Our Role
Zelvexia Ltd may act as either a data controller or a data processor, depending on the services we provide.
We act as a controller when we collect and use personal information for our own business activities, including managing enquiries, providing quotations, entering into contracts, billing, marketing our services, managing customer relationships, and operating our website.
We act as a processor when we provide AI chatbot services, business automations, system integrations or related technical services on behalf of our clients. In these cases, we process personal information only on our clients' documented instructions, and the client remains the data controller.
Unless otherwise stated, this privacy policy explains how we process personal information where we act as the data controller. Our clients are responsible for providing privacy information to individuals whose personal information they control.
Where we engage third-party service providers to assist in delivering our services, they act as our processors or sub-processors under written contractual arrangements that require them to protect personal information in accordance with applicable data protection law.
We are not required to appoint a Data Protection Officer under UK GDPR. If you have any questions about this privacy policy or our processing of personal information, please contact us using the details outlined within this policy.
Contact Details
You can contact us with any privacy-related queries or complaints via email at . We aim to respond to all data protection enquiries within 30 days.
What Information We Collect and Why
To provide services and goods
We collect or use the following information to provide our services and goods:
- Names and contact details
- Addresses
- Payment details, including card or bank information for transfers and direct debits
- Account information
- Website user information, including user journeys and cookie tracking where applicable
- Records of meetings and decisions
- Information relating to compliments or complaints
- Client-provided documents, website content, FAQs, knowledge base materials, chatbot conversation data, CRM data, business policies, integration data, reference documents and configuration data necessary to configure, operate, secure and improve the performance and reliability of our services
For service updates or marketing purposes
- Names and contact details
- Addresses
- Marketing preferences
- IP addresses
- Website and app user journey information
- Records of consent, where appropriate
To comply with legal requirements
- Name and contact information
- Financial transaction information
- Accounting and tax records
- Contractual records
- Information required to comply with applicable legal and regulatory obligations
For dealing with queries, complaints or claims
- Names and contact details
- Payment details and account information
- Purchase or service history
- Customer or client accounts and records
- Financial transaction information
- Chatbot conversation history, support tickets, implementation records and technical diagnostics where relevant to investigating or resolving a query, complaint or claim
To configure, maintain, secure and support AI chatbot services, business automations and system integrations on behalf of clients
When acting as a data processor on behalf of our clients, we may collect or use the following information:
- Names and contact details
- Addresses
- Purchase or account history
- Records of meetings and decisions
- Information relating to compliments or complaints
- Customer or client accounts and records
- IP addresses and website/app user journey information
- Client-uploaded documents, website content, FAQs, business policies, chatbot conversation history, knowledge base content, CRM records, automation workflows, reference documents and system integration data provided by the client for the purpose of configuring, operating, maintaining, securing and improving the performance and reliability of the client's AI assistant and related services
Lawful Basis and Your Data Protection Rights
Under UK data protection law, we must have a lawful basis for collecting and using your personal information. The lawful basis we rely on may affect your data protection rights.
Your rights
- Right of access - You have the right to ask us for copies of your personal information, including details about where we get it from and who we share it with.
- Right to rectification - You have the right to ask us to correct or complete personal information you think is inaccurate or incomplete.
- Right to erasure - You have the right to ask us to delete your personal information in certain circumstances.
- Right to restriction of processing - You have the right to ask us to restrict how we use your personal information.
- Right to object - You have the right to object to the processing of your personal information in certain circumstances.
- Right to data portability - You have the right to ask that we transfer personal information you gave us to another organisation, or to you, in certain circumstances.
- Right to withdraw consent - Where we rely on consent as our lawful basis, you have the right to withdraw it at any time, without affecting the lawfulness of prior processing.
If you make a request, we must respond without undue delay and in any event within 30 days. To make a data protection rights request, please contact us using the details in this policy.
Our lawful basis
- Providing services and goods: Contract to enter into or carry out a contract with you. Legitimate interests to deliver, maintain, secure and improve our AI chatbot and automation services, manage customer relationships, provide technical support, prevent misuse and operate our business efficiently.
- Service updates and marketing: Consent where you have given permission after receiving all relevant information. Legitimate interests in keeping existing and prospective clients informed about our services, product updates, new features and relevant business developments. We only send communications we believe are relevant and provide clear options to unsubscribe where required.
- Legal requirements: Legal obligation to comply with the law.
- Queries, complaints or claims: Contract, legal obligation and legitimate interests for responding to enquiries, resolving complaints, investigating issues, defending or pursuing legal claims and maintaining high standards of customer service.
- AI chatbot services, automations and integrations (processor): Contract to carry out a contract with you. Legitimate interests in configuring, maintaining, securing, monitoring and supporting AI chatbot services and automations. Where we act as a data processor, we do so on our client's documented instructions only.
Automated decision making
We do not use personal information to make decisions based solely on automated processing that produce legal effects or similarly significant effects for individuals under Article 22 of the UK GDPR.
Where our clients configure AI assistants or automations that support business processes, these tools are intended to assist users and do not replace human decision-making unless expressly agreed with the client.
Where We Get Personal Information From
- Directly from you
- Publicly available sources
- Suppliers and service providers
- Our clients
- Client-provided documents, knowledge bases, website content, CRM systems and other business systems authorised by the client for the purpose of configuring and operating AI chatbot and automation services
Personal information processed on behalf of clients
When delivering AI chatbot services, business automations and system integrations, we may process personal information contained within websites, documents, CRM systems, knowledge bases, chatbot conversations and other business systems that our clients provide or authorise us to access.
In these circumstances, Zelvexia Ltd acts as a data processor, processing personal information only on our client's documented instructions and for the agreed purposes. The client remains responsible for determining the purposes and means of processing and for meeting its obligations as the data controller under UK data protection law.
Cookies and Tracking
We use cookies and similar technologies on our website. These include:
- Essential cookies: Required for the website to function. No consent is required for these.
- Analytics cookies: Used to understand how visitors interact with our site. We anonymise IP addresses where possible.
On your first visit to our website, you will be presented with a cookie banner allowing you to accept or decline non-essential cookies. You can change your cookie preferences at any time using the cookie preferences tool available on our website, or through your browser settings. For full details, including the cookies we use and their retention periods, please see our Cookie Policy.
How Long We Keep Information
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, including providing our services, complying with legal obligations, resolving disputes and enforcing our agreements.
| Data Type | Retention Period |
|---|---|
| Website enquiries and contact form submissions | Up to 24 months after last contact |
| Sales enquiries and quotations | Up to 24 months after last contact, unless they result in a client relationship |
| Client account information and CRM records | Duration of the client relationship, plus up to 6 years after the agreement ends |
| Service agreements and contracts | 6 years after termination |
| Invoices, payment records and accounting information | 6 years, or longer where required by law |
| Customer support requests and correspondence | Up to 3 years after the matter is resolved |
| Client-provided documents, AI configurations and knowledge bases | Duration of the service, then securely deleted within 30 days of the agreement ending |
| Chatbot conversation history | Duration of the service, then deleted within 90 days of termination, unless retained for legal, security or regulatory purposes |
| Marketing preferences and consent records | Until consent is withdrawn, or up to 2 years after the last marketing interaction, whichever comes first |
| Website analytics and cookies | In accordance with our Cookie Policy and the retention periods applied by our analytics providers |
| System logs and security records | Up to 12 months, or longer if required for security incidents, fraud prevention or legal obligations |
| Backup copies of data | In accordance with our backup schedule, typically overwritten or deleted within 90 days |
When personal information is no longer required, we securely delete or anonymise it. Where we are required by law to retain certain information for longer, we retain only what is necessary and securely delete it once the applicable period has expired.
Our full Data Retention Policy is available on request.
Who We Share Information With
We do not sell your personal data. We may share personal information with trusted third-party service providers where necessary to deliver our services, operate our business, process payments, host and secure our systems, and provide AI-powered functionality. We only share personal information where necessary and require all service providers to protect it appropriately under written agreements.
Categories of data processors we may use
- AI platform and infrastructure providers, including providers in the United States and other countries where appropriate safeguards are in place, supplying the cloud infrastructure and AI processing required to deliver chatbot and automation services
- CRM providers (UK and international) managing customer enquiries, onboarding, sales records, communications and support
- Payment processing providers (UK and international) processing online payments, direct debits, subscriptions and refunds securely. We do not store full card details.
- Cloud storage providers (UK and international) storing business documents, client files, operational records and backups
- Website hosting, content delivery and security providers (UK and international) hosting our website, improving performance and protecting against cyber threats
- Business communications and productivity providers (UK and international) facilitating communications, collaboration, scheduling and operational activities
Others we may share personal information with
- Professional or legal advisers
- Relevant regulatory authorities
- Professional consultants
- Organisations we are legally obliged to share personal information with
Sharing information outside the UK
Some of our service providers are located outside the United Kingdom, including in the United States. Where personal information is transferred outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR, including:
- UK International Data Transfer Agreements (IDTAs)
- The UK Addendum to the EU Standard Contractual Clauses
- Another lawful transfer mechanism recognised under UK data protection law, where applicable
We take reasonable steps to ensure that any overseas recipients provide an appropriate level of protection for personal information and process it only in accordance with our instructions and applicable law. You may request a copy of the relevant safeguards by contacting us using the details in this policy.
How We Protect Your Personal Information
We implement appropriate technical and organisational measures designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures may include:
- Access controls and authentication
- Encryption where appropriate
- Secure cloud infrastructure
- Monitoring and alerting
- Backup and disaster recovery processes
- Regular review of our security practices
While no method of transmitting or storing information is completely secure, we continually review and improve our safeguards to reduce risk.
Children
Our website and services are directed at businesses and are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately using the details in this policy and we will delete it promptly.
Changes to This Privacy Notice
We may update this Privacy Policy from time to time to reflect changes in law, technology, or our operations. When we make material changes, we will update the "Last Updated" date on this page and, where appropriate, notify you by email. We encourage you to review this page periodically.
How to Complain
If you have any concerns about our use of your personal information, please contact us first using the details in this policy - we would appreciate the opportunity to resolve your concerns directly.
If you remain unhappy after raising a complaint with us, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).