Privacy Policy

STIMULIR TECHNOLOGY LIMITED

Registered in England and Wales (company number 16834317)

Registered Office: 66 Paul Street, London, EC2A 4NA

Email: privacy@stimulir.com

For the purposes of UK GDPR, Stimulir is the data controller in respect of personal data collected directly from you, such as account registration, marketing communications, and platform usage. Where Stimulir processes personal data on behalf of a customer, Stimulir acts as a data processor and the customer is the data controller.

Stimulir has appointed a designated privacy contact. If you have questions or concerns about this Privacy Policy or our data processing practices, contact privacy@stimulir.com.

Account Information

• Name, email address, organisation name, role/title
• Login credentials stored in hashed or encrypted form; we do not store plaintext passwords
• Billing information, where provided; payment card data is processed by our payment processor and is not stored by Stimulir

Usage Data

• Interaction logs, API usage, system events, performance metrics
• Feature usage and session data, error logs and diagnostic information

Uploaded Content

You may submit documents, structured data, or contextual materials into the platform for processing. Where such content contains personal data, Stimulir acts as a data processor on behalf of the customer.

Technical Data

• IP address, browser type and version, device information
• Cookies and analytics data, approximate geolocation derived from IP address

Special Category Data

Stimulir does not intentionally collect special category personal data as defined in Article 9 UK GDPR. Customers must not submit special category data to the platform without an appropriate Data Processing Agreement.

• Providing, operating, and maintaining the platform and services
• Executing AI workflows and contextual processing as directed by customers
• Improving the reliability, security, and performance of the services using aggregated and anonymised data only; we do not use identifiable customer data to train models without consent
• Detecting, investigating, and preventing security incidents, fraud, and abuse
• Communicating with users regarding their accounts, service updates, and where consent has been given, marketing communications
• Complying with applicable legal and regulatory obligations
• Enforcing our Terms of Service and other agreements
• We do not sell personal data. We do not share personal data with third parties for their own direct marketing purposes without your explicit consent.

When you choose to connect Google Workspace services to Stimulir, we may access or process Google user data only through the OAuth scopes you authorise and only to provide user-facing Stimulir features that you request.

The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

For Google Workspace API data, Stimulir does not:

• Sell Google Workspace user data
• Use Google Workspace user data for advertising or retargeting purposes
• Transfer Google Workspace user data except as necessary to provide or improve user-facing features
• Allow humans to read Google Workspace user data except with your explicit consent
• Use identifiable Google Workspace user data to train or improve general AI or machine learning models

You may revoke Stimulir's access through your Google Account settings or by contacting privacy@stimulir.com.

• Article 6(1)(b) — Performance of a contract: processing necessary to provide the services to you
• Article 6(1)(f) — Legitimate interests: processing necessary for our legitimate business interests
• Article 6(1)(c) — Legal obligation: processing necessary to comply with a legal obligation
• Article 6(1)(a) — Consent: where we rely on consent, such as for marketing communications or non-essential cookies
• Article 6(1)(d) — Vital interests: in rare circumstances, to protect the vital interests of a natural person

We implement appropriate technical and organisational security measures. Our measures include:

• Encryption of data at rest and in transit using TLS 1.2 or higher
• Access controls and role-based permissions with least-privilege principles
• Multi-factor authentication for administrative access
• Regular penetration testing and vulnerability assessments
• Employee security training and data protection awareness
• Incident response and breach management procedures

In the event of a personal data breach, we will notify the Information Commissioner's Office without undue delay and, where feasible, within 72 hours.

• Account and profile data: retained for the duration of your account and 90 days following closure
• Customer-submitted content and usage data: retained for the subscription term and 30 days thereafter
• Financial and billing records: retained for six years in accordance with HMRC requirements
• Security and audit logs: retained for up to 12 months
• Marketing consent records: retained until consent is withdrawn and for three years thereafter

Stimulir engages the following categories of sub-processors:

• Cloud infrastructure providers (e.g. Amazon Web Services, Google Cloud Platform)
• Payment processors (e.g. Stripe) — payment card data is not stored by Stimulir
• Analytics services (e.g. Mixpanel, Segment)
• AI model providers, where third-party AI models are used in delivering services
• Customer communications providers (e.g. Intercom, Sendgrid)
• Identity and authentication providers (e.g. Auth0)

We do not permit AI sub-processors to use Customer Data for training their own models. A current list of sub-processors is available upon request at privacy@stimulir.com.

Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including:

• UK International Data Transfer Agreements or EU Standard Contractual Clauses
• Binding corporate rules, where applicable
• Any other safeguard permitted under Article 46 UK GDPR

Copies of applicable transfer safeguards are available upon request from privacy@stimulir.com.

Under UK GDPR, you may have the following rights:

• Article 15 — Right of access: obtain a copy of the personal data we hold about you
• Article 16 — Right to rectification: require correction of inaccurate personal data
• Article 17 — Right to erasure: request deletion of your personal data
• Article 18 — Right to restriction: restrict processing in certain circumstances
• Article 21 — Right to object: object to processing based on legitimate interests
• Article 20 — Right to data portability: receive your data in a machine-readable format
• Right to withdraw consent: withdraw consent at any time

To exercise these rights, contact privacy@stimulir.com. We will respond within one calendar month. You also have the right to lodge a complaint with the Information Commissioner's Office.

Essential Cookies — strictly necessary for the platform to function. Cannot be disabled.

Analytical / Performance Cookies — collect anonymised usage statistics. Only placed with your consent where required.

Functional Cookies — enable enhanced functionality and personalisation. Only placed with your consent where required.

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect platform functionality.

The services are intended for use by businesses and professional users only. They are not directed at children under the age of 18. We do not knowingly collect personal data from individuals under 18. Contact privacy@stimulir.com if you believe a child has provided personal data.

• Stimulir does not make automated decisions with legal or significant effects solely on customer personal data without human oversight
• Where AI systems generate outputs based on personal data, those outputs are probabilistic and may contain inaccuracies; customers are responsible for reviewing outputs before acting
• Stimulir does not use identifiable Customer Data to train, fine-tune, or improve its AI models for use by third parties without explicit written consent
• Aggregated and anonymised data may be used to improve the reliability and performance of Stimulir's platform

We may update this Privacy Policy from time to time. Where changes are material, we will provide at least 30 days' prior notice by email or a prominent notice on our website. The effective date at the top of this page will always reflect the date of the most recent update.

STIMULIR TECHNOLOGY LIMITED — Privacy Team

privacy@stimulir.com · 66 Paul Street, London, EC2A 4NA

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office: ico.org.uk · 0303 123 1113 · Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.