Privacy Policy
Last updated: 8 April 2026
1. Data Controller
Disintermediate Ltd (company number 13799566, registered in England and Wales) is the data controller for personal data collected through thegpu.ai ("the platform") and The GPU newsletter. We are registered with the Information Commissioner's Office (ICO) under reference ZB365083. Contact: ben@disintermediate.global.
2. What Data We Collect
We collect the following personal data:
- Account data: email address, name (if provided), and authentication metadata managed by Clerk. We do not store passwords directly.
- Newsletter subscriptions: email address, name (if provided), and any custom field data you provide (company, role, interests).
- Newsletter engagement: open rates, click-through rates, and engagement metrics collected by Beehiiv in the course of delivering the newsletter.
- Platform usage: which pages, profiles, and datasets you view on the platform. Used for product improvement and aggregate analytics.
- Contact and enquiry submissions: name, email, company, role, and message content when you contact us about advisory or sponsorship.
- Platform usage and behavioural analytics: we run our own first-party analytics, capturing events such as page views, page exits, clicks, outbound link clicks, searches, scroll depth, dwell time, entry pages, device type, browser, operating system, and UTM parameters (source, medium, campaign, content, term). For signed-in users, these events are linked to your account so we can understand how individual users engage with the platform, improve features, and identify issues. For anonymous visitors, events are linked to a pseudonymous visitor ID and session ID. We do not store raw IP addresses (only country, derived at the edge from Vercel or Cloudflare headers) and we do not fingerprint browsers. All event data is stored in our own Supabase database and is not shared with third-party analytics providers. Vercel additionally collects standard hosting telemetry (request logs, infrastructure metrics) at the edge.
3. How We Use Your Data
We use your personal data for the following purposes:
- To deliver the platform: authenticating your account, gating subscriber-only features, and personalising your experience.
- To deliver The GPU newsletter: sending weekly briefings, measuring engagement, and improving content quality.
- To deliver advisory services: processing enquiries, managing client relationships via Attio CRM, and communicating about engagements.
- To improve our services: understanding our audience, analysing engagement patterns, and refining our intelligence products.
We do not sell, rent, or share your personal data with third parties for their marketing purposes.
4. Legal Basis for Processing
Under the UK GDPR, we process your personal data on the following legal bases:
- Consent: when you subscribe to The GPU newsletter or opt in to marketing communications.
- Legitimate interests: to operate the platform, respond to enquiries, manage client relationships, and improve our services.
- Contract performance: to deliver platform access and advisory services under our Terms or an engagement agreement.
5. Newsletter Subscription and Consent
When you create a platform account, the newsletter subscription option is enabled by default. You may deselect it at signup if you do not wish to receive The GPU newsletter. You can unsubscribe from The GPU at any time by clicking the unsubscribe link in any newsletter email or from your account settings.
Your newsletter subscription is managed by Beehiiv. By subscribing, you also agree to Beehiiv's terms and privacy policy.
6. Third-Party Processors
We use the following third-party services to process your data:
- Clerk (USA): authentication and account management. Data processed: email, name, authentication metadata. Transfer mechanism: Standard Contractual Clauses and EU-US Data Privacy Framework.
- Beehiiv (USA): newsletter delivery and subscriber management. Data processed: email, name, custom fields, engagement data.
- Attio (UK/EU): CRM and contact management. Data processed: name, email, company, job title, enquiry details.
- Vercel (USA): website hosting and edge infrastructure. Data processed: request logs and hosting telemetry. Note: product analytics are first-party (stored in our own Supabase database), not collected by Vercel Analytics.
- Supabase (USA): database hosting for the platform. Data processed: account identifiers and market intelligence data. Transfer mechanism: Standard Contractual Clauses.
- Zapier (USA): workflow automation connecting our tools. Data processed: contact form submissions routed between services. Transfer mechanism: Standard Contractual Clauses and EU-US Data Privacy Framework.
- Stripe (USA): payment processing for paid subscriptions and sponsorships. Data processed: name, email, payment method details, invoice data. Transfer mechanism: Standard Contractual Clauses, EU-US Data Privacy Framework, and UK International Data Transfer Addendum.
- Xero (Australia/UK): accounting and invoicing. Data processed: name, email, company, invoice and payment data. Transfer mechanism: UK International Data Transfer Agreement and Standard Contractual Clauses.
- Google Workspace (USA): email, calendar, and document management. Data processed: name, email, message content, calendar events. Transfer mechanism: Standard Contractual Clauses and EU-US Data Privacy Framework.
Where data is transferred outside the UK, appropriate safeguards are in place including Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), and/or the EU-US Data Privacy Framework as applicable.
7. Social Media and External Links
The platform contains links to third-party sites, including LinkedIn, company websites, regulatory filings, and source documents. When you click these links, you leave our platform and are subject to the privacy policies and terms of those sites. We do not collect, store, or process any data from LinkedIn or other social media platforms.
We do not use LinkedIn APIs to scrape, harvest, or otherwise collect LinkedIn member data. We do not use LinkedIn tracking pixels, social plugins, or embedded widgets on the platform. Our use of LinkedIn is limited to maintaining a company page and sharing content in accordance with LinkedIn's Pages Terms and User Agreement.
If you interact with our content on LinkedIn (e.g. by following our company page, liking, or commenting), that data is governed by LinkedIn's own Privacy Policy. We may receive aggregated, anonymised analytics from LinkedIn about page followers and post engagement, but this data does not identify individuals.
8. Data Retention
- Platform accounts: retained for as long as your account is active. Closed accounts are anonymised within 30 days, except where retention is required for billing or legal purposes.
- Newsletter subscribers: retained for as long as you remain subscribed. Upon unsubscribing, your data is retained in anonymised form for analytics purposes.
- Contact form submissions: retained for up to 3 years to manage client relationships and for legitimate business purposes.
- Advisory clients and paid subscribers: engagement records and billing data are retained for 7 years in accordance with UK regulatory requirements.
9. Your Rights
Under the UK GDPR, you have the right to: access the personal data we hold about you; rectify inaccurate data; erase your data (subject to legal retention requirements); restrict processing; request data portability; object to processing based on legitimate interests; and withdraw consent at any time.
To exercise any of these rights, contact us at ben@disintermediate.global. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. Cookies
We use only essential cookies required for platform functionality, including authentication session cookies set by Clerk and a site-access cookie used during private beta. We do not use third-party advertising or tracking cookies, and we do not employ browser fingerprinting.
11. Data Breach Notification
In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the newsletter or platform. The date at the top of this page indicates when the policy was last updated.
13. Contact
For privacy-related enquiries, contact:
Ben Baldieri
Disintermediate Ltd
ben@disintermediate.global