AI Engineering · UK · Canarlo, Leeds
Canarlo is a Leeds engineering studio. We build production AI for UK technical founders — AI Act and UK GDPR aware by default. Audit logs the ICO can read, R&D credit evidence the claim needs, deployed to EU-region cloud.
Who we work with
UK SMEs and mid-market — ten to two hundred and fifty staff, from bootstrapped to teams that have already shipped. The buyer is a technical founder or an engineering lead. Someone who can read the diff and who has already costed the alternatives. B2B SaaS, fintech, healthtech, legal tech, ecommerce. Sectors where a UK GDPR breach is a board-level event and an AI Act misclassification reaches the customer contract.
SEIS and EIS rounds fund the discovery. R&D credits — properly evidenced — refund a meaningful slice of the build. We structure the SOW so the claim is straightforward; we are not the accountant, but we hand your accountant what they need.
We are not the right fit for an FTSE 100 RFP — that is a procurement exercise, not an engineering engagement. Not the right fit for a non-technical buyer who wants a no-code chatbot — the tools for that are cheaper than our scoping call. Not the right fit for a team that wants bodies on a Jira board — that is staff aug, not what we do.
UK regulatory posture
Regulation
EU AI Act applicability + UK alignment
Even outside the EU, the AI Act reaches any system serving an EU user. High-risk classification triggers documentation, human oversight, and conformity assessment. We ship a risk register at kickoff, structured decision logs for every automated action, and a model card that maps to Article 13 disclosure. Skip it and the first signal is a customer asking for the artefact you do not have.
Privacy
Lawful basis, DPIAs, where the data actually lives
UK GDPR still applies. Lawful basis written down, DPIA on file before processing starts, transfer impact assessment for any vendor outside the UK. We deploy to EU-region Supabase by default, document the data map, and name the sub-processors in the contract. Sending PII through someone else's prompt without a TIA is the ICO finding.
Audit
Artefacts a UK regulator will actually ask for
When the ICO writes, they ask for the DPIA, the records of processing, the access logs, the deletion logs. Not a slide deck. We ship structured JSON audit rows with sensitive fields redacted, retention policies enforced at the database, and a deletion endpoint that actually deletes. The artefact your DPO emails the regulator without rewriting it first.
Tax
R&D credits, contractor-vs-agency, SOW structuring
An AI build is usually qualifying R&D under HMRC rules — if the SOW names the technological uncertainty and the engineer-days are recorded. We structure the contract for the claim, log time against named uncertainties, and hand your accountant a CT600L-ready evidence pack. A generic agency invoice does not qualify. We have seen the rebate cover a quarter of the engagement.
What we build
AI Engineering
Agents, RAG, evals, MCP — shipped with audit trails.
Agents that fire into production unsupervised, RAG that cites the source, evals that fail the build on regression. Every automated decision logged with input, output, model version, confidence — the row your DPO and HMRC both ask for. Provider-portable by design; when a vendor deprecates a checkpoint, the swap is a config change.
Web Apps
Next.js 16 + Supabase, RLS by default, UK-hosted.
SaaS, ecommerce, CRMs, content systems. Per-row security at the database, not in the page. Deployed to EU-region Supabase, billed in GBP, sub-processors named in the DPA. Eighteen security patterns enforced by default — the list a UK security questionnaire asks for, already there.
Automations
Webhook-triggered workflows that replace manual ops.
Workflows that survive a million-row backfill. Signed webhooks both directions, idempotent retries, audit row per attempt. Replaces the Zap that nobody owns and the per-execution bill that grows quarterly. Internal tools your team will open instead of escalating to engineering.
How we work
Step 1
One scoping call. Written brief inside a week — invariants, failure modes, the DPIA shape if regulated data is in scope. The R&D-credit evidence log starts here.
Step 2
Schema, API surface, audit-row shape on the page. Data residency boundary named. EU-region Supabase confirmed. One week. You sign off before code starts.
Step 3
Eight to twelve weeks. Weekly demo on a real preview URL. Engineer-days logged against named technological uncertainties — your CT600L claim pack writes itself.
Step 4
Deploy to your UK or EU cloud, transfer keys, walk through the runbook and the DPIA. ICO-ready audit logs live from day one. Not a goodbye email.
Step 5
Optional retainer — security patches, dependency updates, AI Act and ICO guidance changes tracked. From £500 a month. UK office hours, same engineer.
Why Leeds, why us
Leeds sits two hours from London by train, ninety minutes from Manchester, three from Edinburgh. Close enough for an onsite week when the architecture phase needs it. Far enough that you are not paying for a Soho lease in every invoice line. The cost difference is real — a London agency at our seniority bills forty percent more for the same engineer-day.
In-timezone matters when a webhook fails at four on a Friday. An offshore team three time zones away will see it Monday. We see it before the customer does. UK office hours, UK contract, UK invoicing — VAT handled, no foreign-exchange dance.
The accountability is the harder one to source. At a London agency the partner pitches and the junior delivers. At an offshore shop the named lead rotates off and the second engineer never quite picks up the context. We are small on purpose. The engineer who writes the proposal writes the code. They are on the call when it breaks. The handover doc is signed by the same person at both ends.
Recent UK builds
Case study · Recruitment platform
A specialist recruitment business with spreadsheets, PDFs, and an inbox as the matching engine. We built the platform in fourteen weeks — candidate profiles, role briefs, agent-assisted shortlisting with a human gate on every introduction. Hosted on EU-region Supabase, audit row per match, DPIA on file. Twelve thousand active users in month one. They own the code, the schemas, the eval set.
Case study · Real-time scoring platform
A competitive league with sixty thousand UK members and no platform — fixtures lived in Facebook groups. We shipped the subscription product in ten weeks. Custom scoring, leaderboards, Stripe billing in GBP, the admin tool the founder runs without us. UK-hosted, VAT handled in app, R&D claim filed against named uncertainties. Profitable in month two. The codebase ships to their GitHub on every release.
Pricing
Fixed-fee tiers, scope written down before billing starts. Invoiced in GBP, VAT itemised, payment terms thirty days. The SOW names the technological uncertainties so your accountant can file the R&D claim without rewriting anything. If the work runs long, that is on us. Full breakdown on the cost page below.
Production AI, UK-hosted, audit-ready. Booked from Leeds.
§ Beyond the build
A monthly retainer that keeps your codebase in lock-step with the Forge generator. New security patterns, framework upgrades, dependency drift — patched on our schedule, regen-compatible forever. UK clients get a named engineer, in-timezone response, and AI Act or ICO guidance updates tracked against your stack. From £500 a month. Cancel any time.
Frequently asked
Yes. Risk classification, replay-ready logs, policy registries, and human-in-the-loop boundaries are built into the architecture — not bolted on at audit time. We produce the artefacts your DPO and external auditors ask for. UK GDPR, EU AI Act, and SOC 2 evidence delivered as part of the build.
Both. SMEs from twenty employees up, mid-market, Series A through C. The £8,000 AI System Audit and the free Readiness Assessment are designed as low-friction starting points. Engagement size scales with the problem — not with the buyer's headcount or fundraising history.
Your account, your region. Supabase London by default for UK clients, Frankfurt for EU. Vercel edge regions configurable. We never hold a production copy — you own the database, you set the region, you control the backup retention. UK GDPR data-residency requirements honoured by construction.
Yes when it helps. Kickoff workshops, architecture review days, on-site discovery — billed at cost of travel, never marked up. Most of the build runs remote from Leeds. The engineer who pitches is the engineer who turns up. No subcontracting, no body-shop swap at week three.
Yes — for the engineering work we deliver. Technical narratives, advance/uncertainty descriptions, time and cost apportionment in HMRC's expected format. Handed to your accountant for the submission. Most AI builds qualify under the SME or RDEC schemes, and the documentation is faster to produce in-flight than after the fact.
You. The repo, the schemas, the eval set, the prompt registry, the runbook. No Canarlo SaaS, no licence fees, no shared codebase. Plain TypeScript that any competent engineer can read. The brain is portable: rent the inference, own the rest. Vendor swap is a config change, not a re-architecture.
Start here
Twenty-minute call, UK office hours. Or start with the £8k AI System Audit — a thirty-page report on where your eval coverage has gaps.