MLA Group Ltd (trading as MLA Group)
Unit 1 (Suite 121), Imperial Court, Exchange Street East, Liverpool, L2 3AB
Tel: 0151 558 0162 · info@mlagroup.co.uk
Company Registration No: 16117562 · ICO Registration No: ZB826186
Who We Are
MLA Group Ltd (trading as MLA Group) is an AI governance advisory firm registered in England and Wales. We provide AI governance risk assessments, compliance advisory services, and board-level reporting tools to organisations operating across regulated and professional sectors.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website at www.mlagroup.co.uk, complete an AI Governance Risk Diagnostic, access your client portal, or otherwise interact with our services.
We are registered with the Information Commissioner's Office (ICO) as a data controller under registration number ZB826186.
Data We Collect
We collect personal data in the following categories:
| Category | Data Collected | Source |
|---|---|---|
| Account Data | Email address, password (hashed), account creation date | Provided by you on registration |
| Professional Data | Full name, job title/role, organisation name, industry sector, organisation size | Provided by you during diagnostic |
| Assessment Data | Responses to AI governance diagnostic questions, risk scores, governance maturity ratings | Generated during diagnostic completion |
| Report Data | AI governance risk reports generated from your assessment responses, including domain scores and remediation recommendations | Generated by our platform |
| Usage Data | Pages visited, time on site, browser type, device type, IP address | Collected automatically via cookies |
We do not collect special category data (such as health, biometric, or financial data) through our platform. We do not collect payment card data — any future payment processing will be handled by a PCI-compliant third-party provider.
Legal Basis for Processing
Under UK GDPR, we rely on the following legal bases for processing your personal data:
| Processing Activity | Legal Basis |
|---|---|
| Creating and managing your account | Contract (Art. 6(1)(b)) — necessary to provide the service you have requested |
| Delivering the AI Governance Risk Diagnostic and report | Contract (Art. 6(1)(b)) — core delivery of our service |
| Storing assessment results and reports in your portal | Contract (Art. 6(1)(b)) — necessary to provide ongoing access to your results |
| Sending service communications (account, report notifications) | Contract (Art. 6(1)(b)) |
| Analytics and site improvement | Legitimate Interests (Art. 6(1)(f)) — improving our platform and user experience |
| Compliance with legal obligations | Legal Obligation (Art. 6(1)(c)) |
| Marketing communications (where opted in) | Consent (Art. 6(1)(a)) |
How We Use Your Data
We use your personal data for the following purposes:
Service Delivery — To create and manage your account, deliver the AI Governance Risk Diagnostic, generate your personalised governance risk report, and provide access to your client portal.
Communication — To send you account confirmations, report notifications, and material updates to our regulatory framework where these affect your risk band or sector obligations.
Platform Improvement — To analyse how users interact with our platform in order to improve the diagnostic tool, reporting quality, and user experience. This analysis is conducted on aggregated, anonymised data where possible.
Legal Compliance — To meet our obligations under applicable law, including responding to lawful requests from regulators or enforcement authorities.
We do not use your personal data to make solely automated decisions that produce legal or similarly significant effects about you. Our diagnostic generates a risk score based on your responses; interpretation and advisory context are provided by our framework and reviewed by our team.
Third Parties and Data Sharing
We share personal data with the following third parties only where necessary to deliver our services:
| Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Authentication, secure data storage, and database hosting for your account and assessment results | EU / USA (SCCs in place) |
| Netlify Inc. | Website hosting and content delivery | USA (SCCs in place) |
| Google (Analytics) | Anonymous site usage analytics | USA (SCCs in place) |
We do not sell, rent, or otherwise disclose your personal data to third parties for their own marketing purposes. All third-party processors are bound by data processing agreements and are required to process your data only on our instructions.
Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO, in compliance with UK GDPR Chapter V.
Data Retention
We retain your personal data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account and registration data | Duration of account plus 2 years after account closure |
| Assessment responses and risk reports | Duration of account plus 3 years after account closure |
| Usage and analytics data | 26 months from collection |
| Communications and correspondence | 3 years from date of communication |
At the end of the applicable retention period, data is securely deleted or anonymised. You may request earlier deletion of your data subject to the conditions set out in Section 07 (Your Rights) below.
Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
To exercise any of these rights, contact us at info@mlagroup.co.uk. We will respond within one calendar month. We may need to verify your identity before processing your request.
If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.
Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:
Encryption — All data is transmitted over encrypted HTTPS connections. Passwords are hashed and never stored in plain text.
Access Controls — Access to personal data is restricted to authorised personnel only, on a need-to-know basis. Database access is protected by Row Level Security policies.
Authentication — Account access requires secure authentication through our portal.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, in accordance with our obligations under UK GDPR Art. 33–34.
Cookies
We use cookies and similar tracking technologies on our website. For full details of the cookies we use, the purposes for which we use them, and how to manage your preferences, please read our Cookie Policy.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. Material changes will be communicated to registered users by email. The effective date at the top of this page will always reflect the date of the most recent revision.
Continued use of our services following notification of changes constitutes acceptance of the updated policy.
Contact Us
MLA Group Ltd
Unit 1 (Suite 121), Imperial Court, Exchange Street East, Liverpool, L2 3AB
Tel: 0151 558 0162
Email: info@mlagroup.co.uk