Aiva - Privacy Policy
Version: 1.0
Effective date: 2026-06-30
Last updated: 2026-06-30
This Privacy Policy explains how Verlox Limited ("Verlox Ltd", "we", "us", "our") collects, uses, stores, and protects personal data when you use Aiva ("the Service").
Verlox Ltd is the data controller for personal data described in this Policy.
We are committed to protecting your privacy and processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
- Controller: Verlox Limited
- Company number: [TO BE INSERTED]
- Registered address: [TO BE INSERTED]
- ICO registration number: ZC108946
- Privacy contact: [email protected]
2. What Personal Data We Collect
2.1 Account and Identity Data
When you register for the Service, we collect:
- Full name
- Work email address
- Organisation name and role
- Password (stored as a hashed value, never in plaintext)
- Profile picture (if uploaded)
2.2 Billing Data
When you subscribe to a paid plan:
- Billing name and address
- VAT number (if applicable)
- Payment card details (collected and stored by our payment processor, Stripe; we do not store full card numbers)
- Transaction history and invoices
2.3 Usage Data
As you use the Service, we automatically collect:
- Log data: IP address (hashed for storage), browser type, operating system, pages visited, actions taken, timestamps
- Feature usage: which features and tools you use and how frequently
- Error and diagnostic data: crash reports, error logs, performance metrics
- Session identifiers
2.4 Communications Data
If you contact us for support, submit feedback, or communicate with us by email, we collect:
- Your name and email address
- The content of your communications
- Timestamps and reference numbers
2.5 Customer Data (Data Processed on Your Behalf)
Where you upload or generate content in the Service (documents, AI outputs, workspace data), that content may contain personal data. Verlox Ltd processes this as a data processor acting on your instructions. This is governed by the Data Processing Agreement, not this Privacy Policy.
3. How We Use Your Personal Data
We process personal data on the following lawful bases:
3.1 Performance of Contract (UK GDPR Article 6(1)(b))
We use your Account and Identity Data and Billing Data to:
- Create and manage your account
- Provide the Service you have subscribed to
- Process payments and issue invoices
- Send transactional emails (account confirmation, password reset, billing notifications)
- Respond to support requests
3.2 Legitimate Interests (UK GDPR Article 6(1)(f))
We use Usage Data to:
- Improve the Service and fix bugs
- Monitor system security and detect fraudulent activity
- Analyse how the Service is used to inform product development
- Send product update announcements and feature notifications
Our legitimate interest in operating and improving a secure, reliable service outweighs any privacy impact, given that the data is processed in aggregated or pseudonymised form where practicable.
3.3 Compliance with Legal Obligations (UK GDPR Article 6(1)(c))
We retain certain records (invoices, transaction logs) to comply with financial and tax obligations under UK law.
3.4 Consent (UK GDPR Article 6(1)(a))
Where we send marketing communications, we will do so only with your explicit consent. You may withdraw consent at any time by clicking "unsubscribe" in any marketing email or by contacting [email protected].
4. How Long We Keep Your Data
| Data type | Retention period |
|---|---|
| Account data | For the duration of your account, plus 30 days after closure |
| Billing records and invoices | 7 years (UK tax and accounting requirements) |
| Usage and log data | 12 months from collection |
| Support communications | 3 years from resolution |
| Legal acceptance records (ToS, DPA) | 7 years from acceptance date |
| AI-generated content and workspace data | 30 days after account closure, then deleted |
We review retention periods annually and delete data that is no longer necessary.
5. Who We Share Your Data With
We do not sell personal data. We share personal data only in the following circumstances:
5.1 Sub-processors
We use the following third-party sub-processors to operate the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | UK/EU (Stripe is certified under UK data transfer mechanisms) |
| Resend, Inc. (primary) / Postmark by ActiveCampaign (fallback) | Transactional email delivery | United States (SCCs in place) |
| Contabo GmbH | Infrastructure hosting | UK (VPS hosted in UK region) |
We have written agreements with all sub-processors requiring them to process personal data only on our instructions and to implement appropriate security measures.
A current list of sub-processors is maintained at carinaai.uk/legal/sub-processors.
5.2 Legal Requirements
We may disclose personal data to law enforcement, regulators, or courts where required by law, a court order, or to protect the rights, property, or safety of Verlox Ltd, our customers, or the public.
5.3 Business Transfers
If Verlox Ltd undergoes a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected individuals and provide choices where required by law.
6. International Transfers
All personal data processed by Verlox Ltd is stored and processed on UK-based infrastructure (Contabo VPS, UK region). We do not transfer personal data outside the UK except where a sub-processor (such as Stripe) operates internationally under appropriate transfer mechanisms recognised by the ICO.
Where transfers occur, we ensure they are protected by: (a) an adequacy decision from the UK Secretary of State; (b) UK International Data Transfer Agreements (IDTAs); or (c) the UK Addendum to the EU Standard Contractual Clauses.
7. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Ask us to correct inaccurate or incomplete data. |
| Erasure | Ask us to delete your personal data where there is no lawful basis to retain it. |
| Restriction | Ask us to pause processing your data in certain circumstances. |
| Portability | Request a machine-readable copy of data you have provided to us. |
| Objection | Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds. |
| Withdraw consent | Where we rely on consent, withdraw it at any time without affecting past processing. |
| Not be subject to automated decisions | Where a significant decision is made about you solely by automated means, you have the right to human review. |
To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month. We may need to verify your identity before processing a request.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data correctly.
8. Cookies
The Service uses cookies and similar technologies. A full description of the cookies we use is in our Cookie Policy at carinaai.uk/legal/cookies.
In summary:
- Essential cookies: Required for the Service to function (authentication, session management). Cannot be disabled.
- Analytics cookies: Used to understand how the Service is used. You can disable these in account settings.
- No advertising cookies: We do not use cookies for advertising or third-party tracking.
9. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit (TLS 1.2 minimum)
- Encryption of sensitive data at rest
- Access controls limiting data access to authorised personnel
- Regular security assessments
- Incident response procedures
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO as required by UK GDPR (without undue delay and within 72 hours of becoming aware of the breach where feasible).
10. Children
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Where a change is material, we will notify you by email or in-app notice at least 14 days before it takes effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date of a change constitutes acceptance of the updated Policy.
12. Contact and Complaints
For privacy-related questions or to exercise your rights:
- Email: [email protected]
- Post: Verlox Limited, [registered address TO BE INSERTED]
If you are not satisfied with our response, you may contact the ICO:
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
This Privacy Policy requires legal review by a qualified UK solicitor before publication. Version 1.0 draft prepared 2026-06-30.