AI and Client Data
OPTO AI and Client Data.
This page is OPTO's public-facing summary of how we handle data when we run AI tooling on a client's behalf. It is not a contract. The contractual position lives in our Master Services Agreement and the Data Processing Agreement that sits under it.
We publish this because clients ask us the same questions repeatedly during procurement, and we would rather answer them once, in plain English.
1. Controller and processor
When OPTO builds and runs tooling on a client's data, the client is the data controller and OPTO is the data processor. The client decides what data is in scope and what is out of scope. We act on documented instructions.
For our own marketing, prospecting, and operational data (the people who contact us, the people we engage), OPTO is the controller. That data is governed by our Privacy Notice.
2. What we will and will not do with client data
We will:
- process client data only for the purposes set out in the engagement
- limit access to the people on the engagement who need it
- store client data in systems the client has been told about and agreed to
- only send client personal data to AI services the client has approved in the engagement, and keep a record of those flows
- delete or return client data on request and at the end of the engagement, in line with our DPA
We will not:
- use client data to train any AI model that is not exclusive to that client
- combine client data sets across clients without explicit written consent
- sell, rent, or share client data with anyone for their own purposes
3. AI tooling and sub-processors
Most engagements involve third-party AI services and supporting platforms (model providers, automation tools, hosting, observability). We treat these as sub-processors.
For each engagement we maintain a list of sub-processors that names the provider, what they do, and where they process the data. The list is shared with the client at the start and updated when it changes. Clients have a reasonable right to object to a new sub-processor.
Where a client requires a specific provider to be excluded (for example, no transfer outside the UK or EEA, or no use of a particular model provider), we design the engagement to that constraint.
4. Client ownership and IP
The client owns its own data, its own platform accounts, and the operational outputs that depend on its data. OPTO retains intellectual property in the underlying methods we have developed (such as prompts, scrapers, and native artefacts) and grants the client a revocable licence to use them within the engagement. Detail is in the MSA.
5. Security
OPTO follows reasonable, proportionate security practices. That includes encrypted devices, multi-factor authentication on all production accounts, least-privilege access, and supplier review.
Where a client has heavier security requirements (for example, ISO 27001, SOC 2, or sector-specific frameworks), we will agree the controls in writing as part of the engagement.
6. Sub-processor list and DPA
We provide our standard Data Processing Agreement and current sub-processor list during contracting, and on request to existing clients, by emailing hello@optobusinessai.com.