Privacy Policy
Last updated: 5 February 2026
Introduction
Stepflow Lab (a trading name of RGH COMMERCE LTD, "we", "our", "us") is committed to protecting the privacy and security of the personal data we collect about customers and users of our services ("you/your").
The purpose of this privacy notice is to explain what personal data we collect about you when you use our website or when we provide our services to you. When we do this, we are the data controller.
Please read this privacy notice carefully, as it provides important information about how we handle your personal information and your rights.
You should revisit this privacy notice regularly, as we may update it occasionally to reflect changes in how we deliver our services.
If you have any questions about any aspect of this privacy notice, you can contact us by emailing hello@stepflowlab.com.
Personal Data We Collect
We collect, use and are responsible for certain personal data about you. When we do so, we are subject to the UK General Data Protection Regulation ("UK GDPR"). The personal data we may collect includes (but is not limited to):
- Contact information such as your name, phone number, email address, company name, job title, and location, which we collect when you fill in our contact form or engage with our services.
- Business information you provide to us as part of our AI consultancy and automation services, including details about your workflows, processes, and technology systems.
- Communications data, including records of correspondence between us and any feedback you provide.
- Any other information you may provide as part of our market research or service delivery.
How Your Personal Data Is Collected
We collect personal data directly from you — in person, by telephone, video call, text, email, and/or via our website.
Purposes for Which We Use Personal Data and the Legal Basis
When providing services to you, we may use your personal data for the following purposes and on the following lawful bases:
| Purpose | Lawful Basis for Processing |
|---|---|
| To provide our AI consultancy, workflow automation, and related services to you | Performance of contract |
| To respond to enquiries and communicate with you about our services | Performance of contract / Legitimate interest |
| To comply with any legal obligations we may have | Legal obligation |
| To send you marketing communications about our services or other information relating to our business which we think may be of interest to you | Consent |
| To contact you when you provide us with feedback | Legitimate interest to ensure our services meet your expectations |
| To administer and protect our business and website | Legitimate interest to keep our services running securely |
Where personal data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.
Sharing Your Data
For some business activities, we share your personal data with our vendors and third-party service providers. This may include:
- Cloud service providers and data hosting services
- Email marketing platforms
- Payment processors
- AI and automation tool providers necessary for service delivery
- Professional advisers including accountants and legal advisers
Personal data may also be shared with government authorities and/or law enforcement officials for the prevention or detection of crime if required by law or if required for a legal or contractual claim.
The personal data we collect from you may be processed outside the UK. We have taken appropriate steps to ensure that personal data processed outside the UK has an essentially equivalent level of protection as it has within the UK. We do this by ensuring that:
- Your personal data is only processed in a country which the UK government has confirmed has an adequate level of protection (an adequacy regulation), or
- We enter into Standard Contractual Clauses (SCCs) with our providers and ensure that supplementary measures are applied where necessary.
How Long We Keep Your Data
We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims.
At the end of the retention period, your personal data will be securely deleted or anonymised, for example, by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
How We Protect Your Data
We endeavour to process all personal data securely and have implemented appropriate technical and organisational measures to protect the data we process from unauthorised disclosure, use, alteration, or destruction.
Your Rights and Options
You have the following rights in respect of your personal data:
- Right of access: You have the right to access your personal data and request copies of it and information about our processing of it.
- Right to rectification: If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify it or add to it.
- Right to withdraw consent: Where we are using your personal data with your consent, you can withdraw your consent at any time.
- Right to object: Where we use your personal data because it is in our legitimate interests, you can object to us using it this way.
- Right to object to direct marketing: Where we use your personal data for direct marketing, including profiling for direct marketing purposes, you can object to us doing so.
- Right to restriction: You can ask us to restrict the use of your personal data if:
- It is not accurate
- It has been used unlawfully, but you do not want us to delete it
- We do not need it anymore, but you want us to keep it for use in legal claims
- You have already asked us to stop using your data but are waiting for confirmation on whether we can comply with your request
- Right to portability: You can request a machine-readable copy of your personal data to transfer to another service provider.
- Right regarding automated decision-making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
You will not have to pay a fee to access your personal data or exercise any other rights. However, we may charge a reasonable fee if your access request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you wish to exercise your rights, please contact us at: hello@stepflowlab.com
You can also lodge a complaint with the Information Commissioner's Office. They can be contacted using the information provided at: https://ico.org.uk/concerns/
Third-Party Websites
Our website may contain hyperlinks to websites owned and operated by third parties. These third-party websites have privacy notices separate from ours, so we strongly suggest you review them separately before submitting your data. We have no control over and are not responsible for these third parties' collection, use, and disclosure of your personal information.
Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please email us at: hello@stepflowlab.com
Stepflow Lab is a trading name of RGH COMMERCE LTD.
This privacy policy was last reviewed on 5 February 2026.