LEGAL

Privacy Policy

Last updated: 9 April 2026

1. Who we are

Framework27 ("we," "us," "our") is a productised business audit service operating in Dubai, United Arab Emirates. We score businesses against the Framework27 27-section methodology and deliver fixed-scope audit deliverables. This privacy policy explains what data we collect, why, and what we do with it.

Contact: privacy@framework27.ai
Trading entity: Framework27 is a trading name operated under a UAE mainland licensed entity. Full licensing details available on request.

2. What this policy covers

This policy applies to:

  • Our website at framework27.ai and any subdomains
  • Our free Get Your 270 assessment tool
  • Our paid audit services (The Audit, The Sprint, The Retainer)
  • Any email correspondence, calls, or other interactions you have with us

It does not cover third-party websites we link to, which have their own privacy policies.

3. Data we collect

Website visit data

When you visit framework27.ai, we collect standard analytics data via Google Analytics 4 and Cloudflare: IP address (anonymised), browser type, device type, pages visited, time on page, referring URL, and rough geographic location (country/city level). We do not build individual profiles from this data.

Assessment data

When you use the free Get Your 270 assessment, we collect your answers to the 27 questions. If you opt in to receive your results by email, we collect the email address, first name, and any optional fields you fill in (business name, revenue stage). Your answers are processed by Axis (our AI analyst, built on Claude) to calculate your score.

Audit client data

When you book a paid audit, we collect the information needed to deliver it: business name, contact name, email, phone number, payment details (processed by Stripe — we never see card numbers), and any data you grant us access to for the audit. This is collected under a mutual NDA signed at the start of the engagement.

Email subscriber data

If you subscribe to our email list, we collect your email address, first name, and any metadata you provide.

Communications data

Emails, call recordings, Slack messages, or WhatsApp conversations you exchange with us as part of an active engagement.

4. How we use your data

We use the data we collect for the following purposes, and only these purposes:

  • To deliver the service you requested. If you booked an audit, we use your data to run it. If you ran the assessment, we use your answers to calculate your score.
  • To process payments. Handled by Stripe. We never store card details.
  • To communicate with you about active engagements. Kickoff calls, delivery calls, follow-up emails.
  • To send email content you opted in to. Assessment results, monthly breakdowns, newsletters. Unsubscribe at any time.
  • To improve the service. We review aggregated assessment data (anonymised) to refine the methodology. We do not use individual client audit data for anything beyond delivering that client's audit.
  • To meet legal and regulatory obligations. UAE VAT, accounting records, etc.

5. What we do NOT do

For clarity, we do not:

  • Sell your data to anyone, ever
  • Share audit content between clients
  • Use your audit data to train AI models
  • Send you marketing emails you didn't explicitly opt in to
  • Share your data with advertising networks for retargeting outside our own domains
  • Reuse one client's findings in another client's audit
  • Let Axis retain memory of your session after the assessment ends (unless you opt in to results by email)

6. Third-party services we use

We use a small number of third-party services to deliver Framework27. Each has its own privacy policy.

  • Cloudflare — hosting, DNS, CDN, analytics
  • Google Analytics 4 — website analytics (anonymised IP)
  • Stripe — payment processing (handles card data directly; we never see it)
  • Anthropic (Claude API) — powers Axis. Assessment responses are sent to Anthropic's API for processing. Anthropic's API does not retain customer data for training by default.
  • Klaviyo — email marketing
  • Google Workspace — email, calendar, documents
  • Notion — internal workspace for active client audit content

We do not use Meta Pixel, TikTok Pixel, or similar ad retargeting pixels on framework27.ai unless and until we start running paid advertising.

7. Data retention

  • Assessment data (anonymous): Retained indefinitely in aggregated form. Individual responses without an email address are deleted after 30 days.
  • Assessment data (with email opt-in): Retained as long as you remain on our email list. Deleted within 30 days of unsubscribe.
  • Audit client data: Retained for 24 months after delivery, then archived. Clients can request deletion at any time.
  • Payment records: Retained for 5 years to meet UAE accounting and VAT requirements.
  • Email subscriber data: Retained until you unsubscribe, then deleted within 30 days.
  • Communications: Retained for the duration of the engagement plus 12 months.

8. Your rights

You have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold on you
  • Correction — Ask us to correct inaccurate data
  • Deletion — Ask us to delete your data (subject to legal retention requirements)
  • Portability — Request a copy of your data in a common format
  • Objection — Object to us processing your data for any reason
  • Withdrawal of consent — Withdraw consent for anything you previously opted in to

To exercise any of these rights, email privacy@framework27.ai. We'll respond within 30 days.

9. Data security

We protect your data with standard commercial security practices:

  • TLS encryption on all traffic to and from framework27.ai
  • Access controls on all internal systems
  • Principle of least privilege
  • MFA on all admin accounts
  • No sharing of credentials between team members
  • Regular review of access and deletion of stale accounts

No system is 100% secure. If we ever suffer a data breach affecting your personal data, we will notify you within 72 hours in accordance with UAE data protection law.

10. International transfers

Our service is operated from Dubai, UAE. Some of our third-party providers store data in the United States, the European Union, or other jurisdictions. By using Framework27, you consent to these transfers.

11. Children

Framework27 is a B2B service aimed at business owners. It is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe we have, contact privacy@framework27.ai and we will delete it.

12. Cookies

We use a minimal set of cookies:

  • Strictly necessary cookies — to make the site work. Cannot be disabled.
  • Analytics cookies — Google Analytics 4. You can opt out.
  • Preference cookies — to remember your cookie preferences.

We do not use advertising or tracking cookies. There is no cookie banner because we do not use non-essential cookies without consent — the analytics cookie can be disabled via your browser settings.

13. Changes to this policy

If we materially change this policy, we will update the "Last updated" date at the top and notify email subscribers in advance. Continuing to use Framework27 after a change constitutes acceptance of the updated policy.

14. Contact

General privacy questions: privacy@framework27.ai
Data subject requests: privacy@framework27.ai
Security concerns: security@framework27.ai
General enquiries: hello@framework27.ai