Data Compliance (UK GDPR & GDPR)
Last updated: May 23, 2026
This page explains how Beluga AI Ltd supports data protection obligations under the UK GDPR, the EU GDPR, and the Data Protection Act 2018. It is provided for informational purposes and does not constitute legal advice. For details of how personal data is processed, see the Privacy Policy; for the contractual data protection terms, see the Data Processing Agreement.
1. Our roles
Depending on the use case, Beluga AI Ltd may act as a controller (for visitors to our marketing sites, prospects, and our direct customers) or as a processor (for data we handle on behalf of customers as part of providing the Service). The applicable role determines the legal basis for processing and the contractual terms that apply.
2. Lawful bases
We rely on the following lawful bases under UK GDPR Art. 6:
- Contract — to provide the Service to our customers.
- Legitimate interests — to operate, secure, and improve our business.
- Consent — for non-essential cookies and marketing communications.
- Legal obligation — for tax, accounting, and regulatory record-keeping.
3. Data minimisation
We process only the minimum personal data necessary to deliver the requested features and support. Where possible, we use pseudonymisation, aggregation, or anonymisation.
4. Security measures
- TLS 1.2+ encryption for data in transit.
- Encryption at rest on managed infrastructure.
- Role-based access control, least-privilege defaults, and administrative MFA.
- Logging, monitoring, and regular backups with restore testing.
- Vendor due diligence on all sub-processors.
More detail is set out on our Security page and in Annex A of the DPA.
5. Retention
We retain personal data only for as long as required to provide the Service, meet contractual or legal obligations, and maintain platform security. Specific retention periods are listed in the Privacy Policy.
6. International transfers
Where personal data is transferred outside the UK or EEA, we use the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK Addendum, or another lawful safeguard. A copy of the relevant safeguards can be requested by email.
7. Sub-processors
We engage trusted sub-processors for hosting, AI inference, telephony, email delivery, analytics, and payments. They are contractually bound to maintain appropriate safeguards and to process data only on our documented instructions. The current list is available on request and is summarised in Annex B of the DPA.
8. Breach notification
We maintain documented incident response procedures. Where Beluga AI suffers a personal data breach affecting Customer Personal Data, we will notify the affected Controller without undue delay and in any event within 72 hours of becoming aware. We will also notify supervisory authorities and affected data subjects where required by law.
9. Data subject requests
You may have rights to access, correct, delete, restrict, port, or object to the processing of your personal data. To make a request, email support@agentbeluga.com. If the request relates to data held on behalf of one of our customers, we will route the request to that customer as the controller.
10. Regulator contact
If you believe we have not handled your personal data appropriately, you may lodge a complaint with the UK Information Commissioner's Office at ico.org.uk or with your local supervisory authority.