Privacy policy

Last Updated: July 1, 2025

Innex.ai Ltd. ("innex.ai", "we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our website at innex.ai and our services (collectively, the "Services").

We are registered with the Information Commissioner's Office (ICO) in the UK under registration number ZB768535.

1. Definitions

For the purposes of this Privacy Policy:

  • Controller (or Data Controller): The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of the personal data we collect about you as a user of our Services, innex.ai is the Controller. In the context of personal data contained within "Site-specific Documents" uploaded by your organisation, your organisation is the Controller, and innex.ai acts as a Processor.

  • Data Protection Law: All applicable legislation and regulations in force from time to time regulating the use of personal data and the privacy of electronic communications in the UK and EU, including, but not limited to, the UK GDPR, the EU GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as each may be amended, extended, or re-enacted from time to time.

  • Data Subject: The identified or identifiable natural person to whom personal data relates.

  • EU GDPR (European Union General Data Protection Regulation): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

  • Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

  • Processor (or Data Processor): A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.

  • Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

  • UK GDPR (United Kingdom General Data Protection Regulation): The EU GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

  • User: Any individual who uses our Services.

2. What Information Do We Collect About You (as a User)?

We collect various types of Personal Data from and about you when you interact with our Services:

  • Information You Provide to Us Directly:

    • Account and Contact Data: When you register for an account or contact us, we collect your name, email address, job title, organisation name, and professional contact details.

    • Communication Data: If you contact us via email, support channels, or other means, we collect the content of your communications.

    • Feedback, Case Study, and Research Data: If you voluntarily participate in feedback sessions, research case studies, interviews, observations, or surveys, we may collect your name, role, organisation, opinions, and other insights you choose to provide. This may include quotes or testimonials.

  • Information We Collect Automatically (Usage Data):

    • When you interact with our Services, we automatically collect certain technical and usage information for internal analytics purposes. This data is initially collected as identifiable Personal Data.

    • Device Information: This includes your browser type, operating system, unique device identifiers, and other technical identifiers.

    • IP Address: Your Internet Protocol (IP) address.

    • Usage and Interaction Data: Information about how you use our Services, such as the pages you visit, features you use, time spent on pages, search queries, documents you interact with, clicks, and session length. This data is collected through cookies and similar technologies (see our Cookie Policy below).

We do not intentionally collect Special Categories of Personal Data (such as health data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification purposes, data concerning a person's sex life or sexual orientation) directly from you or through your usage of our Services. While our Services allow for the uploading of "Site-specific Documents" which may contain Personal Data (as described below), our processing of such documents does not involve the intentional processing of Special Categories of Personal Data, and your organisation (as the Data Controller) is responsible for ensuring the lawfulness of such content.

3. How We Use Your Information and Our Lawful Bases

We use the Personal Data we collect about you for the following purposes and rely on the following lawful bases under Data Protection Law:

Purpose of Processing Type of Data Used Lawful Basis (UK GDPR Article 6)
To Provide and Maintain Our Services: To register your account, provide access to our platform, deliver core service functionality, and provide customer support. Account and Contact Data, Communication Data, Usage Data (as necessary for service delivery) Performance of a Contract: Processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract.
For Internal Analytics and Service Improvement: To understand how users interact with our Services, improve user experience, optimise features, and diagnose technical issues. Usage Data (Device Information, IP Address, Usage & Interaction Data) Consent: For the placement and access of analytics cookies/similar technologies (under PECR). The subsequent processing of this data for internal analytics (within our Azure environment) and for sharing with third parties (where it is pseudonymised) is also based on your consent. You provide this consent via our cookie banner. You can withdraw your consent at any time (see Section 9).
For Feedback, Case Studies, and Research: To validate, improve, and promote our service offerings through user insights, testimonials, and collaborative research. Feedback, Case Study, and Research Data (names, roles, opinions, quotes) Consent: Your explicit consent is obtained for participation in these activities and the use of your Personal Data for these specific purposes. You have the right to withdraw your consent at any time.
For Marketing and Publicity (where Personal Data is involved): To list your name/organisation as a customer or partner, provide testimonials, or serve as a reference. Account and Contact Data (specifically, identifiable names/roles/quotes) Consent: Your explicit consent is obtained for the use of your Personal Data in marketing and publicity materials. You have the right to withdraw your consent at any time.
To Comply with Legal Obligations: To meet legal, regulatory, and compliance requirements. Any relevant Personal Data Legal Obligation: Processing is necessary for compliance with a legal obligation to which innex.ai is subject (e.g., tax, accounting, or regulatory reporting).
For Our Legitimate Interests (and others'): For purposes such as ensuring the security of our Services, fraud prevention, system administration, and defending legal claims. Any relevant Personal Data Legitimate Interest: Processing is necessary for our legitimate interests (or those of a third party), provided these do not override your fundamental rights and freedoms. We conduct balancing tests to ensure our legitimate interests are proportionate to your rights.

 

4. Processing of Personal Data within "Site-specific Documents" (Our Role as Processor)

Our Services enable our organisational clients to upload "Site-specific Documents" which may contain Personal Data of their employees, contractors, or other individuals. This data is integral to the core functionality of our Services, such as semantic search and information retrieval within your organisation's specific content.

  • Our Role: For this Personal Data within "Site-specific Documents," innex.ai acts as a Data Processor. This means we process this data strictly on behalf of and according to the documented instructions of our clients (your organisation), who are the Data Controllers.

  • Your Organisation's Responsibility: Your organisation, as the Data Controller, is responsible for ensuring that it has a valid legal basis under Data Protection Law for collecting and providing this Personal Data to us, and for ensuring the accuracy and lawfulness of the content within these documents.

  • Our Legal Basis as Processor: Our processing of Personal Data within "Site-specific Documents" is primarily based on the Performance of a Contract with your organisation. This processing is necessary for us to provide the Services as agreed in our terms and conditions and any related Data Processing Addendum (DPA). We may also process this data based on Legitimate Interest for operational purposes such as ensuring the security and integrity of the platform, system maintenance, and performance monitoring.

  • No Special Categories: As stated above, we do not intentionally process Special Categories of Personal Data within these documents. Our DPA with our clients specifies our obligations and responsibilities concerning the types of data we process.

5. How We Share Your Information

We may share your Personal Data with the following categories of third parties for the purposes outlined in this Privacy Policy:

  • Cloud Hosting and Infrastructure Providers: These providers host our platform and process data on our behalf, ensuring the security, scalability, and functionality of our Services (e.g., Microsoft Azure).

  • Analytics Service Providers: These help us understand how our Services are used. 

  • Customer Relationship Management (CRM) System Providers: These help us manage customer interactions, sales, and support activities efficiently.

  • Legal and Professional Advisors: We may share your data with our lawyers, auditors, accountants, or other professional advisors where necessary to obtain advice or otherwise protect our legal interests.

  • Law Enforcement and Other Authorities: We may disclose your Personal Data if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation, protect and defend our rights or property, prevent or investigate possible wrongdoing in connection with the Services, protect the personal safety of users of the Services or the public, or protect against legal liability.

  • In the Event of Business Transfer: If innex.ai is involved in a merger, acquisition, or asset sale, your Personal Data may be transferred as a business asset. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.

We enter into legally binding data processing agreements (DPAs) with all third-party processors to ensure they comply with Data Protection Law and protect your data adequately.

6. International Data Transfers

Innex.ai Ltd. is a UK-based company. We primarily store and process Personal Data within the United Kingdom and the European Economic Area (EEA).

The UK and the EEA benefit from mutual adequacy regulations, meaning that personal data can flow freely between these regions with a high standard of data protection.

We do not currently transfer your Personal Data to countries outside the UK or EEA that have not been deemed to provide an adequate level of data protection by the relevant authorities (i.e., the UK Government or European Commission). Should this change in the future, we will update this Privacy Policy and implement appropriate safeguards, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), to ensure your Personal Data remains protected.

7. Data Security

We take the security of your Personal Data seriously. We implement appropriate technical and organisational measures to protect your Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

Our commitment to data security is demonstrated by:

  • Our Cyber Essentials Plus certification, which confirms our adherence to a robust baseline of cyber security controls.

  • Our completion of the NHS Data Security and Protection Toolkit (DSPT) self-assessment, indicating our commitment to high data security standards, particularly relevant for environments interacting with healthcare data.

While we strive to use commercially acceptable means to protect your Personal Data, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.

8. Data Retention

We will retain your personal data for no longer than is necessary to fulfil the purposes for which it was collected, or as required by applicable laws and regulations, including for the purposes of satisfying any legal, accounting, or reporting requirements. We establish specific retention periods for different types of data, which are reviewed periodically.

  • User Account Data (Your Customers - Controllers):

    • Active Accounts: We retain your account information and associated personal data for the entire duration that your account is active and you are using our Services.

    • Upon Account Closure or Contract Termination: Upon your request for account deletion, or upon the termination of your organisation's contract, your core identifiable personal data (e.g., name, email, contact information) will be retained for a period of up to 7 years. This period is necessary to comply with legal obligations (such as tax and accounting requirements, and the UK's Limitation Act 1980 which allows for contract claims for up to six years) and to resolve any potential disputes or legal proceedings. After this 7-year period, your core identifiable data will be securely deleted or permanently anonymised (meaning it can no longer be linked to you).

  • Usage Analytics Data (Your Data, based on Consent):

    • Usage analytics data, collected based on your consent for internal analytics and service improvement, is retained for up to 7 years. This period allows us to analyse long-term trends, improve our services, and understand feature adoption over time. After this period, the data is either securely deleted or further aggregated/anonymised to the point where it can no longer be linked to an individual.

  • Personal Data in Site-specific Documents (as Processor):

    • Personal data contained within Site-specific Documents is processed by innex.ai Ltd. as a Data Processor on behalf of our clients (Data Controllers). We retain this data strictly in accordance with our contractual agreements with our clients, including any Data Processing Addendum (DPA), and their documented instructions. This data is retained for no longer than necessary to provide the contracted Services. Upon termination of a client contract, we will delete or return this data in accordance with the terms of our specific agreement with that client.

  • Data for Feedback, Case Studies, and Research (Consent-based):

    • Personal data collected for feedback sessions, research case studies, or qualitative/quantitative research, based on your explicit consent, will be retained for the duration necessary to fulfil the stated purpose of the specific research or marketing activity. This period will not exceed 7 years from the date of collection unless otherwise specifically agreed with you or required by law. You have the right to withdraw your consent at any time, upon which we will cease processing and securely delete your relevant personal data, unless other legal obligations or legitimate reasons for continued retention apply.

9. Your Rights as a Data Subject

nder Data Protection Law, you have certain rights concerning your Personal Data. We are committed to upholding these rights:

  • The Right to Be Informed: You have the right to be informed about how your Personal Data is collected and used. This Privacy Policy serves to fulfil this right.

  • The Right to Access: You have the right to request a copy of the Personal Data we hold about you.

  • The Right to Rectification: You have the right to request that we correct any Personal Data that you believe is inaccurate or incomplete.

  • The Right to Erasure (Right to Be Forgotten): You have the right to request the deletion of your Personal Data under certain circumstances (e.g., where the data is no longer necessary for the purpose it was collected, or you withdraw consent).

  • The Right to Restrict Processing: You have the right to request that we restrict the processing of your Personal Data under certain circumstances (e.g., if you contest the accuracy of the data, or the lawfulness of the processing).

  • The Right to Data Portability: You have the right to request that we transfer the data that we have collected to another organisation, or directly to you, under certain conditions.

  • The Right to Object: You have the right to object to our processing of your Personal Data in certain situations, particularly where the processing is based on legitimate interests or for direct marketing purposes.

  • The Right to Withdraw Consent: Where we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

How to Exercise Your Rights:

To exercise any of these rights, please contact us using the details provided in Section 11 of this Privacy Policy. We will respond to your request without undue delay and in any event within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests. In such a case, we will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay. We may need to verify your identity before fulfilling your request.

No Automated Decision-Making or Profiling:

Innex.ai Ltd. does not engage in automated decision-making, including profiling, that produces legal effects concerning individuals or similarly significantly affects them.

10. Cookies Policy

Our Services use cookies and similar technologies to enhance your experience and collect usage data. A "cookie" is a small piece of data stored on your device.

  • Types of Cookies Used: We use essential cookies necessary for the operation of our Services (e.g., for user authentication, security, or maintaining your session) which do not require your consent under PECR. We also use analytics cookies to collect usage data for internal analytics and service improvement, for which we require your consent.

  • Consent for Analytics Cookies: In accordance with Data Protection Law (specifically PECR), we will obtain your explicit, opt-in consent before setting non-essential cookies, such as analytics cookies, on your device. You will be presented with a clear cookie banner, allowing you to manage your preferences.

11. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

12. Contact Us

If you have any questions about this Privacy Policy, our data practices, or if you wish to exercise any of your rights, please contact us:

Innex.ai Ltd. Email: contact@innex.ai

Address: Canterbury House 1 Royal Street London SE1 7LL

Complaints:

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues, if you believe your rights have been infringed.

Information Commissioner's Office (ICO): Website: www.ico.org.uk Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Helpline: 0303 123 1113

Empowering those who keep the built world running.

Find out more

Company

Contact us

Follow us on LinkedIn
2025 INNEX AI Ltd. All Rights reserved.