Privacy policy
Effective date: 01/01/26
This Privacy Policy explains how Artifact AI Ltd ("Artifact AI", "we", "us", "our"), a company registered in England and Wales (company number 15744501), collects, uses, shares and protects personal data when you visit our websites, use our products and services, or otherwise interact with us.
This policy covers our role as a controller of personal data (for example, your contact and account data). When we process personal data contained in customer content on behalf of our business customers, we act as a processor under our Data Privacy Policy — see Section 12.
1. Who this policy applies to
This policy applies to:
visitors to our websites,
prospects and people who contact us,
users of our Services (including Authorised Users of our business customers, in respect of their account data),
our business customers.
It also describes rights available to data subjects in the United Kingdom and EEA under the UK GDPR / EU GDPR, in California under the CCPA/CPRA, and in other US states with comparable laws (Virginia, Colorado, Connecticut, Utah, and others as enacted).
2. Personal data we collect
2.1 Information you provide. Name, business email, telephone, job title, employer, billing details, account credentials, content you submit through the Services (including chat messages and documents), and any information in support requests.
2.2 Information collected automatically. IP address, device and browser identifiers, operating system, pages viewed, referring URLs, timestamps, log data, and similar telemetry. We use first- and third-party cookies and similar technologies — see our Cookie Notice at https://www.getartifact.com/cookies.
2.3 Customer Content. Our business customers and their Authorised Users submit content through the Services that may contain personal data relating to their employees, clients and other third parties ("Customer Content"). When we process personal data in Customer Content, we act as a processor (or sub-processor where applicable) on the documented instructions of our business customer, who is the controller, under the customer agreement and applicable data protection law including Article 28 UK GDPR. We process Customer Content only to provide, secure and support the Services, and do not use it to train generalised AI/ML models.
2.4 Sensitive data. We do not seek to collect special category data (UK/EU GDPR) or sensitive personal information (CCPA/CPRA). If you submit such data via Customer Content, we process it on behalf of our customer in accordance with our Data Privacy Policy.
3. How we use personal data, and our legal bases (UK/EU GDPR)
Provide, operate and maintain the Services and your account — Performance of contract
Customer support — Performance of contract; legitimate interests
Billing, invoicing, and collections — Performance of contract; legal obligation
Security, fraud prevention, abuse detection, audit logging — Legitimate interests; legal obligation
Analytics to improve product, performance and reliability — Legitimate interests
Direct marketing to business prospects and existing customers — Legitimate interests; consent where required
Compliance with law (including financial regulations, AML, tax) — Legal obligation
Corporate transactions (e.g., M&A) — Legitimate interests
For US state laws (CCPA/CPRA and similar), we use personal information for the business and commercial purposes set out above. We do not sell personal information and we do not "share" it for cross-context behavioural advertising as those terms are defined under CCPA/CPRA.
4. AI processing and automated decision-making
We use AI/ML to operate the Services (for example, to extract data from documents, suggest classifications, and automate workflows). We do not use Customer Data to train, fine-tune or improve any generalised or non-personalised AI/ML model that is made available outside the customer's account. Where personalisation occurs, the resulting weights, embeddings and learned configurations remain associated with the customer's tenant.
We do not use the Services to make decisions producing legal or similarly significant effects about individuals based solely on automated processing without meaningful human review by our customer.
5. Cookies and tracking
We use strictly necessary cookies to operate the Services and, with your consent where required, performance, functional and analytics cookies. You can manage preferences via our cookie banner or browser settings. We honour Global Privacy Control (GPC) signals where applicable.
6. Sharing personal data
We share personal data with:
Subprocessors and service providers. Categories include cloud hosting, AI/ML inference, email delivery, analytics, payments and customer support.
Affiliates within our corporate group, under the same protections as this policy.
Professional advisers — lawyers, auditors, accountants, insurers, bound by confidentiality.
Authorities and other third parties where required by law, to enforce our rights, or to protect the safety of any person.
Acquirers in a merger, acquisition, financing or sale of assets, subject to equivalent privacy commitments.
We do not sell your personal information.
7. International transfers
Where we transfer personal data outside the UK or EEA (including to the United States), we rely on:
the UK International Data Transfer Addendum to the EU Standard Contractual Clauses for transfers from the UK,
the EU Standard Contractual Clauses for transfers from the EEA, and, where applicable,
the EU-U.S. Data Privacy Framework, UK Extension and Swiss-U.S. Data Privacy Framework for certified recipients.
We carry out transfer impact assessments and apply supplementary measures (encryption in transit and at rest, access controls, contractual safeguards) as appropriate.
8. Security
We maintain a written information security programme that is independently audited and certified to:
SOC 2 Type II (Trust Services Criteria: Security, Availability, Confidentiality)
Our programme includes encryption of data in transit (TLS 1.2+) and at rest (AES-256), least-privilege access controls, MFA for production systems, code review and SAST/DAST scanning, vulnerability management, annual penetration testing, security awareness training, vendor risk management, and 24/7 monitoring with documented incident response.
In the event of a confirmed personal data breach, we will notify our business customers without undue delay and within 72 hours where feasible, and will notify supervisory authorities and affected individuals where required by law.
9. Data retention
We retain personal data only as long as necessary for the purposes described in this policy, taking into account legal, accounting, regulatory and contractual obligations:
Account data: for the duration of the account and up to 90 days after closure (then deleted or anonymised, except as required by law).
Customer Data processed on behalf of customers: governed by the customer agreement and Data Privacy Policy — typically available for export for 30 days after termination, then deleted within 90 days.
Backups: rolling encrypted backups retained for up to 35 days.
Audit logs and security telemetry: at least 12 months, consistent with SOC 2 and ISO 27001 requirements.
Billing and tax records: at least 7 years (or longer where local law requires).
Marketing data: until you opt out or object, then deleted within 30 days.
Support correspondence: up to 24 months after the matter is closed.
10. Your rights
10.1 UK and EEA (UK GDPR / EU GDPR). You have the rights to: access; rectification; erasure; restriction of processing; data portability; object to processing (including direct marketing); and withdraw consent at any time where consent is the legal basis. You also have the right to lodge a complaint with a supervisory authority — in the UK, the Information Commissioner's Office (ICO).
10.2 California (CCPA/CPRA). You have the rights to know, access, correct, delete, limit use of sensitive personal information, opt out of "sale" or "sharing" (we do neither), and to non-discrimination. You may submit verifiable requests as set out in Section 11. We do not knowingly collect personal information from minors under 16 for sale or sharing.
10.3 Other US states. Residents of Virginia, Colorado, Connecticut, Utah, and other states with comparable laws have rights similar to those above. We will respond as required by your state's law and timelines.
10.4 Authorised agents. California and certain other state laws permit you to use an authorised agent to submit requests on your behalf. We will require proof of authorisation and may request verification from you.
11. How to exercise your rights
To exercise your rights, contact us at privacy@artifactai.uk (or support@artifactai.uk if not yet provisioned). If you are an Authorised User of one of our business customers, please first contact that customer, who is the controller of your data within the Services; we will assist them in responding.
We will respond within the timelines required by applicable law (typically one month under UK/EU GDPR, 45 days under CCPA/CPRA, with permitted extensions). We may need to verify your identity before acting on a request.
12. Our role as processor
When we process personal data contained in Customer Content on behalf of our business customers, we act as a processor under our Data Privacy Policy (https://www.getartifact.com/privacy), which governs subprocessors, transfers, security, audit rights, and data subject request assistance.
13. Children
The Services are not directed to individuals under 18 and we do not knowingly collect personal data from children. If you believe a child has provided personal data, please contact us and we will delete it.
14. Third-party services
The Services integrate with third-party services (for example, Xero, QuickBooks, Google Workspace, Microsoft 365, payment providers). Your use of those services is governed by their own terms and privacy policies. We use Google Workspace APIs in compliance with the Google API Services User Data Policy, including the Limited Use requirements. Google Workspace APIs are not used to develop, improve, or train generalised or non-personalised AI/ML models.
15. Open Banking
Artifact AI Ltd is an agent of Plaid Financial Ltd, an authorised payment institution regulated by the Financial Conduct Authority under the Payment Services Regulations 2017 (Firm Reference Number: 804718). Plaid provides regulated account information services through Artifact AI Ltd as its agent.
16. Changes to this policy
We may update this Privacy Policy from time to time. For material changes we will give reasonable advance notice (for example, via email or in-product notice) and will update the "Effective date" above.
17. Contact us
Artifact AI Ltd. Email: privacy@artifactai.uk