Privacy Policy

1. Introduction and Scope

This Privacy Policy (the "Policy") is issued by Pumpt AI Technologies Limited, a company incorporated in England and Wales under company number 16507362, with registered office at 71-75 Shelton St, London, WC2H 9JQ ("Pumpt", "we", "us", "our").

This Policy governs the collection, use, storage, sharing, and protection of personal data processed through:

the Pumpt website and any associated web properties;
the Pumpt mobile and desktop applications (the "Apps");
our AI-powered marketplace platform connecting Business Customers and Service Providers (the "Platform");
all conversational AI systems, automated matching services, and related digital tools operated by Pumpt;
any other interactions where Pumpt acts as a Data Controller.

All of the above are collectively referred to in this Policy as the "Services".

By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree, you must cease use of the Services immediately.

This Policy should be read alongside our Terms of Service and, where applicable, any Data Processing Agreement (DPA) entered into between Pumpt and Business Customers operating in a commercial capacity.

2. Data Controller

Company

Pumpt AI Technologies Limited

Company Number

16507362

Registered Office

71-75 Shelton St, London, WC2H 9JQ

Privacy Contact

privacy@pumpt.com

General Contact

hello@pumpt.com

Where Business Customers process personal data of their own employees or end-users through the Platform, Pumpt may act as a Data Processor on their behalf. In such cases, a separate Data Processing Agreement will apply.

3. Categories of Personal Data We Collect

We collect personal data directly from you (when you register, use the Services, or communicate with us), automatically (through your use of the Services), and from third parties (such as payment processors, identity verification services, or business information providers).

3.1 Identity and Verification Data

Full legal name
Date of birth (where age verification is required)
Government-issued identification documents (e.g., passport, driving licence)
Professional qualifications, trade licences, and regulatory membership numbers
Business registration details (for Business Customers and incorporated Service Providers)
Right-to-work documentation (where applicable for Service Provider onboarding

3.2 Contact Data

Email address
Telephone and mobile number
Business address and registered address
Emergency contact information (where voluntarily provided)

3.3 Account and Profile Data

Login credentials (securely hashed and encrypted)
Profile photographs and business images
Service offerings, pricing configurations, and availability settings
Preferences and customisation settings

3.4 Transaction and Financial Data

Payment card details (processed and tokenised exclusively via PCI-DSS compliant third-party payment providers — Pumpt does not store raw card data)
Bank account details (where applicable for Service Provider payouts)
Transaction history, invoices, and receipts
Booking and service request records
Dispute and refund history

3.5 AI Interaction and Conversation Data

Inputs submitted to Pumpt's AI systems and conversational interfaces
AI-generated outputs, estimates, and recommendations
Interaction logs, session records, and conversation transcripts
Language preferences and detected intent signals
Feedback provided on AI outputs

3.6 Technical and Usage Data

IP address and geolocation data
Browser type and version, operating system, and device identifiers
Session duration, page views, clickstream data, and feature usage
Referral source and marketing attribution data
Error logs and diagnostic data
Cookie identifiers and similar tracking technologies (see Section 13)

3.7 Communications Data

Messages sent through the Platform's in-app messaging system
Support tickets and correspondence with Pumpt's team
Survey responses and feedback submissions

3.8 Compliance and Due Diligence Data

Results of identity verification and KYC checks
Sanctions screening and fraud detection flags
Insurance certificates, liability documentation, and relevant regulatory records
Complaint and dispute records

4. Lawful Bases for Processing and Purposes

We process personal data only where we have a valid lawful basis under Article 6 UK GDPR. In limited circumstances involving special category data, we also rely on a condition

under Article 9. The table below sets out our principal processing activities and the lawful basis for each.

Processing Purpose

Lawful Basis

Account registration and platform

access

Contract (Art. 6(1)(b))

Identity, Contact, Account

Matching Business Customers with

Service Providers via AI

Contract; Legitimate Interests

Account, AI Interaction, Technical

Processing payments and

managing transactions

Contract (Art. 6(1)(b))

Transaction, Identity

Identity verification and KYC

compliance

Legal Obligation (Art. 6(1)(c))

Identity, Compliance

AI model training and performance

improvement

Legitimate Interests (Art. 6(1)(f))

AI Interaction, Usage

Fraud detection, security, and

platform integrity

Legitimate Interests (Art. 6(1)(f))

All categories

Legal compliance, tax, and

regulatory obligations

Legal Obligation (Art. 6(1)(c))

Identity, Transaction, Compliance

Sending transactional

communications

Contract (Art. 6(1)(b))

Contact, Account

Sending marketing communications

Consent (Art. 6(1)(a))

Contact, Account

Dispute resolution and complaints

handling

Legitimate Interests; Legal Claims

All relevant categories

Business analytics and product

improvement

Legitimate Interests (Art. 6(1)(f))

Usage, Technical, AI Interaction

Compliance with court orders or

regulatory requests

Legal Obligation (Art. 6(1)(c))

All relevant categories

Where we rely on Legitimate Interests, we have conducted a Legitimate Interests Assessment (LIA) balancing our interests against the rights and freedoms of data subjects. Copies of LIAs are available on written request.

5. Artificial Intelligence and Automated Processing

5.2 Automated Decision-Making

Certain Platform functions involve automated processing that may produce outputs affecting your access to services or the visibility of your profile. These include:

automated matching decisions that determine which Service Providers are presented to Business Customers;
dynamic pricing recommendations generated by our AI systems;
automated fraud and risk scoring applied during onboarding and transaction processing;
account suspension or restriction triggers activated by anomaly detection systems.

Where an automated decision produces legal or similarly significant effects, we implement the following safeguards:

You have the right to request human review of the decision;
You have the right to express your point of view before the decision is given effect;
You have the right to contest the decision.

To exercise these rights, contact privacy@pumpt.com. We will acknowledge your request within 72 hours and respond substantively within the applicable statutory period.

5.3 AI Model Training

We may use anonymised and aggregated data from Platform interactions to train, validate, and improve our AI systems. Where we do so:

we apply technical measures to remove or pseudonymise personal identifiers before data is used for model training;
raw conversational transcripts are not shared with third-party AI providers for training purposes without your explicit consent;
you may opt out of contributing to AI model improvement by contacting privacy@pumpt.com.

6. Business Customer and Service Provider Specific Provisions

6.1 Business Customers

Where Business Customers use the Platform in the course of their business:

Pumpt processes personal data of Business Customer representatives (e.g., account managers, booking contacts) as a Data Controller;
where Business Customers instruct Pumpt to process data on behalf of their own customers or employees, Pumpt acts as a Data Processor and a separate Data Processing Agreement (DPA) applies;
Business Customers are responsible for ensuring they have a valid lawful basis for sharing any personal data with Pumpt;
Business Customers must not share with Pumpt personal data of individuals who have not been informed of such sharing in accordance with UK GDPR Articles 13 and 14.

6.2 Service Providers

Service Providers registered on the Platform acknowledge and agree that:

their profile information, including name, photograph, trade qualifications, service areas, ratings, and pricing, is displayed to Business Customers and may be publicly visible on the Platform;
their identity and professional credentials are subject to verification processes, which may involve third-party verification providers;
their performance data, including job completion rates, response times, and customer ratings, is processed by Pumpt for Platform integrity and matching algorithm purposes;
Pumpt may process their financial information for the purpose of calculating and disbursing payments, and for compliance with tax reporting obligations;
Pumpt may share their personal data with Business Customers to the extent necessary to fulfil a service booking.

6.3 Limitation of Liability for User-Generated Data

Pumpt is not responsible for the accuracy of information self-submitted by Business Customers or Service Providers. We do not warrant that profiles, credentials, qualifications, or self-reported data are accurate, current, or complete. Verification checks do not constitute a guarantee of competence, suitability, or compliance with applicable laws.

7.1 Service Providers and Sub-processors

We do not sell personal data to third parties. We share personal data only as described in this Policy or as required by law.

We may share personal data with the following categories of recipients:

7.1 Service Providers and Sub-processors

Payment processors and financial services providers (e.g., Stripe, Banking-as-a-Service partners)

Identity verification and KYC service providers
Cloud infrastructure and hosting providers (e.g., AWS, Google Cloud)
Customer support and CRM platforms
AI and machine learning infrastructure providers
Analytics and business intelligence tools
Email and communications delivery services

All sub-processors are subject to contractual obligations requiring them to process personal data securely, lawfully, and in accordance with our instructions. A list of current sub-processors is available on request.

7.2 Marketplace Participants

We share Service Provider profile data with Business Customers to facilitate service matching and bookings.

We share Business Customer contact and booking details with Service Providers to the extent necessary to deliver requested services.
Sharing is limited to what is strictly necessary for the fulfilment of the relevant transaction.

8. International Data Transfers

Pumpt is based in the United Kingdom. Where we transfer personal data outside the UK (including to service providers or infrastructure hosted in other jurisdictions), we ensure appropriate safeguards are in place, including:

transfers to countries benefiting from a UK adequacy decision under Article 45 UK GDPR;
use of UK International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses;
where no other mechanism applies, reliance on specific derogations under Article 49 UK GDPR (e.g., performance of a contract).

Details of the safeguards applicable to specific third-country transfers are available on written request to privacy@pumpt.com.

9. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy, subject to any longer retention period required by law or regulation.

Data Category

Retention Period

Account and profile data

Duration of account plus 2 years following account closure

Transaction and financial records

7 years from date of transaction (HMRC compliance)

AI interaction and conversation logs

12 months, or as anonymised data for model training indefinitely

Identity and verification documents

5 years following completion of verification, or as required by applicable regulation

Communications and support records

3 years from date of communication

Technical and usage data

13 months (analytics) or 26 months (aggregated)

Legal dispute and compliance records

Duration of proceedings plus 6 years, or as required by law

Marketing consent records

Until consent withdrawn plus 3 years

Upon expiry of the relevant retention period, personal data will be securely deleted or anonymised in accordance with our data disposal procedures. Anonymised data may be retained indefinitely for statistical and analytical purposes.

10. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, loss, or destruction, proportionate to the risks involved in the processing and the nature of the data concerned.

Our security measures include:

encryption of personal data in transit (TLS 1.2 or above) and at rest (AES-256 or equivalent);
multi-factor authentication for all Pumpt staff accessing production systems;
role-based access controls limiting access to personal data on a need-to-know basis;
regular penetration testing and vulnerability assessments by qualified third parties;
secure development practices and code review processes, including OWASP guidelines;
documented incident response and breach notification procedures;
annual security awareness training for all staff with access to personal data;
secure disposal of hardware and data storage media.

11. Your Data Subject Right

Under UK GDPR, you have the following rights in relation to your personal data. You may exercise any of these rights by submitting a written request to privacy@pumpt.com. We will respond within one calendar month of receipt, which may be extended by up to two further months in cases of complexity or high volume (you will be informed of any extension).

We reserve the right to verify your identity before processing any request. We will not charge a fee for handling requests unless they are manifestly unfounded or excessive, in which case a reasonable fee may be applied.

Right

Description and Limitations

Right of Access (Art. 15)

Obtain confirmation as to whether we process your personal data and, if so, a copy of that data and related information.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data.

Right to Erasure (Art. 17)

Request deletion of personal data where processing is no longer necessary, unlawful, or where consent has been withdrawn. This right is subject to exceptions including legal obligation and legitimate overriding interests.

Right to Restriction (Art. 18)

Request restriction of processing in specified circumstances, e.g., while accuracy is contested.

Right to Portability (Art. 20)

Receive personal data you provided to us in a structured, machine-readable format, or have it transmitted to another controller, where processing is based on consent or contract and carried out by automated means.

Right to Object (Art. 21)

Object to processing based on Legitimate Interests, including profiling. We may override this right where we can demonstrate compelling legitimate grounds.

Right Not to be Subject to Automated Decisions

(Art. 22)

Request human review of automated decisions with significant effects, and contest such decisions. See Section 5.2 for further detail.

Right to Withdraw Consent (Art. 7(3))

Until consent Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing prior to withdrawal. plus 3 years

If you are dissatisfied with our handling of your request or believe your data is being processed unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

ICO Website: https://ico.org.uk
ICO Helpline: 0303 123 1113
ICO Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

12. Special Category Data

We do not intentionally collect special category personal data (as defined in Article 9 UK GDPR), which includes data relating to health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, sex life or sexual orientation.

If you voluntarily disclose special category data through the Platform (for example, within a conversational AI interface), you consent to its processing to the extent strictly necessary to address your query or provide the Services. We will not use such data for any secondary purpose without your explicit consent.

Where we are legally required to process special category data (e.g., for right-to-work verification involving health-related documents), we will rely on appropriate Article 9 conditions and will notify you accordingly.

13. Cookies and Tracking Technologies

We use cookies and similar technologies (including pixels, web beacons, and device fingerprinting) on our website and Apps. Our use of cookies is governed by this Policy and our separate Cookie Policy, available at [pumpt.com/cookie-policy].

We use the following categories of cookies:

Cookie Category

Description

Strictly Necessary

Essential for Platform operation, authentication, and security. Cannot be disabled.

Performance & Analytics

Help us understand how users interact with the Platform. Disabled if analytics consent is declined.

Functional

Enable personalisation features, language preferences, and user settings.

Targeting & Marketing

Used to deliver relevant advertising. Only activated where explicit consent is given.

You can manage your cookie preferences through our cookie consent banner when you first visit the Platform, or at any time via your browser or device settings. Please note that disabling certain cookies may affect Platform functionality.

We do not use tracking technologies to create profiles for sale to third parties. Where third-party tracking tools are used (e.g., analytics providers), they are subject to the data sharing provisions in Section 7 and applicable sub-processor agreements.

14. Marketing Communications

Where you have provided your consent, we may send you marketing communications by email, SMS, or in-app notification relating to Pumpt's services, features, and promotions.

You may withdraw your consent and opt out of marketing communications at any time by:

clicking the unsubscribe link in any marketing email;
updating your notification preferences in your account settings;
contacting us at privacy@pumpt.com.

Opting out of marketing will not affect the delivery of transactional communications essential to your use of the Services (e.g., booking confirmations, payment receipts, security alerts).

We do not share personal data with third-party advertisers for the purpose of delivering advertising on their behalf. We do not use your personal data to infer sensitive characteristics for marketing profiling.

15. Children

The Services are not directed to, and are not intended for use by, individuals under the age of 18. We do not knowingly collect personal data from children under 18.

If we become aware that we have inadvertently collected personal data from a person under 18 without appropriate parental or guardian consent, we will take immediate steps to delete such data. If you believe we may have collected data from a child, please contact us at privacy@pumpt.com.

16. Third-Party Services and Links

The Platform may contain links to third-party websites, applications, or services. This Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through or alongside the Platform.

Third-party payment processors and identity verification providers operate under their own privacy policies and regulatory obligations. We select sub-processors that provide adequate data protection guarantees, but Pumpt accepts no liability for the independent data practices of third parties beyond our contractual obligations with them.

17. Changes to This Privacy Policy

We may update this Policy periodically to reflect changes in law, regulatory guidance, our business operations, or the Services we offer.

Where changes are material, we will notify you by:

prominent notice on the Platform;
email to your registered address (where required by law or where the change materially affects your rights);
in-app notification.

The date of the most recent revision will be displayed at the top of this Policy. We encourage you to review this Policy periodically. Your continued use of the Services following notification of any changes constitutes acceptance of the updated Policy. If you do not agree to the updated Policy, you must cease use of the Services.

Archived versions of this Policy are available on request from privacy@pumpt.com.

18. Governing Law and Jurisdiction

This Policy is governed by and construed in accordance with the laws of England and Wales. Any disputes relating to this Policy or the processing of personal data shall be subject to the exclusive jurisdiction of the courts of England and Wales, without prejudice to your right to lodge a complaint with the ICO or any other competent supervisory authority.

19. Limitation of Liability

Nothing in this Policy limits or excludes Pumpt's liability where such limitation or exclusion would be unlawful, including liability for death or personal injury caused by our negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited under applicable law.

Subject to the above, Pumpt's aggregate liability to any individual arising from a privacy-related claim, to the extent permitted by applicable law, shall be limited to the greater of: (a) the total fees paid by that individual to Pumpt in the 12 months preceding the claim; or (b) £500.

We shall not be liable for any indirect, consequential, special, or punitive losses or damages arising from any privacy-related claim, including loss of profits, loss of revenue, loss of business, or loss of data, except where such liability cannot be excluded by applicable law.

These limitations reflect a reasonable and proportionate allocation of risk, consistent with our obligations under UK GDPR and applicable law.

20. Contact Us

For any privacy-related enquiries, to exercise your data subject rights, or to raise a concern, please contact:

Privacy Officer

Pumpt AI Technologies Limited

71-75 Shelton St, London, WC2H 9JQ

Email: privacy@pumpt.com

General: hello@pumpt.com

We aim to acknowledge all privacy-related enquiries within 3 business days and to respond substantively within the timeframes required under UK GDPR.

— End of Privacy Policy —