Legal
Privacy Policy
Last updated: March 4, 2026
This Privacy Policy applies to your use of the Numiva website (the “Website”) operated by Numiva Ltd (“we”, “us” or “our”). We take your privacy very seriously. This Policy explains how we collect, use, share, and safeguard your personal data when you use our Website. Please read it carefully.
By using the Website, you agree to the terms of this Privacy Policy.
Definitions
- Data: Any information that you provide to Numiva via the Website, or that we collect about you. This includes personal data as defined under Data Protection Laws.
- Data Protection Laws: Laws and regulations about personal data and privacy that apply to us, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any other applicable data protection or privacy laws.
- User (or “you”): Any person using the Website who is not employed by Numiva and acting in the course of their employment, and not engaged as a contractor/consultant providing services to Numiva.
- Website: The website located at Numiva.ai and any sub-domains of that site, unless expressly excluded by their own terms and conditions.
- GDPR: The General Data Protection Regulation. In this Policy, “GDPR” refers to the UK GDPR as it applies in the United Kingdom (and where relevant, the corresponding EU GDPR if you are in the EEA).
Scope of this Privacy Policy
This Privacy Policy applies only to the actions of Numiva and Users with respect to this Website. It describes how we handle personal data on this Website and does not cover other websites that may be linked from our site. If you follow links to other websites (for example, to social media platforms), please note that those sites have their own privacy policies and we do not accept any responsibility or liability for their policies.
As we are registered in the UK, for purposes of the applicable Data Protection Laws, Numiva is the “data controller” of your personal data. This means we determine the purposes and manner in which any of your personal data is processed.
Data We Collect
We follow the principle of data minimization – we only collect data that is necessary to provide and improve our services. The types of data we may collect include:
- Account Information: When you create an account, we collect information such as your email address and a display name. If you choose to sign in via Google, we receive an OAuth token to authenticate you (we do not receive or store your Google password).
- Authentication Data: This includes session IDs and authentication tokens to keep you logged in securely.
- Payment Information: If you subscribe to a paid plan, we collect data about your subscription and payment status (e.g. plan type, billing email, country). Payments are processed by Stripe. Numiva does not store your full card number or payment credentials – those are handled securely by Stripe.
- Technical & Log Data: When you use the Website, we automatically collect technical information such as your IP address, device and browser type, operating system, and timestamps of your visits. We also maintain server logs for security, fraud prevention, and troubleshooting purposes.
- Product Usage Analytics: With your consent where required, we collect analytics data about how you use our Website. This may include pages viewed, clicks, features used, session duration, and device information.
- Customer Support Communications: If you contact us for support or send us feedback, we will collect the information you provide in those communications. This is voluntary and only used to assist you.
- Content You Submit to AI Features: If our service offers AI-powered features, we will process the content you submit (your prompts or input data and the resulting outputs) to provide you with the requested feature. We do not use the personal content you submit to train any third-party general AI models or our own models.
We do not intentionally collect any special-category or sensitive personal data about you (such as information about your health, biometric identifiers, religious beliefs, etc.), unless it is strictly necessary for a specific feature and you have explicitly consented.
How We Collect Data
We collect personal data in two main ways:
- Directly from you: You may provide data to us, for example when you create an account, update your profile, fill in forms on the Website, communicate with us, or when you voluntarily submit information as part of using our services.
- Automatically from your use of the Website: When you access and navigate our Website, certain data gets collected automatically via cookies, log files, and similar technologies. This automatic collection helps us run, secure, and improve our service.
How We Use Your Data
We will use your personal data only as necessary to operate our business, provide our services to you, and meet our legal obligations. Specifically, we may use your data for the following purposes:
- To provide our service: Creating and managing your account, authenticating you, and delivering the features and services you request.
- To provide customer support: Using your contact details and support communications to help resolve your inquiries, technical issues, or disputes.
- To improve our products and services: Analyzing usage data and feedback to understand how our Website is used and to make improvements.
- To maintain security and prevent fraud: Using technical data to protect our Website, monitor for suspicious or malicious activity, and enforce our terms of service.
- For internal record-keeping: Keeping records of transactions, support requests, and other interactions as needed for administration, accounting, and auditing.
- To send you marketing communications: With your consent, we may use your email address to send you promotional emails. You can opt out at any time.
- To comply with legal obligations: Processing and retaining data to fulfil legal requirements such as tax and accounting records.
Legal Bases for Processing
We only process your personal data when we have a valid legal basis under the UK GDPR:
- Performance of a Contract: Processing data necessary to provide you with our services and fulfil our contractual obligations, including account management, features, payments, and customer support.
- Legitimate Interests: Processing data as necessary for our legitimate business interests, provided those interests are not overridden by your rights. This includes keeping our service secure, monitoring performance, improving products, and communicating with users. We conduct Legitimate Interest Assessments to ensure your fundamental rights are not overridden.
- Consent: We rely on your consent for non-essential analytics cookies and marketing emails. You have the right to withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal Obligation: Processing and retaining data when legally required, such as complying with financial and tax laws (e.g. retaining invoice records for HMRC) and responding to lawful requests from courts or regulators.
Marketing Communications
- Consent for marketing: We will only send you promotional emails or newsletters if you have given us consent. You have full control and can unsubscribe at any time.
- Soft opt-in (existing customers in the UK): If you are an existing customer, we may send you marketing emails about similar products or services under the UK’s “soft opt-in” rule, provided you have not opted out. We will always give you a clear opportunity to opt out in every message.
- Your right to opt out: You can stop marketing messages at any time by clicking the “unsubscribe” link in any marketing email or contacting us. Even after opting out, we may still send you essential service or account-related communications.
Who We Share Your Data With
We do not sell your personal data to anyone. We may share your information with trusted third parties in order to run our service or when required by law. Any third party that processes data on our behalf must comply with strict data protection obligations.
- Infrastructure and Hosting Providers: Cloud infrastructure services (e.g. Amazon Web Services) to host our Website, databases, and backups.
- Authentication / Identity Providers: Identity providers like Google OAuth to authenticate users. Google only shares basic account info needed for login authentication.
- Payment Processors: Stripe handles subscription payments and billing. Numiva never sees or stores your full credit card information.
- Email and Communication Tools: Email service providers to send account confirmations, password resets, notifications, or newsletters.
- Analytics Services: With consent, tools like Google Analytics to collect anonymised statistics on Website usage. We configure these tools in compliance with privacy laws (e.g. IP anonymisation).
- AI Service Providers: Third-party AI APIs to process your requests. We do not allow service providers to use your personal content for training their own general AI models without your explicit opt-in consent.
- Our Affiliates and Subsidiaries: Data may be shared with companies in our corporate group insofar as necessary to support provision of services, always under the same privacy safeguards.
- Employees and Contractors: Authorised personnel only, on a need-to-know basis, subject to strict confidentiality obligations.
- Professional Advisers: Auditors, insurers, and legal counsel when necessary, bound to confidentiality.
- Regulators and Legal Authorities: When required by law, court order, or regulatory request. We only share data we are legally required to disclose.
We do NOT sell your personal data, and we do not share your personal information with third parties for their own independent marketing or advertising purposes.
Keeping Your Data Secure
We employ a range of technical and organisational measures to prevent unauthorised access, loss, or disclosure of your information:
- Encryption in transit: HTTPS with TLS to prevent eavesdropping.
- Encryption at rest: AES-256 encryption for databases and backups.
- Access controls: Role-based access control (RBAC) and the principle of least privilege.
- Authentication safeguards: Multi-factor authentication (MFA) on sensitive systems and administrative accounts.
- Activity logging and monitoring: Detailed audit logs of access to personal data and critical systems.
- Regular backups: Encrypted backups stored securely with the same level of protection as production systems.
- Vulnerability management: Regular software updates, periodic security assessments, firewalls, and prompt vulnerability remediation.
- Breach notification: In the unlikely event of a data breach, we will notify the relevant supervisory authority (such as the ICO) within 72 hours and inform affected individuals without undue delay where required by law.
If you suspect any misuse of your account or any security breach, please notify us immediately at info@numiva.ai.
Data Retention
We will not keep your personal data for longer than necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law.
- Account Data: Retained for as long as your account is active. After deletion, we keep a limited backup for 30 days, then permanently delete.
- Session Data: Server logs of user access are kept for approximately 90 days, then deleted or anonymised.
- Security Logs: Retained for about 1 year to aid in security audits and investigations.
- Product Analytics Data: Retained for up to 26 months by default. Analytics data may be aggregated or anonymised after a certain period.
- Customer Support Records: Kept for approximately 3 years after resolution of your issue, then deleted or anonymised.
- Payment and Transaction Records: Retained for 6 years after the end of the financial year to comply with HMRC requirements.
- Data Processed by AI Features: Processed transiently. Not stored long-term in personally identifiable form unless you choose to save an AI-generated document.
Your Rights
Under data protection laws (such as the UK GDPR), you have several important rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you, as well as information about how we use it.
- Right to Rectification: Ask us to correct inaccurate or incomplete personal data. You can also update certain information directly via your account settings.
- Right to Erasure: Request that we delete your personal data (the “right to be forgotten”). You can delete your account via the Website, and we will erase the associated data except where we are legally required to retain it.
- Right to Restrict Processing: Ask us to restrict or pause the processing of your personal data in certain circumstances.
- Right to Data Portability: Obtain your data in a structured, commonly used, machine-readable format and request transfer to another service provider.
- Right to Object: Object to processing based on our legitimate interests or to any processing for direct marketing purposes.
- Right to Withdraw Consent: Withdraw consent at any time. This will not affect the lawfulness of processing that happened before your withdrawal.
To exercise any of these rights, email us at info@numiva.ai. We will respond within one month (we may extend by an additional two months for complex requests).
International Data Transfers
Your personal data may be transferred to, stored at, or processed in a country outside the United Kingdom or the European Economic Area. Whenever we transfer your data outside of the UK/EEA, we take steps to ensure your information receives an equivalent level of protection:
- Standard Contractual Clauses (SCCs): Approved template clauses that legally bind recipients to protect data to EU/UK GDPR standards.
- UK International Data Transfer Agreement (IDTA): Legal tools endorsed by the ICO to safeguard UK personal data sent overseas.
- Transfer Impact Assessments (TIAs): Evaluating the circumstances of data transfers and implementing additional technical measures where needed.
Links to Other Websites
Our Website may include links to external websites or services that are not operated by Numiva. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites. We encourage you to review each site's privacy policy before providing any personal data.
Business Transfers
If Numiva's business undergoes a change such as a merger, acquisition, or sale of assets, your personal data may be part of the assets transferred. The new owner would be permitted to use your data only for the same purposes for which it was originally collected and would be required to honour the terms of this Privacy Policy unless you are notified of changes.
Customer Support Access to Your Content
By default, our support team does not access the content you create or store on Numiva. Your projects, files, or any data you input are kept private to your account. If diagnosing a problem requires access to your specific content:
- We will ask for your one-time explicit permission before accessing any content.
- Access is limited strictly to the data necessary for the task.
- Access is temporary, logged, and automatically revoked when the issue is resolved.
- All staff are under strict confidentiality obligations and only authorised personnel with a need-to-know may access data.
- You can revoke access at any time by contacting info@numiva.ai.
Cookies and Similar Technologies
We use the following categories of cookies:
- Strictly Necessary: Essential for the operation of our Website (e.g. session cookies). These do not require consent and are always active.
- Preferences: Remember your settings like language or layout choices.
- Analytics: With consent, collect information about how visitors use our site to help us improve. Information collected is aggregated and does not directly identify you.
- Marketing: Only used with your consent, for tracking campaign effectiveness or retargeting.
We will not set non-essential cookies unless you opt in. You can change your preferences at any time via our cookie settings or your browser settings. For more details, see our Cookie Policy.
No Model Training on Your Personal Content
We do NOT use your personal content to train third-party generalised AI models. The prompts, data, or documents you submit to our AI features are processed only for the purpose of providing you with the result or output you request.
If we utilise third-party AI providers, your content is sent to their system only to generate the specific output and not for them to retain or use in improving their own models. We do not feed the personal data or proprietary content of our users into broad training datasets. Any improvement to our AI features that might involve user data will either use anonymous, aggregated information or be done only with explicit user permission.
Your prompts and outputs belong to you. Other users will not see your content unless you choose to share it, and our AI will not learn personal details about you or the specifics of your content to repeat elsewhere.
Changes to this Privacy Policy
We may change this Privacy Policy from time to time. We will notify you if we make a significant change by contacting you through the contact details you have provided and by publishing an updated version on our website. Your continued use of the Website after any changes constitutes acceptance of those changes.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the way Numiva handles your personal data, please do not hesitate to reach out to us.
Numiva Ltd
Email: info@numiva.ai
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
© Numiva Ltd