Privacy Notice

This Privacy Notice covers the processing of personal data by HOIBOY AI LTD (UK Companies House 17211412), trading as hoiboy.uk for the AI Managed Harness Services consultancy.

It satisfies the controller’s obligations under UK GDPR Article 13 (information to be provided where personal data are collected from the data subject) and UK GDPR Article 14 (information to be provided where personal data have not been obtained from the data subject, including the 30-day clock for notification under Article 14(3)(a)).

1. Who we are (controller identity)

Controller: HOIBOY AI LTD (UK Companies House 17211412)
Registered office: address recorded in the prevailing engagement-letter for engaged clients; available on request via hello@hoiboy.uk for general enquiries
Contact email: hello@hoiboy.uk
Data Protection contact: Senh Hoi Ung (sole director). Email hello@hoiboy.uk for all data-protection queries, subject-access requests, erasure requests, and Article 21 objections

HOIBOY AI LTD does not have a separate Data Protection Officer (DPO). The sole director is the Data Protection contact and is accountable for all data-protection responsibilities under UK GDPR.

2. What this notice covers

This notice covers two scopes:

Site visitor data (general)

Visitor analytics: aggregated, anonymised page-view counts via privacy-preserving analytics. No individual tracking, no cookies beyond strictly-necessary, no advertising trackers.
Contact-form / email enquiries: when you email hello@hoiboy.uk, your email address and message content are processed for the purpose of responding to your enquiry.

Consultancy engagement data (engaged clients only)

Audio recordings, video frames, transcripts, and AI-summaries from recorded sessions during AI Managed Harness Services engagements.
Operator notes and engagement metadata (timestamps, attendee lists, meeting purpose, engagement-reference codes).
Time-logs, invoices, and VAT records for billing and statutory retention.

3. Notes + AI-assisted summaries (consultancy-engagement scope)

This section applies ONLY to clients with a signed engagement-letter. Pre-engagement Cal.com discovery calls are NEVER recorded.

I take digital notes during our calls. Typed by hand, occasionally backed by an audio recording that I transcribe and summarise locally with AI assistance. The purpose is personal accuracy: I cross-check notes against the transcript so the brief matches what you said.

Audio is deleted within 7 days of transcript verification. The transcript is deleted once we’ve locked the scope in writing. The brief itself I keep per HMRC’s 6-year business-record rule.

Nothing leaves my workstation beyond the sub-processors listed on the Sub-Processors page. PII redaction is applied before any external AI-review call; speaker-verification and face-recognition are disabled.

You can ask me to stop, or delete anything at any time, by emailing hello@hoiboy.uk.

4. Site visitor data

Visitor analytics

We use privacy-preserving analytics that aggregate page-view counts without setting cookies or tracking individuals. No personal data is collected via analytics.

Contact-form / email enquiries

When you email hello@hoiboy.uk, your email address and message content are used to respond to your enquiry. Enquiry threads are kept for 12 months from last reply, then deleted unless you have entered a paid engagement (in which case the engagement scope below applies).

5. Your data-subject rights

Under UK GDPR, you have the following rights:

Article 15 right of access: request a copy of the personal data we hold about you.
Article 16 right to rectification: request correction of inaccurate personal data.
Article 17 right to erasure: request deletion of your personal data. Where HMRC statutory retention applies (time-logs, invoices, VAT records), we sanitise-and-retain rather than fully delete; where it does not (recordings, transcripts, AI-summaries), we cryptographically erase.
Article 18 right to restriction: request that we restrict processing while we resolve a rectification or erasure dispute.
Article 20 right to portability: where applicable, request a copy of the data in a structured, commonly used, machine-readable format.
Article 21 right to object (handled standalone, NOT collapsed into erasure): object at any time to the recording-related processing under our Article 6(1)(f) Legitimate Interest basis. We cease processing forward; existing recordings stay under Legitimate Interest unless you also invoke Article 17.

To exercise any of these rights, email hello@hoiboy.uk with your request. We respond within one calendar month.

6. Right to lodge a complaint with the ICO

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe we have failed to meet our UK GDPR obligations.

Website: https://ico.org.uk/make-a-complaint/
Helpline: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We encourage you to email us at hello@hoiboy.uk first so we can attempt to resolve concerns directly, but you are not required to do so before lodging an ICO complaint.

7. Article 14 specific notice (where personal data have not been obtained from the data subject)

Where you (the data subject) are notified of this Privacy Notice indirectly, for example you are a third-party engineer invited by our Client to a recorded session and you are receiving this notice via the Client (not directly from us), UK GDPR Article 14 applies and we provide notice within the 30-day clock under Article 14(3)(a). The information in sections 1-6 above applies equally; the source of your personal data in this case is the Client who invited you to the recorded session.

8. Changes to this notice

We may update this notice over time (for example, when a sub-processor changes, or when retention windows are revised). Material changes are communicated to active engagements via the engagement-letter signatory’s email address. The version-controlled history of this notice is reflected in the lastmod date at the top of this page.