1. Introduction
This Privacy Policy explains how Elevyn Technology Group Limited ("we", "us", "our", "Elevyn", or "the Company") collects, uses, stores, and protects your personal data when you use Bounda ("the Service", "the Platform"), our HR compliance and handbook management platform.
We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed.
By using Bounda, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
2. Who We Are
Bounda is operated by Elevyn Technology Group Limited, a company registered in England and Wales.
- Company Name: Elevyn Technology Group Limited
- Company Number: 16954601
- Registered Address: 167-169 Great Portland Street, London, W1W 5PF, United Kingdom
- Contact Email: support@bounda.co.uk
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Elevyn Technology Group Limited is the "data controller" responsible for your personal data.
3. Data We Collect
We collect and process different types of personal data depending on how you interact with our Service:
3.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Company/organisation name
- Job title (optional)
- Password (stored in encrypted form)
- Account preferences and settings
3.2 Handbook and Policy Content
When you use the Service, we process:
- Employee handbook content you create or upload
- Individual policy sections and their text
- HR documents you generate or analyse
- Compliance analysis results and recommendations
- Version history and change records
- Tone profile settings
Important: Your handbook content may contain personal data about your employees (such as references to roles, procedures, or example scenarios). You are responsible for ensuring you have the appropriate legal basis to process any employee personal data included in your handbook content.
3.3 Chatbot Interactions
If you use the Handbook Chatbot feature, we process:
- Questions submitted to the chatbot
- Conversation history within sessions
- Source citations and responses generated
3.4 Payment Information
When you subscribe to a paid plan, we collect:
- Billing name and address
- Payment card details (processed securely by Stripe; we do not store full card numbers)
- Transaction history and invoices
- VAT number (if applicable)
3.5 Technical and Usage Data
We automatically collect:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and features used
- Time spent on the Service
- Referring website or source
- Error logs and performance data
3.6 Communications
When you contact us, we collect:
- Email correspondence
- Support tickets and their content
- Feedback and survey responses
3.7 Email Newsletter
If you subscribe to The Bounda Brief newsletter, we collect your email address solely for the purpose of sending you the monthly newsletter. We use Beehiiv (operated by Beehiiv Inc.) as our email service provider. Beehiiv processes your email address on our behalf and stores it in line with their privacy policy. You can unsubscribe at any time using the link at the bottom of every newsletter email, or by emailing hello@bounda.co.uk. When you unsubscribe, your email is removed from active subscriptions but may remain in Beehiiv's archive logs for a short retention period.
The legal basis for processing is your consent (UK GDPR Article 6(1)(a)). You can withdraw consent at any time.
4. How We Use Your Data
We use your personal data for the following purposes:
4.1 Providing the Service
- Creating and managing your account
- Processing and storing your handbook content
- Performing AI-powered compliance analysis
- Generating AI redrafts and recommendations
- Providing chatbot responses based on your handbook
- Generating HR documents
- Exporting your handbook in various formats
4.2 Payment Processing
- Processing subscription payments
- Managing billing and invoicing
- Handling refunds and disputes
4.3 Communication
- Sending service-related notifications (e.g., password resets, security alerts)
- Responding to support requests
- Sending product updates and feature announcements
- Sending marketing communications (with your consent)
4.4 Improvement and Analytics
- Analysing usage patterns to improve the Service
- Identifying and fixing bugs and errors
- Developing new features
- Understanding how users interact with the platform
4.5 Legal and Security
- Complying with legal obligations
- Enforcing our Terms of Service
- Protecting against fraud and abuse
- Maintaining security and integrity of the Service
5. Legal Basis for Processing
Under UK GDPR, we must have a valid legal basis for processing your personal data. We rely on the following bases:
5.1 Contract Performance
Processing necessary to perform our contract with you, including:
- Providing access to the Service
- Processing your handbook content
- Managing your account
- Processing payments
5.2 Legitimate Interests
Processing necessary for our legitimate interests (or those of a third party), where your interests and fundamental rights do not override those interests, including:
- Improving and developing the Service
- Analytics and usage analysis
- Fraud prevention and security
- Business administration
5.3 Consent
Where you have given clear consent for us to process your personal data for a specific purpose, such as:
- Marketing communications
- Non-essential cookies
You can withdraw consent at any time by contacting us at support@bounda.co.uk or using the unsubscribe link in marketing emails.
5.4 Legal Obligation
Processing necessary to comply with our legal obligations, such as:
- Tax and accounting requirements
- Responding to lawful requests from authorities
6. Data Sharing
We do not sell your personal data. We share your data only in the following circumstances:
6.1 Service Providers
We use trusted third-party service providers to help us operate the Service:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Microsoft Azure | Cloud hosting and infrastructure | All Service data | UK / EU |
| Azure OpenAI Service | AI processing for compliance analysis | Handbook content (for analysis) | EU (Sweden) |
| Stripe | Payment processing | Payment and billing data | UK / EU |
| Beehiiv | Newsletter delivery (The Bounda Brief) | Email address | US (with appropriate safeguards) |
| Clerk | Authentication services | Account credentials | US (with EU SCCs) |
| Google Analytics | Website analytics | Usage data (anonymised) | US (with EU SCCs) |
| Resend / Email Provider | Transactional emails | Email address, name | US (with EU SCCs) |
All service providers are bound by data processing agreements and are required to protect your data in accordance with UK GDPR.
6.2 Legal Requirements
We may disclose your data if required to do so by law or in response to:
- Valid legal process (court orders, subpoenas)
- Requests from law enforcement or regulatory authorities
- To protect our rights, privacy, safety, or property
- To enforce our Terms of Service
6.3 Business Transfers
If Elevyn Technology Group Limited is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.
6.4 With Your Consent
We may share your data with third parties when you have given us explicit consent to do so.
7. International Data Transfers
Your data is primarily stored and processed in the United Kingdom and European Union. However, some of our service providers operate in the United States or other countries outside the UK/EU.
7.1 Data Residency
Your handbook content and primary account data are stored on Microsoft Azure servers located in the United Kingdom (UK South) or European Union. We do not store your core handbook data outside the UK/EU.
7.2 AI Processing
When we process your handbook content using AI (for compliance analysis, redrafting, or chatbot responses), this processing occurs on Azure OpenAI Service servers located in the European Union (Sweden). Your data is not used by Microsoft or OpenAI to train AI models.
7.3 Transfers to Third Countries
Where we transfer data to service providers outside the UK/EU (such as authentication or analytics services), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): EU-approved contractual terms that provide adequate protection
- UK International Data Transfer Agreement (IDTA): UK-specific addendum to SCCs
- Adequacy Decisions: Where the UK/EU has determined a country provides adequate data protection
You can request a copy of the safeguards we use by contacting us at support@bounda.co.uk.
8. Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this policy, unless a longer retention period is required by law.
8.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account plus 2 years after closure |
| Handbook content | Duration of account plus 30 days after deletion request |
| Chatbot conversation history | 90 days (configurable) |
| Payment and billing records | 7 years (legal requirement) |
| Support communications | 3 years after resolution |
| Analytics data | 26 months (anonymised) |
| Server logs | 90 days |
8.2 Account Deletion
When you delete your account or request data deletion:
- Your handbook content is permanently deleted within 30 days
- Your account information is anonymised or deleted
- Backups are purged within 90 days
- Some data may be retained where required by law (e.g., billing records)
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.
9.1 Technical Measures
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
- Encryption at Rest: All stored data is encrypted using AES-256
- Access Controls: Role-based access controls limit who can access your data
- Authentication: Secure password hashing and optional multi-factor authentication
- Infrastructure Security: Hosted on Microsoft Azure with SOC 2 Type II certification
9.2 Organisational Measures
- Staff training on data protection and security
- Limited access to personal data on a need-to-know basis
- Regular security reviews and assessments
- Incident response procedures
- Confidentiality obligations for all staff
9.3 Certifications
We are working towards ISO 27001 certification. Our infrastructure providers (Microsoft Azure, Stripe) maintain SOC 2, ISO 27001, and PCI-DSS certifications as applicable.
9.4 Data Breaches
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours
- Notify affected individuals without undue delay where required
- Document the breach and our response
10. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
10.1 Right of Access
You have the right to request a copy of the personal data we hold about you (a "Subject Access Request"). We will respond within one month.
10.2 Right to Rectification
You have the right to request correction of inaccurate personal data. You can update most account information directly in the Service.
10.3 Right to Erasure
You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purpose it was collected.
10.4 Right to Restriction
You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest its accuracy.
10.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format. You can export your handbook content in Word or PDF format at any time.
10.6 Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes.
10.7 Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. See Section 12 for details on our AI processing.
10.8 Exercising Your Rights
To exercise any of these rights, please contact us at:
- Email: support@bounda.co.uk
- Subject Line: "Data Protection Request"
We may need to verify your identity before processing your request. We will respond within one month, or inform you if we need an extension.
10.9 Complaints
If you are not satisfied with our response to your request, or believe we are processing your data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
12. AI and Automated Processing
Bounda uses artificial intelligence to provide compliance analysis, redrafting suggestions, and chatbot responses. We believe in transparency about how AI processes your data.
12.1 How We Use AI
AI is used to:
- Analyse your policy text for compliance issues
- Generate redrafted versions of policies
- Answer questions about your handbook via the chatbot
- Generate HR documents based on your handbook content
- Detect gaps in your policy coverage
12.2 AI Provider
We use Microsoft Azure OpenAI Service for AI processing. This service is hosted in the European Union (Sweden) and is subject to Microsoft's enterprise data protection commitments:
- Your data is not used to train OpenAI models
- Your data is not shared with OpenAI
- Your data is not accessible to other Azure customers
- Processing is subject to Microsoft's GDPR compliance
12.3 Human Oversight
AI-generated content in Bounda is always presented as a suggestion for your review. You maintain full control over:
- Whether to accept, reject, or modify AI suggestions
- What content is saved to your handbook
- What documents are generated and exported
We do not make automated decisions that produce legal or similarly significant effects on you without human involvement.
12.4 AI Limitations
While we strive for accuracy, AI-generated content should be reviewed before use. Bounda provides compliance guidance but does not constitute legal advice. For complex or high-stakes situations, we recommend consulting a qualified employment law professional.
13. Children's Privacy
Bounda is a business service not intended for use by children under 18 years of age. We do not knowingly collect personal data from children.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@bounda.co.uk and we will delete such information.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make changes:
- We will update the "Last updated" date at the top of this policy
- For significant changes, we will notify you by email or prominent notice in the Service
- We will give you reasonable time to review changes before they take effect
We encourage you to review this policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Elevyn Technology Group Limited
- Email: support@bounda.co.uk
- Address: 167-169 Great Portland Street, London, W1W 5PF, United Kingdom
- Company Number: 16954601
For data protection specific enquiries, please include "Data Protection" in your email subject line to ensure prompt handling.
We aim to respond to all enquiries within 5 business days.