How I Work About James Case Studies Insights
Start a conversation
Orchiture

Making technology teams work better

Legal Notice

Privacy Policy

"We treat your data with the same structural integrity we apply to our consulting."

1. Introduction

Orchiture Ltd ("we", "us", or "our") is committed to protecting and respecting your privacy. This policy explains how we collect, use, and protect the personal information you provide to us through our websites — orchiture.com and orchiture.ai — as well as through the delivery of our consulting services, including remote sessions conducted via video and audio recording.

We are registered in England and Wales (Company No. 15058169) and act as a data controller in respect of personal data processed under this policy. Where we engage third-party tools to process data on our behalf, those parties act as data processors under our instruction.

2. Information We Collect

2a. Website Enquiries

When you use our contact form, we collect the following:

  • Full Name
  • Email Address
  • Organisation Name
  • Details of the business challenge you are facing

2b. Client Session Data

When you engage Orchiture for consulting services, we may also collect the following data in connection with remote sessions:

  • Audio recordings of calls and sessions
  • AI-generated transcripts of those recordings
  • Analysis outputs derived from transcripts, including summaries, themes, and structural observations
  • The identities of all participants captured in recordings, including employees and colleagues of the client who join sessions
  • Any third-party personal data shared during sessions (for example, information about your team members discussed in the course of the engagement)

Note for clients: Where your employees or colleagues participate in recorded sessions, you are responsible as their employer for ensuring they have been informed that the session will be recorded and that their data will be processed as described in this policy.

2c. orchiture.ai Diagnostic Data

When you use The Signal or other diagnostic products on orchiture.ai, we collect the following:

  • Your responses to the diagnostic questions, including presenting problems selected and answers to adaptive follow-up questions
  • Your email address, if you choose to submit it after receiving your diagnostic result
  • An indication of whether you have opted in to receive occasional structural diagnostics insights from Orchiture, via the checkbox on the results page
  • A session identifier, held in a short-lived, cryptographically signed cookie for the duration of your diagnostic session only

Diagnostic question responses are stored in anonymised form. They are not linked to your name, organisation, or any other identifying information unless you subsequently provide your email address. The email address and the anonymised diagnostic log are stored separately and are not joined at a record level.

Note on AI processing: Your diagnostic responses are processed by an AI model (Claude, operated by Anthropic) to generate your structural diagnosis. No personal data is submitted to the AI model. Your responses are treated as anonymised organisational observations, not as data identifying you as an individual. Anthropic does not use API inputs to train its models.

3. How We Use Your Information

Website Enquiries

We use the information you provide solely for the purpose of responding to your enquiry and providing you with information about our services. We do not use your information for generic marketing newsletters unless you specifically opt-in at a later date.

Client Session Recordings & Transcripts

We use session recordings and the outputs derived from them for the following purposes:

  • Producing accurate records of sessions, agreed actions, and decisions
  • Generating transcripts and summaries to support the quality and accuracy of our consulting work
  • AI-assisted analysis to identify patterns, themes, and structural observations relevant to your engagement
  • Producing deliverables — analysis outputs and session summaries may be shared with you directly as part of the service
  • Internal quality review to ensure the consistency and standard of our work

All AI-generated outputs are reviewed by Orchiture before being relied upon or shared. We do not treat AI-generated content as definitive without human oversight.

We do not use your recordings or transcripts to train, fine-tune, or improve any AI model, whether operated by us or any third party.

orchiture.ai Diagnostic Results

We use orchiture.ai diagnostic data for the following purposes:

  • Generating your structural diagnosis and delivering it to you within the diagnostic session
  • Sending your diagnostic result to the email address you provide, where you choose to submit one
  • Sending occasional structural diagnostics insights by email, where you have ticked the opt-in checkbox on the results page
  • Improving the accuracy and calibration of the diagnostic framework over time, using anonymised aggregate response data only

We do not use your diagnostic responses to train, fine-tune, or improve any AI model, whether operated by us or any third party.

4. Legal Basis for Processing

We rely on the following legal bases under UK GDPR for processing your personal data:

Website enquiry data

Processed on the basis of legitimate interests — specifically, our interest in responding to and managing inbound business enquiries.

Session recordings and transcripts

Processed on the basis of legitimate interests — specifically, our operational need to maintain accurate records of consulting sessions, produce quality deliverables, and conduct analysis that forms the core of the service we provide. We have assessed that this interest is not overridden by the rights and interests of the individuals concerned, given the professional context, the notice provided prior to recording, and the controls we apply to how recordings are stored and accessed.

Where a client or participant objects to being recorded, we will make reasonable alternative arrangements to capture session content without recording.

orchiture.ai diagnostic data — anonymised Q&A logs

Processed on the basis of legitimate interests — specifically, our interest in improving the calibration and accuracy of the diagnostic framework. No personal data is attached to these logs. The data is anonymised at the point of collection and cannot be used to identify individuals.

orchiture.ai diagnostic data — email address

Processed on the basis of consent. You provide your email address voluntarily, after receiving your diagnostic result, in order to receive a copy of that result by email. Where you also tick the opt-in checkbox, your email address is additionally used to send you occasional structural diagnostics insights from Orchiture. These are two separate consent actions: submitting your email address delivers your result; ticking the checkbox adds you to our insights list. You may withdraw either consent at any time by contacting us at james@orchiture.com, or by using the unsubscribe link in any email we send.

5. Recording Notice

We inform individuals about session recording as follows:

  • Prospective clients: You will be informed verbally at the start of any initial or exploratory call that the session may be recorded.
  • Engaged clients: Recording practice is addressed in the Client Services Agreement, which governs the terms of your engagement with Orchiture. By entering into that agreement, you acknowledge and accept that sessions conducted as part of the engagement may be recorded for the purposes described in this policy.

If you or any participant do not wish to be recorded, please let us know before the session begins. We will accommodate this where possible.

6. Data Sharing & Third-Party Processors

We will never sell, rent, or share your personal information with third parties for marketing purposes.

To deliver our services, we use the following categories of third-party data processors who act on our instruction:

  • AI recording and transcription services — we use Plaud (operated by Plaud Inc., a US-incorporated company) to record and transcribe sessions. Plaud holds GDPR, ISO 27001, ISO 27701, SOC 2, and HIPAA certifications. Data processed by Plaud is stored on servers located in the United States (AWS US West, Oregon). This constitutes an international transfer of personal data outside the UK. Orchiture holds a confidential independent accountant's examination report, conducted in accordance with AICPA attestation standards, confirming that Plaud Inc. complied with EU GDPR requirements across all applicable articles — including lawfulness of processing, data subject rights, security controls, breach notification, and international transfer safeguards — for the period February to May 2025. EU GDPR and UK GDPR are substantially equivalent frameworks. We rely on this independently verified compliance as the basis for appropriate safeguards being in place for this transfer.
  • Secure cloud storage — analysis outputs, session notes, and client engagement data are stored in Google Workspace (Google Drive), operated under Google's Data Processing Addendum and hosted within the European data region. Access is restricted to Orchiture and protected by encryption at rest, encryption in transit, and multi-factor authentication.
  • Email and communications platforms — we use Brevo (operated by Sendinblue SAS, a French-incorporated company and wholly owned subsidiary of Sinch AB) to send transactional and marketing emails across both orchiture.com and orchiture.ai. This covers: transactional and marketing emails sent from orchiture.com; transactional result delivery emails and opted-in insights communications sent from orchiture.ai. Emails sent via Brevo are processed on servers located within the European Economic Area. Brevo is ISO 27001 certified and processes data under a Data Processing Agreement in accordance with GDPR. Data transmitted via Brevo is limited to the email address and content necessary to deliver the relevant communication. Where you opt in to receive insights from orchiture.ai, your email address is added to a dedicated contact list within Brevo for that purpose only.
  • orchiture.ai — AI inference — diagnostic question responses submitted via orchiture.ai are processed by Claude, an AI model operated by Anthropic PBC (a US-incorporated company). No personal data is submitted to the model; inputs are treated as anonymised organisational observations. Anthropic's API terms confirm that inputs submitted via the API are not used to train or improve Anthropic's models. Processing occurs on Anthropic's infrastructure within the United States, constituting an international transfer outside the UK. We rely on Anthropic's Standard Contractual Clauses and published data processing terms as the basis for appropriate safeguards being in place for this transfer.
  • orchiture.ai — diagnostic data storage — anonymised diagnostic logs and, where provided, email addresses submitted via orchiture.ai are stored in Supabase (operated by Supabase Inc., a US-incorporated company), with the project database hosted in the AWS EU West (Ireland) region. Data does not leave the EU region. Supabase processes data under a Data Processing Agreement.
  • orchiture.ai — transactional email — where you provide your email address after completing a diagnostic on orchiture.ai, your result is delivered by Resend (operated by Resend Inc., a US-incorporated company). Data transmitted to Resend is limited to your email address and the diagnostic result content. Resend is used for result delivery only and is not used for marketing communications. Resend processes data under a Data Processing Agreement.
  • orchiture.ai — hosting and infrastructure — orchiture.ai is hosted on Vercel (operated by Vercel Inc., a US-incorporated company). Vercel processes standard request data, including IP addresses and user agent strings, as a hosting provider. This constitutes an international transfer outside the UK. Vercel processes data under a Data Processing Agreement and Data Privacy Framework certification.
  • orchiture.ai — rate limiting — IP address throttling on orchiture.ai is handled by Upstash (operated by Upstash Inc., a US-incorporated company), with the Redis instance hosted in the London, UK region (AWS eu-west-2). Data does not leave the UK. Only IP addresses are processed, retained for a short rolling window sufficient to enforce rate limits, and not used for any other purpose. Upstash processes data under a Data Processing Agreement.

All third-party processors are required to process data only on our instruction and in accordance with applicable data protection law.

7. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

  • Website enquiry data: Retained for up to 12 months from the date of enquiry, or for the duration of any resulting engagement.
  • Session recordings and transcripts: Retained for 12 months from the conclusion of the relevant engagement, after which they are securely deleted. In cases where a client operates in a regulated industry and requests a longer retention period for their own compliance purposes, we may extend this by written agreement.
  • Analysis outputs and deliverables: Retained for 12 months post-engagement unless otherwise agreed in the Client Services Agreement.
  • orchiture.ai diagnostic Q&A logs: Retained indefinitely in anonymised form. These logs contain no personal data and cannot be used to identify individuals. They are used solely to calibrate and improve the diagnostic framework.
  • orchiture.ai email addresses: Retained for 12 months from the date of submission, after which they are permanently deleted. The anonymised diagnostic log associated with your session is retained beyond this point but remains detached from your email address.
  • orchiture.ai session cookies: Expire at the end of your diagnostic session. No persistent tracking cookies are used on orchiture.ai.
  • orchiture.ai IP address data (rate limiting): Retained for the duration of the rolling rate limit window only, after which it is automatically deleted by Upstash. IP addresses are not stored by Orchiture directly.

You may request early deletion of your data at any time by contacting us at james@orchiture.com.

8. Your Rights

Under UK GDPR, you have the following rights in relation to the personal data we hold about you:

  • Right of access — to request a copy of the personal data we hold about you
  • Right to rectification — to request corrections to inaccurate data
  • Right to erasure — to request deletion of your data, including session recordings and transcripts, subject to any overriding legal obligations
  • Right to object — to object to processing based on legitimate interests, including the use of AI-assisted analysis in connection with your data
  • Right to restrict processing — to request that we limit how we use your data while a dispute is resolved
  • Right to data portability — to receive session outputs in a structured, machine-readable format where technically feasible

To exercise any of these rights, please contact us at james@orchiture.com. We will respond within one calendar month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been handled unlawfully.

Last Updated: June 2026