Craig's Oracle

Privacy Policy

Last updated: 4th October 2025

1. Who we are

  • Craig's Oracle - AI Guidance (the "Site") is operated by Quantalingo Ltd ("we", "us", "our"), a company registered in the UK.
  • Registered office: Elmsmere Court, Swansea, SA2 7JN
  • Contact email: oracle@craigsoracle.com
  • Data Protection Lead: Company Secretary; oracle@craigsoracle.co

2. Scope

This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you:

  • Visit craigsoracle.com
  • Create an account and use the Dashboard
  • Book or attend an AI Oracle session
  • Communicate with us or follow our social media pages
  • View embedded content (e.g., YouTube)

3. Legal bases (UK GDPR)

We process personal data under one or more of:

  • Contract: to provide services you request (e.g., bookings, account access)
  • Legitimate interests: to secure, maintain, and improve the Site, prevent misuse, and market to existing users
  • Consent: for optional cookies, marketing emails, and processing of special category data (see Section 6)
  • Legal obligation: where required by law or regulation

4. What data we collect

A. Data you provide

  • Account data: name, email, password (hashed), profile settings
  • Booking details: session type, preferred times, contact details, payment status (not full card numbers)
  • Communications: emails, messages, support requests
  • Session inputs: prompts, questions, and any information you enter for AI guidance
  • Testimonials and feedback (if you choose to provide and publish)

B. Data collected automatically

  • Usage and device data: IP address, browser type, device identifiers, pages viewed, session duration, referral URLs
  • Cookies and similar technologies: essential cookies for security and login; with consent, analytics and performance cookies

C. Third-party and integrated services

  • Payments: processed by third-party provider Stripe; we receive transaction status and limited billing metadata, never full card details
  • Hosting & infrastructure: our site and databases are hosted on Microsoft Azure
  • AI sessions: your questions and other session inputs are processed via OpenAI's models under our agreement with them; see Section 7 for more detail
  • Video and media: embedded YouTube videos may set cookies and collect viewing data subject to Google/YouTube policies
  • Social media: if you click through to Facebook/X/Instagram/YouTube, those platforms may collect data per their own policies
  • Calendaring/scheduling: if you use external booking links or meeting tools, those providers process your data under their own terms

5. How we use your data

  • Provide and manage services: account access, bookings, session delivery, customer support
  • AI guidance: to process your prompts/inputs and generate responses
  • Improve the Site and services: troubleshooting, analytics, product development
  • Security and abuse prevention: detect fraud, spam, and misuse
  • Communications: service emails (e.g., confirmations, updates); with consent, marketing/newsletters
  • Legal compliance: record-keeping, responding to lawful requests

6. Special category data and sensitive information

You may choose to share sensitive or special category data (e.g., health, beliefs) in your session inputs. We do not require such data. If you share it:

  • We will process it only with your explicit consent and strictly for the purpose of providing the AI guidance you request.
  • Do not share information that you are not comfortable disclosing.
  • You can withdraw consent at any time (see Section 11); withdrawal will not affect prior lawful processing.

7. AI model processing and retention

  • Inputs you provide to the Oracle (questions, context) are sent securely to OpenAI for processing and to generate responses. OpenAI acts as a data processor under contract with us and is required to comply with applicable data protection law.
  • Where feasible, inputs used for improvement are pseudonymised and aggregated.
  • You can opt-out of your session transcripts being used for improvement by emailing us or using any available privacy controls in your account.
  • We do not sell your data to third parties.

8. Sharing your data

We share data only as needed with:

  • Service providers (processors): Microsoft Azure (hosting), OpenAI (AI processing), Stripe (payment), analytics, email delivery, authentication, customer support
  • Professional advisers: legal, accounting, security consultants
  • Authorities: where legally required or to protect rights, safety, or prevent fraud
  • Business transfers: in connection with mergers, acquisitions, or restructuring (with appropriate safeguards)

All processors are bound by data processing agreements that include confidentiality, security, and UK GDPR-compliant obligations.

9. International transfers

Some service providers, including Stripe and OpenAI, may process data outside the UK/EEA. Where this occurs, we rely on lawful transfer mechanisms such as:

  • UK adequacy regulations, or
  • Standard Contractual Clauses with UK Addendum

Contact us for information about specific transfers and safeguards.

10. Cookies and tracking

  • Essential cookies: required for site functionality and security
  • Analytics/performance cookies: used with your consent to understand usage and improve the Site
  • Marketing cookies: used with your consent for personalised content or measurement

You can manage cookie preferences via our cookie banner or your browser settings. Disabling certain cookies may impact functionality.

11. Your rights (UK GDPR)

You have the right to:

  • Access your personal data
  • Rectify inaccurate or incomplete data
  • Erase data in certain circumstances
  • Restrict processing in certain circumstances
  • Object to processing based on legitimate interests or direct marketing
  • Data portability (to receive your data in a usable format)
  • Withdraw consent at any time where processing is based on consent

To exercise your rights, contact us at oracle@craigsoracle.com. We may need to verify your identity.

12. Data retention

We retain personal data only as long as necessary for the purposes described:

  • Account data: while your account is active and for a reasonable period after closure for record-keeping, dispute resolution, and legal obligations
  • Booking and transaction records: per legal and tax requirements
  • AI session logs: for service delivery, fraud prevention, safety, and improvement; you may opt-out of improvement use as stated above

We periodically review and securely delete data that is no longer needed.

13. Security

We implement technical and organisational measures appropriate to the risk, including encryption in transit, access controls, logging, least-privilege, and vendor due diligence. No method of transmission or storage is 100% secure; we continuously improve our safeguards.

14. Children

Our services are not directed to individuals under 16. If you believe a child has provided us with personal data, contact us to request deletion.

15. Third-party links and embedded content

The Site contains links and embedded content from third parties (e.g., YouTube, social media). We are not responsible for their privacy practices. Please review their policies before interacting.

16. Direct marketing

With your consent, we may send newsletters or updates. You can opt out at any time via the unsubscribe link in emails or by contacting us.

17. Complaints

If you have concerns, please contact us first. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).

18. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be notified via the Site or email. Continued use of the Site after changes indicates acceptance.

19. Contact us

  • Email: oracle@craigsoracle.com
  • Address: Elmsmere Court, Swansea, SA2 7JN
  • For Data Protection Lead: oracle@craigsoracle.com