Privacy Policy
IMPORTANT NOTICE: This Privacy Policy explains how Included AI Limited (trading as Clu) collects, uses, stores, and shares personal data. It applies to everyone whose personal data we process as a Data Controller: visitors to our website, platform users, marketing contacts, and employees of our clients who interact with our optional platform modules. Where we process personal data on behalf of a client organisation as a Data Processor, that organisation's own privacy policy and our Data Processing Agreement govern that processing.
Last updated: April 2026
​
​1. Who We Are​
​
Included AI Limited, trading as Clu, is a company registered in England and Wales (Company Number: 13111292). Our registered office is at Floor 3, Capital Tower Business Centre, Greyfriars Road, Cardiff, Wales, CF10 3AG.
Clu develops software for analysing and modelling workforce architecture. Our platform processes structural organisational data provided by client organisations to produce analytical outputs that inform workforce planning and operating model decisions. We are not a recruitment platform and do not facilitate hiring between employers and job seekers.
For the purposes of UK data protection law, Included AI Limited is the Data Controller for the personal data described in this policy. Our Data Protection contact is: dpo@getaclu.
2. Who This Policy Applies To
​
​This policy applies to the following categories of individuals whose personal data we process as Data Controller:
Who You Are
What This Policy Covers For You
Website visitors
Data collected when you visit www.getaclu.io, including analytics and cookie data.
Platform users
Admin Users and Standard Users who hold a named licence and log in to the Clu platform on behalf of a client organisation.
Marketing contacts
Individuals whose details are held in our CRM (HubSpot) because they have engaged with Clu commercially or given consent to receive communications.
Client employees: Career Pathways Module
Individuals whose details are held in our CRM (HubSpot) because they have engaged with Clu commercially or given consent to receive communications.
Client employees: Work Capture Forms
Employees of a client organisation who complete a Work Capture Form via a link sent to their work email address.
Where Clu processes personal data on behalf of a client organisation as a Data Processor (for example, where a client submits data about its employees for core platform analysis), the client is the Data Controller and its own privacy notice governs that processing. This policy does not cover that processing.
​
​3. What Personal Data We Collect And Why
​
3.1 Website Visitors
When you visit www.getaclu.io, we collect data automatically through cookies and analytics tools. This includes your IP address, approximate location, device type, browser type, operating system, pages visited, time spent on pages, and referral source.
We use this data to understand how our website is used, to improve its content and performance, and — where you have consented — to serve targeted advertising. The tools we use for this are described in Section 5.
3.2 Platform Users (Admin Users and Standard Users)
When a client organisation purchases a licence, we create accounts for named Authorised Users. We collect and process the following personal data for these individuals:
-
Full name and work email address (used for account creation and login)
-
Job title and organisation name (used for account management)
-
Login activity and platform usage data (used for security, audit, and support)
-
Correspondence with Clu's support or account management teams
The lawful basis for this processing is the performance of our contract with the client organisation, and our legitimate interests in operating a secure and functional platform.
3.3 Marketing Contacts
We hold personal data about individuals who have engaged with Clu commercially or consented to receive communications. This includes:
-
Name and work email address
-
Job title, organisation, and LinkedIn profile (where provided or publicly available)
-
Notes on commercial interactions and engagement history
-
Email open and click data from marketing communications
We only add individuals to our CRM where we have a legitimate interest basis or explicit consent. Every contact record in HubSpot is documented with its lawful basis at the point of capture.
Legitimate interests: We may hold and use contact details of individuals at organisations that represent potential clients, where we have a reasonable expectation that our services are relevant to them, and where the use of their data does not outweigh their interests or rights. We have conducted a Legitimate Interests Assessment covering this processing, which is available on request.
Consent: Where individuals have actively opted in to receive marketing communications from Clu, we process their data on that basis. You can withdraw consent at any time using the unsubscribe link in any communication or by emailing hello@getaclu.io.
3.4 Client Employees: Career Pathways Module
Where a client activates the Career Pathways Module, employees of that client may be sent a link to a web application that allows them to explore role adjacency and internal mobility options based on their organisation's rebuilt workforce model.
Access is via a link sent to the employee's work email address. We process that email address to authenticate access. Employees are not required to complete any personally identifiable fields in the module; use is entirely voluntary.
Any personal data an employee voluntarily provides within the module is processed by Clu on behalf of the client organisation (Clu as Data Processor, client as Data Controller). However, because the employee has no direct contractual relationship with Clu, they may contact us directly with data rights requests at hello@getaclu.io, and we will liaise with the client organisation as appropriate.
The lawful basis for Clu's own processing of the work email address (for authentication) is our legitimate interests in providing a secure access mechanism for the module on behalf of the client.
​
3.5 Client Employees: Work Capture Forms
When a client deploys Work Capture Forms, specific employees receive a link to a short, structured questionnaire. Forms are targeted to individuals in areas of the organisation that the Clu model has flagged as presenting structural risk; they are not sent broadly.
Access is via a link sent to the employee's work email address. No personally identifiable fields are mandatory. Responses are used to validate and refine the analytical model produced for the client.
The same controller/processor framework applies as for the Career Pathways Module. Employees may contact Clu directly at hello@getaclu.io with any data rights requests.
​
4. Lawful Bases for Processing
UK GDPR requires us to identify a lawful basis for each processing activity. The table below sets out our processing activities and the basis on which we rely for each.
Processing Activity
Lawful Basis
Website analytics and performance monitoring
Legitimate interests (understanding how our website is used and improving it). Consent where analytics cookies are set beyond strictly necessary.
Advertising and remarketing (LinkedIn, Meta)
Consent. We only place advertising cookies or pixels where you have actively consented via our cookie preference mechanism.
Platform user account management
Performance of contract (with the client organisation). Legitimate interests in operating a secure and functional platform.
Platform security, audit logging, and incident response
Legitimate interests in maintaining the security and integrity of the platform.
Marketing communications — consent basis
Consent (where individuals have opted in to receive communications from Clu).
Marketing communications — legitimate interests basis
Legitimate interests (where we have a reasonable commercial basis for contacting individuals at organisations relevant to our services, assessed via LIA).
CRM data management and sales activity
Legitimate interests in managing our commercial pipeline and client relationships.
Career Pathways Module — work email authentication
Legitimate interests in providing a secure access mechanism on behalf of the client organisation.
Work Capture Forms — work email authentication
Legitimate interests in providing a secure access mechanism on behalf of the client organisation.
Model continual learning loop (anonymised improvement)
Legitimate interests in improving the accuracy and quality of our platform. Data is anonymised and aggregated before use; a Legitimate Interests Assessment has been conducted and is available on request.
Responding to data rights requests and complaints
Legal obligation and legitimate interests in managing our legal and regulatory compliance.
Complying with legal and regulatory obligations
Legal obligation.
5. Cookies and Analytics Tools
We use cookies and similar tracking technologies on our website. Some are essential for the website to function; others are used for analytics or advertising and are placed only with your consent.
Tool / Provider
Purpose and Data Processed
Google Analytics
Website traffic analysis. Collects anonymised data on page visits, session duration, referral sources, and device/browser type. Google LLC is based in the US; data is transferred under Standard Contractual Clauses. Requires consent for non-essential cookies.
Semrush Inc.
Website performance monitoring and SEO analysis. Collects data on traffic sources and keyword performance. Semrush Inc. is based in the US; data transferred under SCCs.
Linkedin Insights Tags
Advertising and remarketing. Identifies visitors who are LinkedIn members and enables targeted advertising on the LinkedIn platform. Only placed with your consent. LinkedIn may transfer data outside the EEA under SCCs.
Meta Pixels
Advertising and remarketing. Tracks conversions and enables targeted advertising on Meta platforms (Facebook, Instagram). Only placed with your consent. Meta may transfer data to the US under SCCs.
You can manage your cookie preferences at any time using the cookie preference control on our website. You can also object to analytics cookies through your browser settings. Withdrawing consent for advertising cookies will not affect cookies that are strictly necessary for the website to function.
For further detail on how each provider handles your data, please refer to their respective privacy policies.
​
6. How We Share Personal Data
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes. We share personal data only in the following circumstances:
​
6.1 Service Providers and Sub-processors
We share personal data with a limited number of third-party service providers who process data on our behalf, including:
Tool / Provider
Purpose and Data Processed
HubSpot (US)
CRM and marketing automation. Personal data of marketing contacts is stored and processed on HubSpot's US-based servers. Data is transferred under Standard Contractual Clauses.
Siteground via Google Cloud
All platform data (including client data and platform user data) is hosted and processed within the United Kingdom.
All service providers are subject to data processing agreements that require them to process data only on our instructions, maintain appropriate security measures, and not use data for their own purposes.
​
6.2 Legal Disclosure
We may disclose personal data where required to do so by law, court order, or regulatory authority. Where permitted, we will notify the affected individual before making such a disclosure.
​
6.3 Business Transfers
If Clu undergoes a merger, acquisition, or sale of all or substantially all of its assets, personal data held by Clu may be transferred to the acquiring entity. We will notify affected individuals and ensure the acquiring entity is bound by obligations equivalent to those in this policy.
​
6.4 What We Do Not Do
-
We do not sell personal data to any third party.
-
We do not share personal data with advertisers — advertising platforms (LinkedIn, Meta) receive hashed or technical identifiers under consent; they do not receive named personal data from our databases.
-
We do not share client employee data (from the Career Pathways Module or Work Capture Forms) with any party other than the client organisation on whose behalf we are processing it.
​
7. International Data Transfers
Clu's platform infrastructure is hosted and operated entirely within the United Kingdom. All client data and platform user data is processed in the UK.
Some of our third-party service providers are based outside the UK or transfer data outside the UK. Where this occurs, we ensure that appropriate safeguards are in place:
Tool / Provider
Condition
HubSpot (US)
Standard Contractual Clauses (UK Addendum)
Google Analytics
Standard Contractual Clauses (UK Addendum)
Semrush
Standard Contractual Clauses (UK Addendum)
Standard Contractual Clauses
Meta
Standard Contractual Clauses
You can obtain further information about the transfer mechanisms we use by contacting dpo@getaclu.io.
​
8. How Long We Keep Personal Data
We retain personal data for no longer than is necessary for the purposes for which it was collected, subject to any legal obligations that require us to retain it for longer. Our standard retention periods are:
Category of Data
Retention Period
Platform user account data
For the duration of the active licence, plus 12 months following termination of the client contract. Deleted or anonymised thereafter unless legal obligation requires longer retention.
Marketing contact data (consent basis)
Until consent is withdrawn, plus a reasonable administrative period (no more than 30 days) to action the withdrawal.
Marketing contact data (legitimate interests basis)
For as long as the commercial relationship or reasonable prospect of one exists, subject to regular review. Contacts are reviewed and suppressed if there has been no engagement for 24 months.
Website analytics data
As configured in the respective tool (Google Analytics default: 14 months). Anonymised aggregate data may be retained indefinitely.
Client employee data (modules)
For the duration of the client's active contract, plus 90 days to allow for data export requests. Deleted or anonymised thereafter.
Support and correspondence records
3 years from the date of the last interaction, or longer if related to an active dispute or legal claim.
Legal and compliance records
As required by applicable law (typically 6 years for contract-related records under the Limitation Act 1980).
When data is deleted, we do so securely. When data is anonymised, it is rendered non-identifiable and may be retained for aggregated analytical purposes.
​
9. Security
We maintain appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, destruction, or alteration. These include:
-
Role-based access controls limiting access to personal data to those who need it
-
Encryption of data in transit and at rest
-
Multi-factor authentication for platform access
-
Regular security assessments and vulnerability management
-
Incident response procedures with defined notification timelines
-
Staff training on data protection and security obligations
Clu maintains Cyber Essentials certification. Our security practices are built to the standard of ISO 27001.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of it, and will notify affected individuals without undue delay where required.
If you suspect a security incident relating to your data, please contact us immediately at dpo@getaclu.io.
10. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data. These rights apply where Clu is acting as a Data Controller in respect of your data.
Type
Your Rights
Right of access
You can request a copy of the personal data we hold about you and information about how we use it. We will respond within one month.
Right to rectification
You can ask us to correct personal data that is inaccurate or incomplete.
Right to erasure
You can ask us to delete your personal data in certain circumstances — for example, where we no longer need it, or where you withdraw consent and there is no other lawful basis for processing.
Right to restrict processing
You can ask us to pause processing of your personal data in certain circumstances, for example while we verify the accuracy of data you have disputed.
Right to data portability
Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used, machine-readable format.
Right to object
You can object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to withdraw consent
Where processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
10.1 Automated Decision-Making
Clu does not use personal data to make automated decisions that produce legal or similarly significant effects about individuals. All analytical outputs produced by the platform are directed to the client organisation and require human review before any action is taken. Clu's terms of service prohibit clients from using platform outputs as the sole basis for automated decisions affecting individuals.
10.2 How to Exercise Your Rights
To exercise any of the rights above, please contact us at dpo@getaclu.io or write to us at our registered office. We will respond within one month of receiving your request. In complex cases we may extend this by a further two months, in which case we will notify you within the first month and explain why.
We will not charge a fee for responding to a rights request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline to respond.
If you are a client employee who has accessed the Career Pathways Module or a Work Capture Form and wishes to exercise your data rights, you may contact us directly at hello@getaclu.io. We will liaise with your employer as the Data Controller for your data to ensure your request is fulfilled appropriately.
​
10.3 Right to Complain
If you are dissatisfied with how we have handled your personal data or a data rights request, you have the right to complain to the Information Commissioner's Office (ICO):
-
Website: www.ico.org.uk/concerns
-
Telephone: 0303 123 1113
-
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would always prefer to resolve any concern directly before you escalate to the ICO, so please contact us first at dpo@getaclu.io.
11. Children and Age
The Clu platform is intended for use by individuals in a professional capacity and of legal working age in their jurisdiction. It is not directed at or intended for use by minors. We do not knowingly collect personal data from individuals below legal working age. If we become aware that we have done so, we will delete it promptly.
​
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance. The effective date at the top of this document indicates when it was last revised.
Where changes are material, meaning they significantly affect how we process your data or your rights, we will notify you by email (where we hold your email address) or by a prominent notice on our website, at least 14 days before the change takes effect.
Continued use of our website or platform after the effective date of a revised policy constitutes acknowledgement of the update. Where changes require fresh consent, we will seek that consent before the change takes effect.
​
13. Contact Us
For any questions about this Privacy Policy or how we handle your personal data:
General enquiries: hello@getaclu.io
Data protection queries: dpo@getaclu.io
Post: Included AI Limited, Floor 3, Capital Tower Business Centre, Greyfriars Road, Cardiff, Wales, CF10 3AG
Website: www.getaclu.io