AI & Data Policies

Our commitment to responsible AI, marketing practices, and data security

AI and Automated Systems Policy

Effective: 28th April 2025 · Updated: 28th April 2025

1 Purpose

This policy defines how Stixx Digital Ltd, trading as EngageAI, responsibly develops, deploys, and manages AI and Automated Systems. It establishes our framework for ensuring that the use of these technologies aligns with our ethical standards, legal obligations, and commitment to transparency.

2 Scope

This policy applies to:

  • All employees, contractors, and third parties who develop, deploy, or interact with AI and automated systems on behalf of EngageAI.
  • All AI and automated systems used across the organisation, including those developed in-house and those procured from third-party vendors.
  • All lifecycle stages of AI systems, from design and development through to deployment, monitoring, and decommissioning.

3 Definitions

  • Artificial Intelligence (AI): Technology that simulates human intelligence, including learning, reasoning, and problem-solving capabilities.
  • Automated Systems: Software or hardware systems designed to perform tasks without ongoing human control, often using predefined rules or AI-driven decision-making.

4 Principles

4.1 Ethical Use

AI and automated systems must be developed and deployed in a manner that respects human rights and dignity. We are committed to preventing bias, discrimination, and harm in the design and application of these technologies.

4.2 Transparency

Users and stakeholders will be clearly informed when they are interacting with AI or automated systems. Explanations of how these systems work and make decisions will be made available where practicable.

4.3 Data Privacy and Security

All AI and automated systems will comply with applicable data protection regulations, including the UK GDPR and CCPA. Personal data used by these systems will be minimised and, where possible, anonymised or pseudonymised to protect individual privacy.

4.4 Accountability

Clear lines of accountability will be established for the development, deployment, and outcomes of AI and automated systems. Regular audits and impact assessments will be conducted to ensure compliance with this policy.

4.5 Human Oversight

Critical decisions made or influenced by AI and automated systems will be subject to appropriate human oversight. AI is used to support, not replace, human judgement in sensitive or high-impact areas.

5 Implementation

5.1 Governance

An internal AI Governance Team will be responsible for overseeing the ethical development and use of AI technologies. All new AI and automated systems will undergo an Ethical and Data Impact Assessment before deployment.

5.2 Training and Awareness

Ongoing training will be provided to all employees and relevant third parties to ensure awareness of this policy and best practices for the responsible use of AI and automated systems.

5.3 Vendor and Third-Party Management

All third-party AI vendors and partners must demonstrate compliance with our ethical and data protection standards before engagement. Contracts will include obligations relating to transparency, data protection, and ethical use.

6 Monitoring and Review

All AI and automated systems will be subject to continuous monitoring to ensure they operate within defined ethical and legal boundaries. This policy will be reviewed at least annually and updated as necessary to reflect changes in legislation, technology, or organisational practice.

7 Breach of Policy

Any breach of this policy may result in disciplinary action, up to and including termination of employment or contract. Where a breach involves a violation of law, legal action may also be pursued.

Direct Marketing & PECR Compliance Statement

Effective: 28th April 2025 · Updated: 28th April 2025

1 Purpose

This statement outlines the commitment of Stixx Digital Ltd, trading as EngageAI, to compliance with the Privacy and Electronic Communications Regulations (PECR), the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018 in relation to all direct marketing activities.

2 Scope

This policy applies to all direct marketing communications carried out by or on behalf of EngageAI, including email, SMS, telephone, and social media marketing. It covers all employees, contractors, and third parties involved in marketing activities.

3 Definitions

  • Direct Marketing: The communication of any advertising or marketing material directed to particular individuals.
  • Consent: A freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of their personal data for marketing purposes.

4 Principles

4.1 Lawful Basis for Marketing

All direct marketing will be conducted on the basis of valid consent or, where applicable, legitimate interests, in accordance with the UK GDPR and PECR. Consent will be obtained through clear, affirmative action and will not be inferred from silence, inactivity, or pre-ticked boxes.

4.2 Transparency

At the point of data collection, individuals will be clearly informed about how their personal data will be used for marketing purposes, including the types of communications they may receive and the channels through which these will be sent.

4.3 Right to Object and Opt-Out

Every marketing communication will include a clear and easy-to-use mechanism for recipients to opt out of future communications. Opt-out requests will be processed promptly, and a suppression list will be maintained to prevent further contact.

4.4 Data Accuracy and Minimisation

Personal data used for marketing purposes will be kept accurate, up to date, and limited to what is necessary for the intended purpose. Regular data cleansing will be conducted to maintain data quality.

4.5 Third-Party Compliance

Where third-party data processors or marketing platforms are used, EngageAI will ensure that appropriate contractual safeguards are in place to guarantee compliance with applicable data protection and marketing regulations.

5 Marketing Channels

5.1 Email and SMS

Marketing emails and SMS messages will only be sent to individuals who have given explicit opt-in consent, unless the soft opt-in exemption under PECR applies (i.e., the individual is an existing customer and the marketing relates to similar products or services).

5.2 Telephone

Outbound marketing calls will comply with the Telephone Preference Service (TPS) requirements. Numbers registered with the TPS will not be contacted for marketing purposes unless valid consent has been obtained.

5.3 Social Media

Social media marketing activities will comply with platform-specific rules and regulations, as well as PECR and UK GDPR requirements. Targeted advertising will be conducted in accordance with applicable consent and transparency obligations.

6 Monitoring and Review

EngageAI will conduct regular reviews of its marketing practices to ensure ongoing compliance with PECR, UK GDPR, and the Data Protection Act 2018. This statement will be reviewed and updated as necessary to reflect changes in legislation or organisational practices.

7 Breach of Compliance

Any breach of this policy may result in disciplinary action, including termination of employment or contract. Breaches may also result in regulatory penalties imposed by the Information Commissioner's Office (ICO).

Data Breach and Cybersecurity Policy

Effective: 28th April 2025 · Updated: 28th April 2025

1 Purpose

This policy establishes the framework for Stixx Digital Ltd, trading as EngageAI, to protect its data assets, respond effectively to data breaches and cybersecurity incidents, and ensure compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2 Scope

This policy applies to all employees, contractors, and third parties who access, process, or manage data on behalf of EngageAI. It covers all data assets and IT infrastructure owned or managed by the organisation.

3 Definitions

  • Data Breach: A security incident resulting in the unauthorised access, disclosure, alteration, loss, or destruction of personal or confidential data.
  • Cybersecurity Incident: Any event or attempt to gain unauthorised access to, disrupt, or misuse information systems, networks, or data.

4 Cybersecurity Measures

4.1 Preventative Controls

EngageAI will implement and maintain robust preventative controls, including antivirus software, firewalls, encryption, and intrusion detection systems. Access to data and systems will be managed on a least-privilege basis, with multi-factor authentication (MFA) enforced for all critical systems.

4.2 Awareness and Training

All employees and contractors will receive mandatory cybersecurity awareness training upon onboarding and on an annual basis. Phishing simulations and other awareness exercises will be conducted regularly to reinforce best practices.

4.3 Third-Party Security

All third-party vendors and partners with access to EngageAI systems or data must meet our cybersecurity standards and demonstrate compliance with relevant security frameworks and data protection regulations.

5 Data Breach Response Plan

5.1 Identification and Containment

All suspected data breaches must be reported immediately to the Data Protection Officer (DPO). Upon identification, swift action will be taken to contain the breach and prevent further unauthorised access or data loss.

5.2 Assessment and Investigation

A thorough investigation will be conducted to determine the nature, scope, and impact of the breach. This will include identifying the data affected, the individuals impacted, and the root cause of the incident.

5.3 Notification

Where a breach is likely to result in a risk to the rights and freedoms of individuals, EngageAI will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. Affected individuals will be notified directly where the breach poses a high risk to their rights and freedoms.

5.4 Remediation

Following investigation and notification, appropriate remedial actions will be implemented to address the root cause of the breach and prevent recurrence. Lessons learned will be incorporated into updated procedures and training.

6 Record-Keeping

All data breaches and cybersecurity incidents will be documented in a central breach register, regardless of whether they meet the threshold for notification. Records will include the nature of the breach, the data affected, containment measures, and outcomes.

7 Monitoring and Review

This policy will be reviewed at least annually and updated as necessary to reflect changes in legislation, technology, or organisational practice. Regular audits and penetration testing will be conducted to assess the effectiveness of cybersecurity measures.

8 Breach of Policy

Any breach of this policy may result in disciplinary action, up to and including termination of employment or contract. Breaches may also result in regulatory penalties imposed by the Information Commissioner's Office (ICO) or other relevant authorities.

Effective: 28th April 2025 · Updated: 28th April 2025 · Version: 1.0 · Review Cycle: Annual