GDPR Compliance Statement

1) Who we are

Thinking Forword Ltd (“we”, “us”). We provide AI chat assistants for websites, staff knowledge hubs, and learning tools.

Controller vs Processor:

• We act as controller for our own website, demos and marketing.
• We act as processor for client deployments, following each client’s instructions and data-sharing agreement.

2) What we collect (minimal, purpose-based)

We only collect what we need to run the service and improve it.

• Usage data: page views, clicks, basic device info, and anonymised chat metrics.
• Chat content: not stored by default. If a user chooses to email or download a transcript, we process that action and the transcript may be sent to them or their chosen address.
• Contact details (e.g., name, email) only when you provide them to request a demo, support, or a follow-up.

3) Lawful bases for processing

• Contract: to provide and support the services you request.
• Legitimate interests: to keep services secure, fix issues, and understand high-level usage (balanced against your rights).
• Consent: where required (e.g., certain cookies or marketing). You can withdraw consent at any time.

4) Data security (UK-hosted by default)

• UK data residency by default for our hosting.
• Encryption in transit (HTTPS/TLS) and at rest for applicable systems.
• Access controls, audit trails, and least-privilege practices.
• No persistent chat storage unless a user opts in by emailing/downloading their transcript.

5) Your rights (UK GDPR / GDPR)

You can exercise these rights at any time:

• Access – ask for a copy of your personal data.
• Rectification – correct inaccurate or incomplete data.
• Erasure – request deletion where applicable.
• Restriction – limit how we use your data in certain cases.
• Portability – receive your data in a portable format.
• Objection – object to processing based on legitimate interests or to direct marketing.

To act on your rights, contact us (details below). We’ll respond without undue delay.

6) Data retention

We keep personal data only as long as needed for the stated purpose or as required by law.

Chat content is session-based and not stored by default. If you export/email a transcript, that copy will be processed to fulfil your request and retained only as necessary for delivery, security, and audit obligations.

7) International transfers

If we transfer data outside the UK/EEA (for example, for specific sub-processors or resilience), we use approved safeguards such as UK IDTA or EU Standard Contractual Clauses (SCCs), plus additional measures where appropriate.

8) Cookies and similar tech

We use only the cookies or local storage needed to run the service and improve performance. Where consent is required, we’ll ask for it. You can manage preferences in your browser and (where present) our cookie banner.

9) Sub-processors

We use carefully selected providers for hosting, security, and service delivery. Each is under contract with appropriate data protection terms. A current list is available on request. For client deployments, we follow the client’s approved vendor list.

10) Children

Our services are designed for organisations and adult users. If you believe a child has provided personal data to us, contact us so we can act promptly.

11) Updates to this statement

We may update this page to reflect changes in law or how we run the service. Significant changes will be signposted. Please check back from time to time.

12) Contact & complaints

ICO: You have the right to complain to the UK Information Commissioner’s Office if you’re unhappy with how we process your data.

For more detail on cookies, retention periods, and sub-processors, see our full Privacy Policy.