Privacy Policy — Chordian
Chordian.ai — Enterprise Memory Infrastructure · Effective December 18, 2024
1. Introduction
Chordian.ai ("Chordian," "CAI," "we," "us," or "our") is the private knowledge graph and enterprise memory infrastructure platform purpose-built for AI-powered organisations. Chordian provides secure, institutional-grade memory and intelligent search across multi-agent AI systems — enabling enterprises, financial institutions, and other highly regulated organisations to deploy AI with full data sovereignty and auditability.
Chordian was founded in Switzerland and operates with Swiss-standard privacy and security principles at its core. We serve a global customer base, with the United States as our primary market, and operate through a group of affiliated entities incorporated across multiple jurisdictions — including the United Kingdom, Switzerland, the United States (Delaware), and Luxembourg — to meet the compliance and data residency requirements of our institutional clients worldwide.
This Privacy Policy explains how we collect, use, disclose, store, and protect information about you when you access or use our websites at www.chordian.ai and beta.chordian.ai (collectively, the "Website"), our platform, and related services (collectively, the "Services"). References to "we," "us," or "our" refer to the Chordian group entity that acts as the data controller for your use of the Services.
We recognise that privacy and data protection are fundamental rights. We are committed to compliance with applicable data protection laws globally, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the UK Data Protection Act 2018, applicable US state privacy laws, and other applicable data protection legislation in the jurisdictions where we operate.
By accessing or using our Website or Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not access or use our Website or Services.
2. Universal Data Use Commitments
Chordian is purpose-built to serve highly regulated and institutional clients — including financial institutions, asset managers, professional services firms, healthcare organisations, and large enterprises — who demand the highest standards of data governance, security, and privacy. Our enterprise memory infrastructure handles sensitive organisational knowledge, and we treat that responsibility with corresponding rigour.
The following commitments apply universally to all data processed through the Services, including data accessed via third-party integrations and connectors. These are not connector-specific qualifications — they are platform-wide principles.
We do not, under any circumstances:
- sell your Personal Information or connector data to third parties;
- use your data to serve personalised advertising or build advertising profiles;
- use data from third-party connectors (including Google, Microsoft, or any other provider) to train generalised artificial intelligence or machine learning models;
- use your data for data brokerage activities;
- use your data for purposes unrelated to the Services you have requested.
We use data from all connected accounts and services only to:
- provide platform functionality explicitly requested by you;
- improve the user-facing features and workflows you actively use;
- maintain the security, reliability, and integrity of the Services.
These commitments satisfy requirements including, but not limited to, the Google API Services User Data Policy (Limited Use), Microsoft identity platform policies, and UK/EU GDPR purpose limitation principles.
3. Information We Collect
We collect information that identifies, relates to, describes, or could reasonably be linked with you or your device ("Personal Information"). The categories collected depend on how you interact with our Services.
3.1 Information You Provide Directly
Account and Registration Information
When you create an account or register for our Services, we collect:
- Full name and professional title
- Email address
- Company name and business information
- Job role and department
- Phone number (optional)
- Account credentials (username and encrypted password)
- Billing and payment information (processed by third-party payment processors)
- Professional interests and use case information
Communications and Correspondence
When you contact us or participate in surveys, we collect:
- Content of your communications
- Contact details and preferences
- Feedback, questions, and inquiries
- Survey responses and research participation data
Platform Usage Data
When you use the platform, we collect:
- Search queries and semantic search inputs
- Data uploaded for processing and requested platform functionality
- Workflow configurations and agent deployments
- API requests and integration settings
- Custom model configurations
- Project and workspace information
- Team collaboration data
3.2 Information Collected Automatically
Technical and Usage Information
- IP address and geolocation data
- Device information (type, operating system, browser type and version)
- Unique device identifiers
- Network information and connection type
- Pages visited, features used, and navigation patterns
- Time spent on pages and interaction data
- Referral source and exit pages
- Date and time stamps of activities
- Click-stream data and session recordings (when enabled)
Server Log Files
Our hosting infrastructure automatically records:
- HTTP requests and responses
- System software and version information
- Hostname of accessing device
- Error logs and diagnostic information
- API call logs and performance metrics
Cookies and Tracking Technologies
We use cookies, web beacons, pixels, local storage, and similar technologies. See Section 9 for full cookie details.
3.3 Information from Third-Party Sources
We may receive information from:
- Single sign-on (SSO) providers (Google Workspace, Microsoft Azure AD, Okta)
- Business partners and integration partners
- Public databases and data enrichment services
- Analytics and performance monitoring services
- Fraud prevention and security service providers
- Professional networking platforms (e.g. LinkedIn)
3.4 Aggregated and De-identified Data
We may create aggregated, anonymised, or de-identified information that cannot reasonably be used to identify an individual. Such information may be used for operational analytics, security monitoring, service reliability, and improving user-facing functionality of the Services. Aggregated data derived from any connector — including Google Workspace APIs — is not used to train generalised artificial intelligence or machine learning models.
4. How We Use Your Information
We use Personal Information for the following purposes, based on legitimate legal grounds:
4.1 Service Delivery and Performance
To provide and operate the Services:
- Create and manage your account
- Process and fulfil your requests
- Provide access to platform features and functionality
- Provide memory infrastructure, semantic search, and workflow features requested by users
- Process and store data you upload or generate
- Enable collaboration and team features
- Provide customer support and technical assistance
4.2 Service Improvement and Reliability
We use information solely to maintain, secure, support, and improve user-facing functionality of the Services. This includes:
- Monitoring platform reliability and uptime
- Debugging and resolving technical issues
- Improving search relevance and workflow performance
- Maintaining infrastructure and system performance
- Testing and validating platform functionality
- Preventing abuse, fraud, and security incidents
- Improving features directly requested or used by users
Data from third-party connectors (including Google Workspace APIs and Microsoft APIs) is used only to provide or improve user-facing features that are visible to and explicitly requested by the user. We do not use connector data to train generalised artificial intelligence or machine learning models, develop foundation models, create advertising profiles, serve personalised advertising, sell data to third parties, or conduct analytics unrelated to your use of the Services.
4.3 Security and Fraud Prevention
- Detect, prevent, and investigate security incidents
- Identify and prevent fraud, abuse, and unauthorised access
- Monitor and analyse security threats
- Enforce our Terms of Use and other policies
- Comply with security and data protection obligations
- Conduct security audits and vulnerability assessments
4.4 Communication and Marketing
To communicate with you:
- Send transactional emails (account notifications, service updates)
- Provide customer support and respond to inquiries
- Send marketing communications about our Services (with consent where required)
- Conduct surveys and request feedback
- Send newsletters and thought leadership content
- Notify you about platform updates and new features
You may opt out of marketing communications at any time using the unsubscribe mechanism in our emails or by contacting us.
4.5 Legal and Compliance
- Respond to legal requests and court orders
- Comply with regulatory requirements
- Enforce our legal rights and defend against claims
- Prevent illegal activities
- Comply with tax and accounting obligations
- Maintain records as required by law
4.6 Business Operations
- Process payments and manage billing
- Conduct financial reporting and auditing
- Manage vendor and partner relationships
- Facilitate business transactions (mergers, acquisitions, asset sales)
- Manage corporate governance and compliance programmes
5. Third-Party Connectors
Chordian provides optional integrations ("Connectors") that allow users to connect third-party services to the platform. These Connectors are enabled only with explicit user authorisation and can be disconnected at any time. All connector data is governed by the Universal Data Use Commitments in Section 2.
The following subsections describe each connector's specific data access scope and purpose. Across all connectors, data is:
- accessed only within the scope of your authorisation;
- processed programmatically to provide requested functionality;
- not used for advertising, profiling, data brokerage, or AI model training;
- not sold to third parties.
5.1 Google Connectors
ChordianAI's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. This disclosure applies to all Google services connected through the platform.
Gmail Connector
When you connect your Gmail account, Chordian may access and process:
- Email headers and metadata
- Email body content, including signatures
- Contact information embedded in emails
- Account email address and profile name
Purpose of access:
- To enable user-requested search and workflow functionality
- To support orchestration and automation features initiated by the user
- To retrieve and process information necessary for connected platform functionality
Gmail data compliance:
- Gmail data is used only to provide or improve user-facing functionality explicitly requested by the user.
- Gmail data is not used to train generalised AI or machine learning models.
- Gmail data is not sold to third parties and is not used for advertising purposes.
- ChordianAI's use of Gmail data complies with the Google API Services User Data Policy, including Limited Use requirements.
Google Drive Connector
When you connect Google Drive, Chordian may access and process:
- File metadata (file name, type, owner, timestamps)
- File content for supported document types
- Folder structure and organisation
Purpose of access:
- To index and retrieve information requested by the user
- To enable document search and workflow functionality
- To support connected platform features initiated by the user
Files are accessed and processed only as necessary to provide requested functionality. Google Drive data is not used to train generalised artificial intelligence or machine learning models.
Google Workspace SSO
When you authenticate via Google Workspace single sign-on, we access your basic profile information (name, email address) and authentication tokens solely to verify your identity and maintain your session. This data is not used for any purpose beyond authentication and account management.
Google API Limited Use Disclosure: ChordianAI's use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Google user data is used only to provide or improve user-facing functionality that is visible to and requested by the user. ChordianAI does not use Google user data for generalised AI or machine learning model training, advertising purposes, data brokerage, or creating user profiles unrelated to requested functionality.
5.2 Microsoft Connectors
ChordianAI's use of Microsoft APIs and services complies with the Microsoft identity platform terms of use and Microsoft's API usage policies. This disclosure applies to all Microsoft services connected through the platform.
Microsoft Outlook and Microsoft 365 Connector
When you connect your Microsoft Outlook or Microsoft 365 account, Chordian may access and process:
- Email metadata (sender, recipient, subject, timestamps)
- Email content, including message body and signature blocks
- Contact information contained within emails
- Calendar event metadata (title, time, participants)
- Basic profile information (name, email address)
Purpose of access:
- To analyse and extract structured information requested by the user
- To enable search, orchestration, and workflow intelligence
- To support productivity and automation features requested by the user
Microsoft connector data compliance:
- Microsoft Outlook and Microsoft 365 data is used only to provide or improve user-facing functionality explicitly requested by the user.
- Microsoft connector data is not used to train generalised AI or machine learning models.
- Microsoft connector data is not sold to third parties and is not used for advertising or profiling purposes.
- Email content is processed programmatically. Chordian does not monitor user inboxes beyond the scope of granted permissions.
Microsoft Azure AD / Entra ID (SSO)
When you authenticate via Microsoft Azure Active Directory or Microsoft Entra ID, we access your basic profile information and authentication tokens solely to verify your identity and maintain your session. This data is not used for any purpose beyond authentication and account management.
Microsoft OneDrive and SharePoint (where enabled)
When you connect Microsoft OneDrive or SharePoint, Chordian may access and process:
- File metadata (file name, type, owner, timestamps)
- File content for supported document types
- Folder and site structure
Data accessed from OneDrive and SharePoint is used exclusively to provide search, indexing, and workflow functionality requested by the user. It is not used for advertising, profiling, or AI model training.
5.3 Other Connectors and Integrations
The platform supports additional connectors and integrations beyond Google and Microsoft. Regardless of the third-party service, the data use principles described in Section 2 apply universally. These may include, but are not limited to:
- Productivity tools (Slack, Notion, Confluence, Jira)
- CRM and sales intelligence platforms
- Data warehouses and enterprise databases
- Custom API integrations configured by enterprise customers
All connector data is processed only to provide platform functionality requested by the user. Third-party connector authorisations can be revoked at any time via your account settings.
6. Legal Basis for Processing (UK/EU GDPR)
Under UK and EU data protection law, we must have a legal basis to process your Personal Information. We rely on the following legal bases:
Contract Performance (Article 6(1)(b) UK/EU GDPR)
Processing is necessary to perform our contract with you or to take steps at your request before entering into a contract (e.g., providing Services, managing your account).
Legitimate Interests (Article 6(1)(f) UK/EU GDPR)
Processing is necessary for our legitimate interests, provided your interests and fundamental rights do not override those interests:
- Operating and improving our Services
- Ensuring network and information security
- Fraud prevention and risk management
- Marketing and business development
- Analytics and performance optimisation
- Internal administration and business efficiency
Legal Obligation (Article 6(1)(c) UK/EU GDPR)
Processing is necessary to comply with legal obligations to which we are subject (e.g., tax laws, regulatory requirements, court orders).
Consent (Article 6(1)(a) UK/EU GDPR)
Where required by law, we obtain your explicit consent before processing (e.g., marketing communications, optional cookies). You may withdraw consent at any time.
Vital Interests (Article 6(1)(d) UK/EU GDPR)
Processing is necessary to protect your vital interests or those of another person in emergency situations.
7. How We Share Your Information
We do not sell your Personal Information. We share Personal Information only in the limited circumstances described below.
7.1 Service Providers and Processors
We engage trusted third-party service providers who process Personal Information on our behalf:
- Cloud infrastructure and hosting providers (e.g. AWS, Microsoft Azure, Google Cloud Platform, IONOS, Exoscale, DigitalOcean)
- Payment processors and financial services providers
- Customer relationship management (CRM) platforms
- Email and communication service providers
- Analytics and performance monitoring services
- Security and fraud prevention services
- Customer support and helpdesk platforms
- Marketing and advertising platforms
These service providers are contractually obligated to: process Personal Information only as instructed by us; implement appropriate technical and organisational security measures; comply with applicable data protection laws; maintain confidentiality; and assist with data subject rights requests.
7.2 Business Partners and Integrations
With your consent or at your direction, we may share information with third-party applications you integrate with our platform. Any sharing of Google user data or Microsoft user data through integrations is strictly limited to providing or improving user-facing functionality requested by the user. We do not share any connector data with third parties for advertising, profiling, data brokerage, or AI model training purposes.
7.3 Corporate Transactions
We may disclose or transfer Personal Information in connection with mergers, acquisitions, asset sales, corporate reorganisations, financing transactions, or insolvency proceedings. In such events, we require the receiving party to honour this Privacy Policy.
7.4 Legal Requirements and Protection
We may disclose Personal Information when required or permitted by law: to comply with legal obligations, court orders, or legal processes; to respond to lawful requests from government or law enforcement authorities; to enforce our Terms of Use; to protect our rights, property, or safety; or to detect, prevent, or investigate fraud, security incidents, or illegal activities.
7.5 Aggregated and De-identified Information
We may use or share aggregated, anonymised, or de-identified information that cannot reasonably be used to identify an individual, for purposes including service reliability, operational reporting, security monitoring, and improving user-facing platform functionality. De-identified information derived from any connector data (including Google Workspace APIs and Microsoft APIs) is not used to train generalised artificial intelligence or machine learning models.
7.6 With Your Consent
We may share Personal Information for other purposes with your explicit consent or at your direction.
8. International Data Transfers
8.1 Data Storage and Processing Locations
Your Personal Information is primarily processed and stored on servers located in the United Kingdom and European Economic Area (EEA). Our global infrastructure and service providers may result in transfers to other jurisdictions, including the United States, Switzerland, and other countries where our service providers operate.
8.2 Transfer Safeguards
When we transfer Personal Information outside the UK or EEA to countries not deemed to provide adequate data protection, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs): We use UK and EU-approved SCCs with our service providers and partners.
- Adequacy Decisions: We transfer data to countries recognised by the UK or EU as providing adequate protection.
- Binding Corporate Rules: Where applicable, we rely on approved binding corporate rules.
- Additional Security Measures: We implement supplementary technical and organisational measures to ensure data protection.
8.3 UK-EEA Data Flows
We have implemented mechanisms to ensure lawful data transfers between the UK and EEA following the UK's departure from the EU, including reliance on the UK-EU Trade and Cooperation Agreement and UK adequacy decisions.
9. Data Security
9.1 Security Measures
We implement comprehensive technical and organisational security measures to protect Personal Information:
Technical Safeguards
- End-to-end encryption for data in transit (TLS 1.3+)
- Encryption at rest for stored data (AES-256)
- Multi-factor authentication (MFA) for account access
- Role-based access controls (RBAC)
- Network segmentation and firewall protection
- Intrusion detection and prevention systems
- Regular security scanning and vulnerability assessments
- Secure API authentication and authorisation
- Automated security monitoring and logging
Organisational Safeguards
- Employee training on data protection and security
- Confidentiality agreements with staff and contractors
- Background checks for personnel with data access
- Incident response and breach notification procedures
- Regular security audits and compliance assessments
- Data minimisation and purpose limitation policies
- Secure development lifecycle practices
- Third-party security due diligence
Agent Governance Security Layer
Chordian operates a dedicated Agent Governance Security Layer — a control plane that sits across all AI agent interactions within the platform. This layer is specifically designed for the institutional clients and highly regulated organisations that Chordian serves, including financial institutions, asset managers, and enterprises operating under strict compliance mandates. It provides:
- Policy-based access controls governing which agents can read, write, or act upon memory and knowledge graph data
- Full auditability of agent actions, queries, and memory mutations — providing a tamper-evident log for compliance and forensic review
- Agent identity verification and permissioning, ensuring no agent operates beyond its defined scope
- Data isolation and tenancy controls, enforcing hard boundaries between client environments and agent workspaces
- Real-time anomaly detection and alerting for agent behaviour that falls outside defined governance parameters
This governance layer is a core component of Chordian's institutional-grade security architecture and is available to all enterprise customers.
Enterprise-Grade Security Programme
Chordian is actively pursuing the following certifications and frameworks to meet the requirements of our highly regulated and institutional client base:
- SOC 2 Type II certification (in progress): independent audit of security, availability, processing integrity, confidentiality, and privacy controls.
- ISO 27001 compliance framework: systematic approach to managing sensitive information and information security risks.
- UK GDPR and EU GDPR compliance: ongoing programme covering data mapping, DPIA processes, lawful basis documentation, and data subject rights management.
- US state privacy law compliance (CCPA/CPRA and equivalents) in support of our US customer base.
- Regular penetration testing and security assessments
- 24/7 security monitoring and threat intelligence
- Business continuity and disaster recovery planning
9.2 Security Limitations
While we implement industry-leading security measures, no system is completely secure. We cannot guarantee absolute security of Personal Information transmitted through the internet or stored electronically. You acknowledge and accept these inherent risks.
9.3 Your Security Responsibilities
You are responsible for: maintaining the confidentiality of your account credentials; using strong, unique passwords; enabling multi-factor authentication; promptly reporting suspected security incidents; and securing your devices and network connections.
10. Cookies and Tracking Technologies
10.1 What Are Cookies
Cookies are small text files stored on your device by your web browser. We use cookies and similar technologies (web beacons, pixels, local storage) to collect information about your browsing behaviour and preferences.
10.2 Types of Cookies We Use
Strictly Necessary Cookies
Essential for operation of our Website and Services. These enable core functionality such as security, authentication, and session management. They cannot be disabled. Examples: authentication/session cookies, security and fraud prevention cookies, load balancing cookies.
Functional Cookies
Enable enhanced functionality and personalisation. Examples: language and region preferences, user interface customisation, feature preferences and settings.
Analytics and Performance Cookies
Help us understand how visitors interact with our Services. Examples: Google Analytics, platform usage analytics, performance monitoring, error tracking.
Marketing and Advertising Cookies
Used to deliver relevant marketing communications. Examples: LinkedIn Insight Tag, Google Ads conversion tracking, retargeting pixels, campaign performance tracking.
10.3 Managing Cookies
Most browsers allow you to control cookies through settings. You can block all cookies, block third-party cookies, delete existing cookies, or receive notifications when cookies are set. Upon your first visit, we display a cookie banner allowing you to accept or reject non-essential cookies. You can update your preferences at any time through our cookie settings interface.
Opt-out resources:
- Google Analytics: https://tools.google.com/dlpage/gaoptout
- LinkedIn: https://www.linkedin.com/psettings/guest-controls
- EDAA: http://www.youronlinechoices.eu/
- NAI: http://optout.networkadvertising.org/
10.4 Do Not Track Signals
Our Website does not currently respond to "Do Not Track" browser signals due to the lack of industry-wide standards. We will update this policy if standards are established.
11. Data Retention
11.1 Retention Principles
We retain Personal Information only for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
11.2 Retention Periods
Account Information
- Active accounts: Duration of account existence plus 90 days
- Inactive accounts: Automatically deleted after 24 months of inactivity (with prior notice)
- Closed accounts: 30 days after closure (to allow for account recovery), then permanently deleted
Usage and Technical Data
- Server logs: 90 days
- Analytics data: 26 months (aggregated form)
- Security logs: 12 months minimum (longer if required for investigations)
Communications
- Customer support tickets: 3 years after resolution
- Marketing communications: Until you unsubscribe or object
- Transactional emails: 7 years (for accounting and legal purposes)
Financial Records
- Payment and billing information: 7 years (for tax and accounting requirements)
11.3 Connector Data Retention
Data accessed through third-party connectors (including Google Workspace APIs, Microsoft APIs, and other integrations) is retained only for as long as necessary to provide requested functionality, maintain security, comply with legal obligations, and resolve disputes.
Users may revoke connector access at any time through their account settings or through the relevant third-party platform (e.g., Google Account settings, Microsoft Account settings). Upon connector disconnection or a verified deletion request, Chordian will stop further access to the connector data and delete associated stored data within a reasonable timeframe, subject to applicable legal and operational obligations.
11.4 Deletion and Anonymisation
After retention periods expire, we: permanently delete Personal Information from active systems; anonymise or aggregate data that must be retained for analytical purposes; ensure backups are overwritten according to our backup rotation schedule; and instruct service providers to delete Personal Information.
12. Third-Party Websites and Links
The Website may contain links to third-party websites or services not owned or controlled by CAI. These links are provided solely for convenience. CAI has no control over third-party websites, their content, or operators. Your access to and use of third-party websites is at your own risk and governed by their own terms and privacy policies. CAI is not responsible for any loss, damage, or liability arising from your use of third-party websites.
You are not permitted to display hyperlinks, frames, or inline links to the Website without entering into a separate written agreement with CAI. To request permission, please contact us in writing at the address in Section 15.
13. Your Rights and Choices
Under UK and EU data protection law, you have the following rights regarding your Personal Information:
13.1 Right of Access (Article 15 UK/EU GDPR)
You have the right to request confirmation of whether we process your Personal Information and to obtain a copy, along with details about categories processed, purposes, recipients, retention periods, data sources, and existence of automated decision-making.
13.2 Right to Rectification (Article 16 UK/EU GDPR)
You have the right to request correction of inaccurate Personal Information and completion of incomplete Personal Information.
13.3 Right to Erasure / "Right to be Forgotten" (Article 17 UK/EU GDPR)
You have the right to request deletion of your Personal Information where it is no longer necessary for the purposes collected, you withdraw consent with no other legal basis, you object with no overriding grounds, processing was unlawful, or deletion is legally required. This right is not absolute and may be limited by legal obligations or legitimate interests.
13.4 Right to Restriction of Processing (Article 18 UK/EU GDPR)
You have the right to request restriction of processing where you contest accuracy, processing is unlawful but you prefer restriction over deletion, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification.
13.5 Right to Data Portability (Article 20 UK/EU GDPR)
You have the right to receive Personal Information you provided to us in a structured, commonly used, machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
13.6 Right to Object (Article 21 UK/EU GDPR)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. You have an absolute right to object to processing for direct marketing at any time.
13.7 Rights Related to Automated Decision-Making (Article 22 UK/EU GDPR)
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect you. We do not currently engage in such automated decision-making without human intervention.
13.8 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
13.9 Right to Lodge a Complaint
United Kingdom — Information Commissioner's Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF | ico.org.uk | 0303 123 1113
European Union — Your local data protection authority: edpb.europa.eu/about-edpb/board/members_en
13.10 How to Exercise Your Rights
To exercise any of these rights, please submit a written request, marked "Data Subject Rights Request," to:
UniCap Growth Capital Ltd — Data Protection Officer
85 Great Portland Street, 1st Floor, London, W1W 7LT, United Kingdom
We will respond to verified requests within one (1) month, extendable by two (2) additional months where necessary. We do not charge a fee unless requests are manifestly unfounded, excessive, or repetitive.
14. Children's Privacy
Our Services are not intended for children under the age of 16 (or the minimum age specified by applicable law in your jurisdiction). We do not knowingly collect Personal Information from children. If you are a parent or guardian and believe your child has provided us with Personal Information, please contact us immediately. We will take steps to delete such information promptly.
15. Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or other factors. We will update the "Effective Date" at the top of this Policy.
For material changes that significantly affect your rights or how we use Personal Information, we will provide notice through: email notification to registered users; prominent notice on our Website; and in-application notifications.
Your continued access to or use of the Services after the effective date of changes constitutes acceptance of the revised Privacy Policy. We encourage you to review this Policy periodically.
16. Contact Information
16.1 General Inquiries
For questions, concerns, or requests regarding this Privacy Policy, please contact:
UniCap Growth Capital Ltd
85 Great Portland Street, 1st Floor, London, W1W 7LT, United Kingdom
Please clearly mark correspondence as "Privacy Inquiry."
16.2 Data Protection Officer
Data Protection Officer — UniCap Growth Capital Ltd
85 Great Portland Street, 1st Floor, London, W1W 7LT, United Kingdom
Please mark correspondence as "Attention: Data Protection Officer."
16.3 Supervisory Authorities
UK Residents — Information Commissioner's Office (ICO): ico.org.uk
EU Residents — Your local data protection authority: edpb.europa.eu/about-edpb/board/members_en
17. Jurisdiction-Specific Rights
17.1 California Privacy Rights (CCPA/CPRA)
While CAI is UK-based, if you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Please contact us for information about exercising California-specific rights.
17.2 Nevada Privacy Rights
Nevada residents may opt out of the sale of certain covered information. We do not sell Personal Information as defined under Nevada law. If you have questions, please contact us using the information in Section 16.
17.3 Other Jurisdictions
If you are located in a jurisdiction with specific privacy laws not addressed in this Privacy Policy, please contact us to understand how those laws may apply to you.
BY ACCESSING OR USING THE WEBSITE OR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS PRIVACY POLICY.
© 2025 Chordian.ai. All rights reserved.
This Privacy Policy is designed to comply with UK GDPR, EU GDPR, applicable US state privacy laws, the Google API Services User Data Policy, Microsoft identity platform policies, and other applicable data protection requirements.