Privacy Policy
Last updated: 29 June 2026
1. Introduction
This Privacy Policy explains how AI Studio London Ltd (company number 14837219, registered in England and Wales) ("AISL", "we", "us") handles personal data in connection with the Huki platform ("Huki", the "Platform").
Huki is provided to organisations ("Client Organisations") for use by their authorised users. This policy applies to personal data processed through the Platform.
2. Controller and processor
For the conversation content and material that a Client Organisation and its users submit to a Workspace, the Client Organisation is generally the data controller and AISL acts as a data processor on its behalf, under the terms of the agreement between AISL and that Client Organisation.
For limited account, security, and operational data needed to run the Platform, AISL acts as a controller. This policy describes both.
3. Personal data we process
- Account and identity data — name, email address, and organisation membership, handled through our authentication provider so that you can sign in and access the correct Workspace.
- Conversation content — the prompts, messages, and files you submit, and the AI-generated responses.
- Usage and technical data — logs, timestamps, model-usage records, and limited technical information (such as IP address) used for security, troubleshooting, and operating the service.
4. How and why we use personal data
We process personal data to: provide and maintain the Platform; authenticate users and enforce Workspace isolation; route prompts to the AI Models and return responses; secure the service and investigate misuse; provide support; and meet legal obligations.
Under UK GDPR our legal bases are: performance of a contract (providing the Platform), legitimate interests (securing and improving the service, in a way balanced against your rights), consent where specifically requested, and legal obligation where applicable.
5. AI model processing — and no training on your data
When you use Huki, your prompts (and any content you include) are sent to the relevant AI Model provider solely to generate a response. Client and production traffic is routed through paid, no-training provider routes, and your Content is not used to train the AI Models. We deliberately avoid free model tiers that would permit training on submitted data.
6. Where your data is stored (residency)
- Conversation data is stored on UK infrastructure — Amazon Web Services in the London region (eu-west-2) and a database hosted in the same region.
- AI Model routing uses EU-region routes by default (for example, Claude via an EU inference profile and Gemini via an EU region). A Client Organisation may request a narrower region restriction, with the trade-off of a smaller model set.
- Authentication is provided by Clerk, a US-based provider. This is the one element of the service that involves a US processor; appropriate safeguards for international transfers are described in section 9.
7. Sub-processors
We use the following third parties to provide the Platform.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud hosting and infrastructure | UK (London, eu-west-2) |
| MongoDB Atlas | Workspace database (conversation data) | UK (on AWS London) |
| Clerk | Authentication and organisation membership | United States |
| Anthropic (via AWS Bedrock) | Claude AI Models | EU |
| Google (via Vertex AI) | Gemini AI Models | EU (Netherlands) |
| Microsoft Azure OpenAI | OpenAI AI Models (planned — not yet live) | EU (Data Zone) |
8. Sharing and disclosure
We do not sell personal data. We share it only with the sub-processors above to operate the Platform, and where required by law or to protect our legal rights.
9. International transfers
Where personal data is transferred outside the UK (notably to Clerk in the US), we rely on appropriate safeguards such as the UK International Data Transfer Agreement or Addendum to EU Standard Contractual Clauses, as applicable. AI Model routing is kept within the EU as described above.
10. Retention and deletion
Conversation data is retained while the Workspace is active. When a Client Organisation's engagement ends, or on request under the agreement, the Workspace and its data are deleted — Huki supports clean per-Workspace erasure. Limited operational logs may be retained for a longer period where necessary for security or legal reasons.
11. Security
Workspaces are isolated from one another, each with its own database and access-scoped credentials. Data is encrypted in transit, access is restricted, and per-user session secrets are not shared between Workspaces. No system is perfectly secure, but we take reasonable measures appropriate to the service.
12. Your rights
Under UK GDPR you have rights to access, rectify, erase, restrict, port, and object to the processing of your personal data. Because the Client Organisation is usually the controller of Workspace content, requests are often best directed to it; you can also contact us and we will assist or route the request appropriately. You also have the right to complain to the Information Commissioner's Office (ICO).
13. Children
Huki is a business tool and is not intended for, or directed at, children under 18. We do not knowingly collect personal data from children.
14. Changes to this policy
We may update this policy from time to time. Material changes will be notified through the Platform or via your Client Organisation.
15. Contact
For privacy questions or to exercise your rights, contact admin@aistudio.london.