GDPR Policy

1. Data Controller

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller responsible for your personal data is:

• Company Name: VoltaServices Ltd
• Company Number: 16178827 (registered in England and Wales)
• Registered Address: 16 Greenway, Newcastle upon Tyne, NE4 9TT
• ICO Registration Reference: ZB874097
• ICO Registration Date: 8 March 2025
• ICO Registration Expiry: 7 March 2027
• ICO Payment Tier: Tier 1

As the data controller, VoltaServices Ltd determines the purposes and means of processing personal data collected through the VoltaAI platform and associated services.

2. Data Protection Officer

VoltaServices Ltd has appointed a Data Protection Officer (DPO) in accordance with Article 37 of the UK GDPR. The DPO is responsible for overseeing our data protection strategy, ensuring compliance with data protection legislation, and acting as the primary point of contact for data subjects and the Information Commissioner's Office (ICO).

• DPO Name: Mr Emre Dalar
• Email: emre.dalar@voltaservices.uk
• Postal Address: Data Protection Officer, VoltaServices Ltd, 16 Greenway, Newcastle upon Tyne, NE4 9TT

You may contact the DPO at any time regarding any matter related to the processing of your personal data or the exercise of your rights under data protection law.

3. Lawful Basis for Processing

Under Article 6 of the UK GDPR, we process personal data only where we have a valid lawful basis. The lawful bases we rely upon for each processing activity are as follows:

• Contract Performance (Article 6(1)(b)): Processing necessary for the performance of our contract with you when you create an account and use VoltaAI services. This includes account registration, authentication, API key management, processing API requests, managing subscriptions, processing payments and wallet transactions, and providing chat functionality.
• Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, provided these are not overridden by your rights and freedoms. This includes security monitoring and fraud prevention, rate limiting and abuse detection, service improvement and performance analytics (using anonymised and aggregated data), debugging and error resolution, and maintaining platform stability.
• Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations to which we are subject. This includes financial record-keeping under UK tax and accounting regulations (minimum 6-year retention of transaction records), responding to lawful requests from law enforcement or regulatory authorities, and compliance with the Privacy and Electronic Communications Regulations 2003.
• Consent (Article 6(1)(a)): Processing based on your freely given, specific, informed, and unambiguous consent. This includes connecting your Microsoft email account via OAuth 2.0 for the AI Email Management feature, receiving non-essential communications such as product updates or marketing emails, and the use of optional cookies or local storage for user interface preferences. Where we rely on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

4. Categories of Personal Data

We process the following categories of personal data in connection with the VoltaAI platform:

• Identity Data: First name, surname, and email address provided during account registration.
• Authentication Data: Password hashes (PBKDF2-SHA256 or bcrypt), multi-factor authentication method preferences, TOTP secrets (encrypted), and phone numbers (for SMS MFA).
• API Credential Data: API key prefixes and hashed keys (vk_ prefix), key labels, rate limit configurations, and allowed model lists. Full API keys are never stored.
• Usage and Technical Data: API request logs (endpoint, model, token counts, timestamps, status codes), chat usage statistics (message and image counts per model per day), rate limiting counters, and IP addresses.
• Conversation Data: Messages sent and received through the VoltaAI chat interface, conversation titles and metadata, generated images and their prompts, message embeddings for semantic search, and conversation summaries.
• Financial Data: Subscription tier and status, wallet balances and transaction history, payment provider identifiers (Stripe customer IDs, GoCardless mandate IDs), and transaction amounts. We do not store full card numbers or bank account details.
• Email Data (where applicable): Microsoft OAuth tokens (encrypted), email classification results (pathway assignments and confidence scores), and message identifiers. Full email content is fetched in real time from Microsoft servers and is not permanently stored by us.
• Support Data: Support ticket content and replies, and live chat messages.
• Knowledge Base Data: Uploaded PDF documents and extracted text chunks with vector embeddings.
• Device and Browser Data: IP addresses, browser type and version, operating system, and referring URLs collected automatically during service use.

5. Purposes of Processing

We process personal data for the following specific purposes:

• Account Management: Creating and maintaining user accounts, authenticating users, verifying email addresses, processing password resets, and managing multi-factor authentication.
• Service Delivery: Routing API requests to AI model providers, managing chat conversations, generating text and image content, providing conversation history and search, and enabling knowledge base functionality.
• Billing and Payments: Processing subscription payments through Stripe and GoCardless, managing wallet balances and top-ups, calculating and deducting API usage costs, issuing refunds, and maintaining financial records.
• Rate Limiting and Fair Use: Enforcing per-minute and per-day API rate limits, applying tier-based daily usage limits, and detecting and preventing abuse.
• Email Management: Classifying connected email accounts using AI models, organising emails into pathways, and providing email management tools (for Premium tier and above).
• Security: Monitoring for unauthorised access, detecting fraudulent activity, maintaining audit logs, and protecting the integrity of the platform.
• Service Improvement: Analysing anonymised and aggregated usage patterns, diagnosing technical issues, and developing new features.
• Communication: Sending transactional emails (verification, password reset, MFA codes), billing notifications, support ticket updates, and system announcements.
• Legal Compliance: Maintaining financial records as required by law, responding to legal and regulatory requests, and exercising or defending legal claims.

6. Data Sharing and Third-Party Processors

We share personal data with the following categories of third-party data processors, each of whom processes data on our behalf under a data processing agreement:

• AI Model Providers: Pollinations AI and Airforce receive prompts, conversation messages, and (where applicable) email metadata for AI inference. These providers process data in real time and do not retain request data beyond the duration of the API call. Freepik receives image generation prompts for its image models.
• Payment Processors: Stripe (PCI DSS Level 1 certified) processes credit and debit card payments. GoCardless (FCA-authorised) processes Direct Debit payments. We share your name, email, and payment amounts with these providers as necessary to process transactions.
• Email Infrastructure: Postmark (SMTP provider) receives email addresses for delivering transactional emails including verification, password reset, MFA codes, and support notifications.
• SMS Provider: Vonage receives phone numbers solely for delivering SMS-based multi-factor authentication codes.
• Microsoft (Graph API): Where you have connected your email account, Microsoft processes your email data in accordance with the Microsoft Privacy Statement. We access your mailbox data on your behalf under your explicit OAuth 2.0 authorisation.
• Infrastructure Providers: Our servers and database infrastructure are hosted on secure platforms with appropriate physical and logical access controls.

We do not sell, rent, or trade your personal data to any third party. We do not share personal data with third parties for their own marketing purposes.

7. International Data Transfers

Some of our third-party service providers operate outside the United Kingdom. Where personal data is transferred to a country outside the UK, we ensure that appropriate safeguards are in place in accordance with Article 46 of the UK GDPR:

• Adequacy Decisions: Where the UK Secretary of State has determined that a third country provides an adequate level of data protection, we rely on that adequacy decision as the basis for the transfer.
• Standard Contractual Clauses (SCCs): Where no adequacy decision exists, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses approved by the ICO, ensuring that your data receives an equivalent level of protection.
• Supplementary Measures: Where necessary, we implement supplementary technical and organisational measures, such as encryption in transit and at rest, to provide additional protection for transferred data.

Specifically, transfers may occur to the following jurisdictions through our service providers:

• United States: Stripe, Postmark, Vonage, and Microsoft operate infrastructure in the United States. Transfers are protected by the UK-US Data Bridge (UK Extension to the EU-US Data Privacy Framework) where applicable, or by Standard Contractual Clauses.
• European Economic Area: GoCardless operates primarily within the EEA, which benefits from a UK adequacy decision.

You may request a copy of the relevant safeguards by contacting the Data Protection Officer.

8. Automated Decision-Making and Profiling

In accordance with Article 22 of the UK GDPR, we inform you of the following automated decision-making and profiling activities:

• Rate Limiting (Automated): We use automated systems to enforce per-minute and per-day API rate limits based on your subscription tier and API key configuration. This automated processing may result in temporary restriction of your access to the platform if limits are exceeded. This processing is necessary for the performance of our contract with you and to ensure fair access for all users.
• Email Classification (Automated, Consent-Based): If you connect your Microsoft email account, we use AI models to automatically classify your emails into organisational categories (Important, Newsletters, Social, Finance, Shopping, Notifications). This classification is provided on a best-effort basis and does not produce legal or similarly significant effects. You may review and override any classification at any time.
• Abuse Detection (Automated): We use automated monitoring to detect patterns of abuse, fraud, or policy violations. Where such patterns are detected, automated systems may temporarily throttle or suspend access pending manual review. We implement human oversight in all account suspension decisions.

We do not make any solely automated decisions that produce legal effects or similarly significantly affect you without human involvement, except where such processing is necessary for the performance of our contract with you, is authorised by law, or is based on your explicit consent.

You have the right to request human intervention in any automated decision, to express your point of view, and to contest any automated decision by contacting the Data Protection Officer.

9. Data Subject Rights

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to exemptions provided by law.

• Right of Access (Article 15): You have the right to obtain confirmation as to whether we process your personal data and, where we do, to request a copy of that data together with supplementary information about how it is processed. We will provide this information free of charge within one calendar month of receiving your request. Where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request.
• Right to Rectification (Article 16): You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data. You may update your name and email address directly through your account settings. For other rectification requests, please contact the DPO.
• Right to Erasure (Article 17): You have the right to request the deletion of your personal data where: the data is no longer necessary for the purpose for which it was collected; you withdraw consent (where consent is the lawful basis); you object to the processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or the data must be erased to comply with a legal obligation. This right does not apply where processing is necessary to comply with a legal obligation or for the establishment, exercise, or defence of legal claims.
• Right to Restriction of Processing (Article 18): You have the right to request the restriction of processing where: you contest the accuracy of the data (for a period enabling us to verify accuracy); the processing is unlawful and you oppose erasure; we no longer need the data but you require it for legal claims; or you have objected to processing pending verification of legitimate grounds.
• Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON) and to transmit that data to another controller without hindrance, where the processing is based on consent or contract and is carried out by automated means. VoltaAI provides a built-in export feature for conversation data in JSON, Markdown, and PDF formats.
• Right to Object (Article 21): You have the right to object at any time to the processing of your personal data based on legitimate interests. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims. You have an absolute right to object to processing for direct marketing purposes.
• Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Where automated decisions are made, you have the right to obtain human intervention, to express your point of view, and to contest the decision.
• Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. You may disconnect your Microsoft email account at any time to withdraw consent for email data processing.

10. Exercising Your Rights

To exercise any of the rights described above, you may:

• Email the DPO: Send your request to emre.dalar@voltaservices.uk with the subject line "Data Subject Request".
• Email Privacy: Send your request to privacy@voltaservices.co.uk.
• Write to us: Data Protection Officer, VoltaServices Ltd, 16 Greenway, Newcastle upon Tyne, NE4 9TT.

When submitting a request, please provide sufficient information for us to verify your identity (such as the email address associated with your account). We may request additional verification before actioning your request to prevent unauthorised access to personal data.

We will respond to all valid data subject requests within one calendar month. Where a request is complex or we have received a high volume of requests, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for it within the first month.

11. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:

• Account Data: Retained for the lifetime of the account. Upon account deletion or termination, personal data is erased within 30 days, except where retention is required by law.
• API Usage Logs: Retained for 12 months for billing reconciliation, security monitoring, and service improvement, then automatically purged.
• Conversation Data: Retained until you delete individual conversations or request deletion of all conversation data. Deleted conversations are permanently removed within 30 days.
• Financial Records: Transaction records, invoices, and payment history are retained for a minimum of 6 years as required by UK tax and accounting legislation (Companies Act 2006, VAT Act 1994).
• Email Classification Data: Retained for as long as your email account remains connected. Upon disconnection, classification data is deleted within 30 days. If your subscription drops below Premium tier, data is retained for up to 90 days before automatic deletion.
• OAuth Tokens: Encrypted Microsoft OAuth tokens are deleted immediately upon email account disconnection.
• Support Tickets: Retained for 24 months after ticket closure for quality assurance and dispute resolution, then archived or deleted.
• Knowledge Base Documents: Retained until you delete them. Upon account deletion, all associated knowledge base data is removed within 30 days.
• Security Logs: Access and authentication logs are retained for 12 months for security monitoring and incident investigation.

When personal data reaches the end of its retention period, it is securely deleted or anonymised so that it can no longer be associated with you.

12. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in accordance with Article 32 of the UK GDPR. These measures include:

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
• Encryption at Rest: Passwords are hashed using PBKDF2-SHA256 or bcrypt. Sensitive credentials (OAuth tokens, TOTP secrets) are encrypted at rest. API keys are stored as cryptographic hashes; full keys are never stored.
• Access Controls: Access to personal data is restricted to authorised personnel on a need-to-know basis. Administrative access is protected by multi-factor authentication.
• Infrastructure Security: Our servers are protected by firewalls, intrusion detection systems, and regular security patching.
• Regular Assessments: We conduct periodic security assessments to identify and remediate vulnerabilities.
• Data Minimisation: We collect only the minimum personal data necessary for each processing activity.

For full details of our security measures, please refer to our Data Protection Policy.

13. Data Protection Impact Assessments

In accordance with Article 35 of the UK GDPR, we carry out Data Protection Impact Assessments (DPIAs) before undertaking any processing that is likely to result in a high risk to the rights and freedoms of individuals. This includes:

• Systematic and extensive evaluation of personal aspects relating to individuals based on automated processing, including profiling.
• Processing on a large scale of special categories of data.
• Systematic monitoring of a publicly accessible area on a large scale.
• Use of new technologies or novel processing methods that may present elevated risks.

DPIAs were conducted prior to the introduction of the AI Email Management feature (involving automated classification of personal email data) and the semantic search and RAG memory injection features (involving vector embeddings of conversation content). Where a DPIA identifies high residual risk, we consult with the ICO prior to processing in accordance with Article 36.

14. Data Breach Notification

In the event of a personal data breach, we will comply with the notification requirements set out in Articles 33 and 34 of the UK GDPR:

• Supervisory Authority Notification (Article 33): Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where notification is not made within 72 hours, we will provide reasons for the delay.
• Data Subject Notification (Article 34): Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, we will communicate the breach to the affected data subjects without undue delay, describing the nature of the breach, the likely consequences, and the measures taken or proposed to address the breach.
• Breach Record: We maintain a record of all personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken, regardless of whether notification to the ICO is required.

15. Cookies and Tracking Technologies

Our use of cookies is minimal and limited to essential functionality:

• Essential Session Cookies: We use session cookies to maintain your authenticated state after login. These are strictly necessary for the operation of the platform and are exempt from consent requirements under Regulation 6(4) of the Privacy and Electronic Communications Regulations 2003.
• Local Storage: We may use browser local storage to save user interface preferences such as theme selection. This is functional and does not track your activity.
• No Third-Party Tracking: We do not use any third-party tracking cookies, advertising cookies, analytics platforms, or cross-site tracking technologies.

16. Children's Data

The VoltaAI platform is not directed at children under the age of 16. We do not knowingly collect or process personal data from individuals under 16 years of age. If we become aware that we have collected personal data from a child under 16, we will take immediate steps to delete that data in accordance with Article 8 of the UK GDPR.

If you are a parent or guardian and believe that your child has provided personal data to us, please contact the Data Protection Officer immediately.

17. Record of Processing Activities

In accordance with Article 30 of the UK GDPR, VoltaServices Ltd maintains a Record of Processing Activities (ROPA) documenting all processing activities carried out under our responsibility. This record includes the purposes of processing, categories of data subjects and personal data, categories of recipients, international transfers, retention periods, and a description of technical and organisational security measures.

A summary of our processing activities is available upon request from the Data Protection Officer.

18. Supervisory Authority

VoltaServices Ltd is registered with the Information Commissioner's Office (ICO), the UK's independent authority set up to uphold information rights in the public interest.

• ICO Registration Reference: ZB874097
• ICO Website: https://ico.org.uk
• ICO Helpline: 0303 123 1113
• ICO Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

If you are not satisfied with our response to a data protection concern, or you believe that your data protection rights have been infringed, you have the right to lodge a complaint with the ICO. We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact our Data Protection Officer in the first instance.

19. Changes to This Policy

We may update this GDPR Policy from time to time to reflect changes in our processing activities, legal requirements, or regulatory guidance. When we make material changes, we will notify you by email or by posting a prominent notice on our website at least 30 days before the changes take effect.

The "Last updated" date at the top of this page indicates when this policy was most recently revised. We encourage you to review this policy periodically.

20. Contact

For any questions, concerns, or requests relating to this GDPR Policy or your personal data, please contact:

• Data Protection Officer: Mr Emre Dalar
• Email: emre.dalar@voltaservices.uk
• Privacy Email: privacy@voltaservices.co.uk
• Postal Address: VoltaServices Ltd, 16 Greenway, Newcastle upon Tyne, NE4 9TT
• Company Number: 16178827 (England and Wales)
• ICO Registration: ZB874097