Legal

Privacy Policy

Last updated: 14 April 2026

1. Who we are

TALUMA AI Ltd (“TALUMA”, “we”, “us”, “our”) is a company incorporated in England & Wales (company number 17143047), with registered office at 71–75 Shelton Street, Covent Garden, London WC2H 9JQ.

For privacy enquiries, contact us at legal@taluma.ai.

2. Scope — when TALUMA is Controller vs Processor

This policy covers two distinct contexts:

  • Marketing site visitors & prospects — when you visit taluma.ai, request information, or sign up for early access, TALUMA acts as the data controller and this policy applies in full.
  • Customer employee data within the platform — when a corporate customer deploys TALUMA for its workforce, TALUMA acts as a data processor on the customer’s instructions. The customer’s own privacy notice governs the processing of their employees’ data, and a Data Processing Agreement (DPA) governs our obligations to the customer.

3. What personal data we collect

Marketing site:

  • IP address and approximate location
  • Device type, browser, operating system
  • Pages viewed and navigation patterns
  • Contact details you provide when reaching out (name, email, company)

Platform (as processor on customer instructions):

  • Name, work email address, job title, department
  • CV / résumé content uploaded by the employee or HR team
  • Skills, competencies, job history, and learning records
  • Performance and assessment data (if enabled by the customer)

4. Legal bases for processing

  • Legitimate interests — site analytics and security monitoring, where those interests are not overridden by your rights
  • Contract performance — operating the platform for customers and their employees
  • Consent — marketing communications; analytics cookies (where applicable)
  • Legal obligation — where we are required to retain or disclose data by law

5. How we use your data

  • Delivering and improving the TALUMA platform
  • Responding to enquiries and providing customer support
  • Security monitoring, fraud prevention, and abuse detection
  • Sending service-related communications (account, billing, security)
  • Marketing communications (with consent; you may opt out at any time)
  • Compliance with legal and regulatory obligations

6. AI and automated processing

The TALUMA platform uses large language models (LLMs) provided by Anthropic to perform skill extraction, gap analysis, and workforce recommendations. We want to be transparent about how this works:

  • Your data is not used to train foundation models. Anthropic processes data in zero-retention mode; no customer or employee data is retained by Anthropic beyond the duration of each API call.
  • AI-generated recommendations include human-reviewable rationale so that employees and HR teams can understand and challenge outputs.
  • Users may request human review of any AI-generated recommendation that significantly affects them by contacting their HR administrator or emailing legal@taluma.ai.
  • No solely automated decision-making with legal or similarly significant effects is performed without human oversight.

7. Subprocessors

We engage the following subprocessors to operate the platform. All subprocessors are bound by data processing agreements consistent with UK GDPR requirements.

  • Clerk (US / EU) — authentication and identity management
  • Neon (EU Frankfurt) — managed PostgreSQL database hosting
  • Vercel (Global CDN) — application hosting and edge delivery
  • Anthropic (US, zero-retention mode) — AI inference for skill extraction and recommendations
  • Postmark (US) — transactional email delivery
  • Google Workspace (EU) — internal business operations

8. International transfers

Some of our subprocessors are based outside the UK/EEA (notably Anthropic and Postmark in the United States). Where personal data is transferred to a country without an adequacy decision, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, together with the UK International Data Transfer Addendum (UK IDTA) where required
  • Transfer Impact Assessments (TIAs) for high-risk transfers

9. Retention

  • Marketing / prospects: contact data retained for 24 months from your last interaction with us, or until you request deletion.
  • Platform (as processor): employee data is retained for the duration of the customer contract plus 90 days post-termination, after which it is permanently deleted unless a longer period is required by law.

10. Your rights (UK / EU GDPR)

You have the following rights regarding your personal data:

  • Access — obtain a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion (“right to be forgotten”)
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — at any time where processing is based on consent
  • Lodge a complaint — with the UK Information Commissioner’s Office (ICO) at ico.org.uk

To exercise any of these rights, email legal@taluma.ai. We will respond within one calendar month.

11. Data security

  • All data in transit is encrypted using TLS 1.3
  • Data at rest is encrypted using AES-256
  • Access to production systems is controlled via Clerk RBAC and audit logging
  • We conduct regular security reviews and vulnerability assessments

12. Children

The TALUMA platform is a B2B workforce intelligence service. It is not directed at individuals under the age of 16 and we do not knowingly collect personal data from children.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify platform users by email. Your continued use of TALUMA after any change constitutes acceptance of the updated policy.

14. Contact

TALUMA AI Ltd
71–75 Shelton Street, Covent Garden
London WC2H 9JQ
England & Wales

Email: legal@taluma.ai