Privacy Policy

Introduction

WINIQ AI LTD, trading as WinIQ ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered PreSales Operating System and website.

Data Controller

WINIQ AI LTD (trading as WinIQ)

86-90 Paul Street

London, England, EC2A 4NE

United Kingdom

ICO Registration Reference: ZC109190

Data Protection Contact: privacy@winiq.ai

Definitions

For the purposes of this Privacy Policy, the following definitions apply:

Term	Definition
GDPR	Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation)
UK GDPR	The GDPR as incorporated into UK law under the Data Protection Act 2018 (as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019)
ICO	The UK Information Commissioner's Office, the independent supervisory authority responsible for enforcing UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR)
CCPA/CPRA	The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (effective 1 January 2023)
Data Controller	The entity that determines the purposes and means of processing personal data
Data Processor	An entity that processes personal data on behalf of a Data Controller

Our Role: Controller vs Processor

WinIQ's role under data protection law depends on the type of data being processed:

WinIQ as Data Controller

WinIQ acts as the Data Controller for:

Website visitor data and analytics
Marketing and communications data
Account registration information
Contact form submissions
Billing and payment information

WinIQ as Data Processor

WinIQ acts as a Data Processor for:

Customer-uploaded documents (RFPs, product docs)
Customer content processed within the platform
AI-generated analysis outputs on customer data
Any personal data contained in customer files

For enterprise customers: A Data Processing Agreement (DPA) is available upon request. The DPA sets out WinIQ's obligations as a processor, including security measures, subprocessor use, data subject rights assistance, and breach notification procedures. Contact to request a DPA.

Information We Collect

Personal Information

We may collect personal information that you voluntarily provide to us when you:

Register for an account
Request a demo
Contact us for support
Subscribe to our communications

This information may include: name, email address, phone number, company name, job title, and other contact details.

Document Data

When you use our platform, you upload documents including:

RFP, RFQ, and RFI documents
Product documentation and specifications
Company information and capabilities

Usage Data

We automatically collect certain information when you use our platform, including:

IP address and browser type
Device information
Pages visited and features used
Time and date of access
Performance and error logs

How We Use Your Information and Lawful Basis

Under the UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out our purposes and the corresponding legal basis for each.

Purpose	Lawful Basis (GDPR Art. 6)
Provide and maintain our AI-powered PreSales services	Performance of a contract (Art. 6(1)(b))
Process your documents and generate analysis	Performance of a contract (Art. 6(1)(b))
Respond to demo requests and provide support	Pre-contractual measures at your request (Art. 6(1)(b))
Send administrative information and service updates	Performance of a contract (Art. 6(1)(b))
Send marketing communications	Consent (Art. 6(1)(a)) — you may withdraw at any time
Website analytics (Google Analytics)	Consent (Art. 6(1)(a)) — via cookie consent banner
Improve and optimise our platform and user experience	Legitimate interest (Art. 6(1)(f)) — improving our services
Detect and prevent fraud or security issues	Legitimate interest (Art. 6(1)(f)) — security of our platform
Comply with legal obligations	Legal obligation (Art. 6(1)(c))

Important: Your documents and data are never used to train AI models. We use third-party AI APIs in a stateless manner where your data is processed to deliver the service and is not retained by the AI provider for training purposes.

AI Processing and Third-Party Services

Important AI Disclaimer

WinIQ uses third-party AI services (including OpenAI and Anthropic) to analyse your documents. Your uploaded documents and data are processed by these AI providers solely to deliver the service. Your data is not retained by these providers for model training.

Subprocessors

We use the following third-party subprocessors to deliver our services. Data Processing Agreements (DPAs) and, where applicable, Standard Contractual Clauses (SCCs) are in place with each provider.

Provider	Purpose	Location
OpenAI	AI language model (GPT-4, GPT-4o-mini)	United States
Azure OpenAI	AI language model (EU-configurable)	EU (configurable)
Anthropic	AI language model (Claude)	United States
Google (Gemini)	AI language model	United States
Google Analytics (GA4)	Website analytics (with consent)	United States
FormSubmit	Contact form processing	United States
Stripe	Payment processing	United States / Ireland (EU)
Google Cloud Platform (GCP)	Application hosting, database, compute infrastructure	United States / EU (configurable)
IONOS	Website hosting	United Kingdom

For more information on how these providers handle data, please review their respective privacy policies:

OpenAI: openai.com/privacy
Anthropic: anthropic.com/privacy
Google: policies.google.com/privacy
Stripe: stripe.com/privacy
Google Cloud: cloud.google.com/terms/cloud-privacy-notice
IONOS: ionos.co.uk/terms-gtc/privacy-policy

Data Security

We implement appropriate technical and organizational security measures to protect your information, including:

Encryption of data in transit using SSL/TLS
Secure API authentication and authorization
Role-based access control
Regular security audits and monitoring
Containerized deployment with Docker

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security.

Data Retention

We retain your information for as long as necessary to:

Provide our services to you
Comply with legal obligations
Resolve disputes and enforce agreements

You may request deletion of your data at any time by contacting us. Upon deletion, your documents and analysis results will be permanently removed from our systems, subject to legal retention requirements.

Your Rights

Depending on your location, you may have certain rights regarding your personal information:

Access: Request a copy of your personal information
Correction: Request correction of inaccurate information
Deletion: Request deletion of your information
Portability: Request transfer of your data
Objection: Object to processing of your information
Restriction: Request restriction of processing

To exercise these rights, please contact us at . We will respond to your request within one month.

Right to Lodge a Complaint

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with a supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO):

Website: ico.org.uk/make-a-complaint
Phone: 0303 123 1113

Cookies and Tracking

We use cookies and similar technologies on our website. We categorise these as follows:

Strictly Necessary

These are essential for the website to function and cannot be disabled. They include:

Storage	Purpose	Duration
cookie_consent_given (localStorage)	Records that you have made a cookie consent choice	Persistent (until cleared)
cookie_consent_analytics (localStorage)	Records your analytics cookie preference	Persistent (until cleared)
cookie_consent_date (localStorage)	Timestamp of your consent decision	Persistent (until cleared)

Analytics (Consent Required)

These cookies are only set if you consent via our cookie banner. We use Google Analytics 4 (GA4) with IP anonymisation enabled.

Cookie	Provider	Purpose	Duration
_ga	Google	Distinguishes unique users	2 years
_ga_<ID>	Google	Maintains session state	2 years

You can change your cookie preferences at any time using the "Manage Cookie Preferences" link in the footer of every page. You can also control cookies through your browser settings. For full details, see our Cookie Policy.

Consent Receipt Storage

To comply with GDPR Article 7 (demonstrating valid consent) and ICO guidance on consent records, we store a server-side record of your cookie consent choice. This allows us to demonstrate, if required by regulators, that valid consent was obtained.

Data Element	Description	Purpose
Hashed IP Address	Your IP address hashed with SHA-256 (one-way, non-reversible)	Identify unique visitors without storing actual IP
Visitor ID (consent only)	Anonymous UUID generated only when you grant consent	Link consent records across sessions (not created if you reject)
Consent Action	Your choice (Accept All, Reject All, or Save Preferences)	Record what action you took
Consent Choices	Analytics and marketing consent status (true/false)	Record specific preferences granted
Consent Version	Version of the consent banner shown	Track which consent text was presented
Page URL	The page where consent was given	Record context of consent
Referrer	How you arrived at our website	Audit context
Timestamp	Date and time consent was recorded	Prove when consent was obtained

Lawful Basis: Legitimate interest (GDPR Art. 6(1)(f)) — maintaining records to demonstrate compliance with consent requirements under GDPR Article 7 and UK PECR regulations.

Retention: Consent receipts are retained for 3 years from the date of consent, in line with ICO guidance and potential regulatory review periods.

International Data Transfers

WinIQ is based in the United Kingdom. Some of the third-party services we use (see Subprocessors above) are located in the United States and other countries that may not have been deemed to provide an adequate level of data protection by the UK government.

Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place, including:

EU-US Data Privacy Framework (DPF): Where our US-based subprocessors are certified under the EU-US DPF and UK Extension to the DPF (including Google and Microsoft), we rely on this adequacy decision as the legal basis for transfers
Standard Contractual Clauses (SCCs): For subprocessors not certified under the DPF, we have entered into the UK International Data Transfer Addendum (IDTA) or EU SCCs
Data Processing Agreements (DPAs): All subprocessors have signed DPAs governing how they handle your data
EU data residency: Enterprise customers can opt for EU-based data processing via Azure OpenAI

You can verify DPF certification status at dataprivacyframework.gov. You can request a copy of the relevant safeguards by contacting us at .

Regional Data Protection Frameworks

WinIQ complies with applicable data protection laws depending on customer location, including:

EU General Data Protection Regulation (GDPR)
UK GDPR and the UK Data Protection Act 2018
California Consumer Privacy Act (CCPA) as amended by the CPRA
Brazil LGPD
Canada PIPEDA
Singapore PDPA
Japan APPI
Swiss Federal Act on Data Protection (FADP)
South Africa POPIA

Global Standard: We apply a GDPR-level baseline of controls globally.

Alignment with equivalent frameworks does not constitute formal legal certification under those regimes unless contractually agreed.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, this section applies to you under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

Category	Examples	Source
Identifiers	Name, email address, account name	Directly from you
Commercial Information	Subscription history, billing records	Directly from you, payment processor
Internet/Network Activity	Browsing history on our site, feature usage	Automatically collected
Professional Information	Job title, company name	Directly from you
Inferences	Usage patterns, preferences	Derived from other categories

Sale or Sharing of Personal Information

We do not sell or share your personal information. WinIQ does not sell personal information to third parties for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising.

Your California Privacy Rights

As a California resident, you have the following rights:

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
Right to Delete: Request deletion of your personal information, subject to certain exceptions
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out: Opt out of the sale or sharing of personal information (not applicable as we do not sell or share)
Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights

How to Exercise Your Rights

To exercise your California privacy rights, please contact us at with the subject line "California Privacy Request". We will verify your identity before processing your request and respond within 45 days.

Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

Posting the new Privacy Policy on this page
Updating the "Last Updated" date
Sending you an email notification (for material changes)

We encourage you to review this Privacy Policy periodically.

Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: