Privacy Policy

1. Who we are (Data Controller)

Marble City AI ("we", "us", "our") is an AI automation and consulting agency based in Kilkenny, Ireland. For the purposes of the EU/Irish General Data Protection Regulation (GDPR), we are the data controller of the personal data collected through this website and our client engagements.

Contact: Liam@marblecityai.com
Location: Kilkenny, Ireland
We have not appointed a statutory Data Protection Officer (DPO) as we are not required to do so under Article 37 GDPR. All data protection enquiries should be directed to the contact above.

2. What personal data we collect

• Contact form submissions: name, email address, company name, phone number (optional), and the message you send.
• Pitch audit submissions: optionally your email address, the answers you provide, and the calculated score / band.
• Technical & analytics data: truncated/anonymised IP address, device and browser type, operating system, referring URL, pages visited, approximate geographic location (country/region), and interactions with the site.
• AI tool inputs / outputs: any prompts, files or content you submit to AI features on the site, and the responses generated. See section 7.
• Hosting & server logs: our hosting providers automatically log IP addresses, request headers and user-agent strings for security, abuse prevention and performance.

3. Why we use it & legal basis (GDPR Art. 6)

• Responding to enquiries & delivering pitch audit results — legal basis: consent (you submitted the form) and pre-contractual steps (Art. 6(1)(b)).
• Providing AI features on the site — legal basis: consent when you submit inputs.
• Analytics & product improvement (Google Analytics, Google Search Console) — legal basis: consent via our cookie banner. Analytics cookies are blocked until you opt in.
• Security, fraud prevention and hosting logs — legal basis: legitimate interests (Art. 6(1)(f)) in operating a secure website.
• Marketing pixels (future use) such as Meta/Facebook Pixel or LinkedIn Insight Tag — legal basis: consent. These will only fire after explicit opt-in.
• Legal compliance — Art. 6(1)(c) where we must retain data to meet tax, accounting or regulatory obligations.

4. Third parties & sub-processors

We do not sell or rent your personal data. We share it only with the following categories of vendors, each acting as a processor or independent controller under written terms:

All processors are bound by written agreements requiring them to process data only on our documented instructions and to implement appropriate security measures.

5. International data transfers

Some vendors above (notably Google, GitHub, Stripe and certain AI providers) process data in the United States or other countries outside the European Economic Area (EEA). Where this happens we rely on the EU–US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses (SCCs), together with supplementary technical measures such as encryption in transit and at rest, to ensure your data receives a level of protection essentially equivalent to that provided under EU law.

6. Cookies & tracking

• Strictly necessary cookies — required for the site to function (e.g. security, load balancing, consent state). No consent required.
• Analytics cookies — Google Analytics 4. Set only after you opt in.
• Marketing pixels (e.g. Meta Pixel, LinkedIn Insight Tag) — only deployed in the future once consent is collected, and never by default.

Non-essential cookies remain blocked until you actively opt in via our consent banner. You can change or withdraw your preferences at any time, or block cookies through your browser settings.

7. AI-specific disclosures

• Inputs vs. outputs. "Inputs" are the prompts, files and information you submit to our AI features or to AI systems we build for clients. "Outputs" are the responses those models generate. Both may be processed transiently by third-party model providers.
• No model training on your data. We do not train, fine-tune or otherwise use your inputs to improve generally-available AI models. Where the provider supports it, we route requests through commercial / zero-retention API endpoints (e.g. OpenAI API "no training" terms, Anthropic commercial terms) so your data is not used to train their foundation models.
• Retention by AI providers. AI providers may retain inputs briefly (typically up to 30 days) for abuse monitoring before deletion. Where zero-retention is available for client engagements, we enable it.
• No solely-automated decisions with legal effect. Our AI tools (including the pitch audit) produce informational output only. We do not use AI to make decisions that produce legal or similarly significant effects on you within the meaning of Article 22 GDPR. A human is always involved before any client-impacting decision is made.
• Confidential business data. Do not submit sensitive personal data (special categories under Art. 9 GDPR) or third-party confidential information into our public AI features. For client engagements we agree appropriate confidentiality and data-handling terms separately.

8. Data retention

• Contact form submissions: up to 24 months from last contact, then deleted.
• Pitch audit submissions: up to 12 months, then deleted.
• Google Analytics data: 14 months (GA4 default), then automatically deleted.
• Hosting logs: up to 30 days for security and debugging.
• AI inputs / outputs on the site: not stored beyond the session unless tied to a form submission above.
• Invoices & tax records (once we take payments): 6 years, as required by Irish Revenue.

You can request earlier deletion at any time (see section 10).

9. Data security

We apply appropriate technical and organisational measures including TLS/SSL encryption in transit, encryption at rest at our database provider, principle-of-least-privilege access controls, Row-Level Security policies in our database, application-level input validation, and regular review of our vendor stack.

10. Your GDPR rights

You have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase your data ("right to be forgotten"), subject to legal retention obligations.
• Restrict or object to processing.
• Data portability in a structured, machine-readable format.
• Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
• Not be subject to a solely-automated decision with legal or similarly significant effects (Art. 22).

To exercise any of these rights, email Liam@marblecityai.com. We respond within one month (Art. 12(3) GDPR).

Right to lodge a complaint. If you believe we have infringed your data protection rights, you can complain to the Irish supervisory authority: Data Protection Commission (DPC), Ireland. EEA visitors may also complain to their local supervisory authority.

11. Children

Our services are aimed at businesses and are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page and, where appropriate, by a banner on the site or direct notice to known contacts. The current version always lives at marblecityai.com/privacy.

13. Contact

Marble City AI
Kilkenny, Ireland
Email: Liam@marblecityai.com