Privacy Policy
Effective date: 6 May 2026
Controller: Fractionality Limited ("Fractionality", "we", "us", "our")
Fractionality Limited is committed to protecting your privacy and to handling personal data transparently, securely, and in accordance with applicable data-protection laws, including the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
This Privacy Policy explains how we collect, use, store, share, and protect personal data across all of our activities, including:
Our consultancy and fractional-CFO business operated under fractionality.xyz.
Our AI platform at fractionality.ai, including the four AI leaders (Frank, Ben, Jax, Lucy), the Boardroom, the Pitch Tear-Down (PTD), the CxO Hotline, integrations, and saved conversations and files.
Our marketing, recruitment, compliance, and business-development activities.
This Policy supersedes the earlier privacy policy published at fractionality.xyz/privacy-policy in respect of the fractionality.ai platform. The consultancy provisions remain consistent with that earlier policy and are reproduced here for completeness.
1. Who We Are
Fractionality Limited is a UK-based provider of fractional CFO services, strategic financial advisory services, and related AI-powered tools. For the purposes of UK data-protection law, Fractionality Limited is the data controller.
2. Scope of This Policy
This Policy applies to personal data collected through:
Our websites and domains, including fractionality.ai, fractionality.xyz, and any associated subdomains.
The fractionality.ai platform and its features (single-leader chat, the Boardroom, PTD, the CxO Hotline, integrations, account settings, billing, support).
Direct enquiries, contact forms, scheduling, and email correspondence.
Marketing and business-development activities.
Recruitment, contractor onboarding, and due-diligence processes.
Compliance activities, including AML and KYC where applicable.
Analytics, cookies, and website-usage tracking.
3. Personal Data We Collect
3.1 Account Data (fractionality.ai)
When you create an account or sign in, we collect:
First name and last name (you may sign up by email or via a third-party identity provider such as Google).
Email address.
Authentication metadata (provider, sign-in timestamps, login count).
Account preferences (theme, layout-collapse state, Boardroom tone, speaking-order preferences).
Subscription tier and feature entitlements.
3.2 Conversation and Content Data (fractionality.ai)
When you use the leaders, the Boardroom, or PTD, we may process:
Chat inputs you provide and AI-generated responses.
Files you upload (pitch decks, supporting documents, screenshots).
PTD reports, scores, sub-scores, and report tokens.
Sharing grants you create (recipient email, access level, revocation status).
Session metadata (timestamps, session identifiers, conversation logs, model and mode used).
Usage telemetry needed to enforce daily caps, rate limits, and anti-abuse guardrails.
3.3 Payment Data
When you purchase a subscription, credits, or a one-off product:
Stripe customer identifiers, subscription identifiers, invoice references.
Plan, status, currency, and billing cycle.
We do not store full card details. Card processing is handled by Stripe under its own terms; we receive only tokenised references and limited metadata (card brand, last four digits, country, expiry month and year).
3.4 Integration Data
When you connect a third-party service (currently Xero for accounting data and Google Analytics for website data; Microsoft sign-in is staged for future release; others may be added):
OAuth refresh tokens and minimum scopes needed to call the third-party API on your behalf. Tokens are stored in encrypted form and are never returned to the browser; they are accessed only via a controlled server-side view.
The data fetched from the integration when a leader uses it (for example, profit and loss summaries from Xero, top-pages reports from GA4). Fetched data may appear in your conversations and reports.
3.5 Communications Data
Records of emails sent to you (transactional, drip, marketing).
Resend webhook events (delivered, opened, bounced, complained) used to maintain email-list hygiene.
Records of CxO Hotline submissions, meeting requests, and any escalations.
3.6 Technical and Usage Data
IP address, browser type, device information, operating system.
Page visits, route navigation, and PWA version checks.
Performance and error logs.
Cookie identifiers (see section 8).
3.7 Consultancy Data (fractionality.xyz)
For our human consultancy business:
Business and contact data (name, role, company, email, phone, business information you choose to provide).
Marketing and relationship data (preferences, communication records, event attendance, content engagement).
Recruitment and contractor data (CVs, professional history, qualifications, right-to-work checks, references, assessment notes).
Compliance and regulatory data (AML and KYC information, identification documents, ownership and control details, transaction-related compliance records).
3.8 Two Categories of Conversation Storage
We handle conversation data in two distinct ways:
Operational logs (all users, including guests). Conversations and requests are temporarily logged for operational, security, abuse-prevention, and service-quality purposes, whether or not you save the conversation. These logs include conversation content, model used, tier at the time, and metadata. Retention is limited (see section 11).
Saved conversations (account users only). Where you choose to save a conversation, it is associated with your account so you can return to it. You may delete any saved conversation at any time. Free-tier accounts may be limited to one saved conversation; paid tiers allow more.
4. How We Use Personal Data
We use personal data to:
Provide, operate, and maintain the Service, including authenticating you, generating leader responses, running the Boardroom orchestrator, generating PTD reports, calling integrations on your behalf, and serving emails and notifications.
Manage subscriptions, credits, billing, refunds, and customer-portal access.
Enforce daily caps, rate limits, content-safety classifiers, and anti-abuse guardrails.
Diagnose technical issues, monitor performance, and respond to support requests.
Send transactional and (where consented) marketing communications.
Personalise the experience (for example, addressing you by your first name; remembering your saved Boardroom tone and speaking-order preferences).
Recruit and manage contractors and employees.
Meet legal, regulatory, AML, and KYC obligations.
Protect our business, our users, and our systems from misuse.
In relation to the AI platform specifically, personal data is used to:
Enable conversation continuity for account users who save conversations.
Maintain platform security and integrity.
Investigate model errors, hallucinations, and abuse.
Improve our prompt orchestration, routing logic, and report templates (see section 6 on AI training and confidentiality).
5. Lawful Bases for Processing
We process personal data under one or more of the following lawful bases:
Consent where you have provided clear permission (for example, marketing emails, saving a conversation, connecting an integration).
Contract where processing is necessary to perform or enter into a contract with you (for example, providing the Service you have signed up for, billing).
Legitimate interests to operate, secure, debug, and improve our business, provided your interests and fundamental rights do not override ours.
Legal obligation where processing is required by law or regulation (for example, tax, AML, KYC, responding to lawful requests).
Saved conversations linked to an account are processed on the basis of explicit user consent, which you may withdraw at any time by deleting the saved conversation or your account.
6. AI, Confidentiality, and Training
6.1 What the leaders are
The leaders (Frank, Ben, Jax, Lucy) and the Boardroom are AI-powered tools designed to help you think through business, financial, commercial, technological, and marketing topics. They do not provide regulated advice and do not replace qualified professional advisers.
6.2 How AI providers process your data
Generating a leader response requires sending your prompt and relevant context to a third-party large-language-model provider via a controlled gateway. We currently use models from Google (Gemini family) and OpenAI (GPT family) routed through the Lovable AI Gateway. These providers process prompts under contractual terms that prohibit using your content to train their general-purpose models.
6.3 Confidentiality commitments
Subject to section 6.4:
Your conversation content is not used to train any large language model, whether public, private, or proprietary.
Your conversation content is not sold to third parties.
Your conversation content is not made publicly available by us.
6.4 What we may do
We may use aggregated, anonymised, or de-identified data that cannot reasonably be used to identify you or your business to monitor service quality, debug issues, and improve our prompt orchestration, routing logic, and report templates.
Authorised Fractionality personnel may access conversation content where necessary to investigate technical issues, respond to abuse reports, comply with legal obligations, or operate the Service. Access is limited and logged.
6.5 Limits of confidentiality
We cannot promise end-to-end encryption of conversations. You should not paste secrets (for example, passwords, API keys, full payment card numbers, government identifiers) into the Service.
6.6 Anonymous users
For guest sessions (no account), the leaders are designed not to claim memory of past sessions or to recognise you across visits. Operational logs may still record metadata as described in this Policy.
6.7 No PII redaction in transit
We do not strip personal data from your prompts before sending them to AI providers, because doing so would degrade the quality of responses and our leaders' ability to address you correctly. You control what you put into the prompt.
7. Data Sharing
We share personal data only as follows:
Service providers acting under our instructions, including:
Lovable Cloud / Supabase (database, authentication, file storage, edge functions).
Lovable AI Gateway routing to Google and OpenAI (model inference).
Stripe (payment processing, subscriptions, billing portal).
Resend (transactional and marketing email delivery).
Google Analytics (website analytics; only if you accept analytics cookies).
ElevenLabs (voice synthesis; currently disabled in the user interface; reserved for future use).
Perplexity and Firecrawl (web search and content fetching as part of leader tools).
Xero, Google Analytics (when you authorise integrations).
Professional advisers (lawyers, accountants, auditors) where reasonably necessary.
Authorities and regulators where required by law.
Successors in business in the event of a merger, acquisition, or restructuring, with appropriate safeguards.
We do not sell personal data. We do not share conversation content with third parties except as required to provide the Service (for example, sending the prompt to the AI provider so it can generate a response) or as required by law.
8. Cookies and Analytics
We use a small set of cookies and similar technologies:
Strictly necessary cookies for authentication, session management, CSRF protection, and remembering UI preferences (theme, layout collapse). These cannot be opted out of.
Analytics cookies (Google Analytics) to understand how the Service is used. These are loaded only if you accept analytics in the cookie banner.
Functional cookies for features such as anti-abuse guardrails and rate limiting.
You can manage cookie preferences via the cookie notice banner on the site or via your browser settings. The banner respects an explicit opt-out and is not auto-dismissed.
9. International Transfers
Where personal data is transferred outside the United Kingdom, we rely on appropriate safeguards under UK GDPR, including UK International Data Transfer Agreements, the UK Addendum to the EU Standard Contractual Clauses, or transfers to jurisdictions covered by UK adequacy regulations. Many of our service providers process data in the United States, the European Union, and other regions; their contracts with us include UK-compliant safeguards.
10. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
Row-Level Security policies on our database, with mandatory user-scoped filters on all user-owned data.
Server-side validation of subscription tier, credit balance, and feature gating.
Encryption at rest for OAuth tokens; tokens are never returned to the browser.
HTTPS in transit.
Rate limits, anti-spam guardrails, and content-safety classifiers on AI inputs and outputs.
Limited and logged access for authorised personnel.
Regular review of dependencies and security findings.
No system is perfectly secure. We will notify affected users and the relevant authorities of any personal-data breach as required by law.
11. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including legal, regulatory, contractual, and legitimate business requirements. As a guide:
Account data: retained while your account is active and for a reasonable period after deletion to handle billing, fraud, and legal requirements.
Saved conversations and files: retained until you delete them or your account.
Operational conversation logs: retained for a limited operational window (typically up to 12 months) and then deleted or anonymised, except where longer retention is needed for security investigations, legal claims, or audit.
Rate-limit records: automatically pruned after 48 hours.
Login events and audit logs: retained for security and audit purposes for a reasonable period.
Payment and billing records: retained for at least seven years to meet UK tax and accounting requirements.
Marketing data: retained until you withdraw consent or we determine the data is no longer needed.
AML and KYC records: retained for at least five years after the end of the relationship, in line with UK regulatory requirements.
12. Your Rights
Under UK GDPR you have the right to:
Access the personal data we hold about you.
Rectify inaccurate or incomplete data.
Erase personal data ("right to be forgotten") where applicable.
Restrict or object to processing.
Data portability for data you provided where processing is based on consent or contract.
Withdraw consent at any time where processing is based on consent.
Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, email hello@fractionality.xyz. We may need to verify your identity before responding. We aim to respond within one month.
13. Children
The Service is not intended for, and may not be used by, anyone under the age of 18.
14. Automated Decision-Making
We do not make solely automated decisions that produce legal or similarly significant effects on you. AI-generated outputs (including PTD scores) are decision-support, not decisions. You remain responsible for any decision you make based on output from the Service.
15. Changes to This Policy
We may update this Policy from time to time. The latest version will always be published on the Service. Material changes will be notified via the Service or by email. The "Effective date" at the top of this Policy indicates when it was last updated.
16. How to Contact Us
For questions about this Policy or your personal data:
Email: hello@fractionality.xyz
Controller: Fractionality Limited, United Kingdom.
You can also contact the UK Information Commissioner's Office at ico.org.uk if you have unresolved concerns.
End of Privacy Policy.