Privacy Policy

1. Introduction and Identity of the Data Controller

This Privacy Policy ("Policy") describes how Vectara Systems Ltd ("Company", "we", "us", or "our") collects, uses, stores, shares, and protects personal data in connection with the operation of the Platform at https://kozoon.com.

The Company acts as Data Controller in respect of personal data processed through the Platform and is in the process of registering with the Information Commissioner's Office (ICO) under the Data Protection (Charges and Information) Regulations 2018, in accordance with the Company's obligations as a data controller. All processing activities are conducted in accordance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. Upon completion of ICO registration, the Company's registration reference will be made available on this page.

We recognize the importance of protecting the security and confidentiality of personal data. The nature and scope of personal data processed by the Company depend on the context of the User’s interaction with the Platform, the services and features used, the User’s location, and applicable legal requirements.

Queries regarding this Policy or the exercise of data subject rights should be directed to: [email protected].

2. Categories of Personal Data Collected

2.1. Data Provided Directly by the User

• Registration data: full name, email address, password (stored in hashed form), and, where applicable, billing address.
• Payment data: payment method details transmitted to and processed by certified third-party payment service providers. The Company does not store full card numbers or payment authentication data.
• Communications: content of support enquiries, feedback submissions, and correspondence addressed to the Company.
• Identity verification data: where required under AML/CTF obligations where applicable, government-issued identification documents and proof of address.
• Input and Output Data: content submitted by you (“Input”) and generated content (“Output”).

⚠️ Users are prohibited from submitting sensitive personal data (e.g. health data, financial data, government identifiers).

2.2. Data Collected Automatically

• Technical and log data: IP address, device type, browser type and version, operating system, access timestamps, and referring URLs.
• Usage data: pages visited, features accessed, Token consumption records, and interaction patterns within the Platform.
• Cookie and tracking data: as further described in our Cookie Policy.

2.3. Data from Third Parties

• Payment processors: transaction status, authorisation codes, and fraud screening signals.
• Identity verification providers: verification outcomes and risk assessments where applicable.
• Analytics providers: aggregated and pseudonymised usage analytics.

2.4. Sensitive Data and Minors

The Company is not intended for the collection or processing of sensitive personal data (as defined under applicable data protection laws, including Article 9 of the GDPR), such as information relating to health, biometric or genetic data, racial or ethnic origin, political views, or religious or philosophical beliefs. Users must not submit such information when using the Platform.

The Company does not intentionally collect or process personal data relating to minors. Access to the Platform is restricted to individuals who meet the minimum age requirements set out in the Terms of Use.

If the Company becomes aware that personal data has been submitted by or relates to a minor in violation of these requirements, it will take reasonable steps to delete such data without undue delay.

Parents or legal guardians who believe that a minor has provided personal data to the Company are encouraged to contact us promptly at [email protected].

3. Purposes and Lawful Bases for Processing

We only use personal data where we have a valid legal reason to do so under applicable data protection laws. Depending on how you interact with the Platform, we rely on the following grounds:

• Contract performance

We process your data where it is necessary to provide the services you’ve requested. This includes creating and managing your account, processing purchases, providing access to AI Services, delivering content, handling support requests, and managing your Token balance.

• Legal obligations

In some cases, we are required to process and retain certain data to comply with the law. This includes maintaining financial and transaction records for accounting and tax purposes, and meeting obligations under applicable AML/CTF laws. We may also process data to respond to lawful requests from regulators or other authorities.

• Legitimate interests

We use certain data where it is necessary for our legitimate business interests, provided those interests are not overridden by your rights. This includes keeping the Platform secure, detecting and preventing fraud or misuse, improving the performance and functionality of our services (including AI systems), and maintaining the reliability of our infrastructure.

• Consent

Where required, we rely on your consent, for example, for sending marketing communications or using non-essential cookies. You can withdraw your consent at any time, and this will not affect your ability to use the core features of the Platform.

4. Data Retention

Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, or as required or permitted by law:

• Account and transactional data: retained for the duration of the account relationship and for a period of six (6) years thereafter, in line with applicable limitation periods and tax and accounting requirements.
• AML/CTF identity and verification records: retained for a minimum of five (5) years following the end of the business relationship, in accordance with applicable AML laws.
• Marketing data: retained until the User withdraws consent or opts out of marketing communications, after which such data will be deleted or suppressed within a reasonable period.
• Technical log data: retained for a maximum of twelve (12) months unless longer retention is necessary for security, fraud prevention, or legal compliance purposes.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised so that it can no longer be associated with an identified or identifiable individual.

5. Data Sharing and Disclosure

• Internal Access

Access to personal data within the Company is limited to employees and contractors who need it to perform their roles. All such personnel are bound by confidentiality obligations and appropriate internal data protection policies.

• Third-Party Processors

We work with trusted third-party providers who process personal data on our behalf and strictly in line with our instructions. These may include:

• payment providers (to process transactions and help prevent fraud);
• cloud and infrastructure providers (to host and manage the Platform);
• identity verification providers (to support AML/CTF compliance, where applicable);
• analytics providers (to help us understand and improve how the Platform is used);
• communication providers (to send service-related emails and notifications).

All such providers are subject to contractual safeguards, including data processing agreements that require them to implement appropriate security measures and process personal data only as instructed by the Company.

• Legal Disclosures

We may disclose personal data where required to do so by law or where reasonably necessary to comply with legal obligations, enforce our rights, or respond to lawful requests from courts, regulators, or law enforcement authorities. Any such disclosure is limited to what is necessary in the circumstances.

• International Transfers

Where personal data is transferred outside the United Kingdom, we ensure that appropriate safeguards are in place to protect it. These may include:

• UK International Data Transfer Agreements (IDTAs);
• Standard Contractual Clauses (where relevant, including for EU-originating data);
• adequacy regulations or other legally recognised transfer mechanisms.

6. Security Measures

We take the security of personal data seriously and implement appropriate technical and organisational measures designed to protect it against unauthorised access, loss, misuse, or alteration.

These measures include, among others:

• encryption of data in transit using industry-standard protocols (such as TLS);
• encryption of sensitive data at rest, where appropriate;
• role-based access controls and multi-factor authentication for critical systems;
• regular security testing, including vulnerability assessments;
• internal policies and training to ensure that personnel handle personal data securely;
• incident response and business continuity procedures.

While we take reasonable steps to protect personal data, no system can be completely secure, and we cannot guarantee absolute security.

In the event of a personal data breach, we will take appropriate steps in accordance with applicable law, including notifying the relevant supervisory authority where required and informing affected individuals where the risk to their rights and freedoms is significant.

7. Your Privacy Rights

Depending on your location and applicable law, you may have certain rights in relation to your personal data.

These include the right to:

• access your data - to request a copy of the personal data we hold about you, along with information on how it is used;
• correct your data - to ask us to update or fix any inaccurate or incomplete information;
• delete your data - to request that we erase your personal data where there is no valid reason for us to continue processing it;
• restrict how we use your data - in certain situations, you may ask us to limit the way we process your information;
• receive your data in a portable format - where technically feasible, to obtain the data you provided to us in a structured, commonly used, and machine-readable format;
• object to processing - to object to the use of your data where we rely on legitimate interests, including for profiling or direct marketing purposes;
• withdraw consent - where processing is based on your consent, you can withdraw it at any time without affecting earlier processing;
• be informed - to receive clear and transparent information about how your data is collected and used, as outlined in this Policy;
• lodge a complaint - you have the right to file a complaint with a relevant supervisory authority, including the UK Information Commissioner’s Office (ICO).

To exercise your rights, please contact us using the details provided in this Policy. We may need to verify your identity before processing your request.

8. AI Services and Data Use

When you use the AI Services, any content you submit as IInput is processed to generate results - Output as part of providing the requested functionality.

We use Input only to operate and deliver the AI Services. Your Input is not used to train or improve our AI models unless you have given explicit, separate consent for such use.

Input data is retained only for as long as necessary to generate and deliver the Output, unless you choose to save the interaction within your account.

If you store conversations or generated content, this information will remain available in your account and can be deleted by you at any time through your settings.

We may use aggregated and anonymised data derived from interactions with the AI Services to improve performance, reliability, and functionality. Such data does not identify you and is processed on the basis of our legitimate interests.

9. Automated Processing

Some features of the Platform rely on automated processing. In particular, the AI Services generate Output automatically based on the Input you provide. These results are created in response to your requests and are not intended to produce decisions that have legal or similarly significant effects.

We may also use automated systems to help detect fraud, assess potential risks, and maintain the security of the Platform. In certain cases, this may lead to actions such as restricting or suspending access to an account.

If you believe that an automated action has affected you in a significant way, you can request a manual review by contacting us at [email protected]. We will assess your request and respond within a reasonable timeframe.

In addition, we may analyse usage data in aggregated or pseudonymised form to better understand how the Platform is used and to improve our services. This type of analysis does not involve profiling that has legal or similarly significant effects on individuals.

10. Third-Party Sub-Processors

The Company engages third-party sub-processors to assist in delivering the Platform and Services. All sub-processors are subject to written data processing agreements that impose equivalent data protection obligations. The Company maintains an up-to-date list of sub-processors, which may be requested by Users at [email protected]. The Company will notify you of material changes to its sub-processor arrangements with reasonable advance notice where required by applicable law.

Key categories of sub-processors engaged at the date of this Policy include: cloud infrastructure and hosting providers; payment processing and fraud prevention services; identity verification providers; email delivery services; and analytics platforms. Where sub-processors are located outside the United Kingdom, appropriate transfer safeguards as described in Section 5 apply.

11. Cookies

The Platform uses cookies and similar tracking technologies. Detailed information regarding the categories of cookies deployed, their purposes, duration, and User controls is set out in the Company's Cookie Policy, which forms an integral part of this Policy. Non-essential cookies are only deployed following the User's informed consent.

12. Users in Other Jurisdictions

While the Company primarily operates under the UK data protection framework (including the UK GDPR and the Data Protection Act 2018), we aim to provide a consistent level of data protection across jurisdictions.

For users located in the European Economic Area, we apply standards aligned with the EU General Data Protection Regulation (GDPR), ensuring equivalent protections in the processing of personal data.

If you would like to exercise any rights available to you under the laws of your jurisdiction, please contact us at [email protected] and indicate the nature of your request. We may need to verify your identity before processing such requests.

13. How to Exercise Your Rights

If you wish to exercise any of your privacy rights described in this Policy, you can contact us at [email protected]. To help us process your request efficiently, please include “Data Subject Request” in the subject line and provide sufficient details about your request.

Before taking any action, we may need to verify your identity to ensure that your data is protected.

We will respond to your request within one month. If your request is particularly complex or if we receive multiple requests, this period may be extended by up to an additional two months. In such cases, we will inform you of the delay and the reasons for it.

Requests are generally handled free of charge. However, where a request is clearly unfounded or excessive, we may either charge a reasonable fee or decline to act on the request, as permitted by applicable law.

14. Changes to this Policy

The Company may update this Policy from time to time to reflect changes in applicable law, regulatory guidance, or the Company's data processing activities. Material changes will be notified to you via the Platform or by email prior to taking effect. Where a material change affects the lawful basis for processing personal data, separate notification will be provided and, where legally required, fresh consent will be sought. The revised Policy will bear an updated effective date. Continued use of the Platform does not constitute consent to material changes in data processing activities.

15. Contact Details

If you have any questions about this Policy or how your personal data is handled, you can contact us using the details below: