Legal

Privacy and Cookie Policy

Effective date: 12 June 2026Last updated: 12 June 2026

This policy explains how Palate AI Ltd, trading as Palate Labs, collects, uses, and protects personal data when you visit palatelabs.ai, and how we use cookies and similar technologies. Please read it carefully.

1. Who We Are

Palate AI Ltd, trading as Palate Labs ("Palate Labs", "we", "us", "our"), is the data controller for personal data processed through palatelabs.ai (the "Website").

Registered name: Palate AI Ltd

Trading name: Palate Labs

Company number: 16392993

Registered address: 9a Crosswall, London EC3N 2JY

hello@palatelabs.ai

We are registered with the Information Commissioner's Office (ICO) as a data controller. If you have any questions about how we handle your personal data, contact us at hello@palatelabs.ai.

2. What This Policy Covers

This policy explains:

  • what personal data we collect when you use this Website;
  • why we collect it and the legal basis for doing so;
  • how long we keep it;
  • who we share it with;
  • your rights under UK GDPR; and
  • how we use cookies and similar technologies.

This policy applies to palatelabs.ai only. It does not cover any third-party websites linked from this Website, or any future Palate Labs products or applications, which will have their own separate policies.

3. Data We Collect and How We Collect It

3.1 Data you give us directly. When you submit an enquiry through our Typeform contact form or email us, we collect the information you choose to provide. This typically includes your name, email address, company name, and the content of your message. For investor enquiries, this may also include your fund name, investment stage, and geographic mandate.

3.2 Technical and usage data. When you visit this Website, our hosting provider automatically records limited technical data in server logs, including your IP address, browser type, device type, operating system, referring URL, pages visited, and the date and time of your visit. This data is collected for security, reliability, and abuse prevention purposes and is not used to build marketing profiles.

3.3 Analytics data (consent-dependent). If you consent to Analytics cookies via our cookie consent tool (CookieHub), we load PostHog, a web analytics service, to understand how visitors use this Website. PostHog collects data including pages viewed, time spent on pages, click patterns, and general session behaviour. PostHog is hosted on EU servers. It is not loaded unless you have actively consented. See Section 7 (Cookies) for full details.

3.4 Data we do not collect. We do not collect special category data (such as health, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or biometric data) through this Website. We do not knowingly collect personal data from children under 18.

4. Lawful Bases for Processing

Under UK GDPR, we must have a lawful basis for each processing activity. The table below maps each activity to its lawful basis.

Processing ActivityData InvolvedLawful Basis
Responding to enquiries submitted via form or emailName, email, company, message contentPre-contractual steps / contract (Article 6(1)(b)): you have requested us to respond to your enquiry
Managing business relationships in our CRMContact details, enquiry historyLegitimate interests (Article 6(1)(f)): maintaining records of business contacts and enquiries
Website security and reliabilityServer log data including IP addressLegitimate interests (Article 6(1)(f)): protecting the Website from abuse, fraud, and security threats
Website analyticsAnonymised usage data via PostHogConsent (Article 6(1)(a)): only after you accept Analytics cookies via CookieHub
Cookie consent recordsYour consent choice and timestampLegal obligation (Article 6(1)(c)): demonstrating compliance with UK PECR
Sending email notifications for new enquiriesEmail routing dataLegitimate interests (Article 6(1)(f)): internal business operations

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms given the limited and expected nature of the processing involved.

5. How We Use Your Data

We use the data we collect to:

  • respond to enquiries you submit through the Website or by email;
  • manage business contacts and relationships in our CRM;
  • maintain security and the stable operation of the Website;
  • understand how visitors use the Website and improve its content and performance (Analytics only, with consent);
  • comply with our legal obligations; and
  • defend or exercise legal claims if necessary.

We do not use personal data collected through this Website for automated decision-making or profiling. We do not sell personal data to third parties. We do not use personal data collected through this Website for direct marketing without your explicit consent.

6. Who We Share Data With

We do not sell, rent, or trade personal data. We share data only with the service providers listed below, who process it on our behalf as data processors, and only to the extent necessary for the purpose described.

ProviderPurposeLocationTransfer Mechanism
Typeform S.L.Contact form submission and routingSpain (EEA)UK adequacy, EEA
HubSpot, Inc.CRM: storing and managing enquiry contactsUnited StatesUK-US Data Bridge (DPF certified)
Zapier, Inc.Email notification routing for new enquiriesUnited StatesUK-US Data Bridge (DPF certified)
PostHog, Inc.Website analytics (Analytics consent required)EU serversUK adequacy, EEA processing
CookieHub ehfCookie consent managementIceland (EEA)UK adequacy, EEA
Microsoft CorporationBusiness email and communicationsEU Data BoundaryUK-US Data Bridge / EU Data Boundary
Hosting providerWebsite infrastructure and server logs[Confirm location][Confirm mechanism]

We require all data processors to implement appropriate technical and organisational security measures and to process personal data only on our documented instructions.

7. Cookies

7.1 What cookies are. Cookies are small text files placed on your device when you visit a website. They serve different purposes: some are essential for the website to function, others help us understand how you use it.

7.2 How we manage cookie consent. We use CookieHub to manage cookie consent on this Website in line with UK PECR and UK GDPR. When you first visit, a banner gives you the option to accept all cookies, reject non-essential cookies, or choose your preferences by category. You can change your preferences at any time by clicking the cookie settings icon in the footer.

7.3 Categories of cookies we use.

Strictly Necessary. These cookies are required for the Website to function and for your consent preferences to be stored. They cannot be disabled. No personal data is used for marketing or profiling purposes.

Analytics (requires your consent). These cookies allow us to understand how visitors use the Website. We use PostHog for this purpose. PostHog is only loaded after you actively consent to the Analytics category. If you decline or have not consented, PostHog is not initialised and no analytical tracking takes place.

7.4 Cookie table.

Cookie NameProviderCategoryPurposeDuration
cookiehubCookieHubStrictly NecessaryStores your cookie consent preferences365 days
_cfuvid / __cf_bmCloudflareStrictly NecessarySecurity and bot detectionSession / 30 minutes
ph_* (multiple)PostHogAnalyticsTracks page views, session behaviour, and navigation patternsUp to 1 year
posthog_sessionPostHogAnalyticsIdentifies a browsing session for analyticsSession

Note: This table will be updated as the CookieHub configuration is finalised. If additional cookie categories (such as Marketing or Preferences) are enabled in future, this table and the consent banner will be updated accordingly.

7.5 What happens if you decline analytics cookies. If you decline or do not consent to Analytics cookies, PostHog is not loaded. No behavioural analytics, session tracking, or similar tools that depend on your Analytics consent will run during your visit. The Website continues to function fully: you can browse every page, submit forms, and contact us by email.

Strictly necessary cookies relating to website function and your consent choice will still be set regardless of your Analytics preference.

7.6 Changing your preferences. You can withdraw or change your cookie consent at any time by accessing the cookie settings via the banner or footer link. If you withdraw Analytics consent, PostHog tracking stops from that point forward. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.

8. Data Retention

We keep personal data only for as long as necessary for the purpose for which it was collected, or as required by law.

Data TypeRetention PeriodReason
Enquiry form submissions and email correspondence3 years from the date of last contactStandard business correspondence retention; limitation period for contract claims
HubSpot CRM contact records3 years from last meaningful contactBusiness relationship management
Server logs (IP addresses, technical data)90 daysSecurity and abuse prevention; logs reviewed and purged on a rolling basis
PostHog analytics data12 monthsAnalytics and Website performance improvement
Cookie consent records3 yearsDemonstrating compliance with UK PECR

At the end of each retention period, data is securely deleted or anonymised. If you make a valid request for erasure before the end of a retention period, we will delete your data unless we have a lawful basis to retain it (for example, where we are required to do so by law or to defend a legal claim).

9. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure. These measures include access controls, encrypted data transmission (HTTPS), and restricted access to personal data within our team.

No method of transmission over the internet is completely secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security. If you believe your personal data has been compromised, please contact us immediately at hello@palatelabs.ai.

10. International Data Transfers

Some of our data processors are located outside the United Kingdom. Where personal data is transferred outside the UK, we ensure an appropriate transfer mechanism is in place.

Transfers to EEA-based processors (Typeform, PostHog, CookieHub): The UK has recognised the EEA as providing adequate protection for personal data. No additional mechanism is required.

Transfers to US-based processors (HubSpot, Zapier, Microsoft): We rely on the UK-US Data Bridge, established under the Data Protection (Adequacy) (United States of America) Regulations 2023, for transfers to US processors that are certified under the UK Extension to the EU-US Data Privacy Framework. Before transferring data to any US processor, we verify their active DPF certification status.

Where the UK-US Data Bridge is not applicable, we rely on the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses as the transfer mechanism.

11. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

Right of access: You may request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month.

Right to rectification: You may request that we correct inaccurate or incomplete personal data we hold about you.

Right to erasure: You may request that we delete your personal data where there is no compelling reason for us to continue processing it. This right is not absolute and does not apply in all circumstances.

Right to restriction: You may request that we restrict the processing of your personal data in certain circumstances, for example if you contest its accuracy or object to our processing.

Right to data portability: Where processing is based on consent or contract and carried out by automated means, you may request that we provide your personal data in a structured, commonly used, and machine-readable format.

Right to object: You may object at any time to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless we need to process the data for the establishment, exercise, or defence of legal claims.

Rights related to automated decision-making: We do not carry out automated decision-making or profiling that produces legal or similarly significant effects.

12. How to Exercise Your Rights

To exercise any of your rights, contact us at hello@palatelabs.ai. Please include your name, contact details, and a clear description of your request. We will respond within one calendar month. We may ask you to verify your identity before processing your request.

There is no charge for exercising your rights in most circumstances. If requests are manifestly unfounded or excessive, we may charge a reasonable fee or decline to respond, in accordance with Article 12 UK GDPR.

13. Complaints

If you are unhappy with how we have handled your personal data, we encourage you to contact us first at hello@palatelabs.ai so we can try to resolve the matter.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters:

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Telephone: 0303 123 1113

ico.org.uk

14. Changes to This Policy

We may update this policy from time to time to reflect changes in our data processing practices or applicable law. We will post the updated policy on this page with a revised "Last updated" date. Where changes are material, we will take reasonable steps to bring them to your attention. Your continued use of the Website after the effective date of any changes constitutes your acceptance of the revised policy.

15. Contact

For any questions, concerns, or requests relating to this policy or to your personal data:

Palate AI Ltd (trading as Palate Labs)

hello@palatelabs.ai

9a Crosswall, London EC3N 2JY