1. Who We Are

The data controller for personal data processed through this website and the BAIC Client Portal is:

As data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring that processing is lawful.

2. What Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

• Name — provided when contacting us or registering for the Client Portal
• Email address — used for correspondence and portal authentication
• Company name — provided during enquiries or onboarding
• AI conversation history — generated when using the AI assistant within the Client Portal
• Usage logs — technical records of portal access, including timestamps and feature usage, collected for security and service improvement

We do not collect special category data (as defined in GDPR Article 9) and do not knowingly collect data from persons under 18 years of age.

3. Legal Basis for Processing

We process personal data only where we have a valid legal basis under GDPR Article 6. The bases we rely on are as follows:

• Article 6(1)(b) — Contract performance: Where you are a client using the BAIC Client Portal, we process your name, email address, and AI conversation history as necessary to perform our consulting services agreement with you.
• Article 6(1)(f) — Legitimate interests: Where you submit an enquiry via our website without being an existing client, we process your contact details on the basis of our legitimate interest in responding to business enquiries. This interest is not overridden by your rights, given the minimal data involved and the reasonable expectation of contact when submitting an enquiry form.

Personal data is never sold to third parties.

4. The BAIC Client Portal

The BAIC Client Portal is a secure, invite-only platform that provides clients with access to an AI assistant, resources, and project materials.

When you use the Client Portal:

• Your AI conversation history is stored securely within the portal database so that context is preserved across sessions.
• Conversation history is accessible only to you (the authenticated user) and to Daniel Barniville as data controller, solely for the purpose of service delivery, troubleshooting, and quality assurance.
• Your conversation history is not shared with other clients or any third party not listed in this policy.
• The AI assistant is powered by Claude (Anthropic) via AWS Bedrock. Conversation data is processed in the EU (Ireland) region and is not used to train AI models.

Portal access is authenticated on a per-user basis. Row-level security controls ensure that each client can only access their own data.

5. Data Processors and Sub-processors

We use the following third-party processors to operate our services. Each acts only on our documented instructions and is bound by a Data Processing Agreement (DPA):

No other sub-processors are used. We will notify you of any material change to sub-processors before it takes effect.

6. Retention Periods

We retain personal data only for as long as is necessary for the purpose for which it was collected:

• Active client data (name, email, company): retained for the duration of the consulting engagement plus 12 months following its conclusion.
• AI conversation history: deleted after 12 months of inactivity.
• Enquiry data (non-clients): retained for up to 2 years from the date of the last communication.
• Usage logs: retained for up to 12 months for security and audit purposes.

After the applicable retention period, data is securely deleted or anonymised.

7. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR. You may exercise any of these rights by contacting us at daniel@baic.ie. We will respond within 30 calendar days of receipt of your request.

• Right of access (Article 15): You may request a copy of the personal data we hold about you.
• Right to rectification (Article 16): You may request correction of inaccurate or incomplete data.
• Right to erasure (Article 17): You may request deletion of your personal data where there is no compelling reason for us to continue processing it.
• Right to data portability (Article 20): You may request your data in a structured, commonly used, machine-readable format.
• Right to object (Article 21): You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.

There is no charge for exercising these rights. If a request is manifestly unfounded or excessive, we reserve the right to charge a reasonable fee or decline to act, with reasons provided in writing.

8. International Transfers

All personal data collected and processed by Barniville AI Consulting is stored and processed within the European Union, specifically in Ireland (AWS eu-west-1 and Supabase eu-west-1).

No personal data is transferred outside the European Economic Area (EEA).

9. Data Breach Notification

In the event of a personal data breach, we will:

• Notify the Irish Data Protection Commission (DPC) within 72 hours of becoming aware of the breach, where it is likely to result in a risk to the rights and freedoms of individuals.
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

All breaches, regardless of severity, are logged internally.

10. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects, as described in GDPR Article 22.

The AI assistant within the Client Portal provides information and suggestions but does not make decisions about you without human involvement.

11. Changes to This Privacy Policy

This Privacy Policy may be updated from time to time to reflect changes to our practices or applicable law. The effective date at the top of this page will be updated accordingly.

We will notify active portal clients of any material changes by email prior to the change taking effect.

12. Contact and Supervisory Authority

For any questions about this Privacy Policy, to exercise your data subject rights, or to raise a concern about how your data is handled, please contact:

If you are not satisfied with our response, you have the right to lodge a complaint with the Irish supervisory authority: