
Privacy Policy

Last updated: 2026-03-22

Who We Are

Bartram Compliance is a digital compliance screening service operated by Rob Alsop as a sole trader. We help UK businesses identify common compliance issues on their websites, covering GDPR/UK GDPR, web accessibility (WCAG 2.2 / European Accessibility Act), cookie compliance, and content health.

Contact details:

We are registered with the Information Commissioner’s Office (ICO) as a data controller. Registration number: [pending registration].

What Data We Collect and Why

We collect personal data in two contexts: when we scan websites as part of our prospecting and service delivery, and when you engage with us as a customer.

Data collected during website scanning

When we scan a publicly accessible website (either as part of prospecting or a paid screening), we collect the following data from the public-facing pages of the website:

  • Publicly accessible page content (HTML) — to identify compliance issues (GDPR, accessibility, cookies, content health)
  • Privacy policy text — to assess GDPR compliance
  • Tracking scripts and cookies detected — to assess cookie consent compliance
  • Accessibility scan results — to assess WCAG 2.2 compliance
  • Broken links and content health data — to assess content quality

Incidental personal data: Website scans may incidentally capture personal data visible on public web pages, such as names on “About” pages or contact email addresses. We do not seek out this data — it is a byproduct of scanning the publicly accessible website content.

Data collected from customers

When you purchase a screening from us, we also collect:

  • Your name and business name — to deliver the service and communicate with you
  • Your email address — to deliver your report and handle follow-up
  • Your payment details — to process your payment (via Stripe — we do not store card details ourselves)
  • Your feedback responses — to improve our service (if you choose to provide feedback)

Data collected during prospecting

If we contact you about compliance issues we found on your website before you become a customer, we will have collected:

  • Your company name and website URL — to identify your business and its compliance posture
  • A generic contact email from your website (e.g., info@, admin@) — to deliver the outreach message
  • 2–3 headline compliance findings from a scan of your public website — to demonstrate the value of the screening service

Our Lawful Basis for Processing

Under UK GDPR, we must have a lawful basis for processing personal data. The bases we rely on are:

  • Customer data (delivering a paid screening) — Contract (Article 6(1)(b)). Processing is necessary to perform the contract you entered into when purchasing a screening.
  • Prospecting (scanning your website and contacting you) — Legitimate interest (Article 6(1)(f)). We have a legitimate business interest in identifying prospective customers. We have completed a Legitimate Interest Assessment confirming that this processing is necessary, proportionate, and does not override your rights. You can object to this processing at any time.
  • Payment processing — Contract (Article 6(1)(b)). Necessary to process your payment for the service.
  • Feedback collection — Legitimate interest (Article 6(1)(f)). To improve our service. You are not required to provide feedback.

How We Use AI

Our screening reports are generated using a combination of automated scanning tools and AI analysis (Claude API, provided by Anthropic). The AI interprets scan results, prioritises findings, and drafts remediation guidance.

Important points about our AI use:

  • The AI analyses publicly accessible website content and scan results. It does not access private data, login-protected areas, or databases.
  • All AI-generated reports undergo human quality review before delivery.
  • AI analysis is performed via the Claude API. Anthropic’s data retention policy applies to data processed through the API — see Anthropic’s privacy policy at anthropic.com/privacy for details. We do not send your personal contact details to the AI; only website content and scan results are processed.

Who We Share Data With

We share personal data only with the following categories of recipients, and only to the extent necessary:

  • Anthropic (Claude API) — AI-powered analysis of scan results. Data shared: website content, scan results (not your personal contact details).
  • Stripe — Payment processing. Data shared: payment details (name, email, card details — processed by Stripe, not stored by us).
  • Email provider — Delivering reports and communications. Data shared: your email address and name.

We do not sell personal data to third parties. We do not share prospect data with anyone.

How Long We Keep Your Data

We retain personal data only for as long as necessary for the purpose it was collected:

  • Prospect scan data (you didn’t become a customer) — 3 months from the scan date, or 3–6 months from last contact. Then deleted permanently.
  • Customer scan data and reports — Duration of our engagement plus 6 years. Then deleted or anonymised. The 6-year period aligns with UK tax, accounting, and potential legal claims requirements.
  • Customer contact details — Duration of relationship plus 6 years. Then deleted.
  • Payment records — 6 years from the transaction date. Then deleted. Required for tax and accounting purposes.
  • Feedback responses — 12 months. Then anonymised for trend analysis or deleted.
  • Objection/opt-out records — Indefinitely. We retain a record that you objected (name/email only) so we can ensure we do not contact you again.

Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access — You can request a copy of the personal data we hold about you.
  • Right to rectification — You can ask us to correct inaccurate personal data.
  • Right to erasure (“right to be forgotten”) — You can ask us to delete your personal data. We will do so unless we have a legal obligation to retain it.
  • Right to restrict processing — You can ask us to limit how we use your data.
  • Right to data portability — You can request your data in a structured, machine-readable format.
  • Right to object — You can object to our processing of your data at any time, particularly where we rely on legitimate interest as the lawful basis. If you object to prospecting-related processing, we will stop immediately and delete your data.
  • Right to withdraw consent — Where we rely on consent (which is not the primary basis for our processing), you can withdraw it at any time.

How to exercise your rights

Contact us at: hello@bartram.ai

We will respond to your request within one month of receiving it, as required by UK GDPR. There is no charge for exercising your rights.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website Scanning and the Computer Misuse Act

Our automated scanning tools only access publicly available web pages — the same content visible to any web browser. We do not attempt to access login-protected areas, databases, or any content not intended for public access. We respect robots.txt directives: if your website’s robots.txt file prohibits automated access, we will not scan your site.

If you do not wish us to scan your website, please contact us at hello@bartram.ai and we will add your domain to our exclusion list.

Cookies on This Website

This website does not set any cookies. We do not use analytics tracking, advertising pixels, or any third-party scripts that place cookies on your device. If you proceed to purchase via Stripe, Stripe’s own cookie policy applies on their hosted checkout page.

Changes to This Policy

We may update this privacy policy from time to time. The “Last updated” date at the top of this page indicates when the policy was last revised. If we make material changes, we will notify affected individuals where practicable.

Data Protection Registration

Bartram Compliance is registered with the ICO as a data controller.

  • Registration number: [pending registration]
  • Controller: Rob Alsop
  • Contact: hello@bartram.ai