Privacy Policy
Last updated: 18 April 2026
This Privacy Policy describes how TMK Marketing Intelligence Ltd (“TMK”, “we”, “us”) collects, uses, and protects your personal data when you use the Tommy & Spartan platform (“Service”). We are the data controller for the purposes of applicable data protection legislation, including the UK GDPR and EU GDPR.
1. Data We Collect
Account data: Email address, name, company name, and authentication credentials (managed by Firebase).
Marketing data: Company information, brand details, competitive landscape, customer personas, and other marketing inputs you provide during diagnostics and strategy sessions.
Generated content: Documents, strategies, content, and other outputs created by the AI agents on your behalf.
Usage data: Agent interactions, action counts, feature usage, session duration, and navigation patterns.
Billing data: Subscription plan, payment method details (processed and stored by Stripe — we do not store full card numbers), and transaction history.
Technical data: IP address, browser type, device information, and error logs.
2. How We Use Your Data
- Service provision: Processing your inputs through AI agents, generating outputs, and delivering the core Service.
- AI processing: Sending your inputs to third-party LLM providers (see Section 3) to generate marketing outputs.
- Analytics: Understanding usage patterns to improve the Service.
- Billing: Processing payments and managing subscriptions.
- Communications: Sending transactional emails (receipts, usage alerts, platform updates).
- Quality assurance: Reviewing outputs through automated quality gates.
We process your data on the legal bases of contractual necessity (to provide the Service you have subscribed to), legitimate interest (to improve the Service), and consent (where explicitly obtained).
3. Third-Party Data Processors
We use the following third-party services to deliver the Service:
| Provider | Purpose | Location |
|---|---|---|
| Anthropic | LLM processing (Claude API) | United States |
| Google Cloud Platform | Infrastructure hosting | EU / Australia |
| Firebase | Authentication | United States |
| Stripe | Payment processing | United States |
| PostHog | Product analytics | EU (Frankfurt) |
| Contentsquare | UX analytics (when enabled) | EU / per Contentsquare terms |
| Sentry | Error tracking | United States |
Anthropic processes your marketing inputs to generate AI outputs. Anthropic does not store conversation data beyond the duration of processing and does not use your data to train their models. Refer to Anthropic’s commercial terms for full details.
4. Data Retention
Active accounts: Your data is retained for as long as your account is active and the Service is in use.
Cancelled accounts: Your workspace is archived for 90 days following cancellation, during which you may reactivate and recover your data. After 90 days, workspace data is permanently deleted.
Billing records: Transaction records are retained for 7 years to comply with financial reporting obligations.
LLM processing: Conversations are processed in real-time and are not retained by Anthropic beyond the processing window.
5. Your Rights (GDPR)
If you are located in the UK or European Economic Area, you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data (“right to be forgotten”).
- Portability: Request your data in a structured, machine-readable format.
- Restriction: Request that we limit processing of your data.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact privacy@tommycmo.com. We will respond within 30 days.
6. International Data Transfers
Some of our processors are located outside the UK and EEA. Where data is transferred to the United States, we rely on the EU-US Data Privacy Framework (for certified providers such as Anthropic and Stripe) and Standard Contractual Clauses (SCCs) where the DPF does not apply. We ensure all transfers provide an adequate level of data protection in compliance with applicable legislation.
7. Cookies and Tracking
We use a single session cookie (__session) for authentication purposes. This cookie is essential for the Service to function and does not track your activity across other websites. We do not use advertising cookies or cross-site advertising technologies.
Product analytics (PostHog) is used to understand feature usage and improve the Service. Analytics data is aggregated and pseudonymised where possible. Where we enable Contentsquare, it may collect interaction data (for example clicks, scrolls, and page views) on our own product surfaces to diagnose UX issues; refer to Contentsquare’s privacy notice for details.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS 1.3), encryption at rest (AES-256), row-level security in our database ensuring strict tenant isolation, and regular security assessments.
9. Children
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will provide at least 30 days’ notice of material changes via email. The “Last updated” date at the top of this page indicates when this policy was last revised.
11. Contact
For privacy-related enquiries: privacy@tommycmo.com
Data Protection Officer: dpo@tommycmo.com
TMK Marketing Intelligence Ltd
Registered in England and Wales