Privacy Policy

Authentlix Ltd (“Authentlix”, “Company”, “we”, “us”, or “our”) operates the NumenaOS platform, website, applications, and related services (collectively, the “Service”). This Privacy Policy (“Policy”) describes in detail the types of personal data and non-personal information that we collect from and about you when you access, visit, or use the Service, how we use, process, store, share, and protect that information, and the choices and rights available to you regarding such information.

This Policy applies to all users of the Service worldwide, including visitors who do not create an account, users who register for our waitlist, registered account holders, and any other individuals whose information we may process in connection with the Service. By accessing or using the Service in any manner, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree to the practices described herein, you should not access or use the Service.

We may update this Policy periodically as described in Section 18. We encourage you to review this Policy regularly to stay informed about our data practices.

For the purposes of applicable data protection legislation (including, without limitation, the UK General Data Protection Regulation, the EU General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), the Brazilian Lei Geral de Proteção de Dados (“LGPD”), the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), and all other applicable privacy and data protection laws), the data controller responsible for your personal data is:

Authentlix Ltd
Email: privacy@authentlix.com

If you have any questions, concerns, or requests regarding this Policy or our data practices, you may contact us using the details above at any time.

We collect and process various categories of information in connection with the Service. The types of information we collect depend on how you interact with the Service and the choices you make, including your privacy settings and the features you use.

3.1 Information You Provide Directly

When you interact with the Service, you may choose to provide certain information directly, including but not limited to:

• Account and registration data: Name, email address, password, date of birth, time of birth, place of birth, and other demographic information you provide during account creation or profile completion.
• Waitlist and enquiry data: Name, email address, and any additional information submitted through our waitlist, contact forms, or other intake mechanisms.
• User-generated content: Any content you create, upload, or input into the Service, including journal entries, notes, feedback, survey responses, AI conversation history, and interactions with the Service’s analytical and structural intelligence features.
• Communications: Information contained in correspondence you send to us, including support requests, feedback, and other communications through any channel.
• Payment information: If and when payment features are available, billing details and transaction information processed by our payment service providers.

3.2 Information Collected Automatically

When you access or use the Service, we may automatically collect certain information using cookies, web beacons, pixels, scripts, browser fingerprinting technologies, server logs, and other similar data collection and tracking technologies. Where required by applicable law, such collection occurs only after you have provided your consent through our cookie consent mechanism. Automatically collected information may include:

• Device and hardware information: Device type (mobile, tablet, desktop), operating system and version, browser type and version, screen resolution and dimensions, colour depth, pixel ratio, CPU core count, GPU renderer and vendor identifiers, available device memory, maximum touch points supported, and device platform identifier.
• Browser and technical identifiers: We may generate one or more non-reversible hash values derived from a combination of your browser’s technical characteristics, including but not limited to: HTML5 canvas rendering output, WebGL rendering properties and extensions, AudioContext processing characteristics, installed and available font inventory, and other browser-level attributes. These hashes are used as technical identifiers to recognise returning visitors, improve service quality, detect fraud and automated abuse, and support analytics. These identifiers do not contain your name, email, or other directly identifying information, but they may constitute personal data in certain jurisdictions when combined with other information.
• Network and location information: Internet Protocol (IP) address, approximate geographic location inferred from your IP address (which may include city, region, country, latitude, longitude, and timezone), internet service provider, connection type and speed (effective type, downlink bandwidth, round-trip time), and indicators of network characteristics such as VPN, proxy, or anonymisation service usage.
• Usage and behavioural data: Pages and screens viewed, the order in which they were viewed, time and date of access, time spent on each page or screen, scroll depth and scroll behaviour, click and tap patterns, navigation paths within the Service, content interaction patterns, search queries, referral source (the URL or application that directed you to the Service), exit pages, and campaign tracking parameters (such as UTM source, medium, campaign, term, and content identifiers).
• Engagement and interaction signals: We may collect information about how you engage with the Service in order to understand user experience, identify areas for improvement, and optimise the Service. This may include scroll depth milestone events, tab and window visibility changes, periods of user inactivity or idle state, browser window resize and orientation change events, text selection and copy events, rapid repeated interaction patterns (which may indicate user frustration or interface issues), and viewport dimensions.
• Language and locale information: Browser language preferences, timezone setting, and locale configuration.

3.3 Information from Third-Party Sources

We may receive information about you from third-party sources, including our hosting and infrastructure providers (such as server-side geolocation data derived from network headers), authentication providers, analytics partners, and publicly available sources. We may combine this information with other data we collect about you.

3.4 Cookies, Local Storage, and Similar Technologies

We use cookies (small text files placed on your device), browser localStorage, sessionStorage, and other similar client-side storage mechanisms to facilitate the operation of the Service, maintain your session state, store your consent preferences, and support analytics and performance measurement. For a comprehensive description of the specific technologies we use, their purposes, durations, and categories, please refer to our Cookie Policy.

We process your personal data on the basis of one or more of the following legal grounds, as applicable under the GDPR and equivalent provisions of other applicable data protection laws:

• Consent (GDPR Art. 6(1)(a)): Where you have given clear, affirmative consent for us to process your personal data for specific purposes, including the deployment of analytics tracking technologies, browser fingerprinting, engagement monitoring, and marketing-related data processing. You may withdraw your consent at any time as described in Section 12.
• Performance of a contract (GDPR Art. 6(1)(b)): Where processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. This includes processing required to create and maintain your account, deliver the features and functionality of the Service, and provide customer support.
• Legitimate interests (GDPR Art. 6(1)(f)): Where processing is necessary for the purposes of our legitimate interests or those of a third party, provided that such interests are not overridden by your interests or fundamental rights and freedoms. Our legitimate interests include: protecting the Service and its users from fraud, automated abuse, and security threats; understanding aggregate usage patterns to improve and develop the Service; maintaining and improving the reliability, performance, and security of our systems; conducting internal research and development; and exercising or defending legal claims.
• Legal obligation (GDPR Art. 6(1)(c)): Where processing is necessary for compliance with a legal obligation to which we are subject, including tax, accounting, and regulatory requirements.

We use the information we collect for a range of purposes, including but not limited to the following:

5.1 Service Delivery and Operations

• To provide, operate, maintain, and make available the features and functionality of the Service.
• To create, manage, and authenticate your account.
• To process your requests, transactions, and communications.
• To deliver personalised content, insights, and structural analysis results based on the information you provide.

5.2 Analytics, Research, and Service Improvement

• To measure, analyse, and understand how users access and use the Service, including which features are most popular, how users navigate the Service, and where users encounter difficulties.
• To conduct internal research, analysis, and development activities aimed at improving, enhancing, and expanding the Service and developing new products, services, features, and technologies.
• To train, develop, and improve our algorithms, artificial intelligence models, machine learning systems, and analytical capabilities using aggregated, de-identified, or anonymised data derived from user interactions with the Service.
• To generate aggregated, statistical, and de-identified insights and reports regarding usage trends, demographic patterns, and behavioural analytics that do not identify any individual user.

5.3 Personalisation and User Experience

• To personalise and customise the Service to your preferences, interests, and usage patterns.
• To develop and display content and features tailored to your interests, including personalised recommendations, insights, and experiences.
• To build and maintain user interest profiles based on your interactions with the Service, which may be used to deliver more relevant content, features, and communications.

5.4 Communications and Marketing

• To send you service-related notices, updates, security alerts, and administrative messages.
• To send you marketing and promotional communications about products, services, offers, and events offered by us or our partners, where you have consented to receive such communications or where otherwise permitted by applicable law.
• To measure the effectiveness of our marketing campaigns and communications.

5.5 Security and Fraud Prevention

• To detect, investigate, and prevent fraudulent activity, unauthorised access, automated abuse, and other illegal or harmful activities.
• To identify and block bots, scrapers, and other automated agents.
• To enforce our Terms of Service and other applicable policies.
• To protect the rights, property, and safety of Authentlix, our users, and the public.

5.6 Legal and Compliance

• To comply with applicable laws, regulations, legal processes, and governmental requests.
• To establish, exercise, or defend legal claims.
• To respond to lawful requests from public authorities, including law enforcement and national security agencies.

We may share your information in the following circumstances and with the following categories of recipients:

6.1 Service Providers and Processors

We engage third-party companies and individuals to perform services on our behalf, including hosting and infrastructure (Vercel Inc.), database and authentication services (Supabase Inc.), email delivery, analytics, payment processing, and customer support. These service providers have access to your information only to the extent necessary to perform their functions and are contractually obligated to maintain the confidentiality and security of your data and to process it only in accordance with our instructions.

6.2 Business Partners and Affiliates

We may share information with our current and future parent companies, subsidiaries, affiliates, and other companies under common control or ownership (“Affiliates”) for the purposes described in this Policy. Additionally, with your consent where required, we may share certain information with trusted business partners to offer you relevant products, services, or promotions that we believe may be of interest to you.

6.3 Aggregated and De-identified Data

We may share aggregated, statistical, or de-identified information that does not reasonably identify any individual with any third party for any lawful purpose, including industry analysis, demographic profiling, research, marketing, advertising, and other commercial purposes. Such aggregated data is not subject to the restrictions of this Policy.

6.4 Business Transfers

In the event that Authentlix is involved in a merger, acquisition, reorganisation, divestiture, dissolution, bankruptcy, sale of all or a portion of its assets, or other change of control or corporate transaction, your information may be transferred, sold, or otherwise shared as part of that transaction. In such event, we will use reasonable efforts to direct the transferee to use your information in a manner consistent with this Policy, and we will notify you (for example, via a message to the email address associated with your account or a notice on the Service) of any change in applicable policy.

6.5 Legal Obligations and Protection of Rights

We may disclose your information if we believe in good faith that such disclosure is necessary to: (a) comply with applicable laws, regulations, legal processes, or enforceable governmental requests; (b) enforce our Terms of Service or other applicable agreements; (c) detect, prevent, or otherwise address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Authentlix, our users, or the public as required or permitted by law.

6.6 With Your Consent

We may share your information with other third parties when you have given us your explicit consent or directed us to do so.

Your information may be transferred to, stored in, and processed in countries other than the country in which it was collected, including the United States and other jurisdictions where our service providers and Affiliates operate. These countries may have data protection laws that are different from, and potentially less protective than, the laws of your country of residence.

Where we transfer personal data outside the United Kingdom, the European Economic Area, or other jurisdictions that restrict cross-border data transfers, we implement appropriate safeguards to ensure that your data receives an adequate level of protection, including: execution of Standard Contractual Clauses (SCCs) as approved by the European Commission and/or the UK Information Commissioner’s Office; reliance on adequacy decisions where available; and implementation of supplementary technical and organisational measures as necessary.

We retain your information for as long as reasonably necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, to enforce our agreements, and to protect our legitimate interests. Specific retention periods vary depending on the category of data:

• Analytics and behavioural data: Retained for up to 26 months from the date of collection, after which it is automatically deleted or irreversibly anonymised. Aggregated and de-identified derivatives of such data may be retained indefinitely.
• Account and profile data: Retained for the duration of your account and for up to 90 days following account deletion to facilitate account recovery and comply with legal obligations.
• Waitlist and enquiry data: Retained until you request removal, until the waitlist is closed, or for up to 24 months from the date of submission, whichever occurs first.
• Security and threat data: Retained for up to 180 days for security monitoring and forensic analysis purposes.
• User-generated content: Retained for the duration of your account. Following account deletion, content may be retained in anonymised or aggregated form for research and service improvement purposes.
• Legal and compliance records: Retained for the period required by applicable law or regulation.

The Service uses automated processing, including algorithmic analysis and artificial intelligence, to generate structural insights, personalised content, and user experience optimisations. These processes analyse the information you provide (such as birth data and user inputs) alongside behavioural and technical data to deliver the core features of the Service.

We may also use automated processing to create user profiles for the purposes of analytics, personalisation, content relevance, and service improvement. These profiles may incorporate data from multiple sources and interactions over time. Such profiling does not produce legal effects concerning you or similarly significantly affect you, and is carried out on the basis of your consent or our legitimate interests in improving the Service.

Where automated processing, including profiling, produces legal effects concerning you or similarly significantly affects you, you have the right to obtain human intervention, express your point of view, and contest the decision, as described in Section 12.

The Service incorporates artificial intelligence and machine learning technologies to deliver its core features, including structural analysis, personalised insights, and interactive experiences. In connection with the operation and improvement of these features:

• Your interactions with AI-powered features (including inputs, outputs, and conversation history) may be processed to provide, maintain, and improve those features.
• We may use aggregated, de-identified, or anonymised data derived from user interactions to train, develop, validate, and improve our AI models, algorithms, and analytical capabilities.
• Insights generated by the Service are based on the data and inputs you provide and the analytical models we develop. Such insights are provided for informational and reflective purposes and do not constitute professional advice.

Your personal AI-generated insights, structural analysis results, and other personalised outputs are accessible only through your authenticated account and are not directly visible to other users or to our administrative teams in their individualised form, except as necessary for technical support, security, or legal compliance.

Depending on your jurisdiction, you may have certain rights with respect to your personal data. We are committed to facilitating the exercise of these rights in accordance with applicable law.

11.1 Rights Under GDPR (EU/UK)

• Right of access (Art. 15): You have the right to obtain confirmation as to whether we process your personal data and, if so, to request access to such data and a copy thereof.
• Right to rectification (Art. 16): You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.
• Right to erasure (Art. 17): You have the right to request the deletion of your personal data in certain circumstances, including where it is no longer necessary for the purpose for which it was collected.
• Right to restriction of processing (Art. 18): You have the right to request the restriction of processing in certain circumstances, such as where you contest the accuracy of the data.
• Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
• Right to object (Art. 21): You have the right to object to the processing of your personal data where such processing is based on legitimate interests, including profiling.
• Right not to be subject to automated decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
• Right to withdraw consent (Art. 7): Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.

11.2 Rights Under CCPA/CPRA (California, USA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• Right to know: You have the right to know what categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collecting it, and the categories of third parties with whom it is shared.
• Right to delete: You have the right to request that we delete your personal information, subject to certain exceptions.
• Right to correct: You have the right to request that we correct inaccurate personal information.
• Right to opt out of sale or sharing: You have the right to opt out of the “sale” or “sharing” of your personal information as those terms are defined under the CCPA. As of the date of this Policy, we do not sell personal information in exchange for monetary consideration. However, certain data sharing activities described in this Policy (such as sharing with business partners or for targeted advertising purposes) may constitute a “sale” or “sharing” under the CCPA’s broad definitions. You may opt out by adjusting your cookie preferences or contacting us.
• Right to limit use of sensitive personal information: You have the right to limit the use and disclosure of sensitive personal information to purposes necessary to provide the Service.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

11.3 Rights Under Other Jurisdictions

If you are located in Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act 1988), South Africa (POPIA), India (DPDPA 2023), or any other jurisdiction that grants specific data protection rights, you may exercise those rights by contacting us as described in Section 16. We will respond to your request in accordance with the applicable law of your jurisdiction.

To exercise any of the rights described in Section 11, you may:

• Contact us at privacy@authentlix.com with a description of your request.
• Update your cookie and tracking preferences at any time by clicking “Cookie Settings” in the footer of any page on the Service, which will allow you to modify or withdraw your consent for non-essential tracking technologies.
• Delete your account through the Service’s account settings (where available) or by contacting us.

We will respond to verifiable requests within 30 days (or such shorter period as required by applicable law). In certain circumstances, we may need to verify your identity before processing your request. If we are unable to fulfil your request, we will explain the reasons and inform you of any applicable exceptions or limitations.

We implement and maintain appropriate technical and organisational measures designed to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include, but are not limited to:

• Encryption of data in transit using Transport Layer Security (TLS/HTTPS).
• Encryption of data at rest in our database systems.
• Row-level security (RLS) policies that restrict data access based on user role and identity.
• Role-based access controls for administrative and operational functions.
• Automated bot detection, rate limiting, and threat monitoring systems.
• Regular security assessments and code reviews.
• Access controls limiting personnel access to personal data on a need-to-know basis.

Notwithstanding the foregoing, no method of electronic transmission or storage is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

The Service is not directed to, and we do not knowingly collect personal data from, children under the age of 16 (or such higher age as may be required by applicable law in your jurisdiction). If we become aware that we have inadvertently collected personal data from a child under the applicable minimum age, we will take reasonable steps to delete such data as promptly as practicable. If you believe that a child has provided personal data to us, please contact us immediately using the details in Section 16.

The Service may contain links to, or integrations with, third-party websites, applications, or services that are not operated or controlled by us. This Policy does not apply to such third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Service.

If you have questions, concerns, or requests regarding this Policy, our data practices, or the exercise of your rights, please contact us at:

Authentlix Ltd
Email: privacy@authentlix.com

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with a data protection supervisory authority, you have the right to lodge a complaint with your local supervisory authority if you believe that our processing of your personal data infringes applicable data protection law. In the United Kingdom, the relevant authority is the Information Commissioner’s Office (ICO) at ico.org.uk.

We reserve the right to modify, amend, or update this Policy at any time at our sole discretion. When we make material changes to this Policy, we will update the “Last updated” date at the top of this page and, where required by applicable law or where the changes materially affect the nature of our data processing, we will take appropriate steps to notify you, which may include posting a prominent notice on the Service, sending you a notification, or re-requesting your consent through our cookie consent mechanism.

Your continued use of the Service after the effective date of any updated Policy constitutes your acceptance of the revised Policy. If you do not agree to the changes, you should stop using the Service and, if applicable, delete your account.