Privacy Policy
This policy explains what personal data Tincture collects, why, what we do with it, and the rights you have over it. It's written to be readable, not to hide anything in legalese. If anything is unclear, email [email protected] and we'll explain it.
Who we are
Tincture is a sole trader based in the United Kingdom. For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), Tincture is the data controller for the personal data described in this policy.
Contact: [email protected]
What this policy covers
This policy covers personal data we collect when you visit the Tincture website at tinctu.re, subscribe to The Concentrate newsletter, download a tool or kit from the site, make an enquiry or book a diagnostic or fractional engagement, work with us as a client during an engagement, or correspond with us by email or through connected platforms.
It does not cover third-party sites we link to. Those have their own policies.
What we collect and why
We try to collect only what we actually need. Here's the full list.
Newsletter signup. When you subscribe to The Concentrate, we collect your email address and, if you provide it, your name. Lawful basis: consent. We use this to send you the newsletter and occasional related updates from Tincture. You can unsubscribe at any time via the link in every email.
Tool downloads. When you download a tool or kit from the site (for example, the Multi-Agent Starter Kit), we collect your email address and, if you provide it, your name and company. Lawful basis: consent, and our legitimate interest in understanding which tools are useful. We may send you a short follow-up email related to the tool. You can opt out.
Enquiries and bookings. When you contact us about a diagnostic, a fractional engagement, or any other enquiry, we collect the information you choose to share, typically your name, email, company, role, and a description of what you're trying to solve. Lawful basis: steps taken at your request to enter into a contract, and our legitimate interest in responding to enquiries.
Client engagement data. During a paid engagement (diagnostic or fractional), we process information about your business that you share with us. This may include commercial information, customer or pipeline data, financial figures, tool stack details, team information, and any other context needed to do the work. Lawful basis: performance of our contract with you. How we treat this data is set out in sections 4 and 5 below, and in our Terms of Service.
Billing data. For paid engagements, we collect the information needed to invoice you and receive payment: business name, billing address, VAT or tax identifier if applicable, and bank or card details as processed by our payment provider. Lawful basis: performance of contract and legal obligation (accounting records). We do not store full card numbers; our payment processor handles that.
Website analytics. When you visit the site, we collect limited technical information to understand how the site is used: pages viewed, approximate location (derived from IP at the country or region level), device type, browser, and referrer. Where this is collected through analytics cookies, we rely on your consent. See our Cookie Notice for the full list of cookies used.
Correspondence. Emails, messages, and notes from calls or meetings during our work together. Lawful basis: performance of contract, and our legitimate interest in keeping records of what was discussed and agreed.
How we use client data during an engagement
This is the part clients most often ask about, so we've written it out in full.
When you hire Tincture for a diagnostic or fractional engagement, you're trusting us with commercial information about your business. The default rule is simple: your data is your data. We use it to do the work you hired us to do, and nothing else.
Specifically: we read, analyse and work with the information you share in order to deliver the diagnostic, the roadmap, the AI workflow layer, and any other agreed deliverable. We may configure AI tools (for example Claude, or other large language models accessed through a provider's API) on your stack as part of the workflow layer build-out. Where those tools process your data, they do so as processors or sub-processors acting on our instructions, under their own data processing terms. A current list of subprocessors is in section 8.
We keep records of our work with you for as long as we need them to complete the engagement and meet our legal obligations (see section 9).
We do not sell your data. We do not share your commercial information with other clients. We do not use your raw data to train any AI model or to build products for other clients.
How we use anonymised and aggregated insights
Like any practice that gets better with experience, we learn from the work we do. To refine our methodology, improve our frameworks, and develop tools, we may use anonymised and aggregated insights drawn from our work. This means removing anything that could reasonably identify you, your company, your team, or your customers, combining patterns across multiple engagements so no individual client's data is visible, and using the resulting insights only for general methodology and tool development, never for targeted analysis of an identified business.
This is explicitly permitted under our Terms of Service and reflects standard practice for advisory work. If you're not comfortable with this, tell us at the start of the engagement and we'll agree an alternative in writing.
We will not use your identifiable personal or business data to train models or develop products. That's a hard line.
International transfers
Some of the services we use are provided by companies outside the UK, typically in the United States or the European Economic Area. Where personal data is transferred outside the UK, we rely on the safeguards required by UK data protection law, usually the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, along with adequacy decisions where they apply.
If you'd like a list of where specific processors are based and the safeguards we rely on for each, email [email protected].
Subprocessors
A current list of the main processors and subprocessors we use:
Email and productivity: Google, Notion
Newsletter platform: Substack, Resend
Website hosting: Vercel, Supabase
Website analytics: Vercel
Payment processing: Stripe
AI tools used in engagements: Anthropic, OpenAI, Google
Cloud storage used in engagements: Google
We'll update this list when it changes. If you want a definitive up-to-date version before signing an engagement, please ask.
How long we keep data
We keep personal data only as long as we need to, then we delete or anonymise it.
Newsletter subscribers: until you unsubscribe, or three years from your last engagement with our emails, whichever is sooner.
Tool download contacts: up to two years from download.
Enquiries that don't become engagements: up to twelve months from the last contact.
Client engagement records: for the duration of the engagement and for six years after it ends, to meet tax, accounting and professional record-keeping requirements.
Financial and billing records: six years, as required by UK tax law.
Website analytics: as set out in our Cookie Notice.
After these periods, we delete the personal data or convert it into anonymised records that no longer identify you.
Your rights
Under UK data protection law, you have the right to:
Access the personal data we hold about you.
Correct it if it's wrong or incomplete.
Delete it, in certain circumstances.
Restrict how we use it, in certain circumstances.
Object to our processing, where we rely on legitimate interests.
Receive it in a portable form, meaning you can ask for a copy in a structured, commonly used format.
Withdraw consent at any time where consent is the lawful basis (for example, unsubscribing from the newsletter).
Complain to the Information Commissioner's Office (ICO) at ico.org.uk if you think we've mishandled your data. We'd appreciate the chance to fix it first, so if you can, email us before going to the ICO.
To exercise any of these rights, email [email protected]. We'll respond within one month.
How we protect data
We use reasonable technical and organisational measures to protect personal data against loss, misuse, and unauthorised access. These include encrypted storage, strong passwords and multi-factor authentication on business-critical accounts, access controls limited to what's needed, and supplier due diligence on the processors we use.
If we ever discover a personal data breach that meets the threshold, we'll notify the ICO within 72 hours and notify affected individuals without undue delay, as required by law.
Children
Our services are for businesses, not consumers, and not intended for children. We don't knowingly collect personal data from anyone under 18. If you think we have, email [email protected] and we'll delete it.
Changes to this policy
We'll update this policy from time to time, for example when we add a new processor or change how we use data. The "Last updated" date at the top will reflect the most recent change. If the change is material, we'll notify subscribers and active clients by email.
Contact
Questions, requests, or complaints: [email protected].
You can also contact the Information Commissioner's Office at ico.org.uk or 0303 123 1113.