This policy sets out the controlled and transparent use of artificial-intelligence (AI) and transcription technologies within Cavendish Family Office. The objective is to enhance professional accuracy, efficiency, and record-keeping while maintaining the highest standards of confidentiality and data protection.
This policy applies solely to the Chief Executive Officer, who is the only authorised user of AI or transcription tools within the business. The systems covered are:
• OpenAI ChatGPT – used for structured drafting, document refinement, and research support.
• Otter.ai – used for meeting transcription and note creation.
All processing of personal data through these systems is carried out under the legitimate-interest basis as defined by Article 6(1)(f) of the UK General Data Protection Regulation (UK GDPR). No automated decisions or profiling are made about clients or third parties.
• Clients are informed at the start of each meeting that recording and transcription will take place via Otter.ai.
• ChatGPT is used only for internal drafting and analytical assistance; client-identifiable data is anonymised wherever possible.
• No confidential documents are uploaded in full; only necessary extracts are summarised or redacted.
• All AI outputs are reviewed by the CEO before use or circulation.
• Data processed through these tools is retained only as long as required for professional purposes and then securely deleted.
• Both platforms use encryption in transit and at rest; access is password-protected and limited to the CEO.
OpenAI and Otter.ai may process data outside the United Kingdom. Both providers operate under Standard Contractual Clauses and the UK Addendum to ensure adequate safeguards for cross-border data transfer.
The CEO is responsible for ensuring compliance with this policy, maintaining documentation of provider terms, and updating the privacy notice and client engagement materials as required. Any suspected data incident must be logged and addressed immediately, following the firm’s standard incident protocol.
This policy will be reviewed annually or following any material change in provider terms, regulatory guidance, or business ownership.
