Privacy notice

Last updated: 15 May 2026

1. Who we are

Gnomon is a venture of Pragticality Ltd — a UK private limited company registered in England and Wales, company number 17207406. Pragticality Ltd is the data controller for personal information collected through gnomon.info.

This notice is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where data subjects sit in other jurisdictions, equivalent rights under their local frameworks apply alongside.

Pragticality Ltd is registered with the UK Information Commissioner’s Office (ICO), registration number ZC134066.

You can reach us at hello@pragticality.com. Until a dedicated Gnomon mailbox is set up, that address reaches the same desk.

2. What this site actually collects

Gnomon’s public site is mostly static reading. Two places ask for information:

(a) The demo gatekeeper form. Before the demo engine accepts a submission, you give us four things:

Your name
Your professional position or role
Your work email
A short note about why you’re trying the demo

This is stored against a session token that lets you use the demo without re-entering it on the same browser.

(b) Technical metadata at the moment of registration — your IP address, browser user-agent string, and the referring URL. These are collected for one purpose: protecting the demo from automated and abusive use (the gatekeeper enforces a per-IP daily registration cap). They are kept for a much shorter window than the gatekeeper record itself — see How long we keep it below.

(c) The demo engine itself. When you submit a product name, manufacturer, and description for a confidence reading, the combined input is sent to the language-model API for inference, and a non-reversible cryptographic hash of that input (SHA-256) is recorded internally alongside the calibration vertical, the confidence score returned, and a timestamp. The submitted text itself is not stored. The hash exists for de-duplication and audit purposes only. We do not return the HS code, ECCN, or rationale through the public demo, and we do not store them either.

(d) PDF datasheets you upload to refine a reading. Where you choose to upload a product datasheet to sharpen the reading, the PDF is read into memory only, sent to the language-model API for structured attribute extraction, and discarded the moment that returns. The datasheet itself is never written to disk and is not retained. What is recorded internally is limited to: a SHA-256 hash of the PDF (so we can detect repeated uploads of the same document in the same session), the file size in bytes, and the names — not the values — of the attributes the engine extracted. Datasheet uploads are capped at two per session and 10 MB per file.

That’s the entire personal-data picture for this site. We don’t use behavioural analytics, ad networks, or third-party trackers. The site does not set tracking cookies.

3. Why we collect it

To operate the demo — the gatekeeper exists so we know who is reading the engine, and so we can keep the demo within sensible per-session limits
To consider follow-up — if your note suggests Gnomon is relevant to your team’s work, we may reply
To prevent abuse of the demo — the IP address, user-agent and referrer let us cap automated or bulk use that would otherwise drain the language-model budget the demo runs on
To understand what kinds of products people try — the calibration choices and confidence outcomes help us see where the engine is being put to work and where its calibration needs to extend
To meet our audit and legal obligations

4. Legal basis for processing

Legitimate interests — operating the demo, qualifying enquiries, and reviewing the kinds of products being submitted are all legitimate interests of a B2B software business. We have weighed these against your rights and consider the impact minimal because the data collected is professional-context information voluntarily entered into a demo gatekeeper.
Pre-contract steps — where you ask us to follow up about a possible engagement, we process your contact details to do so.
Legal obligation — where required by law (e.g. responding to a regulator).

You have the right to object to processing based on legitimate interests at any time — see Your rights below.

5. Sub-processors and where data sits

We use a small number of trusted service providers to run the demo. Each operates under a written agreement and processes data on our behalf:

Anthropic, PBC (United States) — provides the language-model API that produces the classification confidence reading. Submitted product fields, and the text content of any PDF datasheets you upload to refine a reading, are sent to Anthropic for inference. Anthropic does not train its production models on API-submitted content. Anthropic privacy policy
Railway Corporation (United States) — hosts the Gnomon demo API and the PostgreSQL database that holds gatekeeper records and demo submissions. Railway privacy policy
IONOS SE (Germany / United Kingdom) — hosts the static gnomon.info site files. Standard web-server access logs (IP address, page requested, user-agent) are retained briefly for operational and security purposes. IONOS privacy policy
Google LLC (United States) — serves the IBM Plex web fonts via the Google Fonts CDN. No personally identifiable information is sent for this purpose beyond what is required to deliver a font file (IP address, browser type). Google privacy policy

We do not sell or rent personal information. We do not share it with anyone outside this list other than where required by law or by a regulator with proper authority.

6. International transfers

Anthropic and Railway are based in the United States. Where personal information is transferred to the United States, we rely on the UK Information Commissioner’s International Data Transfer Agreement (IDTA), or on the EU Standard Contractual Clauses with the UK addendum, alongside the provider’s certification under the EU–US Data Privacy Framework where applicable. The Gnomon demo is intentionally narrow in what it sends abroad — product descriptions and the gatekeeper record — so the transfer surface is small and specific.

7. How long we keep it

Demo records are retained on a deliberate two-tier schedule, automatically enforced by a daily background job. Once a record passes a tier’s threshold, the data at that tier is purged on the next nightly run.

PDF datasheets — not retained at all. Datasheet bytes are processed in memory and discarded the instant the engine returns. The only artefacts kept are a SHA-256 hash of the document, its size in bytes, and the names of attributes the engine extracted (not the values). These artefacts follow the 12-month rule below.
Security metadata at 90 days — IP address, user-agent string and referrer are nulled out after 90 days from the date of submission, and the corresponding registration audit log entries are deleted at the same point. The anti-abuse purpose is fully served by 90 days; longer would not be justifiable.
Gatekeeper records and demo activity at 12 months — the name, position, email, reason, and the linked record of which calibrations were tried with what confidence outcome (and the non-reversible description hashes) are deleted in full at 12 months from the date of submission. The follow-up window for B2B trade-compliance procurement closes well within this period; longer would not be justifiable.
Email correspondence — retained for as long as the conversation is reasonably live, then archived for up to two years.
Web-server access logs — retained briefly by IONOS per their standard policy.
Records we are legally required to keep (e.g. accounting records) — retained for the period the law requires, typically six years.

You can ask us to delete your gatekeeper record at any time, ahead of the schedule above — see Your rights.

8. Your rights

Under UK GDPR you have the right to:

Access — ask for a copy of the personal information we hold about you
Rectification — ask us to correct inaccurate information
Erasure — ask us to delete your information (subject to legal obligations to retain certain records)
Restriction — ask us to limit how we process your information
Portability — ask for your information in a portable format
Object — object to processing based on legitimate interests
Withdraw consent — where we have relied on consent for any specific processing

To exercise any of these, email hello@pragticality.com. We respond within one calendar month.

9. Cookies and similar technologies

The Gnomon site does not set tracking cookies. The demo uses your browser’s session storage to remember a session token and the number of demo readings remaining — this is a strictly functional use, exempt from the cookie consent requirements of PECR, and is cleared automatically when you close the browser tab.

10. Security

The site is served exclusively over HTTPS. The demo API enforces an allowlist of permitted origins and rate-limits per session. Database backups are encrypted at rest by the hosting provider. We design the demo to capture as little as it needs to do its job — the strongest privacy control is data we never collect.

11. Children

Gnomon is a B2B trade-compliance product. The site is not directed to anyone under 18 and we do not knowingly collect information from children.

12. Changes to this notice

If this notice changes materially we will update the date at the top of the page and, where practical, notify anyone with an active conversation by email. Material here is light enough that minor wording revisions don’t merit notification — the date is the source of truth.

13. Complaints

If you are unhappy with how we have handled your information, we would prefer to hear from you first — email hello@pragticality.com. You also have the right to complain to the UK Information Commissioner’s Office at ico.org.uk or by calling 0303 123 1113.

← Back to home · Get in touch →

What we collect, why, and what we don’t.