Privacy Policy

This policy explains, in plain language, what personal data PeopleAMP handles, why we handle it, how we protect it, and the rights you have over it. The defined terms and full obligations sit in the numbered sections that follow.

• We collect only what we need to respond to enquiries, deliver the services you request, run a safe and useful website, and comply with the law.
• We never sell your personal data. We do not use it to train third-party large language models.
• We work with a small, named set of trusted sub-processors (listed in Section 05) and keep your data only for as long as we have a lawful reason to.
• You have rights over your personal data — including access, correction, deletion and objection — and you can exercise them by emailing privacy@peopleamp.io.

The PeopleAMP website at www.peopleamp.io is operated by PeopleAMP Tech Ltd, a private limited company registered in England and Wales, company number 14934358, with its registered office at B32 3SB, United Kingdom (“PeopleAMP,” “we,” “us,” or “our”).

For the purposes of data-protection law, PeopleAMP is the data controller in respect of personal data we collect through our own website, marketing and sales activities. When we deliver services to a client under a Statement of Work, we typically act as a data processorin respect of any personal data we process on that client's behalf — governed by a separate Data Processing Agreement.

The person responsible for data-protection matters at PeopleAMP is Ola Idowu, Founder and CEO of PeopleAMP, reachable at privacy@peopleamp.io. They can be reached at privacy@peopleamp.io.

We collect only the personal data we need for the purposes described in Section 04. We categorise it as follows.

Information you give us directly

• Contact data — your name, email address, company, job title, phone number and any other details you include when you contact us, book a call, download a resource or complete a form such as the 10-Hour Audit.
• Diagnostic and engagement data — the tasks, tools, hours, notes, website, LinkedIn handle or other business context you voluntarily share in the 10-Hour Audit worksheet or in any pre-call, discovery or engagement materials.
• Commercial data — information relevant to a proposal, Statement of Work, invoice or payment; only when we are in a live commercial conversation with you.

Information we collect automatically

• Technical data — IP address, user agent, device characteristics, operating system, approximate location derived from the IP address, and request metadata generated when you visit the site.
• Usage data — pages visited, time on page, referrer URL, UTM parameters, click events and other aggregate-analytics signals.
• Cookies and similar technologies — see Section 09 for what is set, why, and how to control it.

Information we receive from third parties

• From our booking provider (Microsoft Bookings) when you schedule a call — the attendee name, email, time zone and any answers you provide on the booking form.
• From publicly available professional sources (e.g. a company website or LinkedIn profile) when you explicitly share them with us for pre-call research.

We do not knowingly collect special-category personal data (health, biometric, political opinions, religious beliefs, sexual orientation, trade-union membership, genetic data) through this website. If you provide such data in a worksheet or message, please don't; email us instead and we will delete it.

Under UK GDPR we must have a lawful basis for every use of your personal data. The table below sets out the main ways we use your data, the purpose for each use, and our lawful basis.

To respond to your enquiries and deliver what you ask for

• Reply to emails, strategy-call requests, proposals, and resource downloads.
• Send you the completed 10-Hour Audit and associated follow-up materials.

Lawful basis: performance of a contract or steps taken at your request prior to entering into a contract; our legitimate interest in responding to people who reach out to us.

To operate and improve our services and website

• Maintain the site, fix bugs and monitor performance.
• Understand how visitors use the site (aggregate analytics only) so we can improve content and flow.
• Protect the site, our users, and our business against fraud, abuse and security incidents.

Lawful basis: our legitimate interests in running a safe, reliable and improving service.

To send marketing and educational content

• Send occasional emails with articles, updates and offers related to the work we do.
• Show relevant messages on this website and on third-party platforms.

Lawful basis: your consent (where required) or our legitimate interest in marketing to business contacts on a soft-opt-in basis. Every marketing email includes a one-click unsubscribe link.

To comply with legal and accounting obligations

• Keep invoicing and tax records for the statutory periods required by law.
• Respond to lawful requests from courts, regulators and other authorities.

Lawful basis: compliance with a legal obligation to which we are subject.

We will not use your personal data for automated decision-making that produces legal or similarly significant effects on you. We will not sell your personal data.

We share personal data only with the categories of recipient listed below, and only to the extent needed for the purpose stated. Every sub-processor we use is contractually bound to protect your data.

Our service providers (sub-processors)

• Vercel Inc. — website hosting and edge delivery. Hosts page content and processes request metadata (vercel.com).
• Resend — transactional email for audit copies and lead notifications (resend.com).
• Microsoft Corporation — email, calendar and Bookings services for scheduling strategy calls (microsoft.com).
• GitHub, Inc. — source-control and deployment pipeline for this website (github.com).
• Analytics and observability providers — where used, strictly in an aggregated, privacy-respecting configuration.

Professional advisers

Our accountants, auditors, insurers and lawyers, where needed to operate the business, obtain advice or manage disputes.

Corporate transactions

If PeopleAMP is involved in a reorganisation, merger, acquisition, asset sale or financing, your personal data may be shared with the counterparties and their advisers, under appropriate confidentiality obligations.

Legal and regulatory recipients

Courts, tribunals, law-enforcement and regulators, where we are legally required to share information or where it is necessary to establish, exercise or defend legal claims.

We do not share your data with advertising networks for cross-site tracking or profiling.

Some of our sub-processors are based outside the UK or European Economic Area, including in the United States. Where we transfer personal data outside the UK/EEA, we put in place appropriate safeguards such as:

• the UK International Data Transfer Agreement or the UK addendum to the EU Standard Contractual Clauses;
• the EU Standard Contractual Clauses adopted by the European Commission;
• certification under the EU–US Data Privacy Framework and the UK Extension to that Framework, where the recipient is certified; or
• any other mechanism recognised as providing an adequate level of protection under applicable law.

You can request a copy of the safeguards we use by contacting us at privacy@peopleamp.io.

We keep personal data only for as long as we need it, after which we either delete it or irreversibly anonymise it. The typical periods are:

• Enquiry and audit data — up to 24 months from your last interaction with us, unless you ask us to delete it sooner.
• Marketing contact data— until you unsubscribe, and then a suppression record to ensure we don't contact you again.
• Engagement and project records — for the duration of the engagement and up to 7 years afterwards, for contractual, tax, regulatory and limitation-period reasons.
• Website logs and aggregate analytics — up to 13 months in identifiable form, aggregated thereafter.
• Financial and accounting records— for the statutory retention period applicable in our jurisdiction (typically 6–10 years).

Under UK GDPR, EU GDPR and other comparable frameworks you may have the following rights in respect of personal data we hold about you:

• Access — to request a copy of the personal data we hold about you.
• Rectification — to ask us to correct data that is inaccurate or incomplete.
• Erasure — to ask us to delete data we no longer have a lawful reason to hold.
• Restriction — to ask us to stop processing data while we resolve a dispute about it.
• Portability — to receive a machine-readable copy of data you provided to us, or to have us send it to another controller.
• Objection — to object to processing based on our legitimate interests, including direct marketing.
• Withdraw consent — where we rely on your consent, you can withdraw it at any time; this does not affect the lawfulness of processing carried out before withdrawal.
• Complain — to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority is the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email privacy@peopleamp.io. We will respond within one month; we may extend this by a further two months for complex or numerous requests, and will tell you if we do. We may ask you to verify your identity before we act on a request.

A cookie is a small text file placed on your device when you visit a website. We use cookies and similar technologies only where they are strictly necessary for the site to function, or where you have given your consent.

• Strictly necessary cookies — used to operate the site, route traffic to the nearest edge location, and detect abuse. These cannot be turned off without breaking core functionality.
• Analytics cookies — where used, set only with your consent and configured to avoid cross-site tracking.

You can control cookies through your browser settings and, where applicable, through any on-site consent banner. Blocking non-essential cookies will not prevent you from using the site.

We take appropriate technical and organisational measures to protect personal data against loss, unauthorised access, alteration and disclosure. These include:

• encryption in transit (TLS) and at rest, where supported by the underlying platform;
• the principle of least privilege — only people who need access to a system or dataset have it, and access is logged;
• multi-factor authentication on every business-critical account;
• regular review of our sub-processors and their security posture; and
• a documented process for responding to suspected personal-data breaches, including notification to supervisory authorities and affected individuals where required by law.

No system is 100% secure. If you believe your data has been compromised, contact us immediately at privacy@peopleamp.io.

The PeopleAMP website and services are directed at businesses and professionals. We do not knowingly collect personal data from children under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

We may update this policy from time to time to reflect changes in our services, legal requirements or industry practice. The Last updated date at the top of the page reflects the most recent material change. Where a change is significant we will, where practical, notify registered users by email before the change takes effect.

If you have any questions about this policy, want to exercise a right, or wish to raise a concern, please contact us first so we have the opportunity to resolve it:

• Email: privacy@peopleamp.io
• Post: PeopleAMP Tech Ltd, a private limited company registered in England and Wales, B32 3SB, United Kingdom

If you are unhappy with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

See also: Terms of Service.