Privacy Policy

1. Introduction

Ethos Miles Limited ("we", "us", "our", or "Company") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and otherwise process your personal information in connection with our AI-led digital hub services, website (ethosmiles.com), and related services.

Ethos Miles Limited is incorporated in England and Wales and is subject to the UK GDPR and the UK Data Protection Act 2018. Where we handle data from individuals in the European Economic Area, we comply with the EU GDPR. Where we handle data from individuals in Switzerland, we apply the principles of the revised Federal Act on Data Protection (revFADP) that came into force on 1 September 2023. Where we handle data from California residents, we provide the disclosures required under the California Consumer Privacy Act (CCPA) / CPRA. This policy is written to satisfy all four frameworks; jurisdiction-specific rights are set out in section 10.

2. Information We Collect

We collect personal data in the following ways:

• Contact Form: When you submit an enquiry through our website contact form, we collect your name, email address, company name (optional), service interest (optional), and the message you write. We do not collect phone numbers through this form.
• Email Communications: Correspondence and replies sent to our contact addresses (Info@ethosmiles.com, Online@ethosmiles.com).
• Website Analytics: Aggregated, anonymised usage data — such as pages visited and session duration — via Vercel Analytics. This service does not use persistent tracking cookies and does not fingerprint individual users. See our Cookie Policy for full details.
• Call Booking: When you use the "Book a Call" button on this site, you are directed to Google Calendar (a Google LLC service). Google collects your name, email address, and any details you enter during scheduling directly, under Google's own Privacy Policy. We receive the appointment details (name, email, selected time) to prepare for the meeting.
• Business Interactions: Information you provide during discovery calls, meetings, proposals, or service engagements.

3. Legal Basis for Processing

We process your personal data on the following lawful bases:

• Contractual Performance: To deliver services you have requested or engaged us to provide.
• Legitimate Interest: To respond to enquiries, improve our services, prevent fraud, and comply with legal obligations.
• Consent: Where you have explicitly consented, such as for analytics cookies. You may withdraw consent at any time via our Cookie Preferences link in the footer.
• Legal Obligation: To comply with applicable laws, regulations, and lawful governmental requests.

4. How We Use Your Data

Your personal data is used for:

• Responding to your enquiries and providing service information
• Delivering services, creating proposals, and invoicing
• Sending service updates or communications (where consented)
• Improving our website and user experience through anonymised analytics
• Legal compliance and fraud prevention

5. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes outlined in this policy:

• Contact form submissions: Retained for 3 years for enquiry follow-up and business records.
• Client data: Retained for the duration of the service relationship plus 6 years for accounting and tax compliance.
• Analytics data: Vercel Analytics retains aggregated data per its own retention schedule. No individual-level data is stored by us.
• Website cookies: As specified in our Cookie Policy.

6. Data Sharing and Disclosure

We do not sell your personal data. We may share it with:

• Service providers: Email delivery (Resend), website hosting (Vercel), bot-protection (Cloudflare Turnstile), and meeting scheduling (Google Calendar / Google Workspace) — each operating under their own data processing agreements. When you book a call via our Google Calendar link, your name, email address, and any information you provide during scheduling are processed by Google LLC under its privacy policy at policies.google.com/privacy.
• Team members: Our UK and international team members on a need-to-know basis.
• Legal compliance: When required by law, regulation, or valid legal process.
• Business transfers: If Ethos Miles Limited is acquired or merges, your data may be transferred as part of that transaction.

7. Your Rights

Under UK GDPR and other applicable privacy laws, you have the right to:

• Access: Request a copy of your personal data.
• Rectification: Request correction of inaccurate data.
• Erasure: Request deletion of your data (subject to legal retention requirements).
• Restriction: Request limitation of how we process your data.
• Portability: Request your data in a portable format.
• Objection: Object to processing on the basis of legitimate interest.
• Withdraw Consent: Withdraw consent to analytics cookies at any time via Cookie Preferences in the footer.
• Lodge a Complaint: File a complaint with the ICO (ico.org.uk) or your local data protection authority.

8. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include TLS encryption in transit, secure hosting infrastructure, bot protection on public forms, and limited access controls. No method is 100% secure, and we cannot guarantee absolute security.

9. International Data Transfers

Our primary processing location is the United Kingdom. Some of our service providers operate infrastructure in the United States and elsewhere. The table below names each processor, the data they handle, their primary processing location, and the safeguard we rely on for any transfer out of the UK / EEA / Switzerland.

For Swiss individuals: transfers to the USA above rely on SCCs approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC) as an appropriate safeguard under Article 16 revFADP, in the absence of a Swiss adequacy decision covering these providers. You may request a copy of the applicable SCCs by emailing Info@ethosmiles.com.

10. Jurisdiction-Specific Rights and Notices

UK and EEA residents (UK GDPR / EU GDPR)

In addition to the rights listed in section 7, you have the right to lodge a complaint with:

• UK: Information Commissioner's Office (ICO) — ico.org.uk / 0303 123 1113
• EEA: The supervisory authority in the EU member state where you reside, work, or where an alleged infringement occurred.

Our lawful basis for processing enquiry data is legitimate interest (Article 6(1)(f) UK/EU GDPR) — specifically, responding to a business enquiry you initiated. Marketing follow-up is only conducted where you have given separate, explicit consent via the opt-in checkbox on the contact form.

Swiss residents (revFADP)

Under the revised Federal Act on Data Protection (in force 1 September 2023), you have equivalent rights to access, rectification, erasure, restriction, and portability. You may also object to automated processing and request human review of decisions that significantly affect you. Complaints may be directed to the Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch.

International transfers from Switzerland are covered by the SCCs referenced in section 9. Ethos Miles Limited acts as the data controller for data submitted via this website. We do not appoint a Swiss representative at this time as our processing of Swiss resident data is limited in volume and risk; we will review this as our Swiss client base grows.

California residents (CCPA / CPRA) — Notice at Collection

At the point of collection (the contact form), we disclose:

• Categories collected: Identifiers (name, email), professional information (company, service interest), and inferences drawn from your message content.
• Purpose: Responding to your enquiry. With your separate consent, sending service-related communications.
• Retention: 12 months for enquiry records; 6 years for client engagement records.
• Sale / sharing: We do not sell or share personal information for cross-context behavioural advertising.
• Sensitive personal information: We do not intentionally collect sensitive personal information as defined under CPRA.

California residents may submit access, deletion, correction, or opt-out requests to Info@ethosmiles.com. We will respond within 45 days. We do not discriminate against individuals who exercise CCPA rights.

11. Third-Party Links and Services

Our website may contain links to third-party websites and services. This Privacy Policy does not apply to external sites. We encourage you to review their privacy policies before providing personal information.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or have a complaint: