Privacy policy.
Last updated: 23 June 2026
This This Privacy Policy explains how Boris AI® (“we”, “us”, “our”), a trading name of The Lead Ingredient Ltd, collects, uses, and protects personal data. We comply with the UK GDPR and the Data Protection Act 2018.
This policy covers three distinct relationships:
• Visitors to our website (www.boris-ai.com)
• Clients who purchase and use our services
• Visitors to our clients’ websites who interact with a Boris AI® chatbot
Each is explained separately below. If you have any questions, please contact us at hello@boris-ai.com.
1. Who We Are
Data Controller: Boris-ai, a trading name of The Lead Ingredient Ltd
Co Number: 8568019
Contact: hello@boris-ai.com
Registered address: Dinnington, Newcastle Upon Tyne, NE13 7FH
Part A — Website Visitors (boris-ai.com)
This section applies to anyone who visits www.boris-ai.com, whether or not they become a client.
2. What We Collect From Website Visitors
When you visit our website we may collect:
Usage data: pages visited, buttons clicked, time spent on pages, browser type, device type, and IP address — collected automatically via analytics tools.
Contact information: name, email address, company name, phone number, and any message you submit via our contact form or enquiry forms.
Cookie data:information collected via cookies and similar tracking technologies (see Section 5).
3. How We Use Website Visitor Data
Purpose and Legal Basis
Understand how visitors use our site and improve it - Legitimate interests
Respond to enquiries submitted via contact forms - Legitimate interests / Pre-contract steps
Analytics and measuring marketing effectiveness - Consent (where required by cookie preferences)
Security and fraud prevention - Legitimate interests
Marketing to you if you opt in - Consent
4. Google Analytics & Third-Party Analytics
We use Google Analytics to understand how visitors use our website. Google Analytics collects data including your IP address, pages visited, and browsing behaviour. This data is processed by Google and may be transferred to servers in the United States.
IP addresses collected by Google Analytics are anonymised where possible. However, an IP address is considered personal data under UK GDPR. We rely on your cookie consent for this processing.
You can opt out of Google Analytics tracking at any time by adjusting your cookie preferences via the cookie banner on our website, or by using the Google Analytics opt-out browser add-on at tools.google.com/dlpage/gaoptout.
5. Cookies
Our website uses cookies and similar technologies. These fall into the following categories:
Cookie Type and Purpose
Essential - Required for the website to function. Cannot be disabled.
Analytics - Help us understand how visitors use the site (e.g. Google Analytics). Require consent.
Functional - Remember your preferences and improve your experience. Require consent.
Marketing - Used to show relevant advertising. Require consent. We do not currently serve third-party ads.
Part B — Clients & Paying Customers
This section applies to businesses and individuals who purchase services from Boris AI®.
6. What We Collect From Clients
When you become a client we collect:
Contact details: name, email address, phone number, job title, and company information.
Billing information: billing address, VAT number (if applicable). Payment card details are processed directly by Stripe and are never seen or stored by us.
Project information: details about your business, website, products, services, FAQs, and any other content you provide to help us build and train your Boris chatbot.
Communications: emails, call notes, meeting notes, and support correspondence.
7. How We Use Client Data
Purpose and Legal Basis
Build, configure, train and deploy your Boris chatbot - Contract necessity
Manage your account, billing, and invoicing - Contract / Legal obligation
Provide ongoing support and service optimisation - Contract necessity
Accounting and financial record-keeping - Legal obligation (7 years)
Service improvement and quality assurance - Legitimate interests
Communicating service updates or changes - Legitimate interests / Contract
Marketing (only if you opt in) - Consent
8. Data Retention — Client Data
Billing and accounting records: 7 years from the end of the financial year (legal requirement).
Project files, training content, and service logs: up to 24 months after the end of your contract, unless you request earlier deletion.
Marketing contact data: until you unsubscribe or ask us to delete it.
Support communications: up to 24 months after your last interaction.
Part C — Visitors to Client Websites (Boris Chatbot Users)
This section explains the data position when a Boris chatbot is deployed on a client’s website and a visitor interacts with it.
When Boris is deployed on a client’s website, the client is the Data Controller for their website visitors’ data. Boris AI® acts as a Data Processor on their behalf. This means responsibility for informing visitors about data processing, and for ensuring lawful processing, rests with the client, not with Boris AI®.
9. What Data Passes Through a Boris Chatbot
In normal operation, a Boris chatbot is designed to answer questions from website visitors. It does not proactively collect, store, or profile personal data.
However, the following should be noted:
Conversation content: messages typed by a visitor into the chatbot pass through our AI platform infrastructure to generate a response. These are processed transiently and are not actively stored as identifiable personal data by Boris AI®.
Voluntarily provided information: if a visitor chooses to share personal information during a conversation, such as their name, email address, or other details, that information will pass through the system as part of the conversation. Boris is not configured to solicit, retain, or act upon such information unless a client has specifically requested a lead capture or data collection function.
Lead capture (if configured): where a client has requested that Boris capture lead information, the chatbot may collect and store name, email, and other details provided by visitors. In this case the client’s own privacy notice should reflect this processing.
10. Our Technology Partners
The Boris AI® service is delivered using specialist AI platform infrastructure and enterprise-grade cloud hosting. The following categories of sub-processors are involved in delivering the service:
Sub-processor category and Role
AI chatbot platform provider - Hosts and operates Boris chatbot instances. SOC 2 Type II certified, GDPR compliant. Primary hosting region: United States.
Large language model (LLM) provider - Provides AI responses via a closed enterprise API. Does not use API data for model training. Retains API data for up to 30 days for abuse monitoring only.
Cloud infrastructure provider (AWS) - Provides underlying hosting, storage, and compute. ISO 27001 certified, SOC 2 compliant, EU–US DPF participant.
Payment processor (Stripe) - Handles billing for Boris AI® clients only. Does not process chatbot conversation data.
Website host (Squarespace) - Hosts boris-ai.com. Does not process client chatbot data.
Email & productivity tools - Used for client communication and service delivery (e.g. Google Workspace).
CRM & marketing tools - Used for client relationship management and marketing (e.g. HubSpot).
Analytics (Google Analytics) - Used on boris-ai.com to understand website usage. Not used on client deployments.
11. International Data Transfers
Some of our technology partners store and process data outside the UK and EEA, primarily in the United States. Where this occurs, we ensure appropriate safeguards are in place, including:
• UK Addendum to EU Standard Contractual Clauses (SCCs)
• EU–US Data Privacy Framework (DPF) participation (where applicable)
• Data Processing Agreements with all sub-processors
12. Data Processing Agreement (DPA)
Where Boris AI® processes personal data on behalf of a client as a data processor, we are happy to enter into a formal Data Processing Agreement (DPA). The DPA will cover:
• Our obligations as a data processor
• Sub-processor controls and notification obligations
• International transfer safeguards
• Data subject rights support
• Data breach notification procedures
To request a DPA, please contact hello@boris-ai.com.
Part D — Your Rights & General Matters
Depending on the circumstances, you may have the following rights in relation to your personal data:
Right and What It Means
Access - Request a copy of the personal data we hold about you.
Rectification - Ask us to correct inaccurate or incomplete data.
Erasure - Ask us to delete your data in certain circumstances.
Restriction - Ask us to limit how we use your data.
Objection - Object to processing based on legitimate interests.
Portability - Receive your data in a structured, machine-readable format.
Withdraw consent - Withdraw consent for marketing or cookies at any time.
To exercise any of these rights, email hello@boris-ai.com. We will respond within one month.
14. Security
We take the security of personal data seriously and apply appropriate technical and organisational measures, including:
• SSL/TLS encryption for all data in transit
• AES-256 encryption for data at rest on our platform infrastructure
• Access controls and least-privilege principles
• Use of vetted, security-certified technology partners
• Staff awareness of data protection obligations
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but we are committed to protecting your data to the highest practical standard.
15. Children
Our services are intended for business users and are not directed at children under the age of 16. We do not knowingly collect personal data from children.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our services, technology partners, or legal obligations. We will post the updated version on our website and update the “Last updated” date at the top. For material changes we may also notify clients by email.
17. Contact
For any questions about this Privacy Policy or how we handle your data, please contact:
Email: hello@boris-ai.com
Boris AI® is a trading name of The Lead Ingredient Ltd, registered in England & Wales (Co. No. 8568019). Boris® is a registered trademark.
This poliy is provided for information purposes only and does not constitute legal advice. Boris AI® recommends that you seek independent legal advice if you have specific data protection compliance requirements.