AI Security Policy

Effective date: 1 February 2026

1. PURPOSE

This policy explains how Gather 'n' Grow uses Artificial Intelligence (AI) tools safely, responsibly, and in line with confidentiality and data protection obligations. It is designed to protect our customers, our staff, our suppliers, and our business.

2. SCOPE

This policy applies to:

  • all employees, contractors, and temporary staff of Gather 'n' Grow
  • all AI tools used for business purposes, including chat assistants, content tools, transcription tools, image tools, and automation services
  • any device used for company work, including personal devices where permitted

3. PRINCIPLES

We use AI to support people, not replace responsibility.

We minimise data: if we do not need the detail, we do not use it.
We anonymise wherever possible.
We keep human oversight for anything that impacts customers, finances, safety, or legal obligations.
We only use approved AI tools for business work.
We report mistakes quickly, without blame, so we can fix the system and prevent recurrence.

4. DEFINITIONS

AI tool: any software that generates, transforms, or analyses content using machine learning models.
Personal data: information that can identify a living person (directly or indirectly).
Confidential data: business-sensitive information including pricing, contracts, supplier terms, internal documents, strategies, or customer details.
Restricted data: special category personal data (for example health), financial account details, passwords, security codes, identity documents, or anything that would cause harm if disclosed.

5. APPROVED AI TOOLS

Only approved tools may be used for company work.
Approved tools list (maintained by the policy owner):

  • Claude AI
  • Cursor

Any new AI tool must be reviewed and approved before use. Approval must consider:

  • how data is handled, stored, and retained
  • security controls and access management
  • the supplier’s terms of service, including any training or reuse of inputs
  • deletion, export, and audit capabilities

6. DATA YOU MUST NOT INPUT (UNLESS EXPLICITLY APPROVED IN WRITING)

You must never paste, upload, or share the following in any AI tool unless the policy owner has approved it in writing for a specific task:

  • passwords, access codes, API keys, authentication tokens
  • bank details, card details, payment links, or direct debit information
  • copies of passports, driving licences, identity documents
  • medical or health information
  • HR information, disciplinary matters, or sensitive staff information
  • full customer records including name + address + contact details in the same prompt
  • supplier contracts or confidential supplier pricing terms
  • any information labelled confidential by a client or supplier

Default rule:
If you would not put it on a public noticeboard, do not put it into an AI tool.

7. ANONYMISATION AND MINIMISATION (DEFAULT BEHAVIOUR)

Where AI support is useful, we remove identifying details:

  • names become “the customer” or “the supplier”
  • addresses become “a property in [region]”
  • dates become approximate if exact dates are not required
  • order numbers and account references are removed

We only include the minimum detail needed to complete the task.

8. HUMAN REVIEW AND APPROVAL

AI outputs must be reviewed by a person before they are:

  • sent to customers or suppliers
  • used in quotes, contracts, or legal documents
  • used in pricing, financial decisions, or credit control
  • used in safety-critical guidance
  • published publicly under the company name

The reviewer is responsible for ensuring the output is accurate, appropriate, and compliant.

9. ACCURACY AND QUALITY CONTROL

AI tools can produce plausible-sounding errors.

Staff must:

  • check facts, figures, and claims before use
  • avoid stating assumptions as facts
  • use primary sources for technical, legal, or medical claims
  • escalate internally when unsure

10. RECORD KEEPING AND AUDIT

Gather 'n' Grow maintains appropriate records of:

  • approved AI tools
  • who has access to them
  • training completed
  • approved exceptions
  • any incidents or suspected incidents

Where AI is used to support customer work, we keep enough context to explain decisions if questioned, without storing unnecessary personal data.

11. INCIDENT MANAGEMENT

If you suspect data has been shared incorrectly, or AI tools have been used in breach of this policy, report it immediately to:

Alyssa Yap (alyssa@gatherngrow.com)

We will:

  • contain the issue and stop further exposure
  • assess what data may be affected
  • record what happened and actions taken
  • notify relevant parties where legally required
  • improve controls to prevent recurrence

12. TRAINING AND AWARENESS

All staff who use AI tools for business work must complete basic training covering:

  • data handling and confidentiality
  • anonymisation and minimisation
  • how to review AI outputs properly
  • how to report issues quickly

Training will be refreshed at least annually, or sooner if tools or risks change.

13. EXCEPTIONS

Exceptions are allowed only if:

  • there is a clear business reason
  • risks are understood and mitigated
  • approval is provided in writing by the policy owner
  • scope is limited to what is necessary

14. POLICY REVIEW

This policy will be reviewed:

  • at least every 12 months
  • after any significant incident
  • when introducing new AI tools or major new AI use cases

Signed
Alyssa Yap
Director of Gather 'n' Grow