How we handle your data.
We build AI platforms for businesses. That means we think carefully about data from the start, not as an afterthought. This policy explains what we collect, why, and what control you have over it.
Who we are
Horizon Intelligence is a product of Impactflow Limited, registered in London, UK. We are the data controller for the personal data described in this policy.
You can reach us at hello@horizonintelligence.ai for any privacy-related questions.
What we collect
Current state
Right now, the Horizon Intelligence website loads Google Fonts for typography. We do not collect any personal data ourselves. The Concierge conversation interface operates entirely client-side — your input is not transmitted to our servers or stored anywhere.
When the Concierge backend goes live
Once the Concierge is connected to its backend service, we will collect:
- Conversation text — the messages you exchange with the Concierge
- Session tokens — to reconnect you to your conversation if you return
- Email address — if you choose to provide it
- AI-generated qualification data — the Concierge's assessment of your challenge type and framework fit
- Pain Chain mapping outputs — structured data produced during the qualification process
How we use your data
Every piece of data we collect has a defined purpose and a lawful basis under UK GDPR.
| Purpose | Data | Lawful basis |
|---|---|---|
| Delivering the AI Concierge conversation | Conversation text, session tokens | Legitimate interest (Art. 6(1)(f)) |
| Qualifying your challenge against our frameworks | Conversation text, qualification data, Pain Chain outputs | Legitimate interest (Art. 6(1)(f)) |
| Preparing for pre-discovery sessions | All collected data | Legitimate interest (Art. 6(1)(f)) |
| Building your platform specification | All collected data | Legitimate interest (Art. 6(1)(f)) |
| Persisting conversations across sessions (cookies/localStorage) | Session token | Consent (Art. 6(1)(a)) |
Purpose: The Concierge conversation service is initiated by the user. When someone types a message describing their business challenge, they are actively seeking our help to qualify that challenge and explore whether our platform is the right fit.
Necessity: Processing the conversation text through our AI system is essential to deliver the service the user has initiated. There is no less intrusive way to qualify a business challenge through a conversational interface.
Balance: The data processed is business context voluntarily provided by the user in a professional setting. Users have clear expectations about what happens with their input — it is used to understand their challenge and prepare a response. No sensitive personal data categories are targeted. The processing directly benefits the individual by providing them with a structured assessment of their challenge. The impact on privacy is minimal and proportionate to the service requested.
Safeguards: Users are informed about AI processing before they begin. Data retention is time-limited. Deletion is available on request. No data is used for purposes beyond delivering the requested service.
AI processing disclosure
The Concierge is an AI assistant, not a human. Your messages are processed by Anthropic's Claude API to generate responses, qualify your challenge, and map it to the appropriate framework.
In accordance with EU AI Act Article 50, we make this clear at the point of interaction. You always know you are talking to an AI system.
Anthropic's commercial API terms explicitly state that data submitted through the API is not used to train their models. Your conversations remain your data, processed for the purpose you initiated.
The Concierge does not make automated decisions that produce legal effects or similarly significant effects concerning you. Its role is to qualify and map your challenge — all substantive decisions about platform specification and delivery involve human review.
Who we share data with
We use a limited set of sub-processors, each chosen for a specific function:
- Anthropic — AI processing. Based in the US. EU-US Data Privacy Framework certified. Processes conversation text to generate Concierge responses.
- Supabase — Database hosting. EU-region data centres. Stores conversation data, session tokens, and qualification outputs.
- Netlify — Website hosting, serverless functions, and CDN. Serves the website and handles edge routing.
- Google Fonts — Font delivery. No personally identifiable information is sent by us. Google may collect standard web request data (IP address) per their privacy policy.
We do not sell, rent, or trade your data to any third party. We do not use your data for advertising.
International transfers
Your data is primarily stored in EU-region infrastructure (Supabase). The UK adequacy decision provides the legal basis for EU-UK transfers.
Conversation text is processed by Anthropic's Claude API in the United States. This transfer is covered by Standard Contractual Clauses (SCCs) and Anthropic's participation in the EU-US Data Privacy Framework.
No data is transferred to jurisdictions without adequate safeguards in place.
Cookies and session persistence
When the Concierge backend is live, we will offer the option to persist your conversation across visits using a session token stored in your browser (via a cookie or localStorage).
Under PECR (Privacy and Electronic Communications Regulations), this is not strictly necessary for the service to function. It is a convenience feature, and we will ask for your consent before enabling it.
If you decline, the Concierge still works — each visit simply starts a fresh conversation. You lose nothing except continuity.
We do not currently use analytics cookies. If we add analytics in the future, that will require separate, explicit consent and this policy will be updated before any such cookies are deployed.
Data retention
- Active prospect conversations (email provided or ongoing engagement) — retained for 12 months from the last interaction, then deleted.
- Abandoned sessions (no email provided, no return visit) — deleted after 30 days.
- On request — we will delete your data immediately, regardless of the above schedules.
Retention periods are enforced through automated processes. We do not retain data beyond these periods for any purpose.
Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data
- Restriction — ask us to limit how we process your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — where we rely on consent (session persistence), you can withdraw it at any time
To exercise any of these rights, contact us at hello@horizonintelligence.ai. We will respond within 30 days.
If you are unsatisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
Changes to this policy
We will update this policy as our service develops. The "Last updated" date below always reflects the most recent version. Material changes — particularly those affecting what data we collect or how we use it — will be clearly communicated on the website before taking effect.
Last updated: 25 April 2026