Privacy Policy
Effective: 8 May 2026 · Version: 1.0
1. Introduction
This Privacy Policy explains how At Beyond Limited (trading as Beyond — "we", "us", "our") collects, uses, stores, shares, and protects personal data when you visit atbeyond.com, contact us, engage us as clients or partners, or otherwise interact with us.
We handle personal data responsibly, transparently, and in line with applicable data protection law, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025 (DUAA), the Privacy and Electronic Communications Regulations 2003 (PECR), the EU General Data Protection Regulation (EU GDPR) where it applies, and US state privacy laws (such as the CCPA/CPRA) where they apply.
This Policy should be read together with our Cookie Policy, Website Terms and Conditions, AI Transparency Policy, and Responsible AI Policy.
2. Who we are (Data Controller)
At Beyond Limited is the data controller for personal data collected through this website and the marketing, sales, and engagement activities run from it. Our registered office is 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ and our company number is 17146628.
When we deliver AI Blueprints, hosted products, or advisory engagements to clients, we typically act as a data processor on behalf of those clients in respect of their end-users' personal data. Roles, instructions, and safeguards for those engagements are set out in the relevant client contract and Data Processing Agreement (DPA).
Privacy contact: privacy@atbeyond.com
3. What personal data we collect
We only collect data that is relevant, necessary, and proportionate to the purposes set out in this Policy.
3.1 Information you give us
- Name
- Work email address
- Company name and job title
- Phone number (if you provide one)
- The content of your message, enquiry, or request
- Information you choose to share when discussing a potential or live engagement, such as project context, requirements, organisational background, or technical environment
- Professional profile information you share with us (for example, LinkedIn or other public business profile data)
3.2 Information we collect automatically
When you use our website we may collect, via cookies, pixels, server logs, and similar technologies:
- IP address (often truncated by analytics providers)
- Browser type, version, language, and device characteristics
- Operating system and screen size
- Pages visited, time on page, navigation paths, and referring URLs
- Approximate location (city or country level, derived from IP)
- Diagnostic and performance data from our hosting platform (Vercel)
Details of the specific cookies and similar technologies in use are in our Cookie Policy. Non-essential cookies and analytics tags only load where consent is required and you have given it.
3.3 Engagement and project data
When we discuss or deliver advisory or AI work to you, we may also process:
- Technical, operational, and business context shared by your team
- Project specifications, designs, prototypes, and outcomes
- Performance, usage, and outcome data from systems we build, customise, or operate, where this has been agreed
- Testimonial, case study, or reference content (only with permission and only as agreed)
3.4 Contractual and financial data
For formal engagements, we process:
- Billing and payment details (account name, bank or card identifiers as required by our payment processors — Beyond does not store full card numbers)
- Purchase order numbers and supplier onboarding details
- Contract documents, statements of work, and related correspondence
- Tax, invoicing, and accounting records
3.5 Special category data
We do not generally seek special category data (for example, health, racial or ethnic origin, biometric data) through the website. If a client engagement requires us to process special category or otherwise sensitive data, we agree the lawful basis, conditions for processing, and safeguards in advance and in writing.
4. How we use personal data
4.1 Running our business
- Responding to your enquiries, requests, and contact form submissions
- Assessing, scoping, and discussing potential engagements with you
- Delivering advisory services, AI Blueprints, and hosted products under contract
- Managing the day-to-day relationship with clients, partners, and suppliers
- Processing payments, raising invoices, and keeping financial and tax records
4.2 Marketing and business development
- Sharing information about Beyond, our services, AI Blueprints, events, and insights where we have a lawful basis to do so
- Producing case studies, testimonials, and reference material with permission
- Building and maintaining professional relationships with prospective clients and partners
- Measuring the effectiveness of our marketing where you have consented to analytics or marketing cookies
We do not engage in high-volume, intrusive, or untargeted direct marketing. You can opt out of any marketing email at any time using the unsubscribe link or by emailing us.
4.3 Improving our website and services
- Understanding how the website is used, identifying issues, and making improvements
- Refining our methodologies, AI Blueprints, and operating models
- Internal training, quality assurance, and review
4.4 Protecting our business and complying with the law
- Meeting legal, regulatory, accounting, and tax obligations
- Establishing, exercising, or defending legal claims
- Detecting and preventing fraud, abuse, or misuse of the website or our services
- Cooperating with regulators, courts, and law enforcement where required
4.5 What we do not do
- Sell personal data to third parties
- Use your data for fully automated decisions that produce legal or similarly significant effects without meaningful human oversight
- Use client data to train Beyond, third-party, or public AI models without explicit, written agreement
5. AI and intelligent systems
Beyond is an AI-native company. We design, deploy, and operate AI systems for ourselves and for our clients. The way we handle personal data in AI contexts is summarised here and explained more fully in our AI Transparency Policy and Responsible AI Policy.
Client data in client engagements
- Client data is processed only on documented client instructions and under a written contract and DPA.
- Client data is not used to train Beyond, public, or third-party AI models without the client's explicit written agreement.
- Confidentiality, access controls, encryption, and segregation are applied in line with the engagement design.
- Client data remains the client's property.
Beyond's own products (Frontline OS, Generative Commerce, Marketing OS and other Blueprints)
- Beyond's products are deployed in dedicated, per-client environments under separate agreements; the public website does not host live product instances.
- Where Beyond is the controller for limited operational data (for example, account administration), we minimise the data we hold and apply security controls proportionate to the risk.
- Where Beyond is the processor, we act under the client's instructions as set out in the relevant DPA.
Third-party AI providers
- We may route inference to third-party model providers (for example, large-language-model APIs) where this is the right tool for the job.
- We use enterprise or business-tier offerings with appropriate data processing terms wherever available, and we do not allow our clients' content to be used by providers to train their public models unless this is expressly agreed.
- The specific providers used in any engagement are documented in the engagement design.
Internal AI use
We use approved AI tools internally to draft, analyse, and accelerate our own work. Personal data and client confidential information are not put into general-purpose, public AI tools without permission and appropriate safeguards. See our AI Transparency Policy for details.
6. Lawful bases for processing
We rely on one or more of the following lawful bases under UK GDPR / EU GDPR:
- Consent — for example, where you opt in to marketing emails or non-essential cookies.
- Contract — to perform a contract with you or your organisation, or to take steps at your request before entering into one.
- Legitimate interests — for example, business development, securing our website, improving our services, and managing existing relationships, where our interests are not overridden by your rights.
- Legal obligation — to comply with laws, regulations, and binding requests from authorities.
- Vital interests or public task — only in narrow, exceptional circumstances.
If you would like further detail on the lawful basis for a specific activity, contact us at privacy@atbeyond.com.
7. Marketing communications
We may send you communications about Beyond's services, products, events, and insights where:
- You have asked us for information or otherwise opted in;
- You are an existing or recent client or business contact and the communication is closely related to services we provide; or
- We have another lawful basis to do so.
Every marketing email contains an unsubscribe link. You can also opt out at any time by emailing us. Operational and contractual messages (such as service updates, security notices, or invoices) are not marketing and may continue while a relationship is active.
8. Sharing your personal data
We share personal data only where it is necessary, lawful, and proportionate. Recipients fall into the following categories.
Service providers acting on our behalf
- Vercel Inc. — our website hosting and edge infrastructure provider.
- Google LLC — Google Analytics for website measurement (only where you have given consent and with IP anonymisation enabled).
- Email, productivity, and collaboration providers used to run our business (for example, Microsoft, Google Workspace, or similar).
- Customer relationship and marketing platforms used to manage enquiries, mailings, and pipeline.
- Accounting, billing, and payment service providers.
- AI model and infrastructure providers used to deliver client engagements (documented in the relevant engagement).
- Legal, financial, insurance, and professional advisers.
All such providers are bound by written terms requiring them to act only on our instructions, apply appropriate security, comply with applicable data protection law, and treat the data as confidential.
Within the Beyond group
We may share personal data with current or future Beyond group companies for the purposes set out in this Policy and under appropriate intra-group terms.
Authorities, advisers, and successors
We may disclose personal data to regulators, courts, law enforcement, our advisers, or to a buyer or successor as part of a corporate transaction, where lawful and necessary. Where the law allows, we will let you know.
What we do not do
We do not sell personal data, and we do not allow third parties to use personal data we share with them for their own independent purposes.
9. International transfers
Beyond is based in the United Kingdom but works with clients and providers in the UK, EU/EEA, the United States, and other regions. As a result, your personal data may be transferred to, stored in, or accessed from countries outside the UK or EEA.
Where personal data is transferred outside the UK or EEA, we use one or more of the following safeguards:
- UK or EU adequacy regulations / decisions where these are in place;
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
- EU Standard Contractual Clauses (SCCs) for transfers from the EEA;
- The UK extension to the EU–US Data Privacy Framework where the recipient is certified;
- Other lawful transfer mechanisms permitted by applicable law, supported by a transfer risk assessment where required.
You can request a copy of the relevant safeguards by contacting privacy@atbeyond.com.
10. Cookies and analytics
Our website uses a small number of cookies and similar technologies to operate the site, measure usage, and improve performance. The current configuration at this stage of the site is:
- Strictly necessary cookies needed to deliver the site and remember your cookie choices.
- Vercel — our hosting and edge platform may use limited operational cookies and logs to deliver, secure, and monitor the site (for example, traffic routing and bot mitigation).
- Google Analytics 4 — used only with your consent to understand how the site is used in aggregate, with IP anonymisation and a short data retention period configured.
Until our cookie consent banner is fully live, non-essential cookies and analytics tags do not load by default. Full details — including cookie names, expiries, and how to change your choices — are in our Cookie Policy.
11. Data retention
We keep personal data only for as long as necessary for the purposes for which it was collected, including any legal, accounting, or reporting requirements. Typical retention periods are:
- Website enquiries and unconverted leads: up to 24 months from last contact.
- Marketing subscribers: until you opt out, or after a sustained period of inactivity (typically 24 months).
- Client engagement and project records: for the duration of the engagement and a further 7 years to meet contract, professional indemnity, and tax requirements.
- Financial, accounting, and tax records: at least 6 years (or longer where required by law).
- Server, security, and audit logs: typically 30 days to 12 months depending on the system.
- Backups: removed in line with the relevant backup rotation cycle.
When we no longer need personal data, we securely delete it or irreversibly anonymise it.
12. Data security
We take security seriously and apply technical and organisational measures appropriate to the risk, including:
- Encryption of data in transit (HTTPS/TLS) and at rest where appropriate;
- Role-based access controls, multi-factor authentication, and least-privilege provisioning;
- Hardened cloud and edge infrastructure, including reputable hosting partners;
- Vendor due diligence, contractual data protection terms, and ongoing monitoring;
- Logging, monitoring, vulnerability management, and incident response procedures;
- Secure development practices, code review, and AI-system review for client engagements;
- Regular staff training on data protection, security, and AI safety.
No system is fully immune from compromise. If you believe your data has been put at risk, contact privacy@atbeyond.com immediately so we can investigate.
13. Your rights
Subject to applicable law, you have the following rights over your personal data:
- Access — to request a copy of the personal data we hold about you and information about how it is processed.
- Rectification — to ask us to correct inaccurate or incomplete data.
- Erasure — to ask us to delete personal data in certain circumstances.
- Restriction — to ask us to limit our processing in certain circumstances.
- Objection — to object to processing based on legitimate interests, and to object to direct marketing at any time.
- Portability — to receive certain data in a structured, commonly used, machine-readable format.
- Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting prior processing.
- Automated decisions — to ask for human review of decisions made solely by automated means that have a legal or similarly significant effect on you.
- Lodge a complaint — see Section 14.
Residents of California and certain other US states have additional rights under their state laws (for example, to know, delete, correct, and limit certain uses of personal information, and to opt out of "sale" or "sharing" — Beyond does not sell or share personal information for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA).
To exercise any right, contact privacy@atbeyond.com. We will respond within one month, with the ability to extend by a further two months for complex requests, in line with the UK GDPR (as amended by the DUAA), the EU GDPR, or applicable US law. We may pause our response time where we reasonably need to verify your identity or clarify the scope of your request, and we may apply a reasonable and proportionate effort threshold for very broad requests.
14. Complaints
If you have a concern about how we handle your personal data, please raise it with us first — we want to put things right. You can:
- Email: privacy@atbeyond.com
- Mark correspondence: "Attention: Data Protection".
We will acknowledge complaints within 30 days and respond without undue delay, in line with the DUAA. If you remain unhappy, you have the right to complain to:
- United Kingdom: the Information Commissioner's Office (ICO) — ico.org.uk
- EU/EEA: the data protection authority for your country of residence, place of work, or where you believe the issue occurred.
- United States: the relevant state Attorney General or privacy regulator (for example, the California Privacy Protection Agency).
15. Children
Our services and website are aimed at professionals and businesses. We do not knowingly collect personal data from anyone under the age of 18 through the website. If you believe a child has provided personal data through the site, please contact us so we can delete it.
16. Third-party websites and services
Our website may link to third-party sites, platforms, or tools. We are not responsible for the privacy practices or content of third parties. When you leave our website, please read the privacy policy of the site you visit.
17. Changes to this Policy
We may update this Policy from time to time. The latest version will always be available at atbeyond.com/privacy. We will let you know about material changes through the website or, where appropriate, by email.
18. Contact us
- Email: privacy@atbeyond.com
- Company: At Beyond Limited (Company No. 17146628)
- Registered office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
For data protection matters, please mark correspondence "Attention: Data Protection".