Privacy Policy
This Privacy Policy explains how London Informatics ("we," "us," "our") collects, uses, shares, and protects information about you when you use drumsoundart.com, askzante.com, or webgpt.biz.
We are committed to handling your personal data lawfully, fairly, and transparently in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where you access our services from within the European Union or EEA, the EU GDPR (Regulation 2016/679) also applies.
1. Who is the data controller?
The data controller for all three services is:
London Informatics, operated by Harris Maroudas
United Kingdom
privacy@london-informatics.org
We do not currently have a Data Protection Officer (DPO). Under UK GDPR Article 37, a DPO is mandatory only where processing is carried out by a public authority, or where the core activities of the controller consist of large-scale systematic monitoring of data subjects or large-scale processing of special category data. We do not believe those thresholds are currently met. We will review this position annually as the platform grows.
2. What data we collect and why
2A. Data collected on all platforms
When you visit any of our websites, our web server and Azure infrastructure logs may record:
- Your IP address
- Browser type and operating system
- Pages visited and time of visit
- HTTP referrer
This data is processed on the basis of our legitimate interest (UK GDPR Article 6(1)(f)) in maintaining security, preventing abuse, and diagnosing errors. These server logs are retained for a maximum of 30 days and then deleted automatically.
Note on Harris's consent decision: Harris has elected to use consent as the lawful basis for processing that goes beyond server-log security and service delivery (such as marketing emails and analytics cookies). The legitimate-interest basis is used only for the narrowly scoped security-log processing described above. All other processing categories below are consent-based.
2B. Drum Sound.Art (drumsoundart.com)
| Data | Purpose | Lawful Basis | Retention |
|---|---|---|---|
| Email address (subscriber) | Sending notifications when new drums matching your brand interest are listed | Consent (UK GDPR Art. 6(1)(a)) | Until you unsubscribe or we receive an erasure request. Unconfirmed subscriptions are deleted automatically after 30 days. |
| Brand interest (e.g. "Ludwig") | Filtering notifications to the brand you requested | Consent — same as above | Same as above |
| Email address (inquiry form) | Responding to your inquiry about a specific item | Consent (UK GDPR Art. 6(1)(a)) | 12 months from the date of the inquiry, then deleted |
| IP address (subscribe/inquiry rate limiting) | Preventing spam and abuse of the contact and subscribe forms | Legitimate interest (security) | In-memory only; not persisted to disk |
| Confirmation and unsubscribe tokens (UUID4) | Enabling you to confirm and cancel your subscription | Consent — same as above | Same as subscriber email retention above |
We do not use cookies on drumsoundart.com for any purpose other than strictly necessary session management (see Section 5).
We do not share your email address or inquiry content with any third party except where required by law. Outbound emails are sent via Azure Communication Services (ACS), which acts as a data processor under a data processing agreement with Microsoft Azure.
2C. Ask Zante (askzante.com)
| Data | Purpose | Lawful Basis | Retention |
|---|---|---|---|
| Email address (OTP login) | Authenticating your identity via one-time passcode | Consent (UK GDPR Art. 6(1)(a)) | The OTP store (otp_pending.json) retains pending codes for 10 minutes only. Verified entries are deleted on the 10-minute TTL cycle. The email itself is stored in a hashed form (SHA-256 prefix) in the usage file; the raw email is not stored after session creation. |
Session cookie (az_session) |
Maintaining your authenticated session | Consent — same as above | The cookie has a max-age equal to WEB_SESSION_TTL_SECONDS (default 30 days). The session token contains only a hashed identifier, not your raw email. |
| IP address (hashed) | Usage tracking and rate limiting (anonymous users get 5 free messages per day; authenticated users get 25) | Consent (for usage allowance tracking) / Legitimate interest (for rate-limiting) | Hashed IP usage counts are reset each day. Raw IPs are not persisted. |
Chat questions and AI answers (answer_logs) |
Maintaining service quality, reviewing for safety, and improving our knowledge base | Consent (UK GDPR Art. 6(1)(a)) | Answer logs are retained for 90 days then deleted, except where a specific log entry is needed for an ongoing safety review. |
| Location data (latitude/longitude, if you click "Share location") | Providing nearby business recommendations within the AI response | Consent (explicit, via browser location permission) | Location data is included in the chat request payload and sent to the AI provider. It is not stored separately. It may appear in the answer log for the relevant request (90-day retention above). |
AI responses from Ask Zante are generated by Anthropic (Claude models) or OpenAI (GPT models), depending on routing. Your chat question is sent to these providers as part of the API request. See Section 4 for third-party processor details.
2D. WebGPT (webgpt.biz)
| Data | Purpose | Lawful Basis | Retention |
|---|---|---|---|
| Google account identifier and email (Google OAuth) | Authenticating your identity | Consent (UK GDPR Art. 6(1)(a)) | Google identifier stored in our PostgreSQL database for the lifetime of your account. Email stored in database; used only for account management. |
| Telegram user identifier (Telegram login) | Authenticating your identity | Consent (UK GDPR Art. 6(1)(a)) | Telegram ID stored in PostgreSQL for the lifetime of your account. |
Session cookie (__Host-webgpt_session or webgpt_session) |
Maintaining your authenticated session | Consent — same as above | Max-age equals WEB_SESSION_TTL_SECONDS. |
| Credit balance | Billing and service delivery | Consent (as part of account registration) | For the lifetime of your account, and for 7 years after account closure for accounting and legal compliance purposes (UK Companies Act 2006 requirement — this is a legal obligation basis override for the retention period, not the processing purpose). |
| Chat messages and thread history | Providing conversational context within a thread | Consent (UK GDPR Art. 6(1)(a)) | Retained for the lifetime of the thread. Threads are not automatically deleted. You may request deletion via the account deletion flow or by contacting us. |
Usage data (tokens consumed, model used, cost per request — request_costs table) |
Billing, credit deduction, and usage display | Consent — same as above | 7 years from the date of the transaction, for accounting purposes (legal obligation basis for the extended retention). |
Stripe customer reference (client_reference_id) |
Linking Stripe payment sessions to your account | Consent (as part of payment initiation) | For the lifetime of your account plus 7 years (accounting). |
| IP address | Rate limiting, fraud prevention | Legitimate interest (security) | Not stored persistently beyond server logs (30 days). |
| Uploaded files (images, PDFs, audio) | Processing your attachments as part of a chat request | Consent — same as above | Temporary: files are registered in a short-lived file store and expire automatically. The expires_at value is returned in the API response and is typically a few hours. |
| AI-generated file outputs (PDFs, images) | Delivering file outputs you requested | Consent — same as above | Same as above — temporary, auto-expiring. |
Stripe processes payment card information directly. We do not receive or store full card numbers. Stripe operates under its own privacy policy (stripe.com/privacy) and its own PCI-DSS compliance programme. Stripe is a data processor for the payment transaction data and a separate data controller for its own fraud and risk systems.
The Telegram bot integration (@MessengerGPTbot) relates to the MessengerGPT product described in our marketing pages and is subject to Telegram's privacy policy. Users arriving via Telegram login to webgpt.biz have their Telegram ID stored as described above.
3. Legal basis summary
| Processing | Lawful basis |
|---|---|
| Marketing emails (Drum Sound.Art new-listing notifications) | Consent — PECR Regulation 6 (electronic mail) and UK GDPR Art. 6(1)(a) |
| OTP email delivery (Ask Zante) | Consent — UK GDPR Art. 6(1)(a) |
| Account creation and session management (Ask Zante, WebGPT) | Consent — UK GDPR Art. 6(1)(a) |
| Chat processing and AI response generation | Consent — UK GDPR Art. 6(1)(a) |
| Credit purchase and billing | Consent (processing); Legal obligation (7-year accounting retention) |
| Security and server logging | Legitimate interest — UK GDPR Art. 6(1)(f) |
| Rate limiting (in-memory, non-persistent) | Legitimate interest — UK GDPR Art. 6(1)(f) |
The legitimate interest basis for security logging has been assessed as proportionate: the data is minimised (30-day retention), not combined with other data for profiling, and the interest in preventing abuse and diagnosing errors overrides any interference with your privacy rights given the minimal nature of the processing.
4. Third parties and processors
We use the following third-party processors. Each has agreed to process data only on our instructions (or we rely on their published DPA terms).
| Processor | Role | Data shared | Location | Transfer mechanism |
|---|---|---|---|---|
| Microsoft Azure (App Service, PostgreSQL, ACS Email) | Infrastructure hosting and email delivery | All data processed on the platform | UK/EU Azure regions (West Europe, UK South) | UK adequacy for EU data; EU SCCs in applicable Azure DPA |
| OpenAI, Inc. | AI model provider (WebGPT, Ask Zante) | Chat input text; uploaded files | USA (San Francisco, CA) | UK IDTA / EU SCCs — OpenAI publishes its DPA at openai.com/policies/data-processing-addendum |
| Anthropic, PBC | AI model provider (WebGPT, Ask Zante) | Chat input text | USA | UK IDTA / EU SCCs — Anthropic DPA at anthropic.com/legal/privacy |
| Google LLC | AI model provider (WebGPT) and OAuth provider | Chat input text; Google account identifier and email on login | USA | UK IDTA / EU SCCs — Google Cloud DPA at cloud.google.com/terms/data-processing-addendum |
| xAI (Twitter/X Corp.) | AI model provider (WebGPT) | Chat input text | USA | UK IDTA / EU SCCs — xAI terms at x.ai/legal |
| Stripe, Inc. | Payment processing | Payment session metadata, credit purchase amount, user identifier | USA | UK IDTA / EU SCCs — Stripe DPA at stripe.com/legal/dpa |
| Telegram Messenger Inc. | Authentication provider (WebGPT Telegram login) | Telegram user ID | USA/EU | UK IDTA |
| Cloudflare, Inc. (Turnstile) | CAPTCHA/bot protection on WebGPT signup | IP address, browser fingerprint | USA | UK IDTA / EU SCCs |
Cross-border transfers: All transfers to the United States are made under the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) adopted by the European Commission Decision of 4 June 2021 (C(2021) 3972). We rely on each processor's published Data Processing Addendum as the transfer mechanism, which incorporates the applicable SCCs or IDTA. We have not conducted a separate Transfer Impact Assessment for each processor but will do so if any processor's arrangements materially change.
5. Cookies
Please see our Cookie Policy, which is embedded in the Cookie Consent Banner (coming soon). In summary:
- drumsoundart.com uses no cookies other than those strictly necessary for security (server-side session token).
- askzante.com uses one authentication session cookie (
az_session), one cookie for consent preference storage, and Google Fonts is loaded from an external CDN (this may set a cookie — see our cookie banner for details). - webgpt.biz uses one authentication session cookie (
__Host-webgpt_sessionorwebgpt_session), one cookie for consent preferences, and one temporary guest trial cookie (webgpt_guest_trial). The Cloudflare Turnstile widget may set cookies.
No third-party tracking or advertising cookies are set by us. The Google OAuth Sign-In button on webgpt.biz loads a Google JavaScript library that may set Google cookies — this is disclosed in the cookie banner.
6. Children's data
Our services are not directed at children below the minimum age described in our Terms of Service (13 years in most of the world; 16 years in the EU/EEA). We do not knowingly collect personal data from anyone below those ages.
If a child below the applicable minimum age attempts to register, our age gate will block registration. If we discover that data has been collected from a child below the minimum age despite this, we will:
- Delete the account and all associated personal data within 5 working days of discovery.
- Record the deletion in our erasure register.
- Not use the data for any purpose prior to deletion.
If you are a parent or guardian and believe we have inadvertently collected data about your child, please contact privacy@london-informatics.org.
We do not use the data of users who are between 13 and 15 (or 13 and 15 in EU states that allow 13 as the GDPR age of consent) for any purpose other than delivering the service, and we apply heightened data minimisation standards to those accounts.
7. Your rights
Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data. You can exercise any of these rights by emailing privacy@london-informatics.org. We will respond within 30 days (UK GDPR Article 12(3)).
| Right | What it means | How to exercise |
|---|---|---|
| Access (UK GDPR Art. 15) | Receive a copy of the personal data we hold about you | Email privacy@london-informatics.org with subject "DSAR — Access Request" |
| Rectification (Art. 16) | Have inaccurate data corrected | Email with subject "DSAR — Rectification" |
| Erasure (Art. 17) | Have your data deleted ("right to be forgotten") | Use the account deletion flow in the app, or email with subject "DSAR — Erasure Request". |
| Portability (Art. 20) | Receive your data in a machine-readable format | Email with subject "DSAR — Portability Request". We will provide JSON or CSV export within 30 days. |
| Objection (Art. 21) | Object to processing based on legitimate interest | Email with subject "DSAR — Objection". We will stop processing within 30 days unless we can demonstrate a compelling legitimate ground. |
| Withdraw consent | Withdraw consent for any consent-based processing at any time | Use the in-app opt-out or email us. Withdrawal does not affect the lawfulness of processing before withdrawal. |
| Restriction (Art. 18) | Request that we restrict processing while a dispute is resolved | Email with subject "DSAR — Restriction Request" |
You also have the right to lodge a complaint with the ICO (Information Commissioner's Office) at ico.org.uk/make-a-complaint, and if you are in the EU/EEA, with your local data protection authority.
We do not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive (UK GDPR Article 12(5)).
8. Retention summary
| Data category | Retention period |
|---|---|
| Server logs (all platforms) | 30 days |
| OTP codes (Ask Zante) | 10 minutes (TTL auto-expiry) |
| Unconfirmed email subscriptions (Drum Sound.Art) | 30 days (auto-pruned) |
| Confirmed email subscriptions (Drum Sound.Art) | Until unsubscribe or erasure request |
| Inquiry emails (Drum Sound.Art) | 12 months |
| Ask Zante answer logs | 90 days |
| Ask Zante usage counters | Daily reset (day-boundary); no persistent individual-level storage |
| WebGPT account data (identifiers, credits) | Lifetime of account + 7 years (accounting) |
| WebGPT chat history | Lifetime of account or until deletion request |
| WebGPT billing records | 7 years from transaction |
| Temporary file outputs (WebGPT) | Hours (auto-expiring, expires_at shown in UI) |
9. Security
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit (HTTPS/TLS on all endpoints)
- Encrypted database connections on Azure PostgreSQL
- HTTP-only, SameSite session cookies
- Admin tokens transmitted only via request headers, not URL query strings
- SSRF defence middleware on all outbound HTTP requests
We cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach (UK GDPR Article 33) and will notify affected individuals if the risk is high (Article 34).
10. Updates to this Policy
We may update this Privacy Policy from time to time. We will publish the new version at the same URL with an updated effective date. For material changes, we will notify registered users by email at least 14 days before the change takes effect.
The version number and effective date at the top of this document allow you to track changes.
11. Contact us
For all data protection queries: privacy@london-informatics.org
To lodge a complaint: ico.org.uk/make-a-complaint (UK) or your EU/EEA national supervisory authority.
For general legal matters, see our Terms of Service.