Privacy Policy

Last updated: 14 June 2026

This policy explains how Ambital collects, uses, and protects personal data, and your rights under UK data protection law (the UK GDPR and the Data Protection Act 2018). Ambital is currently in pre-launch beta.

1. Who we are

Ambital is operated by Ops First Consultancy (operating Ambital) ("we", "us"), the data controller for personal data processed through the platform.

  • Company number: [to be confirmed — pre-launch beta]
  • Registered address: [registered address to be confirmed]
  • Contact: privacy@ambital.co.uk
  • ICO registration: [ICO registration number to be confirmed]

Note on roles: for the personal data you enter about your own clients and contacts, you are the controller and we act as your processor, processing that data only on your instructions to provide the service.

2. The data we collect

  • Account data — your name, email, password (stored only as a secure hash), and role.
  • Business profile — business name, address, company/VAT/UTR numbers, and bank details. Bank and other sensitive financial fields are encrypted at rest.
  • Content you create — projects, tasks, time entries, invoices, proposals, briefs, notes, files, and the client/contact records you add.
  • Integration data — when you connect Google, Fireflies or Xero, we store OAuth tokens (encrypted at rest) and the calendar/meeting/accounting data you choose to sync.
  • Usage & technical data — log data, IP address (used for security and rate limiting), and device/browser information.
  • Consent records — your cookie and marketing preferences and when they were given.

3. Why we use it and our lawful basis

PurposeLawful basis
Providing and operating your account and the platformPerformance of a contract
Securing the platform (authentication, rate limiting, fraud/abuse prevention)Legitimate interests
Optional AI features (e.g. drafting from meeting notes)Performance of a contract / consent
Analytics and product improvement cookiesConsent
Marketing emails (if you opt in)Consent
Keeping financial/transaction recordsLegal obligation

4. AI features

Some optional features send the specific content you act on (e.g. a meeting transcript you ask to summarise) to our AI sub-processor, Anthropic, to generate a result. This content is not used to train AI models. You can avoid this processing by not using the AI features.

5. Where your data is stored (sub-processors)

Our primary database is hosted in the UK/EU (London region). We use the following sub-processors, under contracts that include the appropriate safeguards (Standard Contractual Clauses / the UK International Data Transfer Addendum where data leaves the UK/EEA):

ProviderPurposeLocation
NeonDatabaseUK/EU (London)
UpstashRate-limiting storeEU (Ireland)
VercelApplication hostingUS (SCCs/IDTA)
Vercel BlobFile storageUS (SCCs/IDTA)
AnthropicOptional AI featuresUS (SCCs/IDTA)
ResendTransactional email (e.g. password reset)US/EU (SCCs/IDTA)

6. International transfers

Where personal data is transferred outside the UK/EEA (e.g. to US-based sub-processors above), we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or an adequacy decision, to protect it.

7. How long we keep it

  • Account & content — for as long as your account is active.
  • After account deletion — we permanently erase your data after a 30-day grace period (during which you can cancel the request).
  • Financial records — retained for up to 6 years where required by law.
  • Audit logs — retained for 12 months.

8. Your rights

Under UK GDPR you have the right to: access, rectification, erasure, restriction, data portability, and to object to processing. You can also withdraw consent at any time.

You can exercise most of these directly in the app under Settings → Privacy (export your data, or request deletion), or by emailing privacy@ambital.co.uk. We will respond within one month.

9. Cookies

We use essential cookies to make the platform work, and optional analytics/marketing cookies only with your consent. See our Cookie Policy and manage your choices at any time via the cookie banner.

10. Security

We protect data in transit with TLS, encrypt sensitive fields (bank details, integration tokens) at rest, hash passwords, and restrict access. No system is perfectly secure, but we take appropriate technical and organisational measures.

11. Children

Ambital is not intended for anyone under 18, and we do not knowingly collect their data.

12. Changes to this policy

We may update this policy. Material changes will be notified in-app or by email, and where required we will ask you to re-consent.

13. Complaints

If you have a concern, please contact us first at privacy@ambital.co.uk. You also have the right to complain to the UK's data protection regulator, the Information Commissioner's Office (ICO), at ico.org.uk.