Privacy & Security Policy

Who we are

Our website address is: https://www.lorcandigital.com.

What personal data we collect and why we collect it

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service Privacy Policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

Cookies

If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Analytics

Who we share your data with

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

Your contact information

Additional information

How we protect your data

What data breach procedures we have in place

What third parties we receive data from

What automated decision making and/or profiling we do with user data

Industry regulatory disclosure requirements

AI Security Policy

**Lorcan Digital**

**Document Version:** 1.0

**Last Updated:** [12/02/2026]

**Next Review:** [12/02/2026 + 12 MONTHS]

**Owner:** Lol Lowe

## 1. PURPOSE

This AI Security Policy establishes guidelines for the responsible use of artificial intelligence (AI) tools at Lorcan Digital. This policy protects:

– **Clients** – Protecting Google Ads accounts, business strategies, and confidential information entrusted to us

– **Business Operations** – Preventing security breaches, data loss, and reputational damage

– **Data Integrity** – Ensuring accurate handling of sensitive campaign and strategic data

The policy ensures AI tools support and enhance our work while maintaining security, privacy, and compliance standards.

## 2. SCOPE

This policy applies to:

– **All work** – All activities conducted under Lorcan Digital

– **All AI tool usage** – Regardless of the tool, platform, or location

– **All work devices** – Computers, tablets, phones, and other devices used for client work

– **Personal devices** – When used for Lorcan Digital work purposes

This includes but is not limited to:

– ChatGPT, Claude, Gemini, and similar large language models

– AI-powered search tools

– Generative design and content tools

– AI code assistants

– Automation and workflow tools with AI components

– Specialized AI tools for marketing, data analysis, or client work

## 3. PRINCIPLES

All AI tool usage is guided by five core principles:

### 3.1 AI Supports, Not Replaces, Human Expertise

AI should enhance our strategic thinking and capabilities, not eliminate human judgment or accountability. Final responsibility for outputs remains with Lol Lowe and Lorcan Digital.

### 3.2 Minimize Data Input

Only input necessary information. Avoid sharing full client databases, complete account records, or unnecessary context that could expose sensitive information.

### 3.3 Anonymize and Depersonalize

Remove identifying details before using AI tools. Replace client names with [CLIENT TYPE/INDUSTRY], account IDs with [REFERENCE], specific metrics with [TIMEFRAME/PERCENTAGE], etc.

### 3.4 Maintain Human Oversight

All AI outputs require human review, fact-checking, and approval before use—particularly for client deliverables and strategic recommendations.

### 3.5 Use Only Approved Tools

All AI tools must be approved before use. Unapproved tools present unknown security and confidentiality risks.

## 4. DEFINITIONS

**AI Tool** – Any software or service that uses artificial intelligence, machine learning, or generative technology to perform tasks, analyze data, or create outputs.

**Client Data** – Any information belonging to or about Lorcan Digital’s clients, including Google Ads account information, business strategies, customer lists, and performance data.

**Confidential Data** – Business information that provides competitive advantage or is marked confidential, including client strategies, pricing, competitive analysis, and proprietary processes.

**Personal Data** – Any information that directly identifies an individual (name, email, phone, ID number, account credentials, etc.).

**Anonymization** – Removing or replacing identifying details so information cannot be linked back to individuals or specific clients.

**Approved Tools List** – The current registry of authorized AI tools available for use by Lol Lowe.

## 5. APPROVED AI TOOLS

The following AI tools are approved for use:

| Tool | Approved Uses | Restrictions | Last Reviewed |
|------|---------------|--------------|---------------|
| Claude (Anthropic) | Strategic analysis, content creation, campaign optimization, research | Do not share passwords or API keys | 12/02/2026 |
| ChatGPT (OpenAI) | General writing, brainstorming, client communications | Do not share Google Ads account credentials | 12/02/2026 |
| Google Gemini | Research, data analysis, alternative perspectives | Do not share confidential client strategies | 12/02/2026 |
| 8020 Brain (Proprietary Tool Built on Anthropic) | Strategic analysis, content creation, campaign optimization, research | Do not share passwords or API keys | 12/02/2026 |

### 5.1 Adding New Tools

To approve a new AI tool for use:

1. Evaluate based on:

   – Data protection and encryption standards

   – Privacy policy and terms of service

   – Compliance with data handling requirements

   – Risk assessment and business need

   – Cost and contract terms

2. Document decision with:

   – Tool name and vendor

   – Approved use cases

   – Specific restrictions

   – Date of approval

3. Update Approved Tools List above

**Unapproved tools are not permitted, regardless of convenience or popularity.**

## 6. DATA YOU MUST NOT INPUT

**DO NOT** share any of the following with AI tools:

### 6.1 Security Credentials

– Google Ads account passwords or API keys

– Login credentials for any client system

– Google Analytics or Search Console credentials

– Private encryption keys or authentication tokens

– Access codes or security information

### 6.2 Client Account Details

– Google Ads account IDs or customer ID numbers

– Full Google Ads account structure and settings

– Complete customer lists or prospect databases

– Client business login credentials

– Full contact information for client contacts

### 6.3 Financial Information

– Client budget figures or spending details (if confidential)

– Client revenue or financial performance (unless anonymized)

– Pricing information

– Bank account or payment information

– Cost per acquisition or client profitability data

### 6.4 Sensitive Strategic Information

– Confidential client business strategies

– Unreleased campaign plans or initiatives

– Client competitive advantages or secret tactics

– Client market positioning details

– Product launch plans or timing

### 6.5 Personal Information

– Client employee names or contact details

– Client customer personal data

– Personal identification numbers

– Health or medical information about clients

### 6.6 Legally Protected Information

– Pending litigation or legal disputes

– Confidential client contracts (unless anonymized)

– Non-public financial statements

– Proprietary client processes or methods

## 7. ANONYMISATION AND MINIMISATION

### 7.1 Default Practice

By default, remove identifying details from all prompts. Examples:

| Original | Anonymized |
|----------|------------|
| “My client ABC Corporation in the plumbing industry is struggling with…” | “A client in [INDUSTRY] is struggling with…” |
| “Google Ads account 123-456-789 is spending $5,000/month but only getting 15 leads” | “An account is spending [AMOUNT]/month but conversion rate is [PERCENTAGE]” |
| “John Smith at XYZ Company wants to launch a new SaaS product in March” | “A client wants to launch a [PRODUCT TYPE] in [TIMEFRAME]” |
| “We’re testing a new RSA angle about ROI because competitors in the [INDUSTRY] are focusing on cost” | “Testing a new angle about [VALUE PROPOSITION] because market is shifting toward [TREND]” |

### 7.2 Information Minimization

Only share information necessary for the task:

– **DO provide**: Task description, context about the problem, relevant examples, industry context

– **DON’T provide**: Full client information, complete account data, unnecessary sensitive details, client names or specific figures

### 7.3 Documentation

Keep records of what types of client information were shared with AI tools, particularly for audit purposes.

## 8. HUMAN REVIEW AND APPROVAL

### 8.1 What Requires Human Review

All AI outputs must be reviewed before use, with special attention to:

– **Client Deliverables** – Campaign recommendations, strategy documents, reports, presentations

– **Client Communications** – Emails, proposals, updates, recommendations sent to clients

– **Strategic Recommendations** – Any advice or analysis provided to clients

– **Ad Copy and Creative** – Headlines, descriptions, landing page suggestions

– **Data Analysis** – Any analysis, metrics, or conclusions presented as fact

– **New Strategies** – Untested approaches or novel recommendations

### 8.2 Review Checklist

Before approving AI-generated content:

– [ ] Has accuracy been verified against my knowledge and client data?

– [ ] Does it reflect Lorcan Digital’s expertise and approach?

– [ ] Would it withstand client scrutiny or challenge?

– [ ] Is the analysis logically sound and well-reasoned?

– [ ] Does it avoid making up data or presenting assumptions as facts?

– [ ] Is it aligned with the client’s goals and context?

– [ ] Have I added my own strategic thinking and perspective?

### 8.3 Documentation

Keep records of:

– What was reviewed

– When it was reviewed

– Any changes made before approving

– Confirmation that it meets quality standards

## 9. ACCURACY AND QUALITY CONTROL

### 9.1 AI Limitations

AI tools are prone to:

– **Hallucinations** – Generating plausible-sounding but false information

– **Outdated Knowledge** – Information based on training data that may be incomplete or outdated

– **Overconfidence** – Presenting uncertain information as fact

– **Context Errors** – Misinterpreting nuance or strategy complexity

– **Inconsistency** – Providing different answers for similar queries

### 9.2 Verification Standards

Always verify AI outputs through:

1. **Fact-checking** – Cross-reference with known data and sources

2. **Logic review** – Ensure reasoning is sound and conclusions justified

3. **Industry knowledge** – Does it align with current PPC and digital marketing best practices?

4. **Client context** – Does it account for the specific client situation and goals?

5. **Personal expertise** – Have I reviewed this through my own strategic perspective?

### 9.3 Responsibility

Lorcan Digital takes full responsibility for accuracy and quality of all client work, regardless of AI tool use. Never attribute errors to AI tools when communicating with clients.

## 10. RECORD KEEPING AND AUDIT

### 10.1 Documentation Requirements

Maintain records for:

– **Tool Usage** – What tools are being used, for what purposes, when

– **Client Work** – What AI tools were used in client deliverables or recommendations

– **Approvals** – When AI-generated content was reviewed and approved

– **Incidents** – Any confidentiality concerns, policy violations, or data concerns

– **Training Completion** – When monthly AI security training was completed

### 10.2 Retention Period

Maintain records for 6 months to support compliance and incident investigation.

### 10.3 Access Controls

Record-keeping systems should be protected with:

– Secure, password-protected storage

– Regular backup and disaster recovery

– Limited access to Lol Lowe only

## 11. INCIDENT MANAGEMENT

### 11.1 Incident Types

Report the following incidents immediately (same day) if they occur:

– **Confidentiality Breach** – Accidentally sharing client data, account information, or strategies with an AI tool

– **Unauthorized Tool Use** – Using unapproved AI tools for client work

– **Accuracy Issue** – AI-generated content was used before errors were discovered

– **Client Impact** – Any situation where client data, account security, or work quality was affected

– **Data Concern** – Any unusual activity, tool malfunction, or policy violation

### 11.2 Incident Response Process

**Upon Discovery:**

1. **Stop** – Cease using the tool immediately if data may have been exposed

2. **Contain** – Prevent further sharing (e.g., delete prompts from tool history, stop using tool)

3. **Assess** – Determine what data was shared and to which tool

4. **Document** – Record what happened, when, and what client data may be affected

**Investigation:**

1. Assess severity and scope of incident

2. Determine if client notification is required

3. Identify root cause (user error, tool vulnerability, process gap)

4. Develop corrective action plan

**Resolution:**

1. Implement fixes (process changes, tool restrictions, procedure updates, etc.)

2. Notify affected clients if necessary

3. Update policies or procedures if needed

4. Verify corrective actions are effective

### 11.3 Escalation

Any incident involving client data or confidentiality concerns requires immediate assessment and potential client notification.

## 12. TRAINING AND AWARENESS

### 12.1 Initial Training

Complete AI security training covering:

– AI tool capabilities and limitations

– Client data protection requirements

– Anonymization and minimization practices

– Approved tools and approval process for new tools

– Incident reporting procedures

– Review and approval workflows

**Timing**: Before using any AI tools for the first time

### 12.2 Monthly Training

Ongoing monthly refresher training reinforces:

– Policy requirements and best practices

– Recent incidents and lessons learned

– Emerging risks and opportunities

– Tool updates and new features

– Q&A and feedback on AI tool use

**Timing**: Monthly on [DAY/DATE]

### 12.3 Training Records

Maintain records of:

– Dates of training completion

– Training materials covered

– Updates to training based on incidents or policy changes

## 13. EXCEPTIONS

### 13.1 Documented Exceptions

Limited exceptions to this policy are permitted only when:

– A specific client or business need requires deviation

– No alternative approach exists

– Risk has been assessed and mitigated

– Exception is documented with clear justification

– Exception is time-limited

### 13.2 Exception Request Process

To request an exception, document:

1. **The need** – What business requirement can’t be met within policy

2. **Why** – Why standard approaches won’t work

3. **The risks** – What data protection risks this creates

4. **The controls** – How will risks be mitigated?

5. **The duration** – How long is this exception needed?

### 13.3 Exception Documentation

Approved exceptions must be recorded with:

– Exception description and date

– Specific conditions and controls

– Expiration date

– Review and renewal process

### 13.4 Prohibition on Exceptions

The following can **never** be exceptions:

– Sharing client Google Ads account passwords or API keys

– Using unapproved AI tools for client strategy or confidential data

– Skipping human review for client deliverables

– Failing to report confidentiality breaches

## 14. POLICY REVIEW

### 14.1 Annual Review

This policy will be reviewed at least annually to:

– Assess effectiveness of controls

– Identify areas for improvement

– Update approved tools list

– Incorporate feedback from use and incidents

– Ensure compliance with industry best practices

**Annual review date**: [DATE]

### 14.2 Post-Incident Review

Following any significant incident:

1. Policy will be reviewed for gaps or weaknesses

2. Updates will be made promptly

3. Affected processes will be updated

4. Policy will be re-reviewed if needed

### 14.3 Version Control

| Version | Date | Changes | Approved By |
|---------|------|---------|-------------|
| 1.0 | 12/02/2026 | Initial policy for Lorcan Digital | Lol Lowe |
| | | | |

## Contact Information

For questions about this policy or to report incidents:

– **Policy Owner**: Lol Lowe

– **Email**: [YOUR EMAIL]

– **Incident Reporting**: Report same day by email

– **Website**: lorcandigital.com

## Appendices

### Appendix A: Approved Tools Specifications

**Claude (Anthropic)**

– Approved for: Strategic analysis, content creation, research, campaign optimization

– Data: Do not share client account credentials or full client information

– Restrictions: Treat as external service; anonymize client details

– Vendor: Anthropic | Privacy Policy: [LINK]

**ChatGPT (OpenAI)**

– Approved for: Writing, brainstorming, communication

– Data: Do not share Google Ads account information or client API keys

– Restrictions: Treat as external service; anonymize client details

– Vendor: OpenAI | Privacy Policy: [LINK]

**Google Gemini**

– Approved for: Research, analysis, alternative perspectives

– Data: Do not share confidential client strategies or full account data

– Restrictions: Treat as external service; anonymize client details

– Vendor: Google | Privacy Policy: [LINK]

### Appendix B: Incident Log Template

| Date | Type | Description | Impact | Action Taken | Resolution | Lessons Learned |
|------|------|-------------|--------|--------------|------------|-----------------|
| | | | | | | |

### Appendix C: Exception Request Template

**Exception Request**

– **Date Requested**:

– **Business Need**:

– **Standard Policy Restriction**:

– **Why Standard Approach Won’t Work**:

– **Proposed Exception Details**:

– **Risks and Mitigations**:

– **Duration Needed**:

– **Approval Date**:

– **Expiration Date**: