Privacy Policy

1. Data Controller Information

Numonic Labs Ltd ("Numonic", "we", "us", or "our") is the data controller responsible for your personal data. We are committed to protecting and respecting your privacy in compliance with the UK GDPR and EU GDPR.

2. Information We Collect

We may collect and process the following categories of personal data:

• Identity Data: First name, last name, username or similar identifier
• Contact Data: Email address, telephone numbers, billing address, delivery address
• Financial Data: Payment card details (processed securely through our payment processors)
• Transaction Data: Details about payments to and from you and other details of products and services you have purchased from us
• Technical Data: Internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform
• Profile Data: Your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses
• Usage Data: Information about how you use our website, products and services
• Marketing and Communications Data: Your preferences in receiving marketing from us and your communication preferences
• CRM Contact Data: Information about business contacts managed within our customer relationship management features, including names, email addresses, LinkedIn profile URLs, job titles, company names, pipeline stage, and engagement history. This may include data provided directly by you, collected through form submissions, or obtained from third-party enrichment providers (see Section 12)

3. Legal Basis for Processing

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Contract: Processing is necessary for the performance of a contract with you or to take steps at your request before entering into such a contract
• Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, provided your interests and fundamental rights do not override those interests
• Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject
• Consent: You have given consent to the processing of your personal data for one or more specific purposes

4. How We Use Your Information

We use your personal data for the following purposes:

• To register you as a new customer
• To process and deliver your order
• To manage your relationship with us
• To enable you to participate in a prize draw, competition or complete a survey
• To administer and protect our business and this website
• To deliver relevant website content and advertisements to you
• To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
• To make suggestions and recommendations to you about goods or services that may be of interest to you
• To manage business relationships through our CRM features, including tracking pipeline stages, scheduling follow-up tasks, and maintaining contact interaction history
• To link contact identities across channels (such as email addresses and LinkedIn profile URLs) into a unified contact profile for relationship management purposes
• To calculate engagement scores based on interaction history (such as form submissions, email responses, and platform usage) to prioritise outreach and personalise communications
• To enrich contact profiles using third-party data providers to supplement business contact information such as job title, company name, and professional details (see Section 12)

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods are set out below.

When data reaches the end of its retention period, we securely delete or anonymise it. Where deletion is not immediately possible (for example, because data is held in backup archives), we isolate the data from further processing until deletion is feasible.

6. Your Rights Under GDPR

Under the UK GDPR and EU GDPR, you have the following rights:

• Right of Access: You have the right to request copies of your personal data
• Right to Rectification: You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete
• Right to Erasure: You have the right to request that we erase your personal data, under certain conditions
• Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data, under certain conditions
• Right to Object to Processing: You have the right to object to our processing of your personal data, under certain conditions
• Right to Data Portability: You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions
• Right to Withdraw Consent: Where we are relying on consent to process your personal data, you have the right to withdraw your consent at any time

To exercise any of these rights, please contact us at dpo@numonic.ai. We will respond to your request within one month as required by law.

7. International Transfers

Some of our sub-processors are based outside the UK and European Economic Area (EEA). Where personal data is transferred internationally, we ensure it is protected by one of the following safeguards:

• The UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) approved by the ICO and European Commission respectively
• An adequacy decision by the UK Secretary of State or the European Commission for the destination country
• The EU-US Data Privacy Framework (for US-based providers that are certified)

The following sub-processors process data outside the UK/EEA:

You may request a copy of the relevant transfer safeguards by contacting us at dpo@numonic.ai.

8. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures include:

• Encryption of data in transit and at rest
• Regular security assessments and audits
• Access controls and authentication measures
• Employee training on data protection
• Incident response procedures

9. Cookies

Our website uses cookies to ensure proper functionality and, with your consent, to measure the effectiveness of our advertising campaigns. We use Cookiebot as our consent management platform. When you first visit our website, a consent banner allows you to choose which categories of cookies to accept.

Strictly Necessary Cookies

These cookies are essential for the proper functioning of our Service and do not require your consent under GDPR and UK GDPR:

• Authentication cookies: Set by Supabase (our authentication provider) to maintain your login session and ensure secure access to your account. These include session tokens and security verification codes.
• Consent cookies: Set by Cookiebot to remember your cookie consent preferences across visits.

Advertising Cookies

With your explicit consent, we use advertising cookies from the following providers to measure the effectiveness of our marketing campaigns:

• Google Ads: We use Google Ads conversion tracking to understand how visitors find Numonic through our advertising campaigns. These cookies are only set when you grant advertising consent. For more information, see Google's Privacy Policy.
• Meta Pixel (Facebook and Instagram): We use the Meta Pixel to measure the effectiveness of our advertising campaigns on Facebook and Instagram and to build audiences for future campaigns. The Pixel records page views, the contact form submission event ("Lead"), and the sign-up completion event ("CompleteRegistration"). It is only loaded and only sets cookies when you grant advertising consent. For more information, see Meta's Privacy Policy.

No advertising cookies are set unless you explicitly grant consent. If you decline, no personal data is shared with these providers and the advertising scripts do not load.

Managing Your Cookie Preferences

You can change or withdraw your cookie consent at any time by clicking the "Cookie Settings" link in our website footer. Withdrawing consent takes effect immediately and prevents advertising cookies from being set on subsequent page loads.

You can also set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. Please note that if you disable or refuse the strictly necessary authentication cookies, you will not be able to log in or access the Service.

For more information about cookies and how to manage them, visit www.aboutcookies.org or www.allaboutcookies.org.

10. Web Analytics and Performance Monitoring

We use Vercel Web Analytics and Vercel Speed Insights to understand how visitors use our website and to monitor performance for improvement. These solutions are designed with privacy in mind and operate without the use of cookies.

Data Collected by Web Analytics

Vercel Web Analytics collects only anonymous, aggregated data that cannot be used to identify individual users:

• Page URLs visited and referrer URLs
• Geolocation (country, region, and city level—not precise location)
• Device type (mobile, desktop, or tablet)
• Operating system and browser type
• Time of visit

Data Collected by Speed Insights

Vercel Speed Insights collects Core Web Vitals performance metrics to help us optimize page loading and user experience:

• Largest Contentful Paint (LCP): Loading performance measurement
• First Input Delay (FID): Interactivity measurement
• Cumulative Layout Shift (CLS): Visual stability measurement
• First Contentful Paint (FCP): Initial render time
• Time to First Byte (TTFB): Server response time
• Interaction to Next Paint (INP): Responsiveness measurement

Privacy-First Approach

Both Web Analytics and Speed Insights include the following privacy-protective measures:

• No cookies: Visitor identification uses a hash of the incoming request, not persistent tracking cookies
• No personal identifiers: No data is collected that could identify or track individual users across websites
• 24-hour data expiry: Session data is automatically discarded after 24 hours
• No cross-site tracking: Analytics data cannot be used to track users across different applications or websites

Legal Basis

We process this analytics and performance data based on our legitimate interest in understanding website usage and performance to improve our Service (Article 6(1)(f) of GDPR). Given the privacy-protective nature of these solutions (no cookies, no personal identifiers, automatic data expiry), we have determined that this processing does not override your rights and freedoms.

11. Search Interaction Data

To improve the quality and relevance of search results, we collect anonymized search interaction data when you use our search and asset browsing features. This includes:

• Search queries: The text you enter in the search bar
• Result interactions: Which assets you click on from search results, and the position of clicked results
• Browsing patterns: Pages of results viewed during gallery browsing

Purpose

This data is used solely to improve search result ordering and relevance for your team. It is not used for advertising or shared with third parties.

Data Scope

Search interaction data is scoped to your organisation (tenant) and is never combined with data from other organisations.

Retention

Search interaction data is retained for 90 days, after which it is automatically deleted.

Legal Basis (GDPR)

We process this data under legitimate interest (Article 6(1)(f)) to improve core product functionality that you actively use. You can contact us at dpo@numonic.ai to object to this processing.

12. Third-Party Data Sources and Enrichment

To support our CRM and business relationship management features, we may obtain professional and business contact information from third-party data providers. This enrichment supplements data you have provided to us or that we have collected through your interactions with our Service.

What Data We Obtain

Third-party enrichment is limited to professional and business information:

• Job title and professional role
• Company name, industry, and size
• Business email address and phone number
• Professional social media profile URLs
• Company technology stack (for enterprise sales)

Enrichment Providers

We may use the following categories of data providers:

• Business contact databases (such as Apollo.io) for broad professional contact information
• People data platforms (such as People Data Labs) for in-depth professional profile data on high-priority business contacts

Legal Basis

We process enrichment data based on our legitimate interest in maintaining accurate business contact records and conducting effective B2B outreach (Article 6(1)(f) of GDPR). We limit enrichment to professional and business data, apply it only to contacts within active business relationships or pipeline prospects, and provide data subjects with the ability to request access, correction, or deletion of their data at any time (see Section 6).

13. AI Processing and Content Scanning

Numonic uses artificial intelligence to provide core platform features. This section describes how AI processes your data and the safeguards we apply.

AI-Assisted Features

The following AI features may process your uploaded content:

• Auto-tagging: Generates descriptive tags for your assets to improve searchability
• Auto-titling: Suggests titles for untitled assets based on visual or textual content
• Auto-description: Generates descriptive text for assets to support accessibility and search
• Metadata extraction: Reads embedded metadata (EXIF, IPTC, XMP, C2PA) from uploaded files to populate asset records
• Semantic search: Generates vector embeddings from your content to enable similarity-based search within your organisation
• AI Librarian: Accesses your content to generate notes, summaries, and recommendations, helping you organise and discover assets within your library

How We Use Your Content

Your uploaded content is processed to deliver the platform features described above, including the generation of embeddings for semantic search and AI-assisted features such as the AI Librarian, which may access your content to generate notes, summaries, and recommendations within your organisation. All such processing is scoped to your tenant and is never combined with data from other organisations. We will never share your content with third parties for any purpose without your explicit, informed consent. If we introduce optional data licensing or model training programmes in the future, participation will always be opt-in, transparently disclosed, and subject to a separate agreement.

Upload Security Validation

We perform automated security validation on all uploaded files to protect the integrity of the platform. This includes:

• File type verification (validating that file contents match the declared format)
• Blocking of executable and potentially dangerous file types
• Detection of embedded scripts, malicious patterns, and archive-based attacks
• Runs automatically on upload
• Does not analyse the subject matter, quality, or nature of your content
• Files that fail validation are rejected and the uploading user is notified

Opting Out of AI-Assisted Features

You may disable AI-assisted features (auto-tagging, auto-titling, auto-description, semantic search embeddings, and AI Librarian) at any time through your organisation's settings. Disabling these features will stop further AI processing of your content, though previously generated tags, titles, descriptions, and embeddings will remain unless you request their deletion. Upload security validation cannot be disabled.

Legal Basis

AI-assisted features are processed under legitimate interest (Article 6(1)(f)), as they form part of the core service functionality that improves asset discoverability and organisation. You may object to this processing by opting out through your organisation's settings (see above). Security Upload security validation is processed under legitimate interest (Article 6(1)(f)) for protecting the integrity of the platform.

14. Sub-Processors

We use the following third-party service providers (sub-processors) to help us deliver our Service. Each sub-processor processes personal data only as necessary for the purposes described below.

We maintain data processing agreements with all sub-processors and ensure they provide adequate data protection safeguards. We will notify existing customers before adding new sub-processors that process personal data on their behalf. This list is updated when we add or change sub-processors.

15. Third-Party Links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.

16. Age Restrictions

Our Service is restricted to users who are 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If you are under 18, you may not use this Service. If we learn that we have collected personal data from anyone under 18, we will take steps to delete that information.

If you are a parent or guardian and you are aware that someone under 18 has provided us with personal data, please contact us immediately at dpo@numonic.ai.

17. Data Breach Notification

In the event of a personal data breach:

• We will notify the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms, as required by UK GDPR Article 33
• Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay (UK GDPR Article 34)
• We maintain an internal breach register recording all incidents, their effects, and the remedial actions taken

18. Automated Processing and Engagement Scoring

Our CRM features use automated processing to calculate engagement scores for business contacts. These scores are based on interaction history (such as form submissions, email responses, website visits, and platform usage) and help us prioritise outreach and personalise communications.

How Scoring Works

• Each interaction type is assigned a weight reflecting its significance (for example, a demo request is weighted higher than a newsletter signup)
• Scores decay over time so that recent interactions are weighted more heavily than older ones
• Scores are recalculated periodically and used to rank contacts for outreach prioritisation

What Scoring Does Not Do

Engagement scoring does not:

• Produce legal effects or similarly significantly affect you
• Determine your access to services, pricing, or eligibility for any offering
• Make automated decisions without human review

Scoring is used solely as an internal tool to help us manage business relationships more effectively. All outreach decisions based on engagement scores involve human review. You may contact us at dpo@numonic.ai to request information about any scores associated with your contact record, or to object to this processing.

19. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes, we will provide a more prominent notice (including, for certain services, email notification of Privacy Policy changes).

20. Complaints

If you have any concerns about how we handle your personal data, you have the right to lodge a complaint with a supervisory authority:

22. Referral Programme Data Processing

When enabled for your account, the Numonic Referral Programme lets you share a personal referral link, track the status of referred accounts, and receive platform credits when those accounts activate. This section describes the specific data processing that supports the programme and supplements the general provisions of Sections 2-6 above.

Data Collected for Referrals

• Referral link records: Your unique referral code and the relationships between your account and the accounts of users who have successfully claimed your link. Stored as append-only audit records to preserve the integrity of reward decisions.
• Claim and activation status: Whether a referred account has signed up, activated (completed the first asset upload), and been rewarded. Each transition is recorded as a separate status row to support dispute resolution.
• Reward grants: The credits or other incentives granted to you as a result of successful referrals, with a link to the specific referred account.
• Abuse-detection signals: A 24-hour log of hashed IP address and hashed email-domain for each claim attempt, used to detect self-referral and duplicate-account patterns. The log does not retain the raw IP or the raw email; only salted, one-way hashes. Entries are auto-purged after 24 hours.
• Masked referee display: When you view your referral statistics, the accounts you have referred are displayed with the first character of their email address followed by a masked suffix (for examplea***@example.com). We do not display the full email address of a referred user to you at any point.
• CRM source attribution: Where a contact is tracked in our CRM features (Section 12), a signal noting that the contact was acquired via the Referral Programme may be attached to their contact record. This does not create a new category of personal data; it is a label on existing records.

Legal Basis

• Reward calculation and grant: Contract performance (Article 6(1)(b) of GDPR); the Terms of Service create the obligation to grant credits for activated referrals.
• Abuse detection: Legitimate interest (Article 6(1)(f) of GDPR) in preventing fraudulent self-referrals. The hashed, time-limited nature of the detection log is specifically designed so that the processing does not override your rights or freedoms.
• Masked referee display: Legitimate interest in providing you visibility into your own referral history while protecting the privacy of the referred user. Masking ensures you cannot derive the referee's full identifying details from the dashboard.

Retention

• Referral link, status, and reward records are retained indefinitely as part of the platform's append-only audit record (see Section 5).
• Abuse-detection signals (hashed IP + email domain) are automatically deleted 24 hours after capture.
• If you exercise your right to erasure (Section 6), we will delete your personal identifiers from the referrer record while preserving the append-only audit entries in pseudonymised form, as required to maintain the integrity of reward decisions affecting other users.

Your Choices

Participation in the Referral Programme is voluntary. If you do not wish to receive referral rewards, simply do not share your referral link. If you wish to object to the legitimate-interest processing described above, contact us at dpo@numonic.ai.

23. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

When contacting us, please provide as much information as possible to help us address your query efficiently. We aim to respond to all privacy-related inquiries within 30 days.