Privacy Policy

Last updated: March 2026

1. Data Controller

9Mil Ltd is the data controller responsible for your personal data. We are registered in the United Kingdom. For any data protection queries, you can reach us at support@9mil.io.

2. Data We Collect

We collect the following categories of personal data:

  • Identity data: First name, last name
  • Contact data: Email address, phone number
  • Business data: Company name, industry, revenue range, growth goals, and business challenges
  • Technical data: Browser type, IP address, and page visit data collected via Vercel Analytics
  • Transaction data: Payment records processed through Stripe (we do not store card details)

3. How We Use Your Data

We use your personal data for the following purposes:

  • To deliver Growth Audits and personalised recommendations
  • To provide and manage the services you have purchased
  • To send marketing emails about relevant content, product updates, and offers (you can unsubscribe at any time)
  • To improve our website and services through analytics
  • To comply with legal obligations

Our legal bases for processing are: performance of a contract, legitimate interests (business development and service improvement), and your consent (for marketing communications).

4. Data Storage and Security

Your data is stored securely using Supabase, which provides encryption at rest and in transit. Our database is hosted on secure cloud infrastructure with row-level security policies in place.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.

5. Third-Party Sharing

We share your data with the following third-party processors, who act on our behalf:

  • Stripe: For secure payment processing
  • n8n: For workflow automation (e.g., audit delivery, follow-up sequences)
  • Vercel: For website hosting and analytics
  • Supabase: For database hosting and authentication

We do not sell your personal data to third parties. We only share data as necessary to provide our services.

6. Cookies

We use minimal cookies. Our website uses Vercel Analytics, which is a privacy-focused analytics solution that does not use cookies for tracking. We do not use third-party advertising cookies.

Essential cookies may be used to maintain session state and ensure the proper functioning of our website.

7. Your Rights

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data
  • Right to portability: Request your data in a structured, machine-readable format
  • Right to restrict processing: Request limitation of how we process your data
  • Right to object: Object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent: Withdraw consent for marketing communications at any time

To exercise any of these rights, please contact us at support@9mil.io. We will respond within 30 days.

8. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. Typically, we retain client data for up to 6 years after the end of our business relationship, in line with UK legal requirements.

9. International Transfers

Some of our third-party processors may store data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions, to protect your data.

9a. Google API Services — Limited Use Disclosure

When you connect a Google account to Sonny (our recruitment automation product), 9Mil uses Google API Services to send mail on your behalf. Specifically, we request the following OAuth scope:

  • https://www.googleapis.com/auth/gmail.send — used solely to send outreach email and follow-up messages that you, the authenticated user, compose or approve inside Sonny’s dashboard or via your own Sonny API key. We never send mail without an explicit in-product action by you.

Note: Sonny does not currently request the gmail.readonly scope. Replies to Sonny-sent messages on Gmail are marked manually by the recruiter in the Sonny pipeline. Reply detection on Outlook / Microsoft 365 uses Microsoft Graph webhooks (separate provider, separate consent flow).

9Mil’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Concretely this means:

  • We do not use Gmail data to develop, improve, or train generalised AI/ML models. Sonny’s scoring and drafting models are trained on data sourced independently of any Google account data.
  • We do not transfer Gmail data to third parties except as strictly necessary to provide and improve user-facing features of Sonny, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
  • We do not use Gmail data to serve advertising, including retargeting, personalised ads, or interest-based ads.
  • We do not allow humans to read Gmail data unless we have your explicit consent to read specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or where the data is aggregated and used for internal operations and the data has been de-identified.

You can revoke Sonny’s access at any time at myaccount.google.com/permissions. When you do, we delete the OAuth refresh token and stop reading or sending on your behalf within 24 hours. Any cached message metadata we hold is purged within 30 days of disconnection.

Questions about how Sonny handles your Google account data can be sent to privacy@9mil.io.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this page periodically.

11. Contact and Complaints

If you have questions or concerns about this Privacy Policy or how we handle your data, please contact:

Anthony Dennis
9Mil Ltd
United Kingdom
support@9mil.io

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated. Visit ico.org.uk for more information.