Privacy Policy

Last updated: April 2026

Who We Are

Rora is a UK-based AI consultancy providing automation, websites, and AI systems to small and medium businesses. We are registered in England and Wales.

Data controller contact: [email protected]

We are registered with the Information Commissioner's Office (ICO) as a data controller. ICO registration number: [ICO_NUMBER].

What Data We Collect

We collect personal data through the following routes:

AI Assessment Form

When you complete our free AI assessment, we collect: your name, email address, business name, business type, team size, and your answers to the assessment questions. This data is used to generate your personalised AI readiness report and to follow up with you about the results.

Contact Form

When you use our contact form, we collect: your name, email address, and the details of your enquiry.

Technical Data

When you visit our website, our hosting infrastructure (Vercel, Cloudflare) may automatically collect standard server logs including your IP address, browser type, pages visited, and timestamps. This data is used for security and performance purposes only and is not used to identify individual visitors.

We do not collect sensitive personal data (health, financial, ethnic origin, etc.) through any of our website forms.

How We Use Your Data

  • To generate and deliver your AI assessment report
  • To follow up with you about your assessment results (up to 3 contacts over 7 days)
  • To respond to enquiries submitted via the contact form
  • To improve our services based on aggregated, anonymised usage patterns

We do not add you to mailing lists, share your data with marketers, or contact you for any purpose unrelated to your initial enquiry without your explicit consent.

Automated Decision-Making and AI Processing

Our AI assessment tool uses automated processing to generate a personalised report based on your answers. This involves passing your responses to an AI model (Anthropic Claude API) which analyses them and produces recommendations.

Under UK GDPR Article 22, you have rights in relation to automated decision-making. In this case:

  • The report is indicative only — it does not constitute professional advice and carries no legal or financial consequence for you
  • No decisions that significantly affect you are made solely by automated means
  • A human (us) reviews all follow-up activity before making contact with you
  • You can request human review of any output by contacting us at [email protected]

Anthropic API and training data: Your assessment data is processed by Anthropic's Claude API. Anthropic's API usage policy confirms that data submitted via the API is not used to train their models. Your answers are used solely to generate your report and are not retained by Anthropic beyond the immediate API call.

Legal Basis for Processing

Under UK GDPR, we process your data on the following legal bases:

  • Legitimate interests (Article 6(1)(f)) — to respond to your enquiries and follow up on assessment results. Our interest in responding to people who have actively requested information from us is balanced against your reasonable expectation that we will make contact. You can object to this processing at any time.
  • Contract performance (Article 6(1)(b)) — where we have entered into a paid engagement with you, processing is necessary to deliver the agreed services.
  • Consent (Article 6(1)(a)) — for any further marketing contact beyond the direct follow-up on your enquiry.
  • Legal obligation (Article 6(1)(c)) — where we are required by law to retain certain records (e.g., for tax and accounting purposes).

Third Parties We Share Data With

Your data may be processed by the following third-party services, all of which are engaged under appropriate data processing agreements or standard contractual clauses.

  • Anthropic — Purpose: AI processing (generates assessment reports). Location: United States. Safeguards: SCCs; does not train on API data.
  • Resend — Purpose: Email delivery (sends reports and follow-ups). Location: United States. Safeguards: SCCs; GDPR-compliant DPA.
  • Cloudflare — Purpose: API infrastructure and DDoS protection. Location: EU/UK edge. Safeguards: EU DPA framework.
  • Vercel — Purpose: Website hosting. Location: EU/US edge. Safeguards: SCCs; EU data residency available.

SCCs = Standard Contractual Clauses, the approved mechanism for lawful data transfers from the UK/EU to third countries under UK GDPR Article 46.

We do not sell your personal data to any third party, and we do not share it with any party for their own marketing purposes.

Data Retention

We retain personal data for the following periods:

  • Assessment and contact form data: 12 months from submission, unless you become a client
  • Client project data: Duration of the engagement plus 6 years thereafter, as required by UK tax and contract law
  • Server logs: Up to 90 days, retained by our hosting providers for security purposes

After the applicable retention period, data is securely deleted or anonymised. You can request early deletion at any time — see Your Rights below.

Your Rights

Under UK GDPR (as retained in UK law by the Data Protection Act 2018), you have the following rights:

  • Access (Article 15) — request a copy of the personal data we hold about you
  • Rectification (Article 16) — request correction of inaccurate or incomplete data
  • Erasure (Article 17) — request deletion of your data (“right to be forgotten”), subject to legal retention obligations
  • Restriction (Article 18) — request that we limit how we use your data while a dispute is resolved
  • Portability (Article 20) — request your data in a structured, machine-readable format
  • Object (Article 21) — object to processing based on legitimate interests; we will stop unless we can demonstrate compelling grounds
  • Automated decision-making (Article 22) — request human review of any automated assessment output
  • Withdraw consent — at any time where processing is based on consent

To exercise any right, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113.

Data Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These include:

  • HTTPS encryption for all data in transit
  • Access controls limiting who can view personal data
  • Use of reputable, GDPR-compliant processors only
  • No storage of personal data in unencrypted local files

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR Articles 33 and 34.

Cookies

This site uses minimal cookies. See our Cookie Policy for full details.

Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. The “last updated” date at the top of this page will always reflect the most recent version. Where changes are material, we will take reasonable steps to notify affected individuals.