1. GDPR Compliance Statement

Barniville AI Consulting is subject to the General Data Protection Regulation (EU) 2016/679 and the Data Protection Acts 1988–2018 (Ireland).

Roles under GDPR:

• Data Controller: Barniville AI Consulting (Daniel Barniville) determines the purposes and means of processing personal data collected via this website and the Client Portal. All data controller obligations under GDPR are the responsibility of Daniel Barniville.
• Data Processors: Supabase (database) and Amazon Web Services (hosting and AI compute) act as data processors on our behalf. Each processes personal data only on our documented instructions and is bound by a signed Data Processing Agreement (DPA) in accordance with GDPR Article 28.

Personal data is collected and processed lawfully under GDPR Article 6(1)(b) (contract performance, for portal users) and Article 6(1)(f) (legitimate interests, for website enquiries).

2. Data Residency

All personal data collected and processed by Barniville AI Consulting is stored and processed exclusively within the European Union:

No personal data is transferred outside the European Economic Area (EEA).

3. Security Measures

The following technical and organisational security controls are applied to protect personal data:

• Row-Level Security (RLS): Database-level access controls in Supabase ensure that each authenticated user can access only their own data. No client can access another client's records.
• Encryption in transit: All data transmitted between clients and the portal is encrypted using TLS 1.2 or higher.
• Encryption at rest: Data stored in Supabase and on AWS is encrypted at rest using AES-256.
• Access controls: Portal access is restricted to invited users only. Authentication is managed via Supabase Auth.
• Invite-only authentication: New users can only access the Client Portal upon receipt of a direct invitation. Self-registration is not permitted.

No system can be guaranteed to be entirely secure. In the event of a breach, we will act in accordance with GDPR Article 33 (72-hour DPC notification) and Article 34 (individual notification where required).

4. AI Transparency

The AI assistant available within the BAIC Client Portal is powered by Claude (Anthropic), accessed via AWS Bedrock in the EU Ireland region.

You should be aware of the following:

• Conversation history is stored in the portal database to maintain context across sessions. It is accessible only to the authenticated user and the data controller.
• Conversation data is used solely to provide the consulting service. It is not used to train AI models and is not shared with Anthropic for training purposes.
• AI-generated outputs may be inaccurate, incomplete, or outdated. Clients are responsible for reviewing all AI outputs before relying on them for business decisions.
• The AI does not make automated decisions about clients. All significant recommendations require human review.

5. Sub-processors

Barniville AI Consulting engages the following sub-processors in the delivery of its services:

No other sub-processors are engaged. We will provide notice of any material change to sub-processors before the change takes effect.

6. Data Subject Rights Procedure

You have rights under GDPR including access, rectification, erasure, portability, and objection. To exercise any of these rights:

• Send your request by email to daniel@baic.ie
• Include your name and the nature of your request
• We will acknowledge receipt and respond within 30 calendar days
• We may ask you to verify your identity before processing the request

There is no charge for a data subject rights request unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline to act, with written reasons provided.

7. Responsible Use of Artificial Intelligence

Barniville AI Consulting promotes responsible AI usage in all client engagements.

Our principles include:

• Human oversight of all AI-generated outputs
• Verification of AI-generated information before use in business decisions
• Responsible prompt engineering and system design
• Honest disclosure of AI system limitations
• Avoidance of exaggerated claims regarding AI capabilities

Clients remain responsible for reviewing, validating, and taking responsibility for all decisions made using AI outputs.

8. Supervisory Authority

The supervisory authority for data protection in Ireland is the Data Protection Commission (DPC). If you are not satisfied with our response to a data protection concern, you may lodge a complaint with the DPC:

9. Contact

For any questions regarding this Compliance page or our data protection practices, please contact: