Privacy Policy

Effective Date: December 18, 2024

1. INTRODUCTION

UniCap Growth Capital Ltd, trading as Chordian.ai ("CAI," "we," "us," or "our"), is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, store, and protect information about you when you access or use our websites at www.chordian.ai and beta.chordian.ai (collectively, the "Website"), our AI orchestration platform, and related services (collectively, the "Services").

We recognize that privacy and data protection are fundamental rights, and we are committed to compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the UK Data Protection Act 2018, and other applicable data protection legislation.

By accessing or using our Website or Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not access or use our Website or Services.

2. INFORMATION WE COLLECT

We collect information that identifies, relates to, describes, or could reasonably be linked with you or your device ("Personal Information"). The categories of Personal Information we collect depend on how you interact with our Services.

2.1 Information You Provide Directly

Account and Registration Information:
When you create an account or register for our Services, we collect:

  • Full name and professional title

  • Email address

  • Company name and business information

  • Job role and department

  • Phone number (optional)

  • Account credentials (username and encrypted password)

  • Billing and payment information (processed by third-party payment processors)

  • Professional interests and use case information

Communications and Correspondence:
When you contact us, communicate with our support team, or participate in surveys, we collect:

  • Content of your communications

  • Contact details and preferences

  • Feedback, questions, and inquiries

  • Survey responses and research participation data

Platform Usage Data:
When you use our AI orchestration platform, we collect:

  • Search queries and semantic search inputs

  • Data uploaded for analysis or optimization

  • Workflow configurations and agent deployments

  • API requests and integration settings

  • Custom model configurations

  • Project and workspace information

  • Team collaboration data

2.2 Information Collected Automatically

Technical and Usage Information:
We automatically collect information about your interaction with our Services:

  • IP address and geolocation data

  • Device information (type, operating system, browser type and version)

  • Unique device identifiers

  • Network information and connection type

  • Pages visited, features used, and navigation patterns

  • Time spent on pages and interaction data

  • Referral source and exit pages

  • Date and time stamps of activities

  • Click-stream data and session recordings (when enabled)

Server Log Files:
Our hosting infrastructure automatically records:

  • HTTP requests and responses

  • System software and version information

  • Hostname of accessing device

  • Error logs and diagnostic information

  • API call logs and performance metrics

Cookies and Tracking Technologies:
We use cookies, web beacons, pixels, local storage, and similar technologies to collect information about your browsing behavior. See Section 8 for detailed information about cookies.

2.3 Information from Third-Party Sources

We may receive information about you from:

  • Single sign-on (SSO) providers (Google Workspace, Microsoft Azure AD, Okta)

  • Business partners and integration partners

  • Public databases and data enrichment services

  • Analytics and marketing service providers

  • Fraud prevention and security service providers

  • Professional networking platforms (LinkedIn)

2.4 Aggregated and De-identified Data

We may create aggregated, anonymized, or de-identified data from Personal Information by removing elements that make the data personally identifiable. We may use such data for any purpose, including research, analytics, and product improvement, without restriction.

3. HOW WE USE YOUR INFORMATION

We use Personal Information for the following purposes, based on legitimate legal grounds:

3.1 Service Delivery and Performance

To provide and operate the Services:

  • Create and manage your account

  • Process and fulfill your requests

  • Provide access to platform features and functionality

  • Execute AI orchestration, semantic search, and optimization services

  • Process and store data you upload or generate

  • Enable collaboration and team features

  • Provide customer support and technical assistance

  • Respond to your inquiries and communications

3.2 Service Improvement and Development

To maintain, improve, and develop our Services:

  • Analyze usage patterns and trends

  • Conduct research and development

  • Test new features and functionality

  • Monitor and improve AI model performance

  • Optimize platform infrastructure and performance

  • Develop new products and services

  • Conduct data analytics and business intelligence

3.3 Security and Fraud Prevention

To protect our Services and users:

  • Detect, prevent, and investigate security incidents

  • Identify and prevent fraud, abuse, and unauthorized access

  • Monitor and analyze security threats

  • Enforce our Terms of Use and other policies

  • Comply with security and data protection obligations

  • Conduct security audits and vulnerability assessments

3.4 Communication and Marketing

To communicate with you:

  • Send transactional emails (account notifications, service updates)

  • Provide customer support and respond to inquiries

  • Send marketing communications about our Services (with consent where required)

  • Conduct surveys and request feedback

  • Send newsletters and thought leadership content

  • Notify you about platform updates and new features

You may opt out of marketing communications at any time using the unsubscribe mechanism in our emails or by contacting us.

3.5 Legal and Compliance

To comply with legal obligations:

  • Respond to legal requests and court orders

  • Comply with regulatory requirements

  • Enforce our legal rights and defend against claims

  • Prevent illegal activities

  • Comply with tax and accounting obligations

  • Maintain records as required by law

3.6 Business Operations

To support our business operations:

  • Process payments and manage billing

  • Conduct financial reporting and auditing

  • Manage vendor and partner relationships

  • Facilitate business transactions (mergers, acquisitions, asset sales)

  • Manage corporate governance and compliance programs

3.7 Third-Party Integrations and Connectors

Chordian provides optional integrations (“Connectors”) that allow users to connect third‑party services to the platform. These connectors are enabled only with explicit user authorization and can be disconnected at any time.

The data accessed through each connector is used solely to provide the requested functionality within chordian.ai and is not used for advertising or sold to third parties.

Microsoft Outlook Connector

When you connect your Microsoft Outlook or Microsoft 365 account, Chordian may access and process:

  • Email metadata (sender, recipient, subject, timestamps)

  • Email content, including message body and signature blocks

  • Contact information contained within emails

  • Calendar event metadata (title, time, participants)

  • Basic profile information (name, email address)

Purpose of access:

  • To analyze and extract structured information

  • To enable search, orchestration, and workflow intelligence

  • To support productivity and automation features requested by the user

Email content is processed programmatically. Chordian does not monitor user inboxes beyond the scope of granted permissions.

Gmail Connector

When you connect your Gmail account, Chordian may access and process:

  • Email headers and metadata

  • Email body content, including signatures

  • Contact information embedded in emails

  • Account email address and profile name

Purpose of access:

  • To extract relevant information for search and workflow automation

  • To improve contextual understanding across connected systems

Chordian’s use of Gmail data complies with the Google API Services User Data Policy, including the Limited Use requirements. Gmail data is not used for advertising purposes.

Google Drive Connector

When you connect Google Drive, Chordian may access and process:

  • File metadata (file name, type, owner, timestamps)

  • File content for supported document types

  • Folder structure and organization

Purpose of access:

  • To index and retrieve information across documents

  • To enable enterprise search and AI‑assisted analysis

  • To support workflow intelligence and orchestration

Files are accessed only as required to deliver the connected functionality.

Data Retention for Connectors

  • Data accessed via connectors is processed in accordance with this Privacy Policy

  • Users may revoke access to any connector at any time

  • Upon disconnection, Chordian stops further data access from that service

4. LEGAL BASIS FOR PROCESSING (UK/EU GDPR)

Under UK and EU data protection law, we must have a legal basis to process your Personal Information. We rely on the following legal bases:

Contract Performance (Article 6(1)(b) UK/EU GDPR):
Processing is necessary to perform our contract with you or to take steps at your request before entering into a contract (e.g., providing Services, managing your account).

Legitimate Interests (Article 6(1)(f) UK/EU GDPR):
Processing is necessary for our legitimate interests or those of a third party, provided your interests and fundamental rights do not override those interests:

  • Operating and improving our Services

  • Ensuring network and information security

  • Fraud prevention and risk management

  • Marketing and business development

  • Analytics and performance optimization

  • Internal administration and business efficiency

Legal Obligation (Article 6(1)(c) UK/EU GDPR):
Processing is necessary to comply with legal obligations to which we are subject (e.g., tax laws, regulatory requirements, court orders).

Consent (Article 6(1)(a) UK/EU GDPR):
Where required by law, we obtain your explicit consent before processing (e.g., marketing communications, optional cookies). You may withdraw consent at any time.

Vital Interests (Article 6(1)(d) UK/EU GDPR):
Processing is necessary to protect your vital interests or those of another person (e.g., in emergency situations).

5. HOW WE SHARE YOUR INFORMATION

We do not sell your Personal Information. We share Personal Information only in the limited circumstances described below:

5.1 Service Providers and Processors

We engage trusted third-party service providers who process Personal Information on our behalf to support our business operations:

  • Cloud infrastructure and hosting providers (AWS, Microsoft Azure, Google Cloud Platform)

  • Payment processors and financial services providers

  • Customer relationship management (CRM) platforms

  • Email and communication service providers

  • Analytics and performance monitoring services

  • Security and fraud prevention services

  • Customer support and helpdesk platforms

  • Marketing and advertising platforms

These service providers are contractually obligated to:

  • Process Personal Information only as instructed by us

  • Implement appropriate technical and organizational security measures

  • Comply with applicable data protection laws

  • Maintain confidentiality

  • Assist with data subject rights requests

5.2 Business Partners and Integrations

With your consent or at your direction, we may share information with:

  • Third-party applications you integrate with our platform

  • Collaboration tools and productivity platforms

  • Data sources and APIs you connect

  • Business intelligence and analytics tools

5.3 Corporate Transactions

We may disclose or transfer Personal Information in connection with:

  • Mergers, acquisitions, or asset sales

  • Corporate reorganizations or restructuring

  • Financing or investment transactions

  • Bankruptcy or insolvency proceedings

In such events, we require the receiving party to honor this Privacy Policy.

5.4 Legal Requirements and Protection

We may disclose Personal Information when required or permitted by law:

  • To comply with legal obligations, court orders, or legal processes

  • To respond to lawful requests from government authorities or law enforcement

  • To enforce our Terms of Use and other agreements

  • To protect our rights, property, or safety, or that of our users or the public

  • To detect, prevent, or investigate fraud, security incidents, or illegal activities

  • To defend against legal claims or litigation

5.5 Aggregated and De-identified Information

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you with third parties for research, marketing, analytics, or other purposes.

5.6 With Your Consent

We may share Personal Information for other purposes with your explicit consent or at your direction.

6. INTERNATIONAL DATA TRANSFERS

6.1 Data Storage and Processing Locations

Your Personal Information is primarily processed and stored on servers located in the United Kingdom and European Economic Area (EEA). However, our global infrastructure and service providers may result in transfers to other jurisdictions, including:

  • United States

  • Switzerland

  • Other countries where our service providers operate

6.2 Transfer Safeguards

When we transfer Personal Information outside the UK or EEA to countries not deemed to provide adequate data protection, we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We use UK and EU-approved Standard Contractual Clauses with our service providers and partners

  • Adequacy Decisions: We transfer data to countries recognized by the UK or EU as providing adequate protection

  • Binding Corporate Rules: Where applicable, we rely on approved binding corporate rules

  • Additional Security Measures: We implement supplementary technical and organizational measures to ensure data protection

6.3 UK-EEA Data Flows

We have implemented mechanisms to ensure lawful data transfers between the UK and EEA following the UK's departure from the EU, including the UK-EU Trade and Cooperation Agreement and UK adequacy decisions.


7. DATA SECURITY

7.1 Security Measures

We implement comprehensive technical and organizational security measures to protect Personal Information against unauthorized access, disclosure, alteration, and destruction:

Technical Safeguards:

  • End-to-end encryption for data in transit (TLS 1.3+)

  • Encryption at rest for stored data (AES-256)

  • Multi-factor authentication (MFA) for account access

  • Role-based access controls (RBAC)

  • Network segmentation and firewall protection

  • Intrusion detection and prevention systems

  • Regular security scanning and vulnerability assessments

  • Secure API authentication and authorization

  • Automated security monitoring and logging

Organizational Safeguards:

  • Employee training on data protection and security

  • Confidentiality agreements with staff and contractors

  • Background checks for personnel with data access

  • Incident response and breach notification procedures

  • Regular security audits and compliance assessments

  • Data minimization and purpose limitation policies

  • Secure development lifecycle practices

  • Third-party security due diligence

Enterprise-Grade Security:

  • SOC 2 Type II certification (in progress)

  • ISO 27001 compliance framework implementation

  • Regular penetration testing and security assessments

  • Dedicated security operations center (SOC)

  • 24/7 security monitoring and threat intelligence

  • Business continuity and disaster recovery planning

7.2 Security Limitations

While we implement industry-leading security measures, no system is completely secure. We cannot guarantee absolute security of Personal Information transmitted through the internet or stored electronically. You acknowledge and accept these inherent risks.

7.3 Your Security Responsibilities

You are responsible for:

  • Maintaining the confidentiality of your account credentials

  • Using strong, unique passwords

  • Enabling multi-factor authentication

  • Promptly reporting suspected security incidents

  • Securing your devices and network connections

  • Complying with our security policies and best practices

8. COOKIES AND TRACKING TECHNOLOGIES

8.1 What Are Cookies

Cookies are small text files stored on your device by your web browser. We use cookies and similar technologies (web beacons, pixels, local storage) to collect information about your browsing behavior and preferences.

8.2 Types of Cookies We Use

Strictly Necessary Cookies:
Essential for the operation of our Website and Services. These cookies enable core functionality such as security, authentication, and session management. They cannot be disabled.

Examples:

  • Authentication and session cookies

  • Security and fraud prevention cookies

  • Load balancing and performance cookies

Functional Cookies:
Enable enhanced functionality and personalization, such as remembering your preferences and settings.

Examples:

  • Language and region preferences

  • User interface customization

  • Feature preferences and settings

Analytics and Performance Cookies:
Help us understand how visitors interact with our Website and Services, enabling us to improve functionality and user experience.

Examples:

  • Google Analytics

  • Platform usage analytics

  • Performance monitoring

  • Error tracking and debugging

Marketing and Advertising Cookies:
Used to deliver relevant advertisements and marketing communications based on your interests.

Examples:

  • LinkedIn Insight Tag

  • Google Ads conversion tracking

  • Retargeting pixels

  • Campaign performance tracking

8.3 Third-Party Cookies

We use third-party services that may place cookies on your device:

  • Google Analytics (analytics)

  • LinkedIn (marketing and analytics)

  • Intercom or similar (customer support)

  • Stripe (payment processing)

  • Content delivery networks (performance)

These third parties have their own privacy policies governing their use of cookies and data collection.

8.4 Managing Cookies

Browser Settings:
Most browsers allow you to control cookies through settings. You can:

  • Block all cookies

  • Block third-party cookies only

  • Delete existing cookies

  • Receive notifications when cookies are set

Please note that disabling certain cookies may limit functionality of our Services.

Cookie Consent Management:
Upon your first visit, we display a cookie banner allowing you to accept or reject non-essential cookies. You can update your preferences at any time through our cookie settings interface.

Opt-Out Links:

8.5 Do Not Track Signals

Our Website does not currently respond to "Do Not Track" browser signals due to lack of industry-wide standards. We will update this policy if standards are established.


9. DATA RETENTION

9.1 Retention Principles

We retain Personal Information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

9.2 Retention Periods

Account Information:

  • Active accounts: Duration of account existence plus 90 days

  • Inactive accounts: Automatically deleted after 24 months of inactivity (with prior notice)

  • Closed accounts: 30 days after closure (to allow for account recovery), then permanently deleted

Usage and Technical Data:

  • Server logs: 90 days

  • Analytics data: 26 months (aggregated form)

  • Security logs: 12 months minimum (longer if required for investigations)

Communications:

  • Customer support tickets: 3 years after resolution

  • Marketing communications: Until you unsubscribe or object

  • Transactional emails: 7 years (for accounting and legal purposes)

Financial Records:

  • Payment and billing information: 7 years (for tax and accounting requirements)

Legal Holds:

  • Data subject to legal proceedings, investigations, or regulatory inquiries: Until the matter is resolved

9.3 Deletion and Anonymization

After retention periods expire, we:

  • Permanently delete Personal Information from our active systems

  • Anonymize or aggregate data that must be retained for analytical purposes

  • Ensure backups containing Personal Information are overwritten according to our backup rotation schedule

  • Instruct service providers to delete Personal Information

9.4 Extended Retention

We may retain Personal Information beyond standard retention periods when:

  • Required by applicable law or regulation

  • Necessary to comply with legal obligations

  • Needed to resolve disputes or enforce agreements

  • Essential for fraud prevention or security purposes

  • You have consented to longer retention

10. YOUR RIGHTS AND CHOICES

9.1 Links to Third-Party Websites

The Website may contain links to third-party websites, services, or resources not owned or controlled by CAI. These links are provided solely for your convenience and information. The inclusion of any link does not imply:

  • Endorsement, sponsorship, or recommendation by CAI;

  • Any relationship between CAI and the linked website operator;

  • CAI's responsibility for the content, accuracy, or practices of the linked website.

9.2 Third-Party Risks

You acknowledge and agree that:

  • CAI has no control over third-party websites, their content, products, services, or operators;

  • Your access to and use of third-party websites is entirely at your own risk;

  • Third-party websites are governed by their own terms of use and privacy policies;

  • CAI is not responsible for any loss, damage, or liability arising from your use of third-party websites;

  • CAI makes no representations or warranties regarding third-party content or services.

9.3 Links to CAI from Other Websites

You are not permitted to display hyperlinks, frames, inline links, or any other references to the Website on your own websites or in any other context without entering into a separate written agreement with CAI. Accessing the Website does not grant you any right to use CAI's names, logos, trademarks, or copyrighted materials without CAI's express written consent.

9.4 Requesting Permission

To request permission to link to the Website or use CAI's intellectual property, please submit your request in writing to:

UniCap Growth Capital Ltd
85 Great Portland Street
1st Floor
London, W1W 7LT
United Kingdom

10. DATA SECURITY AND TRANSMISSIONS

Under UK and EU data protection law, you have the following rights regarding your Personal Information:

10.1 Right of Access (Article 15 UK/EU GDPR)

You have the right to request confirmation of whether we process your Personal Information and to obtain a copy of such information, along with details about:

  • Categories of Personal Information processed

  • Purposes of processing

  • Recipients or categories of recipients

  • Retention periods

  • Data sources

  • Existence of automated decision-making

10.2 Right to Rectification (Article 16 UK/EU GDPR)

You have the right to request correction of inaccurate Personal Information and completion of incomplete Personal Information.

10.3 Right to Erasure / "Right to be Forgotten" (Article 17 UK/EU GDPR)

You have the right to request deletion of your Personal Information in certain circumstances:

  • Personal Information is no longer necessary for the purposes for which it was collected

  • You withdraw consent and there is no other legal basis for processing

  • You object to processing and there are no overriding legitimate grounds

  • Personal Information was unlawfully processed

  • Deletion is required to comply with a legal obligation

This right is not absolute and may be limited by legal obligations or legitimate interests.

10.4 Right to Restriction of Processing (Article 18 UK/EU GDPR)

You have the right to request restriction of processing in certain circumstances:

  • You contest the accuracy of Personal Information (during verification)

  • Processing is unlawful but you prefer restriction over deletion

  • We no longer need the data but you need it for legal claims

  • You have objected to processing (pending verification of overriding legitimate grounds)

10.5 Right to Data Portability (Article 20 UK/EU GDPR)

You have the right to receive Personal Information you provided to us in a structured, commonly used, machine-readable format and to transmit it to another controller, where:

  • Processing is based on consent or contract

  • Processing is carried out by automated means

10.6 Right to Object (Article 21 UK/EU GDPR)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Direct Marketing:
You have an absolute right to object to processing for direct marketing purposes at any time.

10.7 Rights Related to Automated Decision-Making (Article 22 UK/EU GDPR)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. We do not currently engage in such automated decision-making without human intervention.

10.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

10.9 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

United Kingdom:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: https://ico.org.uk
Tel: 0303 123 1113

European Union:
Contact your local data protection authority. A list is available at: https://edpb.europa.eu/about-edpb/board/members_en

10.10 How to Exercise Your Rights

To exercise any of these rights, please submit a written request to:

UniCap Growth Capital Ltd
Data Protection Officer
85 Great Portland Street
1st Floor
London, W1W 7LT
United Kingdom

Or indicate "Data Subject Rights Request" in your correspondence.

Verification Requirements:
To protect your privacy and security, we will verify your identity before responding to requests. We may request additional information to confirm your identity.

Response Timeline:
We will respond to verified requests within one (1) month. This period may be extended by two (2) additional months where necessary, considering the complexity and number of requests.

No Fee:
We do not charge a fee to process requests unless they are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse to act on the request.

11. CHILDREN'S PRIVACY

Our Services are not intended for children under the age of 16 (or the minimum age specified by applicable law in your jurisdiction). We do not knowingly collect Personal Information from children.

If you are a parent or guardian and believe your child has provided us with Personal Information, please contact us immediately. If we become aware that we have collected Personal Information from a child without parental consent, we will take steps to delete such information promptly.

12. CHANGES TO THIS PRIVACY POLICY

12.1 Updates

We reserve the right to modify this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or other factors. We will update the "Effective Date" at the top of this Privacy Policy.

12.2 Notification of Material Changes

For material changes that significantly affect your rights or how we use Personal Information, we will provide notice through:

  • Email notification to registered users

  • Prominent notice on our Website

  • In-application notifications

12.3 Continued Use

Your continued access to or use of the Services after the effective date of changes constitutes acceptance of the revised Privacy Policy. If you do not agree to changes, you must cease using the Services.

12.4 Review Responsibility

We encourage you to review this Privacy Policy periodically to stay informed about our information practices and your rights.

13. CONTACT INFORMATION

13.1 General Inquiries

For questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:

UniCap Growth Capital Ltd
85 Great Portland Street
1st Floor
London, W1W 7LT
United Kingdom

Please clearly mark correspondence as "Privacy Inquiry."

13.2 Data Protection Officer

For matters specifically related to data protection and your rights under UK/EU GDPR:

Data Protection Officer
UniCap Growth Capital Ltd
85 Great Portland Street
1st Floor
London, W1W 7LT
United Kingdom

Please mark correspondence as "Attention: Data Protection Officer."

13.3 Supervisory Authority

You have the right to contact the relevant supervisory authority if you have concerns about our data processing practices:

UK Residents:
Information Commissioner's Office (ICO)
https://ico.org.uk

EU Residents:
Your local data protection authority
https://edpb.europa.eu/about-edpb/board/members_en

14. ADDITIONAL INFORMATION

14.1 California Privacy Rights

While CAI is UK-based, if you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Please contact us for information about exercising California-specific rights.

14.2 Nevada Privacy Rights

Nevada residents may opt out of the sale of certain covered information. We do not sell Personal Information as defined under Nevada law. If you have questions, please contact us using the information above.

14.3 Other Jurisdictions

If you are located in a jurisdiction with specific privacy laws not addressed in this Privacy Policy, please contact us to understand how those laws may apply to you.

15. ACKNOWLEDGMENT

BY ACCESSING OR USING THE WEBSITE OR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS PRIVACY POLICY.

Last Updated: December 18, 2024

© 2024 UniCap Growth Capital Ltd. All rights reserved.

This Privacy Policy is designed to comply with UK and EU data protection requirements. If you have questions about how this Privacy Policy applies to you, please consult with qualified legal counsel or contact us using the information provided above.