Version 4.3 · Last updated 23 May 2026
Legal
Data Processing Agreement & AI Addendum
This page reflects the current GoPresent Data Processing Agreement and Artificial Intelligence Addendum. It governs data protection, model training, confidentiality, processor obligations, sub-processors, retention, and AI-specific legal terms across the Free tier, Raise Ready, Scout Portal, and Consulting Services.
1. Scope and hierarchy
This Data Processing Agreement and Artificial Intelligence Addendum is between GoPresent Ltd and the customer using the services. It expressly states that the Terms and Conditions govern commercial, billing, refund, and service delivery matters, while the DPA prevails on data protection, privacy, and model training matters.
The DPA defines AI Services, Output, Hallucinations, Third-Party AI Providers, Personal Data, Customer Data (the prompts, uploaded documents, and AI outputs as defined in Terms of Service clause 4.1), Free Tier, Paid Tier (currently Raise Ready at £499 launch promo / £749 regular, and Scout Portal Premium on commercial launch), Consulting Services (a separate category, governed by SOW and clause 2.3), Model Training, Aggregate Usage Metrics, and Resultant Data.
2. Model training and service improvement by tier
2.1 Free Tier. By creating or maintaining a Free Tier account (including the Scout Free tier), the customer grants GoPresent a perpetual, royalty-free, worldwide licence to use the prompts, uploaded documents, and AI outputs generated from them (Customer Data) to: develop, train, fine-tune, evaluate, and improve GoPresent's own AI models, prompts, and Services; build benchmarks, evaluation datasets, and synthetic data; conduct quality and safety review (including by GoPresent staff bound by confidentiality); and inform product, research, and roadmap decisions. This licence is part of the consideration for free access. Withdrawal is forward-looking only — any model snapshot trained before withdrawal remains valid. The DPA explicitly accepts the standard regulator position that untraining is not technically feasible.
2.2 Paid Tier. For Paid Tier services (Raise Ready and Scout Portal Premium on commercial launch), GoPresent will not use Customer Data to train, fine-tune, evaluate, or improve any AI model — neither its own nor any third party's. The Paid Tier exclusion is not subject to a customer opt-in path. This clause aligns with Terms of Service clause 4.2.
2.3 Consulting Services. Consulting Services are a separate category from the Free and Paid Tiers in clauses 2.1–2.2. Customer Data provided under Consulting Services are strictly confidential and are not used for model training, fine-tuning, or evaluation unless the customer provides explicit written consent in the applicable Statement of Work. Where SOW consent is given, the scope and terms set out in the SOW prevail over clauses 2.1–2.2 for those Consulting Services materials.
2.4 Aggregate Usage Metrics. Regardless of tier, GoPresent collects and uses aggregated usage statistics — feature-adoption rates, session durations, error rates, aggregate cost data, and similar operational signals — that do not include the content of Customer Data. The legal basis is legitimate interests.
2.5 Resultant Data. GoPresent retains and may use Resultant Data — patterns, trends, statistics, and aggregate insights derived from use of the Services — across all tiers. Resultant Data is GoPresent's property and survives termination of the customer's account. Resultant Data does not include, and cannot be reverse-engineered back to, identifiable Customer Data.
2.6 Safety and abuse review. Across all tiers, GoPresent may manually review Customer Data where reasonably necessary to investigate suspected abuse, security incidents, or breach of the Acceptable Use Policy. Reviewers are bound by confidentiality. Each such access is logged to an internal audit trail. GoPresent will notify the affected customer in writing within 30 days of the access, except where (a) prohibited by law or (b) notification would compromise an active investigation, in which case notification is deferred until the legal restriction lifts or the investigation concludes.
2.7 Tier-at-time-of-creation. Customer Data is tagged with the tier at which it was created. Upgrading from Free Tier to Paid Tier removes the licence in clause 2.1 from Customer Data created after the upgrade; Customer Data created before the upgrade continues to carry the consent granted at creation. Customer Data created on a Paid Tier never enters the training corpus.
3. UK GDPR legal basis and controller/processor split
Free Tier model training, evaluation, benchmarking, synthetic-data generation, and product development rely on consent under Article 6(1)(a). Paid Tier Customer Data is processed on the basis of contract performance and is not used for model training. Aggregate Usage Metrics and Resultant Data (clauses 2.4 and 2.5) rely on legitimate interests; manual safety and abuse review (clause 2.6) likewise relies on legitimate interests.
Where GoPresent provides AI services to the customer, the customer is controller and GoPresent is processor for that personal data. Where GoPresent uses Customer Data for Free Tier model training and the other Free Tier activities listed in clause 2.1, GoPresent acts as an independent controller for that training and improvement activity.
4. Confidentiality and processor obligations
GoPresent agrees to treat Customer Data as confidential, implement technical and organisational security measures, and not disclose Customer Data except to authorised sub-processors, where required by law, to professional advisors under confidentiality duties, or with prior written consent.
Where GoPresent is processor, it processes only on documented instructions, binds authorised persons to confidentiality, implements security measures, appoints sub-processors on equivalent protections, assists with data subject rights, and makes information available for reasonable audits.
The DPA states that GoPresent will notify the customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Data, in accordance with UK GDPR Article 33.
5. Transfers, retention, and deletion
The DPA acknowledges that third-party providers (see Annex A and the live Sub-Processors Registry at /legal/sub-processors) may process Customer Data in the United States and other jurisdictions outside the UK. Transfers are handled using UK GDPR Chapter V safeguards, including the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, the EU-US Data Privacy Framework where the recipient is certified, and additional supplementary measures (encryption in transit and at rest) where appropriate.
Customer Data — Paid Tier: retained for 90 days after the customer's access window expires (matching the 90-day Raise Ready access term), then deleted from primary storage. Backups age out under our backup-rotation policy. Customer Data — Consulting: deleted within 30 days after Statement of Work completion. Customer Data — Free Tier: retained for as long as the customer's account is active, subject to the licence in clause 2.1; identifiable Customer Data is deleted within 30 days of a valid erasure request, with the model-snapshot caveat below.
Deletion requests are honoured within 30 days, subject to legal retention obligations and the technical limit that model snapshots already trained on Customer Data cannot be retrained or rolled back — this is the standard regulator position for AI training data. Aggregate Usage Metrics and Resultant Data (clauses 2.4 and 2.5) are retained indefinitely as set out in those clauses and are not subject to the erasure right because they are not identifiable to the customer.
6. Intellectual property, output, and AI disclaimers
GoPresent retains ownership of the platform, AI services, methodologies, models, Aggregate Usage Metrics (clause 2.4), Resultant Data (clause 2.5), and improvements developed using Customer Data under the tier-specific rules in clause 2. Customers retain ownership of their original Customer Data.
Customers own output generated specifically for them, subject to GoPresent's rights, third-party AI provider terms, and the obligation to review and verify output before use.
The DPA states that AI output is probabilistic, may contain hallucinations, and is provided as-is and as-available without warranty. Customers are responsible for validating output and may not use the services for high-risk activities, unlawful purposes, or prohibited automated decisions.
7. Liability, termination, and annexes
Liability is capped by tier: Free Tier users at GBP 100, Raise Ready users at 100% of the fees paid for their purchase, Scout Portal Premium users (on commercial launch) at 100% of fees paid in the prior 12 months, and Consulting Services at 100% of fees paid under the relevant SOW. The DPA also excludes indirect and consequential loss, subject to legal carve-outs and a GBP 50,000 confidentiality-related unauthorised disclosure cap per incident.
Commercial termination rights are governed by the Terms, while the DPA governs the data and IP consequences of termination. Free Tier model training rights and the rights GoPresent holds in Resultant Data and Aggregate Usage Metrics survive termination, and model snapshots already trained on Customer Data cannot be retrained or rolled back.
Annex A — Sub-processors. The canonical, live list of authorised sub-processors (with data category, region, and link to each provider's current DPA or privacy policy) is maintained at /legal/sub-processors and updated when sub-processors change. As at the date of this DPA, the list comprises: Vercel Inc. (USA, application hosting); Supabase Inc. (USA, EU-west-1, database + storage + auth + realtime); Cloudflare Inc. (USA, DDoS + CDN + Turnstile); Railway Corp. (USA, worker compute); Clerk Inc. (USA, authentication); Stripe Inc. and Stripe Payments UK Ltd (USA / UK, billing); Anthropic PBC (USA, primary LLM); Together Computer Inc. (USA, failover LLM); OpenAI Inc. (USA, embeddings only); Deepgram Inc. (USA, voice transcription); Firecrawl Ltd (USA / UK, web extraction); Resend Inc. (USA, transactional email); PostHog Inc. (USA, product analytics + error tracking); Vercel Analytics (cookie-free first-party telemetry); Instantly Inc. / leadsy.ai (USA, marketing visitor identification on the public site only, US-IP only, consent-gated); HubSpot Inc. (USA / EU, consultant-team internal CRM); Apify (Czech Republic) and Icypeas (France) for public-data enrichment for consultant prospecting.
Annex B sets out security measures including TLS 1.3+, AES-256 at rest, RBAC, MFA, authenticated API endpoints, rate limiting, logical data separation, pseudonymisation, staff training, incident response, and annual internal security reviews.