Privacy Policy

Effective Date: 2025-Sep-24
Last Updated: 2025-Sep-25
Next Review: 2026-Sep-23

1. Introduction

Treoir AI Ltd (“we,” “us,” “our,” or “Treoir AI”) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, process, and protect your information when you use our AI-powered career coaching service. This policy should be read alongside our Cookie Policy and Terms and Conditions.

Data Controller Information:

• Company: Treoir AI Ltd
• Address: 128 City Road, London, EC1V 2NX, United Kingdom
• Data Protection Officer: dpo@treoir.ai

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Service Availability: Our service is currently available only to users located in the United Kingdom. We use technical measures to restrict access from other jurisdictions.

2. What information we collect, use, and why

2.1 To Provide Our Services

We collect the following information:

• Identity Data: Your name (from LinkedIn authentication)
• Contact Data: Your email address (from LinkedIn authentication)
• Usage Data: Website activity, user journeys, and interaction patterns
• Technical Data: IP addresses, browser type, device information
• Transaction Data: Payment details and subscription information
• Content Data: Your chat messages and AI coaching interactions

2.2 For Marketing (With Your Consent)

• Your name and email address
• Marketing preferences and communication history
• Website engagement metrics

2.3 For Customer Support

• Your name and email address
• Details of your query, complaint, or claim
• Correspondence history

2.4 Children’s Data

Our service is not intended for anyone under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us immediately using the details at the top of this privacy policy.

3. Lawful bases and data protection rights

3.1 Your data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

• Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.
• Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
• Your right to erasure - You have the right to ask us to delete your personal information. Read more about the right to erasure.
• Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
• Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.
• Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.
• Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

3.2 Our lawful bases for the collection and use of your data

We use contract performance as our lawful basis for collecting or using personal information to provide our services. This processing is necessary to deliver the AI career coaching service you’ve signed up for. All of your data protection rights may apply.

We use consent as our lawful basis for collecting or using personal information for service updates or marketing purposes. We have permission from you after we gave you all relevant information. All of your data protection rights may apply, except the right to object. To be clear, you have the right to withdraw your consent at any time.

When dealing with queries, complaints, or claims, we use legitimate interests as our lawful basis. We are collecting or using your information because it benefits you, our organisation, or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. We collect this personal information to ensure that we correctly identify any account you have with us and to protect the security of your data in that account.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

4. Where we get personal information from

Directly from you:

• Information you provide during registration
• Communications you send us
• Messages within our AI coaching service

From third parties:

• When you sign in with LinkedIn, your name and email are shared with our authentication provider Clerk

Automatically collected:

• Technical data about your device and browsing behavior
• Usage data about how you interact with our service

5. How long we keep information

We retain your data only as long as necessary for the purposes collected:

• Account data: Duration of your account plus 6 months
• Marketing data: 6 months from when you withdraw consent, or immediately upon requesting deletion
• Support queries: 2 years from resolution
• Financial records: 7 years (legal requirement)
• Coaching conversation history: Duration of your account unless you request earlier deletion

6. Who we share information with

6.1 Data Processors

We share your data with carefully selected processors who help us deliver our services:

Authentication & Identity

• Clerk (United States): Manages user authentication including LinkedIn social sign-in. Processes your name and email address.

Communications

• Plunk (EU): Sends service and marketing emails with your consent. Processes your email address and name.
• ProtonMail (Switzerland): Provides secure email services for our company communications. Processes email correspondence when you contact us directly.

Analytics & Insights

• PostHog (EU): Provides product analytics and user behavior insights. Processes technical data, usage patterns, and interaction data.

Payments

• Stripe (Ireland/EU): Processes payments and manages subscriptions. We share your email address; they separately collect payment details.

AI Services

• Cortecs (Austria/EU): Routes your messages to GDPR-compliant AI language models.

Infrastructure

• Fly.io (Ireland/EU): Hosts our application and services.
• Turso (Ireland/EU): Stores your data in encrypted databases.

6.2. Sharing information outside the UK

Some of our providers operate outside the UK. We ensure your data is protected through:

For EU-based providers (Plunk, Stripe, PostHog, Cortecs, Turso, Fly.io):

• Transfers are covered by the UK’s adequacy decision for the EEA
• No additional safeguards required as the EU provides equivalent data protection

For Switzerland-based providers (ProtonMail):

• Transfers are covered by the UK’s adequacy decision for Switzerland
• Switzerland provides data protection standards recognised as adequate by the UK

For US-based providers (Clerk):

• We verify participation in the UK Extension to the EU-US Data Privacy Framework, OR
• We implement International Data Transfer Agreements (IDTAs) with appropriate safeguards
• We conduct transfer risk assessments to ensure your data remains protected

We never transfer your data outside these arrangements without appropriate safeguards.

7. Security

We protect your data using industry-standard security measures including encryption in transit and at rest, access controls, and regular security assessments.

8. Automated Decision-Making

Our AI coaching provides personalised career guidance and suggestions based on your inputs. These are recommendations for your consideration and do not constitute automated decision-making with legal or similarly significant effects.

9. Changes to This Policy

We may update this policy periodically. We will notify you of material changes via email or through our service. The “Last Updated” date at the top shows the latest revision.

10. How to Complain

If you’re concerned about how we handle your data please contact us in the first instance. You can use the details at the top of this page. We aim to resolve issues as quickly as possible.

If you remain unsatisfied, you can complain to the Information Commissioner’s Office:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

This Privacy Policy is effective as of the date listed above. For information about cookies and tracking technologies we use, please see our Cookie Policy. By using our service, you acknowledge that you have read and understood this Privacy Policy and our Cookie Policy.