Privacy Policy

1. Introduction

VoltaServices Limited ("we", "us", "our") operates the VoltaAI platform, an API gateway and chat interface for artificial intelligence models. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

VoltaServices Limited is a company registered in England and Wales. Company Number: 16178827. ICO Registration Number: ZB874097.

By accessing or using VoltaAI, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms of this policy, please do not access or use our services.

2. Information We Collect

We collect information that you provide directly to us, as well as information generated through your use of our services:

• Account Information: When you register for an account, we collect your email address, first name, and surname. Your password is stored using industry-standard hashing algorithms and is never stored in plain text.
• Usage Data: We automatically collect information about your use of the platform, including API calls made, models used, token counts, request timestamps, and response status codes. This data is used for billing, rate limiting, and service improvement.
• Payment Information: Payment processing is handled by Stripe and GoCardless. We do not store your full credit card numbers, bank account details, or other sensitive payment credentials on our servers. We may retain transaction identifiers, payment amounts, and billing history for record-keeping purposes.
• Device and Browser Information: We may collect information about the device and browser you use to access our services, including IP address, browser type, operating system, and referring URLs. This information is used for security monitoring and service optimisation.
• Conversation Data: Messages sent through the VoltaAI chat interface are stored in our database to enable conversation history functionality. Conversation data is stored encrypted and is associated with your user account.
• Email Data (AI Email Management): If you connect a Microsoft email account through our AI Email Management feature, we access your email data via the Microsoft Graph API under your explicit OAuth 2.0 authorisation. This includes email subject lines, sender and recipient addresses, message body content, folder structure, and mailbox settings. We store email classification results (pathway assignments and confidence scores) and message identifiers in our database. We do not permanently store the full content of your emails on our servers — email content is fetched in real time from Microsoft's servers when you view or interact with messages.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and Maintain Services: To operate, deliver, and improve the VoltaAI platform, including processing your API requests, managing your account, and enabling chat functionality.
• Process Payments: To process subscription payments, wallet top-ups, and refunds through our payment partners.
• Send Notifications: To send you essential communications related to your account, including email verification, password reset links, MFA codes, billing notifications, and service announcements.
• AI Email Classification: To provide intelligent email organisation, we process email metadata (subject lines, sender addresses) and limited body content through AI language models to classify emails into organisational categories such as Important, Newsletters, Social, Finance, Shopping, and Notifications. This processing occurs when you first connect your email account and when new emails arrive.
• Improve Our Services: To analyse usage patterns, diagnose technical issues, and develop new features. We use anonymised and aggregated data for analytics purposes.
• Comply with Legal Obligations: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to protect the rights, property, and safety of VoltaServices Limited, our users, and the public.

4. Data Storage and Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it:

• Secure Servers: Your data is stored on secure servers with appropriate physical and logical access controls in place.
• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security).
• Encryption at Rest: Sensitive data, including passwords and conversation content, is encrypted at rest using industry-standard encryption algorithms.
• Regular Security Audits: We conduct regular security assessments and audits to identify and address potential vulnerabilities in our systems.
• Access Controls: Access to personal data is restricted to authorised personnel who require it to perform their duties. All access is logged and monitored.

5. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Account Data: Retained for as long as your account remains active. Upon account deletion, personal data is removed within 30 days, subject to our legal obligations.
• Usage Logs: API usage logs are retained for a period of 12 months for billing reconciliation, security monitoring, and service improvement purposes.
• Conversation Data: Conversation history is retained until you choose to delete it. You may delete individual conversations or request deletion of all conversation data at any time.
• Payment Records: Financial transaction records are retained for a minimum of 6 years as required by UK tax and accounting regulations.
• Email Classification Data: AI-generated email classifications (pathway assignments and confidence scores) are retained for as long as your email account remains connected. Upon disconnecting your email account, classification data is deleted within 30 days. If your subscription drops below the Premium tier, classification data is retained for up to 90 days to allow for resubscription, after which it is automatically deleted.
• Microsoft OAuth Tokens: Encrypted OAuth tokens used to access your Microsoft email account are stored for as long as your account is connected. Tokens are immediately deleted when you disconnect your email account. We do not have access to your Microsoft account password at any time.

6. Third-Party Services

We use the following third-party service providers to deliver and support our platform. Each provider has been selected for their commitment to data protection and security:

• Stripe: Processes credit and debit card payments. Stripe is PCI DSS Level 1 certified. Stripe Privacy Policy
• GoCardless: Processes Direct Debit payments. GoCardless is FCA-authorised. GoCardless Privacy Policy
• Microsoft (Graph API): If you connect your Microsoft email account, we use the Microsoft Graph API to access your mailbox data on your behalf. Microsoft processes your email data in accordance with their own privacy practices. Your authorisation can be revoked at any time from within VoltaAI or from your Microsoft account security settings. Microsoft Privacy Statement
• Pollinations AI: Provides the underlying AI model inference for text and image generation, as well as processing email metadata for AI classification. Prompts, generated content, and email excerpts sent for classification are processed through Pollinations' servers. Pollinations does not retain request data beyond the duration of the API call.
• Vonage: Delivers SMS messages for multi-factor authentication. Your phone number is shared with Vonage solely for the purpose of sending verification codes.
• Postmark: Sends transactional emails, including verification emails, password resets, and account notifications. Your email address is shared with Postmark for delivery purposes.

7. Cookies and Local Storage

We use a minimal set of cookies and local storage to provide essential functionality:

• Session Cookies: We use session cookies to maintain your authenticated state after you log in. These cookies are essential for the operation of the platform and cannot be disabled.
• Local Storage: We may use your browser's local storage to save user interface preferences, such as selected themes or display settings, to enhance your experience.
• No Third-Party Tracking Cookies: We do not use third-party tracking cookies, advertising cookies, or any analytics cookies that track your activity across other websites.

8. AI Email Management — Data Processing

This section provides additional detail about how your data is processed when you use the AI Email Management feature:

• Lawful Basis: We process your email data on the basis of your explicit consent, which you provide by authorising the Microsoft OAuth connection. You may withdraw consent at any time by disconnecting your email account, at which point all email-related data processing will cease and stored classification data will be deleted.
• Data Minimisation: We only access the email data necessary to provide classification and management features. We do not access your calendar, contacts, OneDrive files, or any other Microsoft 365 data beyond email and mailbox settings.
• AI Processing: Email metadata (subject lines, sender addresses, and brief content excerpts) is sent to AI language model providers for classification purposes. We send the minimum amount of content necessary for accurate classification. Full email bodies are not sent to AI providers — only subject lines, sender information, and short excerpts are transmitted.
• No Human Review: Your email content is processed entirely by automated AI systems. No VoltaAI employee or contractor manually reads your emails, unless you explicitly share email content with our support team for troubleshooting purposes.
• Microsoft API Compliance: Our use of the Microsoft Graph API complies with the Microsoft API Terms of Use. We access only the permissions you have explicitly granted (Mail.Read, Mail.ReadWrite, Mail.Send, MailboxSettings.Read) and do not use your email data for advertising, data mining, or any purpose unrelated to the services you have requested.
• Disconnection and Deletion: You may disconnect your Microsoft email account at any time from the email management settings page. Upon disconnection, your OAuth tokens are deleted immediately, and all stored email classification data is deleted within 30 days. Your emails remain unaffected in your Microsoft mailbox — we do not modify or delete your emails when you disconnect.

9. Your Rights (GDPR)

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights regarding your personal data:

• Right of Access: You have the right to request a copy of the personal data we hold about you. We will respond to your request within one month.
• Right to Rectification: You have the right to request that we correct any inaccurate personal data or complete any incomplete personal data we hold about you.
• Right to Erasure: You have the right to request the deletion of your personal data where there is no compelling reason for its continued processing.
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Right to Object: You have the right to object to the processing of your personal data in certain circumstances, including processing for direct marketing purposes.

To exercise any of these rights, please contact us at privacy@voltaservices.co.uk. We will respond to your request within one calendar month. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

10. Children's Privacy

The VoltaAI platform is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information as promptly as possible.

If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at privacy@voltaservices.co.uk so that we can take appropriate action.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this policy, we will notify you by email or by posting a prominent notice on our website prior to the changes taking effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our services after any modifications to this policy constitutes your acceptance of the updated terms.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Company: VoltaServices Limited
• Email: privacy@voltaservices.co.uk
• Company Number: 16178827 (England and Wales)
• ICO Registration: ZB874097