Privacy Policy
Last updated: 20 April 2026
1. Introduction
Kflows Ltd ("Kflows", "we", "us") is committed to protecting your personal data. This policy explains what we collect, why we collect it, and how we use and safeguard it when you interact with us or with this website.
This policy covers Kflows in its capacity as a data controller — where we determine the purposes and means of processing personal data (for example, managing our client relationships, billing, and B2B marketing).
When Kflows delivers consultancy services, we may access personal data within client systems solely for delivering contracted work. In those cases Kflows acts as a data processor under the client's instructions, governed by a separate Data Processing Agreement. This policy does not cover processing carried out in our capacity as a processor.
Kflows Ltd is registered in Northern Ireland with company number NI738243. This website is not intended for children and we do not knowingly collect data relating to children.
2. Personal data we collect
Personal data means any information from which a person can be identified. The categories we may collect are:
- Identity Data — name, job title, company name.
- Contact Data — business address, email address, phone number.
- Financial Data — payment card details, processed via Stripe (we never store card numbers ourselves).
- Transaction Data — records of services you have purchased from us.
- Technical Data — IP address, browser type and version, device data.
- Usage Data — how you use our website.
- Marketing and Engagement Data — your marketing preferences and how you interact with our emails (opens, clicks, replies).
3. How your personal data is collected
Direct interactions. When you fill in a form on our site, email us, book a call, or subscribe to our services.
Automated technologies. As you use our website, we may collect Technical and Usage Data via cookies and similar technologies. See our Cookie Policy.
B2B data providers and publicly available sources. Where you are a contact at a UK limited company, PLC, LLP, or similar corporate body, we may obtain your business contact details from Companies House, LinkedIn / LinkedIn Sales Navigator, Apollo.io, Cognism (PECR-screened), Clay, Beauhurst, Crunchbase, BuiltWith, Wappalyzer, Calendly, and Google Analytics. These channels are only used where UK law permits direct B2B marketing under legitimate interests.
Article 14 disclosure. Where we obtain your business contact details from a third-party source rather than directly from you, we identify the source in our first communication with you and provide a route to object or unsubscribe.
4. Purposes for which we use personal data and the legal basis
Under UK GDPR we must have a lawful basis for processing your personal data. The table below sets out the purposes for which we process personal data and the legal basis we rely on for each.
| Purpose | Lawful basis |
|---|---|
| Registering new clients and delivering contracted services | Performance of a contract |
| Billing, debt recovery, and keeping tax and accounting records | Legal obligation (HMRC 6–7 year retention) |
| B2B marketing to corporate subscribers (retained 24 months from last contact) | Legitimate interests (written LIA available on request) |
| Marketing to sole traders, partnerships, and other non-corporate subscribers | Consent (PECR) |
Automated decisions. We use AI tools (including large language models) under enterprise/API agreements with zero-retention and no-training-on-input terms to help summarise publicly available information, draft outreach, and classify inbound replies. We do not make decisions producing legal or similarly significant effects about you using solely automated processing — a human reviews and approves any substantive communication or commercial decision before it takes effect.
5. Sharing your data
We share personal data only with service providers who help us operate our business — for example, email delivery, payment processing, calendar booking, analytics, and hosting. Each provider is bound by written terms requiring them to process personal data only on our instructions and to protect it.
Some of these providers are based outside the UK. When we transfer personal data out of the UK, we rely on one of: (a) UK adequacy regulations (including EEA countries); (b) the UK Extension to the EU-US Data Privacy Framework (the UK-US Data Bridge) where the recipient is certified; or (c) UK International Data Transfer Agreements (IDTAs) or addendums. A current list of the processors we engage is available on request to keelan@kflows.co.uk.
6. How long we keep your data
We retain personal data only for as long as reasonably necessary for the purposes we collected it for, including satisfying legal, accounting, or reporting requirements. Basic client information (Identity, Contact, Financial, Transaction) is kept for six years after you cease being a client, in line with HMRC rules. Marketing data for B2B subscribers is retained for 24 months from last contact. After these periods data is securely deleted or anonymised.
7. How we protect your data
We have put in place appropriate technical and organisational measures to protect personal data from unauthorised access, loss, misuse, or alteration. These include encrypted connections (TLS 1.2+), multi-factor authentication, role-based access controls, and regular security reviews. Access to personal data is limited to those who have a business need to know. We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator where legally required.
8. Your rights and options
Under UK GDPR you have the right to:
- request access to your personal data;
- request correction of inaccurate or incomplete data;
- request erasure of your personal data;
- object to processing (including direct marketing — this right is absolute under Article 21(2));
- request restriction of processing;
- request transfer of your personal data (data portability);
- withdraw consent at any time where we are relying on consent; and
- rights relating to automated decision-making, including the right to object to our use of AI to process your personal data.
To exercise any of these rights, contact us using the details in Section 10. You will not normally pay a fee, and we aim to respond within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. We would appreciate the chance to deal with your concerns first — please contact us in the first instance.
9. Third-party websites
Our website may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
10. Contact us
If you have any questions about this privacy policy or how we handle your personal data, please email keelan@kflows.co.uk.
We keep this policy under regular review. The "Last updated" date at the top of this page reflects the most recent material change.