Privacy Policy
This policy explains how CONRAD & THOMAS LTD (“EnqLayer”, “we”, “us”) collects, uses and protects personal data when you visit our website, contact us, or use our enquiry-operations service. We are based in Glasgow, Scotland, United Kingdom, and we handle personal data in line with the UK GDPR and the Data Protection Act 2018.
1. Who we are & how to reach us
The data controller for our website and prospect enquiries is CONRAD & THOMAS LTD, a company registered in Scotland. You can contact us about privacy at [email protected].
2. Controller vs. processor — two roles
- As a controller. For our own website visitors, prospects and customers, we decide how and why personal data (e.g. your contact details) is used.
- As a processor. When a customer business uses EnqLayer to handle its incoming enquiries, that business is the controller of its customers’ data, and we process that data on its behalf and on its instructions, under a data-processing agreement.
3. What we collect
| Category | Examples | Why |
|---|---|---|
| Contact data | Name, email, business name, message | To answer enquiries and provide a quote or audit |
| Transaction data | Plan, order and payment status (payment card data is handled by our payment provider, not stored by us) | To deliver and bill the service |
| Usage data | Pages viewed, device/browser type, approximate region | To keep the site secure and improve it |
| Enquiry content (as processor) | Messages your customers send you across the channels you connect | To capture, draft replies, and track follow-ups on your behalf |
4. How we use data & our legal bases
- Contract — to provide the service you or your business asked for.
- Legitimate interests — to run, secure and improve our site and service, where your rights do not override this.
- Consent — for optional analytics or marketing, where used; you can withdraw consent at any time.
- Legal obligation — to meet accounting, tax and other legal duties.
5. AI-usage disclosure & human control
AI drafts. A human approves. Nothing is sent automatically. EnqLayer uses AI to draft suggested replies to enquiries. Those drafts are held for a person to review and approve. We operate a 0 auto-sent rule: no substantive reply is sent to a customer without a human approving it.
We do not use AI to make solely automated decisions that produce legal or similarly significant effects about a person (UK GDPR Article 22). The AI does not provide medical, legal or financial advice, and it is never presented as a human.
Enquiry content may be sent to our AI provider solely to generate a draft. It is not used to train third-party public models. See sub-processors below.
6. Data processing & sub-processors
We use a small set of trusted providers to run the service. Each is bound by a data-processing agreement and appropriate safeguards. This list is kept current as the product platform rolls out.
| Provider | Purpose | Status |
|---|---|---|
| Cloudflare, Inc. | Domain, website hosting/CDN, edge compute | In use |
| Google (Workspace) | Business email ([email protected]) | In use |
| Anthropic, PBC | AI drafting of suggested replies | Product platform |
| Supabase | Application database (enquiries, approvals, audit log) | Product platform |
| Stripe, Inc. | Payment processing | Product platform |
7. International transfers
Some providers process data outside the UK. Where they do, we rely on UK-approved safeguards such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with adequacy decisions where they apply.
8. How long we keep data
We keep personal data only as long as needed for the purpose it was collected, to meet legal duties, or to resolve disputes. Prospect enquiries are kept for up to 24 months from last contact. Customer (processor) data is retained per the customer’s instructions and deleted or returned when the agreement ends.
9. Your rights
Under UK GDPR you can ask us to: access your data; correct it; erase it; restrict or object to its use; and receive it in a portable format. Where we rely on consent, you can withdraw it at any time. To exercise a right, email [email protected]. If EnqLayer holds your data as a processor on behalf of a business, we will direct your request to that business (the controller).
You also have the right to complain to the UK regulator, the Information Commissioner’s Office (ICO) — ico.org.uk. We’d appreciate the chance to resolve your concern first.
10. Security
We use appropriate technical and organisational measures — encryption in transit, access controls, and an approval/audit trail — to protect personal data. No system is perfectly secure, but we work to reduce risk and respond quickly to incidents.
11. Cookies
Our website uses only essential and functional storage. See our Cookie Policy for details.
12. Children
EnqLayer is a business tool and is not directed at children. We do not knowingly collect data from anyone under 16.
13. Changes
We may update this policy as the service evolves. We’ll change the “last updated” date above and, for material changes, take reasonable steps to let affected users know.
14. Contact
CONRAD & THOMAS LTD (EnqLayer), Glasgow, Scotland, United Kingdom · [email protected]