Privacy Policy
Effective Date: 20.10.2025 · Last Updated: 20.10.2025

Table of contents
- Introduction and Purpose
- 1. Important Information and Who We Are
- 2. The Data We Collect About You
- 3. How Is Your Personal Data Collected?
- 4. How We Use Your Personal Data
- 5. Disclosures of Your Personal Data
- 6. International Transfers
- 7. Data Security
- 8. Data Retention
- 9. Your Legal Rights
- 10. Glossary
- Part II: Expert Commentary & Implementation Guide
- 1. Foundational Compliance
- 2. Lawful Bases
- 3. Data Subject Rights Playbook
- 4. International Transfers (TRA)
- 5. Breach Incident Response
- 6.1. Artificial Intelligence (AI)
- 6.2. Domain Registration Data
Introduction and Purpose
Mars AI Technology Solutions ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. It is designed to be transparent and to provide you with a clear understanding of our data processing practices.
Our commitment is to handle your personal data in compliance with the UK's data protection legislation, which includes the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).1 This policy is written in clear and plain language to ensure it is concise, transparent, intelligible, and easily accessible.3 Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
1. Important Information and Who We Are
1.1. Purpose of this Privacy Policy
This Privacy Policy aims to give you information on how Mars AI Technology Solutions collects and processes your personal data through your use of our website, products, and services. This includes any data you may provide when you sign up for our newsletter, purchase a product or service, or take part in a competition. It is important that you read this Privacy Policy together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data.
1.2. Data Controller and Our Role
Mars AI Technology Solutions is the controller and responsible for your personal data. Our full legal details are: Full name of legal entity: Mars AI Technology Solutions Limited · Company number: 14863498 · Registered address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
For the purposes of the UK GDPR, it is essential to understand the distinction between a "data controller" and a "data processor".5
As a Data Controller: When we collect personal data from you for our own business purposes, such as for managing your account, processing payments, or for our own marketing and analytics, Mars AI Technology Solutions acts as the Data Controller. In this role, we determine the purposes and means of the processing of personal data.
As a Data Processor: When you use our services to process personal data for which you are the controller, Mars AI Technology Solutions acts as a Data Processor. In this capacity, we process personal data only on your behalf and in accordance with your documented instructions. Our obligations as a processor are governed by a separate Data Processing Agreement (DPA) with you, our customer.5
1.3. Contact Details
We have appointed a data privacy manager who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this policy, including any requests to exercise your legal rights, please contact the data privacy manager using the details set out below:
Email address: info@marsai.eu
Postal address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).6 We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
1.4. Your Duty to Inform Us of Changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. This aligns with the 'accuracy' principle of the UK GDPR.7
1.5. Third-Party Links
Our website and services may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
2. The Data We Collect About You
Personal data means any information that identifies a person. We may collect the following types:
- Identity Data: first name, last name, username, marital status, title, date of birth, gender.
- Contact Data: billing and delivery address, email, telephone numbers.
- Financial Data: bank account and payment card details.
- Transaction Data: payments to/from you, details of products/services purchased.
- Technical Data: IP address, login data, browser type/version, time zone, location, plug‑ins, OS, platform, device tech, and cookie identifiers.
- Profile Data: username/password, purchases, interests, preferences, feedback, survey responses.
- Usage Data: how you use our website, products and services.
- Marketing & Communications Data: preferences in receiving marketing and communication choices.
Aggregated Data
We also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy. If data is fully anonymised so that an individual cannot be re-identified, UK GDPR rules may not apply.5
Special Categories of Personal Data
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data).3 Nor do we collect any information about criminal convictions and offences.
3. How Is Your Personal Data Collected?
- Direct Interactions: You may give us your Identity, Contact, and Financial Data by filling in forms or by corresponding with us by post, phone, email, or otherwise. This includes personal data you provide when you: apply for our products or services; create an account on our website; subscribe to our service or publications; request marketing to be sent to you; enter a competition, promotion, or survey; or give us feedback or contact us.
- Automated Technologies or Interactions: As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies, server logs, and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our Cookie Policy for further details. Under UK law, we must ask for your consent before placing non-essential cookies on your device.9
- Third Parties or Publicly Available Sources: We will receive personal data about you from various third parties and public sources as set out below: Technical Data from analytics providers such as Google based outside the UK. Contact, Financial, and Transaction Data from providers of technical, payment, and delivery services. Identity and Contact Data from data brokers or aggregators. Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register based inside the UK.
If we have not collected personal data directly from you, we are obligated to inform you of the source of that data.4
4. How We Use Your Personal Data (Our Lawful Bases for Processing)
We will only use your personal data when the law allows us to. The lawful bases we rely on are: (i) performance of a contract; (ii) legitimate interests (balanced against your rights); (iii) compliance with a legal obligation; or (iv) your consent.
The table below summarises key processing activities, the types of data, and the lawful bases relied upon.
| Purpose / Activity | Type of Data | Lawful Basis (incl. legitimate interest) |
|---|---|---|
| To register you as a new customer | (a) Identity (b) Contact | Performance of a contract with you |
| To process and deliver your order (incl. payments, debt recovery) | (a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing & Communications | (i) Contract (ii) Legitimate interests (to recover debts due to us) |
| To manage our relationship with you (policy changes, reviews) | (a) Identity (b) Contact (c) Profile (d) Marketing & Communications | (i) Contract (ii) Legal obligation (iii) Legitimate interests (records accuracy, service improvement) |
| To enable participation in prize draws, competitions or surveys | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing & Communications | (i) Contract (ii) Legitimate interests (to study how customers use our services and grow our business) |
| To administer and protect our business and website (troubleshooting, testing, security, hosting) | (a) Identity (b) Contact (c) Technical | (i) Legitimate interests (running our business, IT services, network security, fraud prevention) (ii) Legal obligation |
| To deliver relevant content/ads and measure their effectiveness | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing & Communications (f) Technical | Legitimate interests (to develop services and inform marketing strategy) |
| To use analytics to improve website, products/services and experiences | (a) Technical (b) Usage | Legitimate interests (to keep our site relevant and develop our business) |
| To make suggestions/recommendations about goods or services | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile | Legitimate interests (to grow our business); consent where required by PECR for electronic marketing |
Generally, we do not rely on consent as a legal basis except for specific activities (e.g., non‑essential cookies or third‑party marketing). You can withdraw consent at any time.
5. Disclosures of Your Personal Data
We may share your personal data with the following recipients for the purposes set out in Section 4:
Internal Third Parties
- Other companies in the Mars AI Technology Solutions Group acting as joint controllers or processors in the UK providing IT/system administration and leadership reporting.
External Third Parties
- Service providers (processors) supplying IT, system administration, hosting and support services.
- Payment service providers (processors or controllers).
- Professional advisers (lawyers, bankers, auditors, insurers) providing consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities who require reporting of processing activities in certain circumstances.
- Third parties involved in a sale, transfer or merger of parts of our business or assets.
We require all third parties to respect the security of personal data and to process it lawfully. We do not permit them to use personal data for their own purposes and only allow processing for specified purposes in accordance with our instructions, under legally binding Data Processing Agreements.
6. International Transfers
We share your personal data within the Mars AI Technology Solutions Group. This may involve transferring your data outside the United Kingdom (UK). Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented, in compliance with Chapter V of the UK GDPR:2
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Government ("adequacy regulations").13
- Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK, namely the International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission's Standard Contractual Clauses (SCCs).15
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
7. Data Security
We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed.1 These measures include, but are not limited to, data encryption at rest and in transit, access control restrictions to ensure data is only accessed by authorised personnel, and regular security testing of our systems.5 In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator (such as the ICO) of a breach where we are legally required to do so.5 If we are acting as a data processor on your behalf, we will notify you, the data controller, without undue delay upon becoming aware of a personal data breach affecting your data.5
8. Data Retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements.4 We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
9. Your Legal Rights
- Be informed about the collection and use of your personal data. This Privacy Policy serves to fulfil this right.9
- Request access to your personal data (commonly known as a "data subject access request" or SAR). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.7
- Request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.9
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. This is also known as the "right to be forgotten".9
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in certain scenarios.9
- Request the transfer of your personal data to you or to a third party (data portability). We will provide your personal data in a structured, commonly used, machine-readable format.1
- Object to processing where we rely on a legitimate interest and your situation makes you object on this ground. You also have the absolute right to object to direct marketing.8
- Rights in relation to automated decision-making and profiling.1
To exercise any rights, contact our data privacy manager at info@marsai.eu. You will not normally have to pay a fee. We may charge a reasonable fee or refuse where a request is clearly unfounded, repetitive or excessive. We try to respond to all legitimate requests within one month.3
10. Glossary
- LAWFUL BASIS: The UK GDPR requires that all processing of personal data has a valid justification. The six available lawful bases are: Consent, Contract, Legal Obligation, Vital Interests, Public Task, and Legitimate Interests.18
- DATA CONTROLLER: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.5
- DATA PROCESSOR: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.5
- PERSONAL DATA: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (like an IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.3
- SPECIAL CATEGORY DATA: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a person's sex life or sexual orientation.3
Part II: Expert Commentary and Implementation Guide
1. Foundational Compliance: Understanding Your Role and Obligations
SaaS providers often act as both Controller and Processor. Distinguish roles to avoid compliance gaps.
1.1. Controller vs. Processor
- As Controller: CRM, HR, marketing/analytics. Determine lawful bases, ensure data quality, handle rights requests, and remain accountable to the ICO.
- As Processor: Act on instructions; ensure security; maintain confidentiality; assist controllers; manage sub‑processors with equivalent obligations. Formalised in a DPA (Article 28).
2. A Deeper Dive into Lawful Bases for Processing
Legitimate Interests requires a documented Legitimate Interests Assessment (purpose, necessity, balancing tests).
Consent must be freely given, specific, informed, unambiguous, and withdrawable; typically for non‑essential cookies or e‑marketing.
Contract applies only where processing is necessary to deliver the contracted service.
3. Operationalising Data Subject Rights
- Recognise/log requests; verify identity; clarify scope; search systems; review/redact; respond clearly; lawfully refuse if unfounded/excessive.
4. Navigating International Data Transfers
Use adequacy decisions or Article 46 safeguards (IDTA/UK Addendum to SCCs). Conduct an ICO transfer risk assessment (TRA), focusing on risk to individuals; apply supplementary measures where needed.
5. Data Breach Incident Response Plan
- Detection & assessment → containment & recovery → notification (controller/ICO/individuals) → post‑incident review and improvements.
6.1. Artificial Intelligence (AI)
- Identify lawful bases across AI lifecycle; ensure fairness/transparency; conduct DPIAs for large‑scale or high‑impact AI processing.
6.2. Domain Name Registration Data (ICANN/Nominet)
- WHOIS/registrant data obligations apply in addition to UK GDPR; ensure separate compliance with registry policies and contracts.
Contact
Mars AI Technology Solutions Limited · 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom · www.marsai.eu · info@marsai.eu