🔐 Privacy Policy

Effective Date: August 27, 2025

Last Updated: August 27, 2025

This Privacy Policy explains how She Knows Digital Sp z o.o. (“we”, “us”, or “our”) collects, uses, shares, and protects your personal data when you use InvuAI (navajowhite-dog-492217.hostingersite.com) (the “Service”), a brand monitoring platform operated at https://www.navajowhite-dog-492217.hostingersite.com.

We are committed to complying with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), EU GDPR, and the California Consumer Privacy Act (CCPA).

Important: The Service is offered solely for business and professional use. By using the Service, you confirm you are acting in a business capacity and not as a consumer.

📌 1. Who We Are

She Knows Digital Sp z o.o.

TAX ID 5482741469, KRS 0000944812

Registered in Poland

Email: feedback@navajowhite-dog-492217.hostingersite.com

Data Protection Officer: Mags Sikora (dpo@navajowhite-dog-492217.hostingersite.com)

Controller vs Processor Roles

  • We act as Data Controller for: Account data, usage analytics, communications, cookies
  • We act as Data Processor for: Brand monitoring data you process through our Service
  • You act as Data Controller for: Any third-party data you upload or process

📘 2. Key Definitions

  • Personal Data: Any information relating to an identifiable person
  • Processing: Any operation performed on personal data (e.g., collection, storage, use)
  • Service: The InvuAI platform accessible at https://www.navajowhite-dog-492217.hostingersite.com
  • Business User: Any individual acting in a business or professional capacity
  • Profiling: Automated processing to analyze or predict behavior
  • Special Categories: Sensitive data including racial origin, health, sexual orientation

📊 3. What Data We Collect

We collect and process the following categories of personal data:

Data Type | Examples | Controller/Processor | Purpose
--- | --- | --- | ---
Account Data | Business email, name, company name | We are Controller | B2B service provision
Usage Data | IP address, browser type, login times | We are Controller | Service optimization
Prompt & Brand Data | User-defined prompts, competitor names | We are Processor | Service delivery
Communication Data | Support messages, feedback | We are Controller | Customer support
Cookies & Tracking | Cookie preferences, device type | We are Controller | User experience
Payment Data | Processed via Stripe (we don’t store card details) | Stripe is Processor | Subscription billing

Note: We do not store payment card information. All payment data is processed directly by Stripe, our PCI-compliant payment processor.

⚖️ 4. Legal Basis for Processing

We process your data lawfully under the following legal bases:

Purpose | Legal Basis | Retention
--- | --- | ---
Account setup and authentication | Performance of B2B contract | Until account deletion
Service delivery and prompt processing | Performance of B2B contract | Until account deletion
Payment processing | Performance of B2B contract | 7 years (tax law)
Analytics and usage insights | Legitimate business interest | Anonymized after 12 months
Customer support | Legitimate business interest | 30 days after resolution
Legal compliance (tax, invoicing) | Legal obligation | 7 years (UK tax law)
Marketing to businesses | Legitimate interest / Consent | Until withdrawn

You may withdraw consent at any time where applicable.

🤖 5. Automated Processing, Profiling & AI Use

5.1 No Automated Decision-Making

We DO NOT use automated processing for decisions with legal or similarly significant effects on your business.

5.2 Limited Business Profiling

We conduct minimal profiling solely for:

  • Service improvement (analyzing feature usage patterns)
  • Security (detecting unusual access patterns)
  • Performance optimization (identifying system bottlenecks)
  • Business analytics (aggregated usage trends)

This profiling:

  • Does NOT result in automated decisions affecting your business
  • Is NOT sold to third parties
  • Can be objected to at any time via dpo@navajowhite-dog-492217.hostingersite.com

5.3 AI Processing Disclosure

We use third-party AI services (including OpenAI and Anthropic) to analyze text-based prompts. These services:

  • Process brand and competitor names to generate business insights
  • Do NOT make decisions about your business
  • Provide informational outputs only
  • May exhibit biases or inaccuracies
  • Do NOT guarantee uniqueness or freedom from IP claims

Critical Compliance Warning:

  • DO NOT submit personal data of individuals, sensitive data, or special category data through AI prompts
  • We implement reasonable technical measures to detect potential personal data patterns in prompts, but cannot guarantee complete prevention
  • Detection systems may not identify all personal data, particularly if obfuscated, encoded, or in non-standard formats
  • If you submit personal data despite warnings, you acknowledge:
    • You are the Data Controller for that submission
    • You have lawful basis for such processing
    • You indemnify She Knows Digital Sp z o.o. against any resulting regulatory action or claims
    • You accept full liability for any GDPR violations
    • Regulatory authorities may still investigate or fine us initially, requiring us to seek recovery from you

Your Indemnification: If you submit personal data, special category data, or consumer information into prompts in violation of this Policy, you acknowledge sole responsibility as Data Controller and agree to indemnify She Knows Digital Sp z o.o. against any resulting claims, fines, or damages, including costs of regulatory proceedings.

🍪 6. Cookies & Tracking

We use cookies and similar technologies for business service delivery:

Cookie Type | Purpose | Legal Basis
--- | --- | ---
Essential | Authentication, session management | Legitimate business interest
Functional | UI preferences, language settings | Legitimate business interest
Analytics | Business usage insights | Consent (via banner)
Marketing | B2B remarketing (if applicable) | Consent (via banner)

For full details, see our Cookie Policy.

🔗 7. How We Share Your Data

We work with carefully selected third parties to provide the Service.

To avoid confusion, we distinguish between:

  • Personal Data Processors – parties that process identifiable personal data (account info, payment data, etc.)
  • Non-Personal AI Providers – parties that only process non-personal business text (e.g., brand names, competitor names, generic prompts)

📂 Personal Data Processors

These subprocessors handle identifiable business/personal data. All are bound by GDPR-compliant Data Processing Agreements (DPAs), Standard Contractual Clauses (SCCs), or UK International Data Transfer Agreements (IDTAs).

Party | Purpose | Location | Safeguards
--- | --- | --- | ---
Stripe | Payment processing | USA/EU | PCI-DSS certified, DPA + SCCs/IDTA
Supabase | Authentication, account data, database | Switzerland (primary), USA (failover only) | Adequacy decision (CH), DPA + SCCs/IDTA (USA fallback)
Resend | Transactional emails | USA | DPA + SCCs/IDTA
Lovable.dev | Application hosting | EU | Adequacy decision

🤖 Non-Personal AI Providers

These providers only process non-personal business text (e.g., brand names, product categories, competitor terms). We do not transmit personal data to these services, and therefore no Data Processing Agreements are required.

Provider | Purpose | Location | Safeguards
--- | --- | --- | ---
OpenAI | Prompt analysis, AI outputs | USA | Contractual + technical restrictions (no personal data transmitted)
Anthropic | Prompt analysis, AI outputs | USA | Contractual + technical restrictions (no personal data transmitted)

Important Notes:

  • We prohibit submitting personal data to AI providers
  • If you submit personal data despite this restriction, you act as the Data Controller and assume full liability
  • These providers never handle account information, payment details, or identifiable personal data
  • We may add other AI providers (e.g., Cohere, Google AI) as non-personal processors in the future

📩 Subprocessor Updates

  • We maintain a current list at navajowhite-dog-492217.hostingersite.com/subprocessors
  • We will notify users at least 30 days before engaging any new subprocessor that materially changes how data is processed
  • Objection rights: You may object within 14 days. If no alternative is feasible, your sole remedy is to terminate the Service

Other Sharing

  • Affiliates under common control
  • Acquirers in business merger/sale scenarios
  • Regulators where legally required
  • With your explicit consent

We DO NOT sell your business data to third parties.

🌍 8. International Data Transfers

Primary Storage

All user data is primarily stored and processed on servers located in Switzerland, which is recognized by both the UK Government and the European Commission as providing adequate data protection.

Transfer Scenarios

Data may be transferred outside Switzerland/EEA in the following specific circumstances:

Scenario | Location | Safeguards | User Notification
--- | --- | --- | ---
Normal operations | Switzerland | Adequacy decision | Not required
Disaster recovery (Supabase) | USA | SCCs + DPA | Via status page
AI processing (OpenAI/Anthropic) | USA | SCCs + DPA | In this policy
Payment processing (Stripe) | USA/EU | PCI-DSS + SCCs | At checkout
Email delivery (Resend) | USA | SCCs + DPA | In this policy

Failover Documentation: Failover to USA is rare and temporary, typically lasting less than 24 hours during critical incidents. We maintain logs of all failover events for accountability and can provide documentation upon request to dpo@navajowhite-dog-492217.hostingersite.com.

Safeguards

For all transfers outside adequate jurisdictions, we ensure:

  • Executed Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreements (IDTAs) where required
  • Appropriate technical and organizational measures
  • Regular audits of transfer mechanisms

Contact dpo@navajowhite-dog-492217.hostingersite.com for copies of our transfer safeguards.

🔒 9. Data Security

We implement enterprise-grade security measures:

Technical Measures

  • TLS 1.3 encryption in transit
  • AES-256 encryption at rest
  • Role-based access control (RBAC)
  • Multi-factor authentication available
  • PCI-DSS compliance (via Stripe for payments)
  • Regular security audits

Organizational Measures

  • Employee confidentiality agreements
  • Limited access (need-to-know basis)
  • Security training
  • Incident response procedures
  • Business continuity planning

No system is 100% secure. You acknowledge this inherent business risk.

📁 10. Data Retention

Data Type | Retention Period | Deletion Method
--- | --- | ---
Account & Prompt Data | Immediately upon account closure | Permanent deletion
Aggregated Analytics | 12 months (anonymized) | Automatic purge
Legal Records | 7 years (as required by law) | Secure disposal
Communications | 30 days after account closure | Permanent deletion
System Backups | 7 days maximum after deletion | Automated scrubbing
Audit Logs | 90 days | Automatic rotation

Critical: Account deletion triggers immediate, irreversible data loss. Export data before cancellation.

🧾 11. Your Rights

GDPR/UK GDPR Rights (All Users)

  • Access your business data
  • Rectify inaccurate information
  • Delete your data (“right to erasure”)
  • Restrict processing
  • Portability (machine-readable format)
  • Object to processing
  • Withdraw consent

CCPA Rights (California Businesses)

  • Know what information is collected
  • Delete business information
  • Opt out of sale (we don’t sell data)
  • Non-discrimination for exercising rights
  • Correct inaccurate information
  • Limit use of sensitive information

Exercising Your Rights

To exercise rights: dpo@navajowhite-dog-492217.hostingersite.com

Response time: 30 days (45 for complex requests)

Fees: Requests are free of charge unless manifestly unfounded or excessive, in which case a reasonable administrative fee may be charged or the request may be refused (in accordance with GDPR Article 12(5)).

🚸 12. Age and Business Verification

Business Users Only

The Service is for business use only. We verify this through:

  • Business email domain validation
  • Terms acceptance requiring business capacity
  • Monitoring for consumer use indicators

No Minors

We do not knowingly collect data from individuals under 18. If discovered, such data is immediately deleted.

🧠 13. Your Business Responsibilities

You are responsible for:

  • Data Export: Backing up data before cancellation
  • Legal Compliance: Ensuring lawful basis for data processing
  • Business Authority: Having authority to bind your organization
  • Third-Party Consent: Obtaining consent for any third-party data
  • Understanding Deletion: Accepting permanent data loss on termination
  • Personal Data Prevention: Not submitting personal data into AI prompts

Technical Enforcement & Warnings

We implement reasonable technical measures including:

  • Automated detection of potential personal data patterns in prompts
  • Warning messages when possible personal data indicators are detected
  • Logging of warnings dismissed by users
  • Right to suspend accounts that repeatedly violate data submission policies

Important Disclaimer:

Our detection systems are designed to discourage submission of personal data but cannot guarantee prevention. These systems may not identify all personal data, particularly if:

  • Data is obfuscated, encoded, or encrypted
  • Personal information is in non-standard formats
  • Names or identifiers are partial or misspelled
  • Data is embedded in larger text blocks

Responsibility remains with you as Data Controller for ensuring no personal data is submitted.

Insurance Requirements

If you operate in regulated industries or handle sensitive data, you must maintain adequate professional liability and cyber insurance appropriate to your business risks. Our liability limitations assume you carry appropriate business coverage. This requirement is a binding contractual obligation as stated in our Terms and Conditions.

🧯 14. Data Breaches & Regulatory Proceedings

Breach Response

In case of a breach affecting your business data:

  1. Regulatory Notification: Within 72 hours where required
  2. Business Notification: Without undue delay if high risk
  3. Information Provided:
    • Nature and extent of breach
    • Likely business consequences
    • Mitigation measures taken
  4. Support: Dedicated incident response team

Regulatory Investigations

If regulatory authorities investigate our data processing:

  • We will notify affected users unless prohibited by law
  • We may seek indemnification from users who violated this Policy
  • Users who submitted personal data against our instructions must cover:
    • Our legal defense costs
    • Any fines or penalties attributed to their actions
    • Administrative costs of the investigation
  • We maintain audit logs to demonstrate policy violations by users

Indemnification Capability: You are responsible for ensuring your organization has sufficient resources (including appropriate insurance coverage) to meet any indemnification obligations arising from your breach of this Policy or our Terms.

🔄 15. Account Deletion Process

When you terminate your business account:

Step | Action | Timeframe
--- | --- | ---
1 | Access terminated | Immediate
2 | Active data deleted | Within 24 hours
3 | Backups scrubbed | Within 7 days
4 | Confirmation sent | Within 24 hours
5 | Legal records only | As required by law

This process is IRREVERSIBLE.

📊 16. California Business Disclosures (CCPA)

B2B Context Notice

We process California business contact data solely in the business-to-business context. This data is not made available for consumer marketing purposes and is used exclusively for B2B service delivery.

Information Collected

  • Business identifiers (email, IP address)
  • Commercial information (subscription details)
  • Internet activity (usage data)
  • Business inferences (usage patterns)

Business Purposes

  • B2B service delivery
  • Security and fraud prevention
  • Legal compliance
  • Service improvement

“Do Not Sell” Declaration

We do not sell, rent, or share business information for monetary or other valuable consideration. To verify this or to opt out of any future practices, contact: privacy@navajowhite-dog-492217.hostingersite.com

California B2B Processing

We honor applicable rights under CCPA to the extent they apply to B2B contexts, including:

  • Right to know what business information is collected
  • Right to delete (subject to legal retention requirements)
  • Right to correct inaccurate information
  • Right to opt out of sale (we don’t sell data)
  • Right to non-discrimination

These rights are provided in the context of business-to-business services.

DSAR Processing: We commit to fulfilling valid Data Subject Access Requests (DSARs) from California business contacts within 45 days. We reserve the right to verify the business relationship before processing requests. Excessive or repetitive requests may be subject to reasonable administrative fees as permitted by the CCPA.

🔄 17. Changes to Privacy Policy

We may update this Policy for business, legal, or operational reasons.

Notification

  • Email for material changes
  • Dashboard notice for updates
  • 30 days’ notice for material changes

Your Options

  • Review before acceptance
  • Export data before changes
  • Terminate if you disagree

📩 18. Contact Information

Data Protection Officer

Mags Sikora

Email: dpo@navajowhite-dog-492217.hostingersite.com

Response: Within 30 days

General Inquiries

She Knows Digital Sp z o.o.

Registered in Poland

Email: feedback@navajowhite-dog-492217.hostingersite.com

TAX ID 5482741469, KRS 0000944812

Supervisory Authorities

You may lodge complaints with:

  • UK: Information Commissioner’s Office (ICO)
  • EU: Your local data protection authority
  • California: California Attorney General

19. Export Controls and Compliance

In accordance with our Terms and Conditions, you confirm that:

  • You are not subject to UK, EU, or US sanctions
  • You will not use the Service in violation of export controls
  • You comply with all applicable data protection and business regulations

By using the Service, you acknowledge that you have read and understood this Privacy Policy and that you are acting in a business capacity.