This policy explains what personal data Pivot Bureau ("we", "us", "our") collects when you visit our website or get in touch, why we collect it, and what your rights are. We aim to use plain English — if anything is unclear, email us at info@pivotbureau.com and we'll explain.
1. Who we are
Pivot Bureau is a UK-based agency that builds agentic AI solutions for small businesses — AI receptionists and booking agents, AI-powered SEO (GEO/AEO) services, AI-ready websites, and workflow automation. For the purposes of UK GDPR, Pivot Bureau is the data controller for any personal data collected through this website.
You can contact us at info@pivotbureau.com.
2. What we collect
Information you give us directly
- Contact form: name, business name, email, phone (optional), and the message you write.
- Chat widget: the messages you send to our chat assistant, plus your business name and email if you choose to share them.
- Email or phone enquiries: whatever you choose to send.
Information collected automatically
- Local storage: our chat widget stores your conversation history in your browser (not on our servers) for up to 7 days, so the chat picks up where you left off when you return. You can clear this by clearing your browser data.
- Hosting & CDN logs: our host (Cloudflare Pages) and CDN/security layer (Cloudflare) keep standard access logs (IP address, browser type, pages visited, rate-limit signals) for security, abuse prevention, and aggregate analytics. These are kept by Cloudflare, not by us, and are not used to identify individuals.
- API request logs: our backend (api.pivotbureau.com) keeps short-lived request logs for debugging — typically 30 days — and longer-lived records of audit submissions and chat messages tied to an email you provided.
We do not use third-party advertising trackers, social media pixels, or analytics tools that build profiles of you.
3. Why we use it (and our legal basis)
- To reply to your enquiry — based on your consent when you submit the form or chat, and our legitimate interest in answering prospective customers.
- To provide our service if you become a customer — based on the contract between us.
- To send occasional follow-ups about your enquiry — based on our legitimate interest. We do not send marketing emails unless you've explicitly opted in.
- To keep the website secure and working — based on our legitimate interest.
4. Who we share it with (sub-processors)
We share data only with the service providers we need to run the site, deliver our service, and reply to you. Each is bound by their own privacy terms (linked) and processes data on our instruction:
- Cloudflare — website hosting (Cloudflare Pages), CDN, DDoS protection and rate-limiting. Based in the US; certified under the EU-US / UK-US Data Privacy Framework. Privacy policy.
- Google (Gemini API) — powers our chat assistant and AI audit engine. Messages and audit prompts are sent to Google's API for processing. Google does not use this data to train its public models when used via the paid Gemini API. Gemini API terms.
- Resend — sends our transactional emails (audit reports, replies, confirmations). Based in the US. Privacy policy.
- Stripe — payment processing. Card data is entered directly into Stripe's hosted checkout and never touches Pivot Bureau's servers. Stripe is the data controller for your card data. Privacy policy.
- Google Workspace — the email account we send and receive replies from.
- Hetzner — German-based VPS host where our backend runs (api.pivotbureau.com). EU data residency.
- Twilio (where applicable) — SMS and voice for AI receptionist customers. Only used where a customer's service explicitly requires it. Privacy policy.
- Any tools you've explicitly asked us to integrate with as part of your service (e.g. Google Calendar, OpenTable, your CMS) — only after you become a customer and only with your instruction.
We do not sell your data to anyone. Ever. We do not share it for advertising.
5. How long we keep it
- Enquiries that don't become customers: 24 months, then deleted.
- Customer records: for the duration of our service plus 7 years (for tax and accounting purposes).
- Chat logs: 7 days in your browser; if a transcript is emailed to us, the same retention as enquiries.
6. Customer data on assistants we build
When we build an AI receptionist for a paying customer, the customer is the data controller for the end-users (their own customers) who interact with that assistant. We act as their data processor and only handle that data on their instruction. Customer-side data (bookings, names, contact details) typically lives in the customer's own Google account or database — we do not store it on our side.
7. Your rights
Under UK GDPR you have the right to:
- Ask us what data we hold about you (right of access)
- Ask us to correct it if it's wrong (right of rectification)
- Ask us to delete it (right to erasure)
- Ask us to stop or restrict processing it
- Receive a copy in a portable format
- Object to processing based on our legitimate interest
- Withdraw your consent at any time, where consent is the legal basis
To exercise any of these, email info@pivotbureau.com. We'll respond within one month.
You also have the right to complain to the UK Information Commissioner's Office at ico.org.uk if you think we've mishandled your data.
8. Cookies and local storage
We do not use tracking, advertising or analytics cookies. There is no cookie consent banner because nothing we set requires consent under the PECR rules.
- Cloudflare essential cookies (__cf_bm, cf_clearance) — set by our CDN/security layer to distinguish humans from bots and prevent abuse. Strictly necessary; expire automatically (typically 30 minutes to 30 days).
- localStorage — our chat widget remembers your conversation history for up to 7 days so the chat picks up where you left off. Never leaves your browser.
- sessionStorage — remembers if you dismissed the auto-prompt during the current browser session.
You can clear any of the above at any time by clearing your browser's site data.
9. International transfers
Some sub-processors are based outside the UK:
- US-based: Cloudflare, Google (Gemini, Workspace), Resend, Stripe, Twilio — all certified under the UK-US Data Bridge / EU-US Data Privacy Framework, or covered by UK International Data Transfer Agreements / Standard Contractual Clauses.
- EU-based: Hetzner (Germany) — data remains within the EEA and is covered by the UK adequacy decision for the EEA.
10. Payment data
All payments are processed by Stripe. Card numbers, CVV codes and bank details are entered into Stripe's hosted checkout and never touch Pivot Bureau's servers, logs or databases. We receive only the payment confirmation (status, last 4 digits of the card, billing email) needed to fulfil your order and meet our tax / accounting obligations. Your statutory rights under the Consumer Rights Act 2015 and Payment Services Regulations 2017 are unaffected.
11. Children
Our service is intended for businesses. We do not knowingly collect personal data from anyone under 16. If you believe we have, please email us and we'll delete it.
12. Changes to this policy
If we change this policy, we'll update the "Last updated" date at the top. Significant changes affecting how we use existing data will be communicated by email where we have one.