
Red Lotus Digital Marketing Ltd
trading as red lotus digimark
Registered in England and Wales
PRIVACY POLICY & DATA PROTECTION NOTICE
Last Updated: 25 May 2026
AT A GLANCE — WHAT THIS POLICY COVERS
This Privacy Policy explains how Red Lotus Digital Marketing Ltd ("we", "us", "our") collects, uses, stores, and protects personal data in connection with our website at www.redlotusdigimark.com and the services we provide. It covers data about our clients, prospective clients, and — where relevant — data our clients ask us to process on their behalf as part of AI-powered marketing services.
We are committed to handling all personal data responsibly, transparently, and in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and other applicable privacy laws.
1. Who We Are and How to Contact Us
The data controller responsible for the personal data described in this Privacy Policy is:
Company name: Red Lotus Digital Marketing Ltd
Trading name: red lotus digimark
Registered in England and Wales
Registered address: Bracken Edge, Woodview Close, Ashtead, KT21 1HA
Website: www.redlotusdigimark.com
Privacy enquiries: [email protected]
If you have any questions about this Privacy Policy, how we handle your personal data, or wish to exercise your rights, please contact us at [email protected]. We aim to respond to all privacy enquiries within 5 business days.
2. Scope of This Privacy Policy
This Privacy Policy applies to personal data we process in two distinct capacities:
2.1 As a Data Controller (our own processing)
We act as a Data Controller when we collect and process personal data for our own purposes. This includes:
• Data we collect from visitors to www.redlotusdigimark.com.
• Data we collect from prospective clients who enquire about our services.
• Data we collect from clients and their representatives when they engage our services.
• Data we process for our own marketing, business development, and administrative purposes.
2.2 As a Data Processor (processing on behalf of our clients)
We act as a Data Processor when our clients ask us to handle data about their own customers as part of delivering marketing automation, AI voice agent, or chatbot services. In this role:
• Our clients are the Data Controllers.
• We process data only as instructed by the client.
• Our clients’ own privacy policies govern the relationship between them and their customers.
This Policy describes both roles where relevant, so you can understand how data flows through our business.
3. What Personal Data We Collect
3.1 Data We Collect Directly From You (Website Visitors and Prospective Clients)
When you visit our website or get in touch with us, we may collect:
• Contact information: your name, email address, phone number, and business name.
• Enquiry information: the details you provide in contact forms, emails, or messages.
• Professional information: your job title, industry, and company size if provided.
• Marketing preferences: your choices regarding receiving communications from us.
• Website usage data: pages visited, time on site, clicks, and other browsing behaviour, collected via cookies and analytics tools (see Section 9).
• Technical data: your IP address, browser type and version, operating system, device type, and referring URL.
3.2 Data We Collect From Our Clients (Contracted Service Recipients)
When you become a client, we collect additional information necessary to deliver services:
• Business information: company registration number, VAT number, registered address, and trading information.
• Billing information: billing address and payment details (note: full payment card numbers are processed directly by our payment provider, Stripe, and are not stored by us — see Section 6).
• Service configuration data: information about your products, services, pricing, scripts, and business processes needed to configure AI systems.
• Account credentials: login details for third-party platforms where access is granted (e.g. Google Ads, social media accounts). We handle such credentials with strict confidentiality.
• Communications: emails, messages, and meeting notes relating to our ongoing working relationship.
3.3 Data About Your Customers That We Process On Your Behalf
As part of delivering AI voice agent, chatbot, and marketing automation services, we may process personal data about your customers on your instructions. This may include:
• Names, email addresses, and phone numbers from your CRM or marketing lists.
• Call recordings and transcripts from AI voice agent interactions.
• Chat transcripts from AI chatbot interactions.
• Lead and enquiry data captured via AI systems.
• Engagement data: opens, clicks, responses, and other interaction data from marketing campaigns.
• Appointment booking data where AI systems handle scheduling.
You, as the Data Controller for this data, are responsible for ensuring you have a lawful basis for sharing your customers’ data with us and for ensuring your customers have been informed appropriately.
3.4 Special Categories of Data
We do not intentionally collect special categories of personal data (such as data about health, religion, ethnicity, or political opinions) as part of our standard services. If you believe any special category data has been inadvertently collected, please contact us immediately at [email protected] so we can address this appropriately.
4. How and Why We Use Your Personal Data (Lawful Basis)
Under UK GDPR, we must have a lawful basis for processing personal data. The table below sets out our main processing activities and the lawful basis we rely on for each:
Responding to website enquiries; Legitimate interests (Art. 6(1)(f)); To communicate with prospective clients and develop business relationships.
Delivering contracted services; Performance of a contract (Art. 6(1)(b)); To fulfil our obligations to you as a client.
Billing and invoicing; Performance of a contract / Legal obligation (Art. 6(1)(b)(c)); To invoice you correctly and maintain required financial records.
Processing client customer data for AI/marketing services; Performance of a contract (Art. 6(1)(b)) — we act as Processor on your documented instructions; To deliver AI voice, chatbot, and automation services on your behalf.
Sending marketing communications to prospects; Legitimate interests or Consent (Art. 6(1)(a)(f)); To promote our services to relevant businesses (subject to your preferences).
Improving our AI systems and services; Legitimate interests (Art. 6(1)(f)); To improve accuracy, quality, and performance of our services. Only anonymised or aggregated data is used.
Security and fraud prevention; Legitimate interests / Legal obligation (Art. 6(1)(c)(f)); To protect our business and your data from fraud, misuse, or security threats.
Compliance with legal obligations; Legal obligation (Art. 6(1)(c)); To comply with laws, regulations, and court orders applicable to our business.
Analytics and website performance; Consent (where cookies used) / Legitimate interests; To understand how our website is used and to improve user experience.
Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests are not overridden by your privacy rights. You may request details of this assessment by contacting us.
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal. To withdraw consent, contact [email protected] or use the unsubscribe link in any marketing email.
5. AI Services — How We Handle Data in AI Systems
5.1 AI Voice Agent Call Recordings and Transcripts
Our AI voice agent services involve automated telephone conversations. Here is how we handle the associated data:
• Call recordings: All AI voice agent calls may be recorded for quality assurance, system improvement, dispute resolution, and compliance purposes. Recordings are stored securely and retained for the period specified in Section 8.
• Transcripts: Calls are transcribed automatically using speech-to-text technology. Transcripts may be reviewed by our team for quality assurance and to improve AI performance.
• Caller disclosure: We configure AI systems to identify that a call is automated or AI-assisted at the outset of each call, in accordance with UK GDPR and PECR obligations. Our clients are responsible for ensuring their calling practices and consents comply with applicable law.
• Access to recordings: Client businesses can access recordings and transcripts of their own AI voice agent interactions via their account dashboard or upon request.
5.2 AI Chatbot Transcripts
AI chatbot conversations are logged and stored to:
• Enable you (as the client) to review conversations with your customers.
• Allow us to improve chatbot responses and accuracy.
• Facilitate handover to human agents where configured.
• Identify and resolve errors or inappropriate outputs.
Chat transcripts are retained in accordance with Section 8 and may be reviewed internally on an anonymised basis for service improvement.
5.3 Use of Data to Train or Improve AI Systems
We want to be transparent about how data is used in the context of AI:
• Client-specific AI configuration: Training Data (scripts, FAQs, product information) you provide to configure your AI systems is used solely to customise your AI systems and is not shared with other clients.
• General service improvement: We may use anonymised and aggregated performance metrics (such as call completion rates, query categories, or accuracy scores) to improve our service offering. No personally identifiable information is used in this process.
• Third-party AI providers: Where we use third-party AI APIs (such as OpenAI), these providers may process data as part of generating responses. Please refer to Section 7 and to OpenAI’s privacy policy at openai.com/privacy for details of how they handle data. We use these APIs under service agreements that include appropriate data protection provisions.
• We do not sell data: We do not sell, rent, or otherwise commercially exploit personal data about you or your customers to third parties.
5.4 Automated Decision-Making
Our AI systems may make automated assessments (for example, qualifying a lead based on their responses). Where such assessments have a significant effect on individuals, we will ensure appropriate safeguards are in place and will inform affected individuals of their right to request human review. If you are concerned about automated decision-making affecting you or your customers, please contact us.
6. Sharing Your Data With Third Parties
We do not sell your personal data. We share personal data only where necessary and with appropriate safeguards. The table below identifies our key sub-processors and why data is shared with them:
GoHighLevel (HighLevel Inc.); CRM, marketing automation, pipeline management; Client and customer contact data, campaign data, communications; USA — Standard Contractual Clauses apply. Privacy: highlevel.com/privacy-policy
Twilio Inc.; Telephony, SMS, and AI voice infrastructure; Phone numbers, call recordings, transcripts; USA — Standard Contractual Clauses apply. Privacy: twilio.com/en-us/legal/privacy
OpenAI, L.P.; AI language model API (chatbot/voice response generation); Conversation inputs and context (processed in real time); USA — Data Processing Agreement in place. Privacy: openai.com/privacy
Google Analytics (Google LLC); Website analytics and performance measurement; Anonymised IP, browsing behaviour, device data (via cookies); USA — Standard Contractual Clauses apply. Privacy: policies.google.com
Stripe, Inc.; Payment processing for service fees; Billing address, payment card data (handled directly by Stripe); UK/EU/USA — PCI DSS compliant. Privacy: stripe.com/gb/privacy
Cloud infrastructure provider (AWS or Google Cloud); Secure data storage and hosting; All service data stored in encrypted cloud environments; UK/EU data centres used where available. Standard Contractual Clauses where required.
We may also share personal data in the following circumstances:
• Legal requirements: If required by law, court order, or regulatory authority (such as the ICO or a law enforcement agency).
• Business transfer: If we sell or transfer all or part of our business, personal data may be transferred as part of that transaction, subject to appropriate confidentiality obligations.
• Professional advisers: With our solicitors, accountants, or insurers where necessary to obtain professional advice.
• With your consent: In any other circumstances where you have specifically agreed to the sharing.
7. International Data Transfers
Some of our third-party sub-processors are based outside the UK and the European Economic Area (EEA). Where personal data is transferred to countries that do not provide an equivalent level of data protection under UK law, we ensure appropriate safeguards are in place, specifically:
• Standard Contractual Clauses (SCCs): The UK International Data Transfer Addendum (IDTA) or UK-approved SCCs are used for transfers to processors in the USA and other third countries.
• Adequacy decisions: Where the UK government has issued an adequacy decision for a country, we rely on this as the transfer mechanism.
• Binding Corporate Rules: Where a sub-processor operates under ICO-approved Binding Corporate Rules, we rely on those.
Our primary sub-processors (GoHighLevel, Twilio, OpenAI, Google, Stripe) each operate under Standard Contractual Clauses or equivalent UK-approved transfer mechanisms. You can request details of the specific transfer safeguards we rely on by contacting [email protected].
Where possible, we configure services to store data in UK or EEA data centres. However, due to the global nature of cloud infrastructure, some data processing may occur outside these regions even where data is nominally stored locally.
8. How Long We Keep Your Data
We keep personal data only for as long as necessary for the purposes for which it was collected, or as required by law. The table below summarises our key retention periods:
Client account data (name, contact details, contract); Duration of contract + 7 years; Legal and financial record-keeping obligations
Billing records and invoices; 7 years from invoice date; UK tax and accounting requirements (HMRC)
Marketing enquiries (pre-contract); 2 years from last contact; Business development and follow-up
AI voice agent call recordings; 12 months from date of call; Quality assurance and dispute resolution
AI voice agent transcripts; 12 months from date of call; Quality assurance, training, and compliance review
Chatbot conversation transcripts; 12 months from date of interaction; Quality assurance and client review
Website analytics data; 26 months (Google Analytics default, anonymised); Website performance improvement
Email marketing engagement data; Duration of subscription + 12 months after unsubscribe; Compliance with suppression list obligations
Consent records; Duration of consent + 5 years; Demonstrating compliance
Support and communication records; Duration of contract + 3 years; Reference and dispute resolution
Where we process personal data on behalf of a client, the client’s retention instructions take precedence. Upon termination of a client agreement, we will delete or return all client customer data within 30 days unless a longer retention period is required by law or agreed in writing.
Certain data may be retained in anonymised or aggregated form beyond these periods where it no longer constitutes personal data (for example, aggregated performance statistics).
9. Cookies and Tracking Technologies
9.1 What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help websites remember information about your visit, making your experience more efficient and personalised. We use cookies and similar tracking technologies (such as web beacons and pixels) on www.redlotusdigimark.com.
9.2 Types of Cookies We Use
Strictly Necessary; Essential for website function; Session management, security cookies. Cannot be disabled.
Analytics / Performance; Understand how visitors use the site; Google Analytics (anonymised traffic data — pages visited, session duration, device type).
Functional; Remember your preferences; Language settings, form auto-fill, chat widget preferences.
Marketing / Targeting; Track effectiveness of marketing campaigns; Google Ads conversion tracking, Meta Pixel (where active). Only set with your consent.
9.3 Managing Your Cookie Preferences
When you first visit our website, you will be presented with a cookie consent banner where you can choose which categories of cookies to accept. You can change your preferences at any time by:
• Clicking the “Cookie Settings” link in the footer of our website.
• Adjusting your browser settings to block or delete cookies (note: blocking all cookies may affect website functionality).
• Using opt-out tools provided by Google Analytics at tools.google.com/dlpage/gaoptout.
Please note that strictly necessary cookies cannot be disabled as they are essential for the website to function.
9.4 Google Analytics
We use Google Analytics to understand how visitors interact with our website. Google Analytics collects anonymised data including pages visited, session duration, geographic location (country/region level), and device information. IP addresses are anonymised before processing. Google’s use of this data is governed by its Privacy Policy available at policies.google.com/privacy. You can opt out of Google Analytics tracking across all websites using the Google Analytics opt-out browser add-on.
10. How We Protect Your Data
We take data security seriously and implement layered technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, and destruction:
Technical Measures
• Encryption in transit: All data transmitted between users, our website, and our systems uses TLS/SSL encryption.
• Encryption at rest: Sensitive data stored on our infrastructure is encrypted at rest.
• Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis, using role-based access controls and multi-factor authentication.
• Secure cloud infrastructure: We use reputable cloud providers (AWS or Google Cloud) with ISO 27001 certification and SOC 2 compliance.
• Regular security updates: Software and systems are kept up to date with security patches.
Organisational Measures
• Staff training: All team members with access to personal data receive training on data protection obligations and our internal security policies.
• Data minimisation: We collect and retain only the minimum personal data necessary for each purpose.
• Vendor assessments: We assess the security practices of key sub-processors before engagement and periodically thereafter.
• Incident response: We maintain a data breach response procedure (see Section 15).
While we take all reasonable precautions, no method of data transmission or storage over the internet is completely secure. We cannot guarantee absolute security of data transmitted electronically, and you provide data to us at your own risk. However, we will notify you promptly if a breach occurs that affects your rights and freedoms.
11. Your Privacy Rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to personal data we hold about you as a Data Controller:
Right of Access (Subject Access Request); You can ask us to provide a copy of the personal data we hold about you, along with information about how and why we process it. We will respond within one calendar month.
Right to Rectification; If personal data we hold about you is inaccurate or incomplete, you can ask us to correct it.
Right to Erasure (‘Right to be Forgotten’); In certain circumstances, you can ask us to delete personal data we hold about you. This right is not absolute — we may need to retain data to comply with legal obligations or for legitimate business purposes.
Right to Restrict Processing; You can ask us to stop actively processing your data while a dispute about its accuracy or use is resolved.
Right to Data Portability; Where we process your data by automated means and on the basis of consent or contract, you can ask us to provide it in a structured, machine-readable format for transfer to another organisation.
Right to Object; You can object to processing based on our legitimate interests (including direct marketing). For direct marketing, we will stop immediately upon receiving your objection.
Rights re: Automated Decisions; You have the right not to be subject to decisions based solely on automated processing that have a significant effect on you, unless you have consented or it is necessary for a contract.
Right to Withdraw Consent; Where we process data on the basis of your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
11.1 How to Exercise Your Rights
To exercise any of the above rights, please contact us:
• By email: [email protected]
• By post: Red Lotus Digital Marketing Ltd, Bracken Edge, Woodview Close, Ashtead, KT21 1HA
We will acknowledge your request within 5 business days and respond in full within one calendar month. In complex cases, we may extend this by a further two months, in which case we will notify you. We do not charge a fee for routine requests, but may charge a reasonable administrative fee for manifestly unfounded, excessive, or repetitive requests.
We may need to verify your identity before processing your request. We will ask for reasonable identification to prevent unauthorised access to your data.
11.2 Right to Lodge a Complaint
If you are not satisfied with how we handle your personal data or your rights request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
• Website: ico.org.uk
• Telephone: 0303 123 1113
• Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would welcome the opportunity to resolve any concerns you have before you approach the ICO, so please contact us first.
12. California Privacy Rights (CCPA / CPRA)
This section applies to California residents whose personal information we collect in connection with our business activities, to the extent the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) applies.
California residents have the following additional rights:
• Right to Know: You may request disclosure of the categories and specific pieces of personal information we collect, the purposes for collection, the categories of sources, and the categories of third parties with whom we share information.
• Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioural advertising. If this changes, we will update this Policy and provide an opt-out mechanism.
• Right to Limit Sensitive Personal Information: Where we process sensitive personal information, you may limit its use and disclosure.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To exercise your California privacy rights, please submit a verifiable consumer request to [email protected]. We will respond within 45 days, extendable by a further 45 days with notice where necessary.
In the preceding 12 months, we have not sold personal information. We have shared personal information with the service providers listed in Section 6 for the business purposes described in this Policy.
13. Children’s Privacy
Our website and services are directed solely at businesses and their representatives. We do not knowingly target, market to, or collect personal data from individuals under the age of 18 (“minors”).
Our AI voice agent, chatbot, and marketing automation services are designed for business-to-business and local business-to-customer marketing. We do not knowingly configure AI systems to engage with or collect data from minors.
If you believe that a minor has submitted personal data to us, or that our AI systems have inadvertently collected data from a minor, please contact us immediately at [email protected]. We will promptly investigate and delete any such data.
Clients who use our AI services for consumer-facing interactions are responsible for ensuring their campaigns and target audiences do not include minors, and for complying with any applicable laws protecting children’s data (including the UK Children’s Code / Age Appropriate Design Code where relevant).
14. Marketing Communications
14.1 Marketing to Prospective and Existing Clients
With your consent or where we have a legitimate interest to do so (for example, if you are an existing client), we may contact you with:
• Information about our services, including new AI features, product updates, and service improvements.
• Educational content such as guides, case studies, and marketing insights relevant to local businesses.
• Promotional offers and event invitations.
14.2 Your Opt-Out Rights
You can opt out of marketing communications at any time by:
• Clicking the “Unsubscribe” link in any marketing email we send.
• Replying “STOP” to any marketing SMS.
• Contacting us directly at [email protected] with the subject line “Marketing Opt-Out”.
We will process all opt-out requests within 5 business days. You will continue to receive service-related communications (such as invoices, account updates, and important notices) even if you have opted out of marketing.
We maintain a suppression list of opt-outs to ensure we do not contact those who have opted out. Your email address or phone number will be kept on this suppression list rather than deleted, so that we can honour your preference.
14.3 Marketing on Behalf of Our Clients
Where we send marketing communications on behalf of our clients using their marketing lists, we do so as a Data Processor acting on the client’s instructions. The client is the Data Controller for this processing and is responsible for ensuring compliance with PECR and UK GDPR. Recipients of such communications should contact the relevant client business to exercise their marketing preferences.
15. Data Breach Notification
15.1 Our Detection and Response Process
We maintain a documented data breach response plan that includes the following steps:
• Detection: We use monitoring tools and internal reporting procedures to detect security incidents as quickly as possible.
• Assessment: Upon detecting a potential breach, we assess its nature, scope, and likely impact on individuals’ rights and freedoms.
• Containment: We take immediate steps to contain the breach and prevent further unauthorised access or data loss.
• Documentation: All incidents are documented, including those that are determined not to require external notification.
15.2 Notification to the ICO
Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR. Our notification will include:
• The nature of the breach and the categories and approximate number of individuals and records affected.
• The likely consequences of the breach.
• The measures taken or proposed to address the breach.
15.3 Notification to Affected Individuals
Where a breach is likely to result in a high risk to the rights and freedoms of individuals (for example, where there is a risk of identity theft, financial loss, or significant harm), we will notify those individuals directly without undue delay. Our notification will describe the breach in clear language and explain the steps individuals can take to protect themselves.
15.4 Notification to Clients (as Data Controller)
Where a breach relates to personal data we process on behalf of a client, we will notify that client without undue delay (and in any event within 72 hours) of becoming aware of the breach, providing sufficient information for the client to meet their own notification obligations. We will cooperate fully with clients in investigating and addressing any such breach.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, applicable law, or best practice. The “Last Updated” date at the top of this Policy indicates when it was last revised.
We will notify you of material changes by:
• Posting a prominent notice on our website.
• Sending an email notification to active clients.
For non-material changes (such as clarifications or minor corrections), we will update the Policy without specific notification. We encourage you to review this Policy periodically. The current version is always available at www.redlotusdigimark.com/privacy-policy.
Continued use of our website or services after any changes take effect constitutes your acceptance of the revised Policy (except where consent is required for material changes, in which case we will seek fresh consent).