This Privacy Policy explains how I, Michael MacDonald, trading as Brains Before Bots ("Brains Before Bots", "I", "me", "my"), collect, use, and protect your personal information when you interact with my business.
I operate as a sole trader registered in England and Wales, providing Shadow AI Governance consultancy services to UK professional services agencies. I am committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller Details:
Legal Name: Michael MacDonald
Trading As: Brains Before Bots
Business Address: 4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London, W1T 6EB, United Kingdom
Email: hello@brainsb4bots.com
Website: www.brainsb4bots.com
Jurisdiction: England and Wales
ICO Registration: CSN7870138
As a sole trader, I am personally responsible as the data controller for all data processing activities conducted under the Brains Before Bots trading name.
What Information I Collect
I collect and process the following categories of personal information:
Website Visitors
When you visit www.brainsb4bots.com, I may collect:
Technical Information: IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, device identifiers
Usage Information: Information about your visit, including the full Uniform Resource Locators (URLs), clickstream to, through and from my site, pages you viewed, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page
Cookie Information: See Cookie Policy for details
Newsletter Subscribers (Craft with Command)
When you subscribe to my newsletter "Craft with Command" via Beehiiv, I collect:
Contact Information: Email address, first name (if provided)
Subscription Preferences: Content interests, communication preferences
Engagement Data: Email open rates, click-through rates, content interactions (processed by Beehiiv)
Lead Magnet Downloads
When you download resources (checklists, templates, frameworks) via my website or Systeme.io, I collect:
Contact Information: Email address, name, company name (if provided)
Professional Information: Job title, agency size, areas of interest (if voluntarily provided)
Download History: Which resources you've accessed
Client Engagement (Audit, Pilot Blueprint, Advisory Services)
When you engage my consultancy services, I collect:
Business Information: Company name, trading name, business address, company size, sector, service offerings
Professional Information: Role responsibilities, authority level, decision-making capacity
Client Data (During Service Delivery): Information about your AI tool usage, governance practices, team structure, client relationships, operational workflows, risk exposures - all handled under explicit confidentiality agreements
Payment Information: Invoicing details, VAT number (if applicable), payment records - I do not store credit card details; payments are processed through third-party payment processors
Correspondence
When you contact me via email, LinkedIn, or through website forms:
Communication Content: The content of your messages, questions, feedback
Contact Details: Email address, name, any other information you choose to share
How I Use Your Information
I use your personal information for the following purposes:
Website Visitors
To provide and maintain website functionality
To analyse site usage and improve user experience
To ensure website security and prevent fraud
To comply with legal obligations
Legal Basis: Legitimate interests (improving my services and website security)
Newsletter Subscribers
To send you weekly content on Shadow AI Governance topics
To inform you of new resources, frameworks, or service offerings
To provide requested information about my services
To analyse engagement and improve content quality
Legal Basis: Consent (you can unsubscribe at any time)
Lead Magnet Downloads
To deliver the requested resource to you
To send follow-up emails with additional relevant resources (if you opt in)
To invite you to discovery calls or introduce service offerings
To understand which resources generate the most interest
Legal Basis:
Delivering the resource you requested: Contract performance (you requested it, I deliver it)
Marketing follow-up emails (if you opt in): Consent (obtained via explicit opt-in checkbox on download form)
If you opt out of marketing communications, I will only use your email to deliver the resource you requested and for essential service communications.
Client Engagement
To deliver consultancy services (Shadow AI Audit, Governance-Ready Pilot Blueprint, Momentum Advisory Retainer)
To communicate about service delivery, timelines, and deliverables
To invoice for services and maintain financial records
To fulfil contractual obligations
To maintain client relationship records
To improve service delivery based on project learnings
Legal Basis: Contract performance and legitimate interests (service delivery and business operations)
Correspondence
To respond to your inquiries
To provide information you've requested
To maintain communication records
Legal Basis: Legitimate interests (responding to communications)
How I Store and Protect Your Information
Data Storage
Your information is stored using the following platforms:
Website Hosting: Managed through standard web hosting services with security protocols
Email Marketing (Newsletter): Beehiiv (US-based platform with UK GDPR commitments)
Lead Magnet Delivery: Systeme.io (with EU data processing agreements)
Client Project Management: Google Workspace (with UK/EU data residency options where available)
Communication Tools: Email, LinkedIn (standard platforms with security measures)
File Sharing: Google Drive (with encryption and access controls)
Analytics: Standard website analytics tools with anonymisation where appropriate
International Data Transfers
Some of the platforms I use are based in the United States or other jurisdictions outside the UK/EU. Where I transfer your data internationally, I ensure appropriate safeguards are in place:
Transfer Mechanisms:
Beehiiv (Newsletter Platform):
Location: United States
Transfer Mechanism: EU-U.S. Data Privacy Framework (DPF)
Beehiiv participates in and complies with the EU-U.S. Data Privacy Framework, which provides adequacy findings for data transfers. This framework is recognised by UK authorities as providing appropriate safeguards for international data transfers.
Additional Protection: Data Processing Agreement (DPA) with UK GDPR Article 28 processor obligations
Documentation: Transfer mechanism documentation available on request
Systeme.io (Lead Magnets):
Location: European Union (France)
Transfer Mechanism: Not required (EU to UK transfers covered by UK adequacy decisions)
Additional Protection: EU-standard Data Processing Agreement
Google Workspace (Client Work):
Location: Global infrastructure with UK/EU data residency options
Transfer Mechanism: UK Addendum to EU Standard Contractual Clauses
Data Residency: UK/EU data residency configured where available
Additional Protection: Comprehensive data protection terms and processor obligations
Transfer Risk Assessments:
I conduct transfer risk assessments for all international data transfers to ensure:
Appropriate safeguards are in place
Data subjects' rights remain enforceable
Supplementary measures are implemented where needed
Ongoing monitoring of legal and practical protections
If you have specific concerns about international data transfers or would like copies of transfer mechanism documentation, please contact me at hello@brainsb4bots.com.
Security Measures
I implement appropriate technical and organisational security measures to protect your personal information, including:
Encryption of data in transit (SSL/TLS certificates)
Secure password management and access controls
Regular security updates to systems and platforms
Restricted access to personal data (only I and necessary service providers have access)
Regular backups with secure storage
Confidentiality agreements with any third-party service providers
Important Note on Sole Trader Liability: As a sole trader, I bear personal unlimited liability for data protection compliance. I take this responsibility seriously and implement security measures appropriate to the sensitivity of the data I process.
Data Retention
I retain your personal information only for as long as necessary:
Website Analytics: Anonymised data retained indefinitely for historical analysis; identifiable data retained for 14 months
Newsletter Subscribers: Until you unsubscribe, plus 6 months for administrative purposes
Lead Magnet Data: 24 months from last engagement, or until you request deletion
Client Engagement Data: 7 years from completion of services (UK tax and business record requirements)
Correspondence: 3 years from last communication, or duration of business relationship
Financial Records (Invoices, Payments): 7 years (UK tax law requirement)
Cookies and Tracking Technologies
I use cookies and similar technologies on my website. Please see my separate Cookie Policy for comprehensive details.
In summary:
Essential Cookies: Required for website functionality
Analytics Cookies: Help me understand how visitors use the site (consent required)
I do not currently use marketing or advertising cookies. If this changes in future, I will update this policy and request your consent.
Your Rights Under UK GDPR
As a data subject, you have the following rights regarding your personal information:
1. Right of Access
You can request confirmation of whether I process your personal data and obtain a copy of that data.
2. Right to Rectification
You can request correction of inaccurate or incomplete personal data.
3. Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data in certain circumstances, including:
When the data is no longer necessary for the purposes for which it was collected
When you withdraw consent (where processing is based on consent)
When you object to processing and there are no overriding legitimate grounds
When data has been unlawfully processed
Limitations: I may retain certain data where required by law (e.g., financial records for 7 years) or where I have overriding legitimate interests.
4. Right to Restrict Processing
You can request restriction of processing in certain circumstances, such as when you contest the accuracy of data.
5. Right to Data Portability
You can request to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller where:
Processing is based on consent or contract performance
Processing is carried out by automated means
6. Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. I will cease processing unless I can demonstrate compelling legitimate grounds.
7. Right to Withdraw Consent
Where processing is based on consent, you can withdraw consent at any time. This will not affect the lawfulness of processing before withdrawal.
8. Rights Related to Automated Decision-Making
I do not use automated decision-making or profiling that produces legal or similarly significant effects.
How to Exercise Your Rights
To exercise any of these rights, please contact me at:
Email: hello@brainsb4bots.com
Post: Michael MacDonald, Brains Before Bots, 4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London, W1T 6EB
I will respond to requests within one month. If your request is complex or you have made a number of requests, I may extend this period by two months, notifying you of the extension.
Data Breach Procedures
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, I am committed to handling it responsibly and in accordance with UK GDPR requirements.
My Obligations
If a breach occurs:
I will notify the ICO (Information Commissioner's Office) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33
I will notify affected individuals without undue delay if the breach poses a high risk to your rights and freedoms
Notifications will include:
The nature of the breach and categories of data affected
Likely consequences of the breach
Measures I have taken or propose to take to address the breach and mitigate potential adverse effects
Your Action
If you believe your personal data has been compromised in relation to my services, please contact me immediately at hello@brainsb4bots.com so I can:
Investigate the matter promptly
Take appropriate remedial action
Keep you informed of the situation and steps being taken
Security Measures
I maintain appropriate technical and organisational security measures to prevent breaches, including:
Encryption of data in transit and at rest
Access controls and authentication
Regular security updates and patches
Secure backup procedures
Confidentiality agreements with service providers
Regular review of security practices
While I take data security very seriously, no system can be 100% secure. I continuously monitor and improve my security measures to protect your personal information.
Information Sharing and Disclosure
I do not sell, rent, or trade your personal information to third parties.
I may share your information with:
Service Providers
I use trusted third-party service providers who process data on my behalf:
Email Marketing: Beehiiv (newsletter delivery)
Lead Management: Systeme.io (lead magnet delivery and funnel management)
Cloud Storage: Google Workspace/Google Drive (document storage and sharing)
Payment Processing: Third-party payment processors (I do not store credit card details)
Website Hosting: Hosting providers for website operation
Analytics: Website analytics services (with data anonymisation where possible)
All service providers are bound by data processing agreements requiring them to:
Process data only on my instructions
Implement appropriate security measures
Comply with UK GDPR requirements
Not use your data for their own purposes
Legal Requirements
I may disclose your information if required by law or if I believe disclosure is necessary to:
Comply with legal obligations or court orders
Enforce my Terms and Conditions
Protect my rights, property, or safety, or that of others
Prevent fraud or other illegal activity
Business Transfers
As a sole trader, if I were to sell or transfer my business, your personal data may be transferred to the acquiring party, subject to the same privacy protections outlined in this policy. You would be notified of any such transfer.
Children's Privacy
My services are intended for businesses and professionals. I do not knowingly collect personal information from individuals under 16 years of age. If I become aware that I have inadvertently collected such information, I will take steps to delete it promptly.
Links to Third-Party Websites
My website may contain links to third-party websites (including LinkedIn, the Beehiiv subdomain, and external research sources). I am not responsible for the privacy practices of these external sites. I encourage you to read the privacy policies of any third-party sites you visit.
Changes to This Privacy Policy
I may update this Privacy Policy from time to time to reflect changes in my practices, legal requirements, or service offerings. The "Last Updated" date at the top indicates when the policy was last revised.
Significant changes will be communicated via:
Email to newsletter subscribers
Prominent notice on the website
Updated "Last Updated" date
Your continued use of my services after changes indicates acceptance of the updated policy.
Contact and Complaints
Data Protection Queries
If you have questions about this Privacy Policy or how I handle your personal data:
I aim to resolve all privacy concerns promptly and transparently.
Complaints to the ICO
You have the right to lodge a complaint with the UK supervisory authority for data protection:
Information Commissioner's Office (ICO)
Website: www.ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
However, I would appreciate the opportunity to address your concerns before you contact the ICO, so please contact me first if possible.
Sole Trader Specific Notice
Important: Michael MacDonald operates as a sole trader, not a limited company. This means:
I have personal unlimited liability for all data protection obligations
I am personally responsible as the data controller for all processing activities
There is no separate corporate entity; "Brains Before Bots" is my trading name
My business and personal assets are not legally separated
This structure means I take data protection compliance very seriously, as I bear full personal responsibility for any breaches or non-compliance issues.