Skip to main content

Privacy Policy

Last updated: Version 1.1

Introduction

i2o.ai ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your personal data when you visit our website at i2o.ai (the "Site").

This policy applies to all visitors, subscribers, and users of the Site. We act as the data controller for the personal data described below. This policy complies with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Privacy and Electronic Communications Regulations 2003 (PECR).

Data We Collect

We collect the following categories of personal data:

Information You Provide

  • Email address — when you subscribe to our newsletter or submit a contact form.
  • Name and business details — when you submit a sprint enquiry form (company name, project description, contact details).

Information Collected Automatically

  • Usage data — anonymous analytics data (page views, referrer, device type, browser type, operating system, session duration) collected via PostHog, only after explicit cookie consent.
  • Cookie data — essential cookies for site functionality and optional analytics cookies. See our Cookie Policy for details.

Information We Do Not Collect

We do not collect payment information, government identification numbers, or sensitive personal data (such as health data, political opinions, or biometric data).

How We Use Your Data

We process your personal data for the following purposes:

  • Newsletter delivery — to send our weekly newsletter and content updates (with your explicit consent via double opt-in).
  • Sprint enquiry processing — to respond to and manage enquiries submitted via our sprint contact forms.
  • Site analytics — to understand how visitors use the Site and improve our content and user experience (only with your cookie consent).
  • Site functionality — to maintain essential site features such as theme preferences and cookie consent state.

Legal Basis for Processing

Under the UK GDPR and EU GDPR, we process personal data under the following legal bases:

  • Consent (Article 6(1)(a)) — for newsletter subscriptions (double opt-in), analytics cookies, and session recordings.
  • Legitimate interest (Article 6(1)(f)) — for essential site functionality, security, and responding to sprint enquiries you initiate.

You may withdraw your consent at any time. For newsletter subscriptions, use the unsubscribe link in any email. For analytics, you can adjust your preferences at any time via the "Cookie Settings" link in the site footer, choosing independently between product analytics (PostHog) and web analytics (Google Analytics).

Third-Party Data Processors

We share personal data with the following third-party service providers who process data on our behalf. Each processor is bound by a data processing agreement (DPA):

ConvertKit (or Beehiiv)

Purpose: Email newsletter delivery and subscriber management.
Data shared: Email address.
Location: United States (EU-US Data Privacy Framework certified).
Retention: Until you unsubscribe, after which your data is deleted within 30 days.

Pipedrive

Purpose: CRM for managing sprint enquiries and business communications.
Data shared: Name, email address, company name, project details submitted via the sprint enquiry form.
Location: European Union.
Retention: Enquiry data is retained for the duration of the business relationship and deleted within 12 months of last contact.

PostHog (Product Analytics)

Purpose: Product analytics and user experience insights, including session recordings (10% sample rate with all input fields masked).
Data shared: Anonymised usage data (page views, clicks on links and buttons, session duration, referral sources, device and browser type). No personally identifiable information is sent. PostHog uses localStorage for persistence (no tracking cookies are set). Session recordings mask all text inputs and exclude legal pages (/privacy, /terms, /cookies).
Technology: PostHog JS SDK with persistence: "localStorage", respect_dnt: true, and person_profiles: "identified_only".
Location: European Union (hosted at eu.i.posthog.com).
Retention: Analytics data is retained for 12 months. Session recordings are retained for 30 days (configured server-side).

Google Analytics 4 (Web Analytics)

Purpose: Website traffic analysis and audience insights.
Data shared: Anonymised usage data (page views, traffic sources, audience demographics). IP addresses are anonymised via the anonymize_ip configuration setting.
Technology: Google Analytics 4 via gtag.js. Sets _ga and _ga_* cookies for visitor and session identification.
Location: United States (EU-US Data Privacy Framework certified).
Retention: Data is retained for 14 months and then automatically deleted.

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

Data Retention

We retain personal data only as long as necessary for the purposes described above:

  • Newsletter subscribers: Email address retained until you unsubscribe.
  • Sprint enquiry data: Retained for 12 months after last contact, then deleted.
  • Analytics data: Retained for 12–14 months depending on the platform.
  • Cookie consent preferences: Retained for 12 months, then re-prompted.

International Data Transfers

Some of our third-party processors are located outside the European Economic Area (EEA) and the United Kingdom. Where data is transferred to countries outside the EEA or the UK, we ensure adequate safeguards are in place:

  • EU-US Data Privacy Framework — for US-based processors (ConvertKit, Google Analytics) that are certified under the framework.
  • UK International Data Transfer Agreement (IDTA) — for transfers from the UK to countries without an adequacy decision, as approved by the UK Information Commissioner's Office (ICO).
  • Standard Contractual Clauses (SCCs) — where required, as approved by the European Commission, supplemented by the UK Addendum where applicable.

Your Rights

Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your data ("right to be forgotten").
  • Right to restrict processing — request that we limit how we use your data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interest.
  • Right to withdraw consent — withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — file a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact us at privacy@i2o.ai. We will respond to your request within 30 days.

Children's Privacy

The Site is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Changes will be reflected by the "Last updated" date at the top of this page. For significant changes, we will provide prominent notice on the Site.

Continued use of the Site after changes are posted constitutes acceptance of the revised policy.

Contact

For data-related enquiries, requests, or complaints, contact us at:

Email: privacy@i2o.ai
Website: i2o.ai

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.