Privacy Policy
Operated by PrimorAI Limited (UK company no. 16490159)
Version 1 — Last updated: 8 September 2025
This policy explains what we collect, why, how long we keep it, who we share it with, and the rights you have. Plain English. No fluff.
Who we are. PrimorAI Limited, 3 Fieldgate Lane, Curry Mallet, Taunton, United Kingdom, TA3 6AL. Lead supervisory authority: UK ICO. No DPO appointed. No EU Article 27 representative.
Privacy contact: Thomas Gamblin, Founder — thomas.gamblin@primor.ai
What’s covered. This policy applies to thomasgamblin.com and thescalablecreative.com (both hosted on Framer). Both sites link to the canonical URL: https://www.thomasgamblin.com/privacy-policy (US opt-out anchor: #us-opt-out).
Circle community runs on Circle.so, which manages its own cookies and consent on its domain.
What we collect
We collect the minimum needed to run the sites, serve content, handle payments, provide support, and run our community and marketing.
Usage & device data: page URLs, referrer, event data, IP address, device/browser info, approximate location (from IP), session IDs, consent choices.
Form & account data: name, email, company, role, content of messages; course/community account details on Circle (managed by Circle).
Payment data: billing name, email, address, last 4 digits, payment method metadata (Stripe tokenized).
Support data: emails, chat transcripts, troubleshooting details, system logs.
Marketing preferences: newsletter opt-in, unsubscribes, SMS STOP events.
AI interactions: prompts and uploads you send to our custom GPT or similar capture, plus the outputs we deliver.
Fraud/abuse signals: reCAPTCHA scores, security events, rate limiting, anti-scraping telemetry.
We do not target or knowingly collect data from under-18s. If you’re under 18, please don’t use our sites.
Why we collect it (and what we do with it)
Provide the sites and services (pages, forms, content delivery, payments, account emails).
Measure performance (what content is used, where to fix issues).
Security and abuse prevention (bot defense, fraud checks, anti-scraping, IP protection).
Marketing with consent (email updates, ads measurement where allowed).
Contract and legal (invoices, tax, compliance, enforcing terms).
Support (answer questions, fix issues).
Product improvement (aggregate analytics, error logs).
We avoid sending special-category data to AI tools.
Legal bases (UK/EU)
Contract: to provide what you asked for (e.g., deliver content, process payments, respond to support).
Consent: non-essential cookies/tags, marketing emails/SMS.
Legitimate interests:
security & fraud prevention,
anti-scraping/anti-abuse,
IP protection & enforcement,
system logs/platform integrity.
(You can object. Email thomas.gamblin@primor.ai with subject: “LIA objection”.)
Legal obligation: tax, accounting, compliance.
PECR note (UK): we do not use legitimate interests to set non-essential cookies. We ask first.
Cookies & tracking (CMP, Consent Mode, and tags)
Our setup (Framer + GTM + Google CMP, IAB TCF 2.2):
Consent Mode v2 (Basic) with default-denied globally; non-essential tags fire only after consent via GTM.
Sticky “Privacy settings” on all Framer pages with Accept, Reject (denies all non-essential), and a link to this policy.
Consent records (Google CMP) retained 24 months.
reCAPTCHA used for fraud prevention. (Google docs: reCAPTCHA overview and help).
Tags we use (only after consent unless strictly necessary): GA4, Meta Pixel, Google Ads, LinkedIn Insight Tag, reCAPTCHA (security). Learn about the vendors’ terms in the Processors table below. (Google controller and ads terms; Meta terms.)
Circle.so note: Circle runs its own cookies/CMP on Circle domains. Manage those preferences in Circle.
Who we share with (processors & key partners)
We use reputable vendors to run the service. We sign DPAs, use SCCs/UK Addendum where needed, or rely on the EU-U.S. Data Privacy Framework (DPF) where a vendor is certified. You can verify DPF participation on the official list.
Processors table
Vendor | Purpose | Data types (examples) | Processing regions* | Safeguards | DPF status | Official DPA / Terms |
---|---|---|---|---|---|---|
Google (GA4, Ads, GTM, CMP, reCAPTCHA) | Analytics, ads, tag mgmt, consent, bot defense | Usage, event data, consent state, IP (truncated), ad/utm params; reCAPTCHA risk signals | EU/UK & US | DPF or SCCs/UK Addendum | Yes (Google LLC) | Google Controller Terms; Google Ads Data Processing Terms; reCAPTCHA docs. |
Meta (Facebook/Instagram, Pixel/Ads) | Ads measurement/remarketing (post-consent) | Page events, hashed identifiers, ad events | EU/UK & US | DPF or SCCs/UK Addendum | Yes (Meta Platforms, Inc.) | Meta Data Processing Terms; Business Tools Terms. |
LinkedIn (Microsoft) | Insight Tag & ads (post-consent) | Page events, hashed identifiers | EU/UK & US | DPF or SCCs/UK Addendum | Yes (Microsoft Corp.; LinkedIn Corp. covered) | LinkedIn DPA. |
Stripe | Payments | Billing details, tokenized payment info, fraud signals | EU/UK & US | DPF or SCCs/UK Addendum | Yes (Stripe, Inc.) | Stripe DPA; Stripe DPF policy. |
GoHighLevel (HighLevel, Inc.) | Email, CRM, forms | Contact info, consent prefs, campaign metadata | US (with global delivery) | DPF or SCCs/UK Addendum | Yes (HighLevel, Inc.) | GoHighLevel DPA. |
Notion | CRM/ops | Contact records, notes, support context | US & EU/UK | DPF or SCCs/UK Addendum | Yes (Notion Labs, Inc.) | Notion GDPR page (DPA linked). |
Make.com (Celonis) | Automation | Workflow metadata, contact fields | EU/UK & US | SCCs/UK Addendum | Not listed (N/A for EU entities; US affiliates may vary) | Make.com (Celonis) DPA (PDF). |
Slack (Salesforce) | Internal comms/support | User mentions, support context, docs | EU/UK & US | DPF or SCCs/UK Addendum | Yes (via Salesforce program covering Slack) | Slack DPA; Slack GDPR/DPF note. |
Framer | Hosting/web platform | Site content, logs, sub-processor telemetry | EU/UK & US | SCCs/UK Addendum | EU entity (DPF N/A) | Framer DPA; Security; Sub-processors. |
Circle.so | Community platform | Community profiles, posts, messages | US & EU/UK | SCCs/UK Addendum or DPF (if applicable by Circle) | (Check Circle’s DPF page; not required for our domain) | Circle DPA; EU Privacy Notice. |
OpenAI | AI inference (our custom GPT capture) | Prompts, attachments, outputs (business use) | US (may use other regions per OpenAI terms) | SCCs/UK Addendum | Not listed on DPF list (as of 8 Sep 2025) | OpenAI DPA; Enterprise privacy. |
Anthropic (Claude) | AI inference | Prompts, attachments, outputs (business use) | US (may use other regions per Anthropic) | SCCs/UK Addendum | Not listed on DPF list | Anthropic DPA / Help Center. |
Perplexity | AI tools/search | Prompts, usage | US | SCCs/UK Addendum | Not listed on DPF list | Perplexity DPA; Enterprise Terms. |
*Processing regions: Vendors listed may process in the EU/UK and/or US. Where a vendor is DPF-certified, we may rely on DPF; otherwise we rely on SCCs + UK Addendum/IDTA in our DPAs.
International transfers
When data leaves the UK/EU, we use:
EU-U.S. DPF / UK Extension / Swiss-U.S. DPF where a vendor is certified (see table and official DPF list).
Standard Contractual Clauses (SCCs) + UK Addendum/IDTA in our DPAs for others (see linked DPAs above).
Retention
We keep data only as long as needed, then delete or anonymise. Defaults:
Category | Period | Why |
---|---|---|
Accounts & service records | 6 years after last activity | Contract, audit, tax limitation periods |
Billing & payments | 6 years | Tax and accounting laws |
Marketing consents/logs | 2 years or until you withdraw | Proving consent and handling preferences |
Analytics (GA4) | 14 months | Trend analysis with minimal history |
Support tickets/logs | 24 months | Troubleshooting and quality improvement |
CMP consent logs | 24 months | Proving consent choices |
AI capture (prompts/files)** | Up to 24 months unless we need longer for security, legal, or abuse prevention | Service quality, abuse review |
**We avoid sending special-category data to AI tools. If you include it anyway, we’ll process it only as needed to respond and then delete according to this schedule.
Security
We use encryption in transit (TLS), access controls, logging, least privilege, and vendor reviews. Key vendor security references are in their DPAs and trust pages (see table). OpenAI and Slack publish enterprise security details; Stripe is PCI-DSS compliant.
Your rights (UK/EU)
You can: access, correct, delete, restrict, port, or object to processing. You can withdraw cookie/marketing consent anytime. To act on your rights, email thomas.gamblin@primor.ai, use our web form https://www.thomasgamblin.com/data-optout, or reply to any message. We verify requests by email.
If we can’t resolve an issue, you can contact the ICO (UK) or your local EU authority.
Your choices (marketing & cookies)
Email: double opt-in; every email has one-click unsubscribe.
SMS: reply STOP to opt out.
Cookies: use the sticky Privacy settings to Accept or Reject (reject denies all non-essential). You can also reset preferences in the banner.
U.S. state privacy rights
If you’re in a U.S. state with privacy laws (e.g., CA/CO/CT/UT/VA and others), you may have the right to access, correct, delete, or port your data, and to opt out of “sale,” “sharing,” or targeted advertising.
Opt-out link: https://www.thomasgamblin.com/data-optout (Do Not Sell/Share / Targeted Ads opt-out).
How to appeal: email thomas.gamblin@primor.ai with subject “Appeal”. We acknowledge in 7 days and decide within 45 days (extensions only where permitted).
DSARs: how to contact us
Email: thomas.gamblin@primor.ai
Web form: https://www.thomasgamblin.com/data-optout
AI capture: You may also submit via our custom GPT.
We verify by email. Requests are tracked in GoHighLevel and Notion and routed to the privacy inbox.
Circle.so community
Circle runs on its own domain(s) and uses its own CMP/cookies. Manage those preferences in Circle. See Circle’s DPA and EU privacy notice.
Contact
PrimorAI Limited, 3 Fieldgate Lane, Curry Mallet, Taunton, United Kingdom, TA3 6AL
Privacy contact: Thomas Gamblin — thomas.gamblin@primor.ai
Changes to this policy
We’ll update this page if we make material changes. The version and date are at the top.