contract

We process personal data where it is necessary to enter into or perform a contract with you. This includes processing personal data in order to:

  • administer and perform our contractual obligations to you;
  • process payment information in connection with any contract we have with you; and
  • Provide you with service-related communications, such as order confirmations, service updates, and other information necessary for the performance of the contract.

7. Legal Obligation

In certain circumstances, we are required to process personal data to comply with legal and regulatory obligations to which we are subject to. This includes obligations arising under data protection and other applicable laws, as well as requirements imposed by regulatory authorities or courts. Such processing is limited to what is necessary to meet those obligations.

This includes processing personal data to:

  • Record and maintain your preferences (e.g., marketing preferences) In order to comply with data protection requirements
  • Process or disclose information where required to comply with a legal or regulatory obligation; and
  • Retain records where necessary to establish, exercise or defend legal claims.

8. Legitimate Interests

Where it is necessary, we process personal data in pursuit of our legitimate business interests, provided that such interests are not overridden by your rights and freedoms. These legitimate interests include:

  • improving, maintaining, and optimising our website and systems;
  • monitoring and enhancing the security, resilience, and integrity of our website, including for the prevention and detection of fraud and misuse;
  • delivering our services to you and ensuring the effective operation of our website and related systems; and
  • protecting our business, personnel, and users, including the establishment, exercise, or defence of legal claims.

Where we rely on legitimate interests as a lawful basis, we have carried out an appropriate balancing assessment to ensure that the processing is necessary and proportionate and does not unduly impact your rights and freedoms.

9. Consent

Where required, we rely on your consent to collect, use, or share your personal data for specific purposes. This includes situations where you have consented to receive marketing communications from us. You may withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to its withdrawal. You have a right to object at any time to the processing of your personal data for direct marketing purposes. If you exercise this right, we will stop using your personal data for such purposes immediately.

Where we are required to collect personal data in order to enter into or perform a contract with you, failure to provide that personal data may mean that we are unable to provide the relevant services. In such circumstances, and where we do not have the information necessary to fulfil a request or order, we may be required to decline or cancel the service.

We may use automated tools, including artificial intelligence (“AI”) and machine-learning technologies, to support certain internal business processes and the delivery of our services.

This may include, for example, analysing usage patterns, improving system performance, detecting potential fraud or security risks, and supporting operational decision-making.

Any use of AI is subject to appropriate human oversight and governance controls. We do not use AI to make solely automated decisions that produce legal effects concerning you or similarly significantly affect you, unless permitted by applicable data protection law and supported by appropriate safeguards.

Where AI tools process personal data, such processing is carried out in accordance with applicable data protection laws, including principles of fairness, transparency, data minimisation, and accuracy.

If we introduce any new forms of high-risk automated decision-making involving personal data, we will update this Privacy Notice accordingly and, where required, provide you with additional information about the logic involved and your rights.

10. Who We Share Your Information With

We may share your personal data with the following categories of recipients, where necessary and in accordance with applicable data protection laws:

  • Our personnel: our employees or other types of workers who have contracts containing confidentiality and data protection obligations and who require access to personal data in order to perform their roles.
  • Our supply chain: third party service providers and professional advisers who support the delivery of our services. These parties are provided with access only to the information required to perform their functions and are subject to appropriate contractual confidentiality and data protection obligations.
  • Regulatory and public authorities: such as HM Revenue & Customs and other authorities where we are required to do so by law or regulation.

Where we are required to disclose personal data in response to a court order, regulatory request, or other lawful request (for example, from law enforcement authorities), we will assess the request carefully and, where appropriate, seek legal advice before responding, taking into account the impact of any disclosure on your rights and freedoms.

11. Where Your Information is Located or Transferred To

We store your personal data on our servers in the UK.

We will only transfer personal data outside of the UK or European Economic Area where an appropriate legal safeguard is in place, such as an adequacy decision, the UK International Data Transfer Agreement, or other transfer mechanisms approved by the Information Commissioner’s Office or the UK Secretary of State.

If you access our website or systems from outside the UK or EEA, your personal data may be accessed from that location. However, this does not necessarily mean that your personal data is stored outside the UK or EEA.

12. How We Keep Your Information Secure

We have implemented security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission.

These measures include:

  • access controls and user authentication (including multi-factor authentication);
  • internal IT and network security;
  • regular testing and review of our security measures; staff policies and training;
  • incident and breach reporting processes;
  • business continuity and disaster recovery processes.

If there is an incident which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law). Where we act as the processor for the affected personal data, we notify the controller and support them with investigating and responding to the incident.

If you notice any unusual activity on the Website, please contact us at privacy@bourn.ai.

13. How Long We Can Keep Your Information

Where we act as the controller, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for.

To decide how long to keep personal data (also known as its retention period), we consider the volume, nature, and sensitivity of the personal data, the potential risk of harm to you if an incident were to happen, whether we require the personal data to achieve the purposes we have identified or whether we can achieve those purposes through other means (e.g. by using aggregated data instead), and any applicable legal requirements (e.g. minimum accounting records for HM Revenue & Customs).

We may keep Identity Data, Contact Data, and certain other data (including correspondence between us for up to seven years after the end of our contractual relationship with you, to comply with legal, regulatory, accounting, and audit obligations and to support the establishment, exercise, or defence of legal claims, unless a longer or shorter retention period is required or permitted by applicable law.

If you browse our website, we keep personal data collected through our analytics tools for only as long as necessary to fulfil the purposes we collected it for.

If you have asked for information from us or you have subscribed to our mailing list, we will keep your details until you ask us to stop contacting you.

14. Your Legal Rights

You have specific legal rights in relation to your personal data.

We can decide not to take any action in relation to a request where we have been unable to confirm your identity (this is one of our security processes to make sure we keep information safe) or if we feel the request is unfounded or excessive. Usually there is no cost for exercising your data protection rights, but we may charge a fee where we decide to proceed with a request that we believe is unfounded or excessive. If this happens, we will always inform you in writing.

We will respond to your legal rights request without undue delay, but within one month of us receiving your request or confirming your identity (whichever is later). We may extend this deadline by two months if your request is complex or we have received multiple requests at once. If we need to extend the deadline, we will let you know and explain why we need the extension.

We do not respond directly to requests which relate to personal data for which we act as the processor. In this situation, we forward your request to the relevant controller and await their instructions before we take any action.

If you wish to make any of the right requests listed below, you can reach us at privacy@bourn.ai.

Your rights include:

  • Correction: You can ask us to correct your personal data if it is inaccurate or incomplete. We might need to verify the new information before we make any changes.
  • Deletion: You can ask us to delete or remove your personal data if there is no good reason for us to continue holding it or if you have asked us to stop using it (see below). If we think there is a good reason to keep the information you have asked us to delete (e.g., to comply with regulatory requirements), we will let you know and explain our decision.
  • Restriction: You can ask us to restrict how we use your personal data and temporarily limit the way we use it.
  • Objection: You can object to us using your personal data if you want us to stop using it. If we think there is a good reason for us to keep using the information, we will let you know and explain our decision.
  • Portability: You can ask us to send you or another organisation an electronic copy of your personal data.

Complaints:

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters. Further information is available at www.ico.org.uk. We would, however, appreciate the opportunity to address your concerns before you approach the ICO.