Privacy Policy
Last updated: 5 March 2026
1. Who we are
Stepping Stones AI is operated by Scott Mitchell, sole trader, based in Liverpool, United Kingdom.
- Data controller: Scott Mitchell trading as Stepping Stones AI
- Contact: scott@steppingstonesai.co.uk
- Website: steppingstonesai.co.uk
- ICO registration: C1887676
2. What personal data we collect
We collect different types of information depending on how you interact with us:
Via booking (Google Calendar)
- Name and email address
- Date and time of your booking
Via email or enquiry
- Name and email address
- Content of your message
Via training sessions (Google Meet)
- Video and audio recordings of sessions (with your consent)
- Any information you share during the session, including screen content
- Session notes and summaries we create based on our work together
Via invoicing and payment (Stripe)
- Name, business name, email and address
- Payment reference and amount (your card details are processed securely by Stripe and never stored by us)
Via our CRM (Notion)
- Name, contact details, session history and notes related to your engagement
Via AI tools used in service delivery
- We use AI tools including ChatGPT (OpenAI) and Claude (Anthropic) to prepare training materials, custom prompts and session content tailored to your business
- This may involve processing information you provide about your business, workflows and goals
- We do not input sensitive personal data (financial details, health data, passwords) into AI tools
Via the website
- We use Vercel Analytics, a privacy-focused analytics service that does not use cookies or collect personally identifiable information. It processes anonymised usage data (pages visited, referrer, device type) to help us improve the website.
- If we introduce additional analytics or tracking in the future, we will update this policy and provide a consent mechanism before any non-essential cookies are placed.
3. Why we collect it and our lawful basis
| Purpose | Lawful basis |
|---|---|
| Booking and scheduling sessions | Performance of a contract |
| Delivering training and consulting | Performance of a contract |
| Recording training sessions | Consent |
| Processing client information via AI tools to prepare training materials | Legitimate interests / Performance of a contract |
| Sending invoices and processing payment | Contract / Legal obligation (HMRC) |
| Storing client records in our CRM | Legitimate interests |
| Responding to enquiries | Legitimate interests |
| Sending marketing emails (where you opt in) | Consent |
| Improving the website (anonymised analytics) | Legitimate interests |
| Complying with tax and legal obligations | Legal obligation |
4. Session recordings
All training sessions are delivered via Google Meet and are recorded. We obtain your explicit consent before recording begins, both in writing (in your booking confirmation) and verbally at the start of each session.
- Purpose: Recordings are made so you can revisit session content and for our internal reference when preparing follow-up materials.
- Storage: Recordings are stored securely in Google Drive and shared with you via a restricted link.
- Retention: Recordings are kept for 12 months after your final session, then permanently deleted.
- Withdrawing consent: You can withdraw your consent to recording at any time. If you do, future sessions will not be recorded and existing recordings will be deleted on request. Withdrawal of consent does not affect the lawfulness of recording that took place before withdrawal.
5. How long we keep your data
| Data type | Retention period |
|---|---|
| Booking and enquiry records | 2 years from last contact |
| Session recordings | 12 months after your final session |
| Client contract and service records | 6 years from end of contract |
| CRM records (Notion) | 6 years from end of contract |
| Financial and invoice records | 6 years from end of the relevant tax year |
| Marketing email list | Until you unsubscribe, or 2 years from last engagement |
| Data processed via AI tools | Not retained by us beyond the session preparation period. Subject to the retention policies of OpenAI and Anthropic. |
After the retention period, data is securely deleted or anonymised.
6. Who we share your data with
We do not sell your personal data to third parties. We share data only with the following service providers who help us operate our business:
- Google Workspace (Google LLC, USA) for email, Google Calendar bookings, Google Meet video sessions, and Google Drive file storage including session recordings
- Stripe (Stripe Payments Europe Ltd, Ireland/USA) for payment processing. Stripe acts as both a data controller (for its own fraud prevention and regulatory obligations) and as a data processor (for processing your payment on our behalf). Your card details are handled securely by Stripe and are never accessible to us. See Stripe's privacy policy.
- Notion (Notion Labs Inc., USA) for client relationship management, storing contact details, session notes and engagement records
- n8n (n8n GmbH, Germany) for internal automation of client onboarding, session preparation and follow-up workflows
- OpenAI (OpenAI LLC, USA) for processing client information via ChatGPT when preparing training materials and custom prompts
- Anthropic (Anthropic PBC, USA) for processing client information via Claude when preparing training materials and session content
- Vercel (Vercel Inc., USA) for website hosting and anonymised website analytics
- HMRC where required by law
7. International data transfers
Several of our service providers are based outside the United Kingdom, including Google, Stripe, Notion, OpenAI, Anthropic and Vercel (USA) and n8n (Germany). Where personal data is transferred outside the UK, it is protected by one or more of the following safeguards:
- Standard Contractual Clauses with the UK International Data Transfer Addendum
- The UK Extension to the EU-US Data Privacy Framework
- Data Processing Agreements with each provider
8. Your rights
Under UK data protection law, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data where it is no longer needed
- Restrict how we process your data in certain circumstances
- Port your data in a machine-readable format
- Object to processing based on legitimate interests or direct marketing
- Withdraw consent at any time where consent is the basis for processing (for example, session recording consent or marketing consent)
To exercise any of these rights, email scott@steppingstonesai.co.uk. We will respond within one month.
9. Cookies
This website uses Vercel Analytics, which is cookie-free and does not track individual users. We do not currently use any other analytics cookies, advertising cookies or third-party tracking scripts.
If we introduce cookies in the future (for example, Google Analytics), we will update this policy and provide a consent mechanism before any non-essential cookies are placed.
10. Complaints
If you have a concern about how we handle your data, please contact us first at scott@steppingstonesai.co.uk. We will:
- Acknowledge your complaint within 5 working days
- Investigate and respond within 30 days
- Let you know how to escalate to the ICO if you are not satisfied with our response
You also have the right to lodge a complaint directly with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated with reasonable notice through our website or by email where appropriate. The date at the top of this page shows when it was last updated.