Website Privacy Policy

1 INTRODUCTION AND SCOPE

1.1 Purpose

1.1.1 This Privacy Policy governs the collection, Processing, and protection of Personal Data for Users of AirCounsel's Titan website, titan.aircounsel.com. It outlines AirCounsel's commitment to transparency, security, and compliance with the UK GDPR, DPA 2018, and PECR.

1.2 Application

1.2.1 This policy applies to all Data Subjects, including Users and account holders who interact with Titan's website or services, regardless of their location, where such interactions fall within the scope of UK data protection laws.

1.3 Controller Role

1.3.1 Titan acts as the Controller for all Personal Data Processed under this policy, determining the purposes and means of Processing in accordance with the UK GDPR and related legislation.

1.4 Compliance Framework

1.4.1 The policy is designed to comply with the principles of lawfulness, fairness, and transparency under the UK GDPR, ensuring that Users' rights are respected and their data is protected throughout its lifecycle.

2 DEFINITIONS

2.1 "AI Service Providers" means third-party providers of artificial intelligence services, including but not limited to OpenAI and Anthropic, which Titan engages to facilitate the delivery of its AI contract drafting services, subject to the restrictions set forth in this Privacy Policy.

2.2 "Consent" means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of their personal data in accordance with the UK GDPR and DPA 2018.

2.3 "Controller" means Titan, the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data, as defined under Article 4(7) of the UK GDPR.

2.4 "Cookies" means small text files placed on a user's device when visiting the Titan website, which collect standard internet log information and visitor behaviour data, as further detailed in Clause 11 of this Privacy Policy.

2.5 "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed, as defined under Article 4(12) of the UK GDPR.

2.6 "Data Subject" means an identified or identifiable natural person whose personal data is processed by Titan, including but not limited to website visitors, registered users, and account holders.

2.7 "DPA 2018" means the Data Protection Act 2018, the UK legislation which supplements and tailors the application of the UK GDPR.

2.8 "EEA" means the European Economic Area, comprising the EU Member States as well as Iceland, Liechtenstein, and Norway.

2.9 "GDPR" means the General Data Protection Regulation (EU) 2016/679, as incorporated into UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR").

2.10 "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, and payment details, as defined under Article 4(1) of the UK GDPR.

2.11 "PECR" means the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended, which regulate the use of cookies and electronic marketing communications in the UK.

2.12 "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction, as defined under Article 4(2) of the UK GDPR.

2.13 "Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller, such as Stripe or AI Service Providers, as defined under Article 4(8) of the UK GDPR.

2.14 "Special Categories of Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a natural person's sex life or sexual orientation, as defined under Article 9(1) of the UK GDPR. For the purposes of this Privacy Policy, credit card information shall not be considered a special category of personal data unless otherwise required by applicable law.

2.15 "Stripe" means the third-party payment processor engaged by Titan to handle credit card transactions, which stores and processes payment details in accordance with its own privacy policy and applicable data protection laws.

2.16 "Titan" means the entity operating the website titan.aircounsel.com, being Loft Legal Ltd, Companies House number 12000525, 124 City Road, London, England, EC1V 2NX, acting as the Controller of personal data processed under this Privacy Policy.

2.17 "UK GDPR" has the meaning given in Clause 1.9.

2.18 "User" means any individual who accesses or uses the Titan website, including visitors, registered account holders, and recipients of AI contract drafting services.

3 LEGAL FRAMEWORK AND COMPLIANCE (UK GDPR, DPA 2018, AND PECR)

3.1 Basis for Processing

3.1.1 Titan processes Personal Data in compliance with the UK GDPR, the DPA 2018, and PECR. All Processing activities are conducted under the legal basis of Consent, as defined in Article 6(1)(a) of the UK GDPR, unless another lawful basis applies under applicable law.

3.2 Regulatory Adherence

3.2.1 Titan adheres to the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality under Article 5 of the UK GDPR. Specific compliance measures include: (a) obtaining valid Consent for Processing; (b) implementing safeguards for international data transfers; and (c) upholding Data Subject rights under Articles 12–23 of the UK GDPR.

3.3 PECR Compliance

3.3.1 Titan complies with PECR in relation to the use of Cookies and electronic communications, ensuring Users are provided with clear information and mechanisms to manage their preferences, except where such technologies are strictly necessary for service delivery.

3.4 Periodic Review

3.4.1 This policy and Titan's data protection practices are reviewed periodically to ensure ongoing compliance with evolving UK data protection laws, including updates to the UK GDPR, DPA 2018, or PECR.

4 CONSENT AND COLLECTION OF PERSONAL DATA

4.1 Obtaining Consent

4.1.1 Titan obtains explicit Consent from Users during the account registration process, requiring affirmative action (e.g., ticking a checkbox) to signify agreement to this Privacy Policy. Consent is documented and may be withdrawn at any time by contacting Titan as specified in Clause 12.

4.2 Categories of Personal Data Collected

4.2.1 Titan collects the following Personal Data from Users: (a) name; (b) email address; and (c) payment details processed via Stripe. Titan does not store credit card information.

4.3 Legal Basis for Processing

4.3.1 Titan relies on Consent as the primary legal basis for Processing Personal Data under Article 6(1)(a) of the UK GDPR, unless an alternative lawful basis applies under applicable law.

4.4 Withdrawal of Consent

4.4.1 Users may withdraw Consent at any time by contacting Titan as outlined in Clause 12. Withdrawal does not affect the lawfulness of Processing based on Consent before its withdrawal.

5 PURPOSE OF DATA PROCESSING

5.1 Primary Purposes

5.1.1 Titan Processes Personal Data solely for the following purposes: (a) to create and manage User accounts on the Titan platform; and (b) to deliver AI contract drafting services, including generating and transmitting outputs to Users.

5.2 Communication

5.2.1 Personal Data, such as email addresses, may be used to communicate with Users regarding service updates, security alerts, or administrative notices, where such communications are necessary for the performance of Titan's services.

5.3 Legal Compliance

5.3.1 Titan may Process Personal Data to comply with legal obligations under the UK GDPR, DPA 2018, or other applicable laws, including fraud prevention and regulatory reporting requirements.

5.4 Proportionality and Limitation

5.4.1 All Processing activities are strictly necessary and proportionate to achieve the stated purposes, in accordance with the principles of purpose limitation and data minimization under Article 5(1)(b) and (c) of the UK GDPR. Personal Data is not used for unrelated purposes without additional Consent where required.

5.5 Service Enhancement

5.5.1 Personal Data may also be Processed to improve Titan's services, provided such Processing is compatible with the primary purposes and does not infringe on Users' rights under applicable data protection laws.

6 PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

6.1 Scope

6.1.1 Titan does not intentionally Process Special Categories of Personal Data as defined under Article 9(1) of the UK GDPR, unless such Processing is necessitated by applicable law or with the Data Subject's explicit Consent for a specified purpose.

6.2 Credit Card Information

6.2.1 For clarity, credit card information processed via Stripe is not classified as a Special Category of Personal Data under this Privacy Policy, unless otherwise mandated by applicable law. Titan does not retain or directly Process such data.

6.3 Additional Safeguards

6.3.1 In the event Titan Processes Special Categories of Personal Data, such Processing will be conducted only: (a) with the Data Subject's explicit Consent; (b) where necessary for compliance with legal obligations; or (c) under another lawful exception under Article 9(2) of the UK GDPR. Enhanced technical and organisational measures will be implemented to protect such data.

6.4 User Control

6.4.1 Where Special Categories of Personal Data are Processed, Users may exercise their rights under Clause 12, including the right to withdraw Consent or request erasure, subject to Titan's legal obligations.

7 THIRD-PARTY PROCESSORS AND DATA SHARING (INCLUDING AI SERVICE PROVIDERS)

7.1 Engagement of Processors

7.1.1 Titan engages third-party Processors, including Stripe for payment processing and AI Service Providers (e.g., OpenAI, Anthropic), to facilitate service delivery. Such Processors act only on Titan's documented instructions and are contractually bound to comply with the UK GDPR and DPA 2018.

7.2 Scope of Data Sharing

7.2.1 Personal Data shared with AI Service Providers is strictly limited to information necessary for generating contract drafting outputs. Titan ensures such data is not used by AI Service Providers for training their models or any purpose beyond the agreed service scope.

7.3 Safeguards for Third-Party Processing

7.3.1 Titan implements contractual safeguards with all Processors, including: (a) data protection clauses aligned with Article 28(3) of the UK GDPR; (b) restrictions on further subcontracting; (c) obligations to assist Titan in fulfilling Data Subject rights requests; and (d) technical and organisational measures to ensure data security.

7.4 International Transfers

7.4.1 Where Processors are located outside the EEA (e.g., in the USA), Titan ensures transfers are governed by UK GDPR-compliant mechanisms, such as standard contractual clauses or adequacy decisions, and supplemented by additional safeguards.

7.5 Prohibition on Unauthorised Use

7.5.1 Titan prohibits all Processors from retaining, using, or disclosing Personal Data outside the direct business relationship, except as required by applicable law. Processors must promptly notify Titan of any actual or suspected Data Breach.

7.6 User Transparency

7.6.1 A current list of sub-processors is available upon request. Titan will notify Users of any material changes to sub-processors affecting their Personal Data, providing an opportunity to object where required under UK GDPR.

8 INTERNATIONAL DATA TRANSFERS AND SAFEGUARDS

8.1 Scope of Transfers

8.1.1 Titan may transfer Personal Data to third-party Processors located outside the EEA, including to the USA, where such transfers are necessary for service delivery (e.g., to AI Service Providers) or to comply with legal obligations, in accordance with Articles 44–50 of the UK GDPR.

8.2 Safeguard Mechanisms

8.2.1 All international transfers are conducted under appropriate safeguards, including: (a) UK-approved standard contractual clauses; (b) binding corporate rules; or (c) other valid transfer mechanisms under the UK GDPR. Supplementary technical and organisational measures (e.g., encryption, access controls) are implemented to mitigate risks.

8.3 Processor Compliance

8.3.1 Processors receiving Personal Data outside the EEA are contractually bound to: (a) adhere to the safeguards in Clause 7.3 and this Clause 8; (b) process data only for Titan's specified purposes; and (c) notify Titan of any non-compliance with UK GDPR requirements.

8.4 User Rights

8.4.1 Users may request details of the safeguards applied to their Personal Data by contacting Titan as specified in Clause 12, subject to confidentiality and security considerations.

9 DATA RETENTION AND DELETION POLICY

9.1 Retention Periods

9.1.1 Titan retains Personal Data only for as long as necessary to fulfil the purposes outlined in Clause 5, including for the duration of a User's active account. Retention periods are determined based on: (a) the nature of the data; (b) legal or regulatory requirements; and (c) legitimate business needs, in compliance with the storage limitation principle under Article 5(1)(e) of the UK GDPR.

9.2 Deletion Procedures

9.2.1 Personal Data is securely deleted or anonymized upon: (a) User request, where no overriding legal basis for retention exists; (b) account closure; or (c) expiration of the applicable retention period, whichever occurs first. Titan implements automated and manual processes to enforce deletion timelines, using methods that prevent recovery or reconstruction.

9.3 User-Initiated Erasure

9.3.1 Users may request erasure of their Personal Data under Article 17 of the UK GDPR by contacting Titan as specified in Clause 12. Titan will comply with such requests within 30 days unless retention is necessary for: (a) compliance with legal obligations; (b) establishment or defence of legal claims; or (c) other lawful grounds under applicable law.

9.4 Processor Obligations

9.4.1 Titan ensures all Processors (including AI Service Providers and Stripe) adhere to equivalent retention and deletion obligations through contractual agreements. Processors must delete or return Personal Data upon Titan's instruction, unless retention is mandated by law.

9.5 Backup Data

9.5.1 Archived or backup data containing Personal Data is retained only for the shortest period technically feasible and is protected by equivalent security measures. Such data is permanently deleted in accordance with Titan's backup rotation policies.

9.6 Audit and Compliance

9.6.1 Titan conducts periodic audits to verify adherence to this policy, ensuring data is not retained beyond the stipulated periods except where justified under the UK GDPR or DPA 2018.

10 DATA SECURITY MEASURES

10.1 Technical Safeguards

10.1.1 Titan implements industry-standard technical measures to protect Personal Data, including: (a) encryption of data in transit and at rest using robust cryptographic protocols; (b) secure access controls, such as multi-factor authentication and role-based permissions; and (c) regular vulnerability assessments and penetration testing to identify and remediate security risks.

10.2 Organisational Safeguards

10.2.1 Titan maintains internal policies and procedures to ensure compliance with the UK GDPR and DPA 2018, including: (a) staff training on data protection and confidentiality obligations; (b) role-based access restrictions; and (c) designated personnel responsible for overseeing compliance with this policy.

10.3 Incident Response

10.3.1 Titan has established procedures to detect, investigate, and report Data Breaches in accordance with Articles 33–34 of the UK GDPR, including: (a) immediate containment measures; (b) assessment of risk to Data Subjects; and (c) notification to the relevant supervisory authority and affected Users where required by law.

10.4 Processor Accountability

10.4.1 Titan requires all Processors (including AI Service Providers and Stripe) to implement equivalent security measures, as contractually mandated under Article 28(3) of the UK GDPR. Titan retains audit rights to verify compliance and terminates agreements for material breaches of security obligations.

10.5 Continuous Improvement

10.5.1 Titan reviews and updates its security measures periodically to address evolving threats and technological advancements, ensuring ongoing adherence to the principles of integrity and confidentiality under Article 5(1)(f) of the UK GDPR.

11 COOKIES AND TRACKING TECHNOLOGIES

11.1 Use of Cookies

11.1.1 Titan uses Cookies and similar tracking technologies to enhance User experience and analyze website traffic. These technologies may include session Cookies (temporary files deleted upon browser closure) and persistent Cookies (retained for specified periods).

11.2 Categories and Purposes

11.2.1 Cookies are categorized as follows: (a) strictly necessary (essential for website operation); (b) performance/analytical (collecting anonymized usage data); and (c) functional (enabling personalized features). Titan does not use targeting/advertising Cookies or collect Special Categories of Personal Data via Cookies without explicit Consent.

11.3 Consent Mechanism

11.3.1 In compliance with PECR, Titan obtains prior Consent for non-essential Cookies via a banner or pop-up notification upon the User's first visit. Users may adjust preferences at any time through browser settings or Titan's preference center.

11.4 Third-Party Cookies

11.4.1 Third-party services integrated into Titan's website (e.g., analytics providers) may place their own Cookies, subject to their respective privacy policies. Titan ensures such providers adhere to UK GDPR and PECR requirements, and Users are informed of their presence during the Consent process.

11.5 User Control and Data Minimization

11.5.1 Users may disable or delete Cookies via browser settings, though this may impair functionality. Titan limits Cookie data to: (a) anonymized IP addresses; (b) browser/device information; and (c) usage patterns. A detailed Cookie Policy is accessible via the website footer.

12 DATA SUBJECT RIGHTS AND EXERCISING RIGHTS

12.1 Rights Under UK GDPR

12.1.1 Data Subjects have the following rights regarding their Personal Data processed by Titan, in accordance with Articles 12–23 of the UK GDPR: (a) Right of access (Article 15); (b) Right to rectification (Article 16); (c) Right to erasure ("right to be forgotten") (Article 17); (d) Right to restriction of Processing (Article 18); (e) Right to data portability (Article 20); (f) Right to object to Processing (Article 21); and (g) Right not to be subject to automated decision-making, including profiling (Article 22).

12.2 Exercising Rights

12.2.1 Data Subjects may exercise these rights by submitting a written request to Titan via email at [email protected]. Titan will respond within one (1) month of receipt, unless the request is complex or numerous, in which case the period may be extended by two (2) further months with prior notification to the Data Subject.

12.3 Verification and Limitations

12.3.1 Titan may require verification of the Data Subject's identity before fulfilling requests to prevent unauthorized disclosures. Certain rights may be limited where Processing is necessary for: (a) compliance with legal obligations; (b) performance of a contract; or (c) establishment, exercise, or defence of legal claims.

12.4 Complaints

12.4.1 Data Subjects may lodge complaints with the UK Information Commissioner's Office (ICO) if they believe Titan's Processing infringes the UK GDPR or DPA 2018, without prejudice to other administrative or judicial remedies. Titan encourages Data Subjects to contact it first to resolve any concerns.

13 PROCEDURES FOR DATA BREACHES AND NOTIFICATIONS

13.1 Breach Detection and Assessment

13.1.1 Titan shall implement measures to promptly detect, investigate, and assess any suspected or actual Data Breach, including: (a) identifying the nature and scope of the breach; (b) determining the categories and approximate number of Data Subjects affected; and (c) evaluating potential risks to rights and freedoms of Data Subjects.

13.2 Containment and Remediation

13.2.1 Upon confirmation of a Data Breach, Titan shall immediately take steps to: (a) contain the breach and prevent further unauthorized access; (b) mitigate adverse effects; and (c) implement corrective measures to prevent recurrence, in accordance with Article 33(1) of the UK GDPR.

13.3 Notification to Supervisory Authority

13.3.1 Where the Data Breach is likely to result in a risk to the rights and freedoms of Data Subjects, Titan shall notify the UK Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required under Article 33(1) of the UK GDPR. The notification shall include: (a) the nature of the breach; (b) the categories and approximate number of affected Data Subjects and records; (c) likely consequences; and (d) measures taken or proposed to address the breach.

13.4 Communication to Data Subjects

13.4.1 If the Data Breach poses a high risk to Data Subjects' rights and freedoms, Titan shall also notify affected Data Subjects without undue delay, in clear and plain language, as mandated by Article 34(1) of the UK GDPR. Such notification shall describe: (a) the nature of the breach; (b) contact details for Titan's Data Protection Officer; (c) likely consequences; and (d) measures taken or proposed to mitigate risks.

13.5 Exceptions to Notification

13.5.1 Notification to Data Subjects under Clause 13.4 may be delayed or omitted only if: (a) Titan has implemented appropriate technical and organisational measures (e.g., encryption) rendering the data unintelligible to unauthorized parties; (b) subsequent measures ensure the high risk is no longer likely to materialize; or (c) notification would involve disproportionate effort, in which case a public communication or similar measure shall be adopted instead, as permitted under Article 34(3) of the UK GDPR.

13.6 Documentation and Review

13.6.1 Titan shall document all Data Breaches, including their facts, effects, and remedial actions, to demonstrate compliance with Articles 33(5) and 34(5) of the UK GDPR. Post-breach reviews shall be conducted to assess the effectiveness of response procedures and implement improvements where necessary.

13.7 Processor Obligations

13.7.1 Processors shall immediately notify Titan of any actual or suspected Data Breach involving Titan's Personal Data, providing all necessary details to facilitate compliance with this Clause 13. Titan's contractual agreements with Processors shall mandate such notifications without undue delay and require cooperation in containment, assessment, and notification efforts.

14 HANDLING USER COMPLAINTS AND INQUIRIES

14.1 Submission of Complaints

14.1.1 Users may submit complaints or inquiries regarding Titan's Processing of their Personal Data by contacting Titan's Data Protection Officer at the email address specified in Clause 16. Complaints must include: (a) the User's name and contact details; (b) a detailed description of the issue; and (c) any supporting documentation.

14.2 Acknowledgment and Investigation

14.2.1 Titan will acknowledge receipt of complaints within five (5) business days and conduct a thorough investigation, involving relevant internal teams or third-party Processors where necessary. The investigation will be completed within thirty (30) days, unless the complexity of the issue requires an extension, in which case Titan will notify the User.

14.3 Resolution and Communication

14.3.1 Upon concluding the investigation, Titan will provide the User with a written response detailing: (a) the findings; (b) any corrective actions taken or proposed; and (c) the User's right to escalate the matter to the UK Information Commissioner's Office (ICO) if dissatisfied with the resolution.

14.4 Record-Keeping

14.4.1 Titan will maintain records of all complaints and inquiries, including their resolution, for a minimum of two (2) years to demonstrate compliance with the accountability principle under Article 5(2) of the UK GDPR.

14.5 Escalation to Supervisory Authority

14.5.1 Users may lodge complaints directly with the ICO at any time, irrespective of Titan's internal procedures, in accordance with Article 77 of the UK GDPR.

14.6 Continuous Improvement

14.6.1 Titan shall periodically review complaint trends to identify and implement improvements to its data protection practices, ensuring alignment with UK GDPR requirements and enhancing User trust.

15 UPDATES AND AMENDMENTS TO THE PRIVACY POLICY

15.1 Policy Revisions

15.1.1 Titan reserves the right to update or amend this Privacy Policy periodically to reflect changes in legal requirements, data processing practices, or service offerings. Material changes will be communicated to Users via email at least thirty (30) days prior to their effective date, unless a shorter notice period is mandated by law.

15.2 Notification of Changes

15.2.1 For material changes (e.g., changes to Processing purposes, international transfers, or Data Subject rights), Titan will provide clear and prominent notice, including: (a) a summary of key changes; (b) the effective date; and (c) instructions for review. Non-material changes (e.g., clarifications) will be published on the website with an updated effective date.

15.3 User Consent and Continued Use

15.3.1 Where updates require additional Consent under the UK GDPR, Titan will obtain explicit User Consent prior to implementation. Continued use of Titan's services after the effective date constitutes acceptance of non-material changes.

15.4 Version Control

15.4.1 The current version of this Privacy Policy will be accessible on Titan's website with a visible effective date. Archived versions will be retained to demonstrate compliance with the accountability principle under Article 5(2) of the UK GDPR.

15.5 Regulatory Alignment

15.5.1 All amendments will comply with the UK GDPR, DPA 2018, and PECR, ensuring consistency with Titan's legal obligations and Users' rights.

16 CONTACT INFORMATION AND DATA PROTECTION OFFICER

16.1 Controller Contact Details

16.1.1 For all inquiries or requests related to this Privacy Policy or the Processing of Personal Data, Data Subjects may contact Titan as the Controller at the following address: [placeholder physical address]. Electronic communications may be directed to [email protected].

16.2 Data Protection Officer

16.2.1 Titan has appointed Kyle Torrington as its Data Protection Officer (DPO) to oversee compliance with the UK GDPR and DPA 2018. The DPO may be contacted directly at [email protected] for all privacy-related matters, including the exercise of Data Subject rights or reporting concerns regarding Personal Data Processing.

16.3 Supervisory Authority

16.3.1 Data Subjects may lodge complaints with the UK Information Commissioner's Office (ICO), the supervisory authority for data protection matters in the UK, at any time. The ICO's contact details are available at https://ico.org.uk.

17 AGE VERIFICATION AND COMPLIANCE WITH REQUIREMENTS

17.1 Age Verification

17.1.1 Titan implements reasonable measures to verify that Users are at least 16 years of age, or the applicable age of digital consent in their jurisdiction, whichever is higher, in compliance with Article 8 of the UK GDPR. Users may be required to provide proof of age during account registration or upon request.

17.2 Parental Consent

17.2.1 Where a User is below the required age threshold, Titan will seek verifiable parental or guardian consent prior to Processing their Personal Data, in accordance with Article 8(2) of the UK GDPR. Such consent may be obtained through: (a) direct communication with the parent/guardian; or (b) third-party age verification services.

17.3 Restrictions for Unverified Minors

17.3.1 Titan reserves the right to suspend or terminate accounts where age verification or parental consent cannot be confirmed, and to delete any Personal Data collected in breach of this Clause 17, unless retention is mandated by law.

17.4 Data Minimization for Minors

17.4.1 Titan limits the collection and Processing of Personal Data from verified minors to the strict minimum necessary for service delivery, in compliance with the data minimization principle under Article 5(1)(c) of the UK GDPR.

17.5 User Notification

17.5.1 Users will be informed of age verification requirements during the account registration process, with clear references to this Privacy Policy and applicable legal obligations under the UK GDPR and DPA 2018.