Privacy Policy

1. Introduction and who we are

This Privacy Policy explains how Unlimit Lab Limited ("Unlimit Lab", "we", "us", "our") collects, uses, stores, and protects your personal information when you use the Vennari platform, including our websites at vennari.ai, our iOS and Android mobile applications, our API, and any related services (collectively, the "Service").

Unlimit Lab Limited is a company registered in England and Wales (Company No. 16925967). We are the data controller for the purposes of the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation ("EU GDPR").

Our Data Protection Officer can be contacted at privacy@vennari.ai. Our registered address is available upon written request.

2. Information we collect

We collect information in the following categories:

2.1 Information you provide directly

• Registration data: name, email address, phone number, and password when you create an account.
• Profile information: job title, company name, biography, and profile photo you choose to add.
• Session content: session names, notes, photos, video clips, and audio recordings you capture.
• Contacts: contact information you manually enter, import via business card scan (OCR), NFC exchange, or QR code.
• Communications: messages you send through the platform, support requests, and feedback.
• Payment information: billing address and payment card details (processed and stored by Stripe; we do not store full card numbers).
• Survey responses: product feedback and survey answers you voluntarily submit.

2.2 Information generated by your use of the Service

• Transcripts: text generated from ambient audio using on-device speech recognition (Whisper.cpp).
• AI-classified minutes: tasks, actions, decisions, questions, and informational items extracted by AI from transcripts.
• Face Vault embeddings: 512-float mathematical vectors generated on your device from voluntary facial enrolment (see Section 7).
• Storage metadata: file sizes, upload timestamps, storage tier, and access timestamps.
• Social post drafts: content you draft for post-session sharing.

2.3 Information collected automatically

• Device information: device model, operating system version, app version, unique device identifiers.
• Usage data: features accessed, session durations, interaction timestamps, and error logs.
• Network information: IP address, browser type, referring URL, and general geographic location derived from IP.
• Analytics: anonymous, aggregated usage patterns collected via self-hosted PostHog. No third-party advertising trackers are used.
• Cookies: strictly necessary session cookies and optional analytics cookies (see Section 6 and our Cookie Policy).

3. How we use your information

We use your personal information for the following purposes:

We do not use your data to train third-party AI models without separate, explicit, revocable consent. We do not display advertising or share data with advertisers.

4. Legal bases for processing (UK GDPR)

We rely on the following lawful bases under Article 6 of the UK GDPR:

• Contract performance (Art. 6(1)(b)): processing necessary to provide the Vennari service you have signed up for, including account management, session capture, AI classification, and cloud storage.
• Legitimate interests (Art. 6(1)(f)): product improvement using anonymised data, security monitoring, fraud prevention, and maintaining the integrity of the Service. We have conducted a Legitimate Interest Assessment and are satisfied these interests do not override your rights.
• Consent (Art. 6(1)(a)): processing that requires your explicit consent, including Face Vault biometric processing (also under Art. 9(2)(a) for special category data), optional marketing communications, and non-essential analytics cookies.
• Legal obligation (Art. 6(1)(c)): where processing is required by law, such as responding to court orders or regulatory requirements.

Where we rely on consent, you have the right to withdraw it at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

5. Sharing your information

We do not sell your personal data. We share your information only in the following limited circumstances:

We may also disclose information where required by law, to protect our legal rights, or in connection with a merger, acquisition, or sale of assets (in which case you would be notified).

6. Cookies and similar technologies

Our website and web application use cookies and similar technologies. A cookie is a small text file placed on your device to help us provide and improve the Service.

We use the following categories of cookies:

• Strictly necessary cookies: required for the website to function (authentication, security tokens, session management). These cannot be disabled.
• Analytics cookies: help us understand how visitors use the Service so we can improve it. We use self-hosted PostHog — no data is shared with third-party advertising networks. These are set only with your consent.
• Preference cookies: remember your choices such as theme, language, and display settings.

We do not use advertising, tracking, or social media cookies.

You can manage your cookie preferences at any time using the cookie settings banner, or by adjusting your browser settings. For full details, see our Cookie Policy.

7. Face Vault — biometric data

Face Vault is an entirely voluntary feature. The following special provisions apply due to the sensitive nature of biometric data:

• Explicit consent: enrolment requires affirmative action. You must tap "Enrol in Face Vault" and accept a specific consent prompt before any biometric processing occurs.
• On-device processing: the ArcFace MobileNetV2 model runs exclusively on your device. No photograph is ever transmitted to our servers.
• What is stored: only a 512-float mathematical vector (embedding). This vector cannot be reverse-engineered into a recognisable image of your face.
• Encryption: embeddings are stored using AES-256 column-level encryption (pgcrypto) with a dedicated AWS KMS key. The database table is architecturally isolated — no other service can access it.
• Notifications: you receive a push notification within 60 seconds every time another Vennari member scans and matches you.
• Revocation: you can permanently delete your face embedding at any time from Settings. Deletion propagates within 60 seconds and is irreversible.
• Non-members: individuals who are not enrolled in Face Vault will never be identified or stored by the system.

Processing of biometric data is based on your explicit consent under Article 9(2)(a) of the UK GDPR. You may withdraw consent at any time by unenrolling from Face Vault.

8. Data retention

We retain your personal data only for as long as necessary for the purposes described in this policy, unless a longer retention period is required by law.

When you delete your account, all personal data is permanently erased within 30 days, except where retention is required by law.

9. International data transfers

Our primary infrastructure is hosted in AWS eu-west-2 (London, United Kingdom). We make every effort to keep your data within the UK and European Economic Area.

Where data is transferred outside the UK or EEA (for example, to AWS regions in the United States for certain redundancy features, or to third-party service providers), we rely on:

• UK International Data Transfer Agreement (IDTA) — the UK equivalent of EU Standard Contractual Clauses.
• EU Standard Contractual Clauses (SCCs) — for transfers subject to the EU GDPR.
• Adequacy decisions — where the UK or EU has determined a country provides adequate data protection.

Copies of our transfer safeguards are available upon request by emailing privacy@vennari.ai.

10. Your rights

Under the UK GDPR and the Data Protection Act 2018, you have the following rights:

• Right of access (Art. 15): request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): ask us to correct inaccurate or incomplete data.
• Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten").
• Right to restrict processing (Art. 18): ask us to limit how we use your data.
• Right to data portability (Art. 20): receive your data in a structured, machine-readable format (JSON or CSV).
• Right to object (Art. 21): object to processing based on legitimate interests.
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
• Right not to be subject to automated decision-making (Art. 22): we do not make decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, email privacy@vennari.ai. We will acknowledge your request within 3 working days and respond fully within 30 days (extendable by a further 60 days for complex requests).

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

11. Children's privacy

Vennari is designed for professional use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete such information promptly.

If you believe a child under 18 has provided personal data to us, please contact us at privacy@vennari.ai.

12. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

• TLS 1.3 encryption for all data in transit.
• AES-256 encryption for all data at rest in AWS RDS and S3.
• Column-level encryption with dedicated KMS keys for biometric data.
• JWT token authentication with configurable HS256/RS256 algorithms.
• Multi-tier rate limiting and input validation middleware.
• Regular security audits and penetration testing.
• Staff access governed by least-privilege principles.

For more detail, see our Security page. No system is 100% secure. If you discover a vulnerability, please report it to security@vennari.ai.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and through an in-app notification at least 14 days before any change takes effect.

Continued use of the Service after the effective date of any updated Privacy Policy constitutes acceptance of the updated terms. The latest version is always available at vennari.ai/privacy.

14. Contact us

Unlimit Lab Limited · Company No. 16925967 · Registered in England & Wales
Postal address available on written request.