Privacy Policy

1. Who we are

GVT Labs Limited is the data controller for the personal information collected through the Sites. We are a company incorporated in England and Wales, with our registered office at Clifton House, Bunnian Place, Basingstoke, RG21 7JE, United Kingdom.

You can contact us about anything in this policy, including a privacy request, at ask@gvtlabs.com.

3. What personal information we collect, and why

3.1 Anonymous analytics

We use Plausible Analytics to understand how visitors find and use the Sites. Plausible is a privacy-friendly analytics tool that does not use cookies, does not collect personal data, and does not track visitors across other websites. The data Plausible collects is anonymous and aggregated, and includes:

• the pages visited on the Sites
• the country a visit came from (derived from the IP address and discarded immediately after; the full IP address is not stored)
• the referring website (where applicable)
• the type of device and browser used (at a high level, such as "mobile" or "desktop", "Chrome" or "Safari")

None of this can be tied back to you as an individual. We use it solely to understand which content is useful, where visitors are coming from, and how the Sites are performing.

Lawful basis: legitimate interests (Article 6(1)(f) UK GDPR). Our legitimate interest is understanding how visitors use the Sites so we can improve them. Because Plausible does not process personal data in a form that identifies you, the privacy impact on you is minimal.

3.2 Security and infrastructure

Our hosting and infrastructure provider, Cloudflare, sets a small number of strictly necessary cookies and processes limited technical information about each request to the Sites. This includes your IP address, browser user-agent, and request timing. Cloudflare uses this information to protect the Sites from abuse (such as denial-of-service attacks, fraudulent traffic, and bot scraping) and to deliver pages to you reliably.

This information is not used to track you, not combined with any other data we hold, and not used for advertising. It is processed as part of standard web infrastructure.

Lawful basis: legitimate interests (Article 6(1)(f) UK GDPR). Our legitimate interest is operating a functional, secure website.

3.3 Contact form and email submissions

If you contact us through a form on the Sites or by writing directly to ask@gvtlabs.com, we collect whatever you send us. That typically includes your name, your email address, and the content of your message. If you choose to provide additional information (a phone number, a company name, a description of your role), we collect that too.

We use this information to:

• respond to your inquiry
• keep a record of our correspondence with you, so we can pick up where we left off if you contact us again
• understand what visitors are asking about, in aggregate, so we can improve the Sites and the information they provide

If you have explicitly opted in (by ticking a clearly labeled box at the point of contact), we may also use your email to send you product news, launch updates, and other marketing communications from GVT Labs Limited. You can opt out of these at any time by clicking the unsubscribe link in any email or writing to ask@gvtlabs.com.

Lawful basis: for replying to you and keeping a record, legitimate interests (Article 6(1)(f) UK GDPR). For marketing communications, consent (Article 6(1)(a) UK GDPR), which you can withdraw at any time.

3.4 Newsletter

If, in future, we offer a newsletter through Beehiiv, your email address will be processed by Beehiiv on our behalf so that we can send you the newsletter. You will only ever receive the newsletter if you have explicitly subscribed (typically by entering your email into a subscription form and confirming through a double opt-in email). You can unsubscribe at any time using the link at the foot of every newsletter, or by writing to ask@gvtlabs.com.

When a newsletter is active, this section will reflect the data we collect through it (typically: your email address, the date you subscribed, and aggregate engagement signals such as whether emails are opened).

Lawful basis: consent (Article 6(1)(a) UK GDPR).

3.5 What we do not collect on the Sites

For clarity, the Sites do not:

• offer accounts, logins, or user profiles
• accept any user-generated content, comments, or uploads
• embed third-party social media plugins, video players, or chat widgets
• run any advertising network or tracking pixel
• collect payment information

If any of this changes in future, we will update this policy and (where required) seek your consent before turning on the new processing.

4. Cookies

We use only the cookies that are strictly necessary to operate the Sites. Specifically:

• Cloudflare cookies for security, bot detection, and the basic delivery of pages. These are essential cookies; the Sites would not function correctly without them.

We do not use:

• analytics cookies (Plausible does not set them)
• advertising or retargeting cookies
• third-party tracking cookies
• cookies for any non-essential purpose

Because we only use strictly necessary cookies, we don't show a cookie consent banner. If you would still prefer to block them, you can do so through your browser settings, though parts of the Sites may not work correctly if you do.

If we ever start using cookies that are not strictly necessary (for example, if we add analytics tools that set cookies, marketing tools, or third-party embeds), we will update this policy and present a consent banner so you can choose what to allow.

5. We don't use your data to train generative AI

We don't use any information collected through the Sites (your messages, your contact details, your analytics data, anything else) to train, fine-tune, or develop generative AI models, ours or anyone else's. We don't sell or share data with third parties for that purpose. The information you share with us is used to respond to you, operate the Sites, and (where you've opted in) send you the communications you've asked for. Nothing more.

If this ever changes, we will tell you in advance and ask for your explicit consent before using your data in that way.

6. Who we share your data with

We share personal information only with the following categories of recipients, and only as needed to operate the Sites:

• Service providers acting on our behalf, including Plausible Analytics (anonymous analytics), Cloudflare (hosting and security), and Beehiiv (newsletter delivery, when a newsletter is offered). These providers process data only on our instructions and under written contracts that require them to keep the data secure and use it only for the purposes we've defined.
• Professional advisers such as lawyers, accountants, and auditors, when they need access to data to advise us on a matter and are under a duty of confidentiality.
• Authorities, if we are required by law, by a court order, or by a regulator to disclose data, and we cannot reasonably refuse. Where the law allows, we will tell you before disclosing your data in this way.

We do not sell personal data to anyone, and we do not share it with advertising networks, data brokers, or AI training operations.

7. International data transfers

Some of our service providers (in particular Cloudflare and Beehiiv) operate globally and may process your data in countries outside the United Kingdom, including in the United States. Where we transfer personal data outside the UK, we make sure it is protected to the same standard required by UK law, typically by using contractual clauses approved by the UK Information Commissioner's Office (the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses) or by relying on an adequacy decision where one applies.

If you would like more detail about a specific transfer, write to ask@gvtlabs.com.

8. How long we keep your data

We keep personal data only for as long as we need it for the purpose we collected it.

• Anonymous analytics (Plausible): retained in aggregate indefinitely, since it does not identify any individual.
• Contact form and email correspondence: typically retained for up to 36 months after our last meaningful exchange, so that we can pick up where we left off if you contact us again. We may keep correspondence longer where it relates to a legal matter or where a longer period is required by law.
• Newsletter subscriptions (when a newsletter is offered): retained for as long as you remain subscribed, and for a short period after you unsubscribe so we can confirm your unsubscribe request. If you unsubscribe, your email is removed from active sending lists immediately; a record of the unsubscribe request itself is kept so we can prove your opt-out.
• Security and infrastructure logs: retained by Cloudflare for the periods set out in its own retention policies, typically a matter of days to weeks.

When the retention period ends, we delete or anonymize the data.

9. Your rights

Under the UK GDPR, you have the following rights over your personal data:

• Access. You can ask us for a copy of the personal data we hold about you.
• Rectification. You can ask us to correct personal data that is inaccurate or incomplete.
• Erasure. You can ask us to delete personal data we hold about you, in certain circumstances.
• Restriction. You can ask us to limit the way we use your personal data, in certain circumstances.
• Portability. You can ask us to provide your personal data to you in a structured, commonly used, and machine-readable format, and to transmit it to another organization, in certain circumstances.
• Objection. You can object to our processing of your personal data where we rely on legitimate interests.
• Withdraw consent. Where we rely on your consent (for example, for marketing communications), you can withdraw it at any time. Withdrawing consent doesn't affect the lawfulness of any processing we carried out before you withdrew it.
• No automated decisions. We don't make any decisions about you based purely on automated processing. If we ever start, we'll tell you and explain your rights in that context.

To exercise any of these rights, write to ask@gvtlabs.com. We'll respond within one month. We won't charge you for exercising your rights unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

If you live outside the UK, equivalent rights may apply to you under your local law (for example, the EU GDPR, or the California Consumer Privacy Act and California Privacy Rights Act if you are a California resident). The rights described above will broadly cover what you are entitled to. If you have a specific request based on a local law, please reference that law in your message and we'll handle it accordingly.

10. Complaints

If you're not happy with how we've handled your personal data, please tell us first at ask@gvtlabs.com so we can try to put it right.

You also have the right to complain to a data protection authority. In the UK, that is the Information Commissioner's Office (ICO). You can contact the ICO at:

If you live in another country, you can contact your local data protection authority instead.

11. Children

The Sites are not intended for, and not directed at, anyone under the age of 16. We don't knowingly collect personal data from anyone under 16. If you believe a child under 16 has submitted personal data to us through the Sites, please write to ask@gvtlabs.com and we'll delete it.

12. Security

We take reasonable technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include encrypted connections to the Sites (HTTPS), restricted access to internal systems, and contractual security obligations on our service providers.

No system is perfectly secure. If a security incident affects your personal data, we will notify the relevant authorities and (where required) the affected individuals as soon as is reasonably practicable.

13. Changes to this policy

We may update this policy from time to time. The effective date at the top of this document shows when the current version took effect. If we make material changes (such as collecting new types of data, changing the lawful basis for an existing processing activity, or adding a new third-party processor), we'll take reasonable steps to draw them to your attention, for example by posting a notice on the Sites or by updating the effective date.

14. Contact

For any privacy question, request, or concern, please write to: