CinaTech: AI-Powered Strategic Analysis for Marketing Agencies

1. INTRODUCTION

At CinaTech, we respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, store, and protect your personal data, and sets out your privacy rights and how the law protects you.

This policy is governed by the following legal frameworks, each applied on the basis described:

UK General Data Protection Regulation (UK GDPR) as supplemented by the Data Protection Act 2018 (DPA 2018) — applicable to all individuals in the United Kingdom.
EU General Data Protection Regulation (EU GDPR) — applicable where we process personal data of individuals located in the European Economic Area (EEA).
California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) — applicable where we process personal data of California residents.

Where the same processing activity falls under more than one framework, we apply the more protective standard. References to "UK/EU GDPR" throughout this policy indicate that both instruments apply unless otherwise stated.

2. THE DATA WE COLLECT

We may collect, use, store, and transfer the following categories of personal data about you:

Identity Data: First name, last name.
Contact Data: Email address.
Technical Data: Internet protocol (IP) address, browser type and version, time zone setting, device identifiers.
Usage Data: Information about how you use our website and services, including pages visited, features accessed, and interaction timestamps.
Financial Data: Payment card details and transaction history, processed by our payment processor Stripe. We do not store full card details on our own systems.
Client Data: Documents and onboarding forms you upload to the platform for AI-assisted analysis.
Cookie and Tracking Data: Information collected via cookies and similar tracking technologies. Please refer to our Cookie Policy for full details.

2.1 Special Category Data and Client Documents

Client documents you upload may contain special category data within the meaning of Article 9 UK/EU GDPR — for example, health records, financial information, or legally privileged materials. By uploading such documents, you confirm that you have a lawful basis to share this data with us for processing, and that you have obtained any necessary consents from the individuals whose data is contained within those documents. We process such data solely on your documented instruction under Article 9(2)(a) or (b) UK/EU GDPR as applicable, and only for the purpose of generating your requested analysis.

2.2 Data We Do Not Collect from Third Parties

We do not currently purchase or obtain personal data from third-party data brokers. Where this changes, this policy will be updated accordingly.

3. HOW WE USE YOUR DATA

We will only use your personal data where we have a lawful basis to do so under UK/EU GDPR. The table below maps each category of data to its processing purpose and lawful basis.

Data Category	Purpose	Lawful Basis
Identity & Contact Data	Account creation, service delivery, communications	Article 6(1)(b) UK/EU GDPR — contract performance
Client Data	AI-assisted document analysis to generate strategic reports	Article 6(1)(b) UK/EU GDPR — contract performance
Technical Data	Platform security, fraud prevention, service stability	Article 6(1)(f) UK/EU GDPR — legitimate interests
Usage Data	Platform improvement and optimisation	Article 6(1)(f) UK/EU GDPR — legitimate interests
Financial Data	Payment processing and statutory compliance	Article 6(1)(b) and 6(1)(c) UK/EU GDPR — contract and legal obligation

3.1 Legitimate Interests

Where we rely on legitimate interests as our lawful basis, we have conducted a Legitimate Interests Assessment (LIA) to balance our interests against your rights and freedoms. You may request a summary of any LIA by contacting us at joseph@cinatech.ai.

3.2 Automated Decision-Making and AI Processing

Our platform uses AI-assisted analysis (via the Anthropic Claude API) to process client documents and generate strategic reports. This processing does not constitute solely automated decision-making within the meaning of Article 22 UK GDPR, as the outputs of our AI analysis are provided as informational reports and are not used to make legally significant or similarly significant decisions about individuals without human review.

Where AI-generated outputs are used in a way that may constitute automated decision-making with significant effects, we will inform you of this at the point of collection and ensure your rights under Article 22 are preserved, including the right to request human intervention, to express your point of view, and to contest the decision.

3.3 Marketing

We will only send you marketing communications where you have provided your consent. You may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by contacting us directly.

4. DATA SHARING AND THIRD-PARTY PROCESSORS

We do not sell your personal data to third parties. We do not share your data for cross-context behavioural advertising.

We share your personal data with the following trusted third-party service providers acting as data processors under written Data Processing Agreements (DPAs) compliant with Article 28 UK/EU GDPR. Each processor is contractually obligated to process your data only on our documented instructions, to implement appropriate security measures, and not to engage sub-processors without our authorisation.

Processor	Service Provided	Location / Transfer Mechanism
Anthropic	AI document analysis (Claude API)	USA — UK IDTA / EU SCCs + DPA in place
Vercel	Application hosting and deployment	USA — UK IDTA / EU SCCs + DPA in place
Supabase	Database storage	USA — UK IDTA / EU SCCs + DPA in place
Resend	Transactional email delivery	USA — UK IDTA / EU SCCs + DPA in place
Cal.com	Meeting scheduling and confirmation emails	UK / EU / USA — UK IDTA / EU SCCs + DPA in place
Stripe	Payment processing	USA — UK IDTA / EU SCCs + DPA in place

We may also disclose your personal data to: (a) competent authorities, regulators, or courts where required by law; (b) professional advisers such as lawyers and auditors acting in their professional capacity; (c) third parties in connection with the potential sale, transfer, or restructuring of our business, subject to appropriate confidentiality obligations.

5. INTERNATIONAL DATA TRANSFERS

All of the third-party processors listed in Section 4 are based in the United States. As such, your personal data may be transferred to, stored in, and processed in the United States, which does not have a blanket adequacy decision from the UK.

We ensure that all transfers of personal data outside the UK are subject to appropriate safeguards as follows:

UK transfers: We rely on the International Data Transfer Agreement (IDTA), as approved by the UK Secretary of State under Section 119A of the Data Protection Act 2018, as the lawful transfer mechanism for transfers from the UK to the United States.
EEA transfers: Where EU GDPR applies, we rely on the EU Standard Contractual Clauses (SCCs) in the form adopted by the European Commission on 4 June 2021.
Transfer Impact Assessments (TIAs): We have conducted Transfer Impact Assessments for all transfers to the United States as required following Schrems II (C-311/18). These assessments are available on request.
UK-US Data Bridge: Where a processor has certified under the UK Extension to the EU-US Data Privacy Framework, we may additionally rely on this adequacy mechanism for UK-origin transfers.

You may request copies of the relevant transfer safeguards by contacting us at joseph@cinatech.ai.

6. DATA SECURITY

We have implemented appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

Encryption of personal data in transit using Transport Layer Security (TLS).
Encryption of personal data at rest using industry-standard encryption protocols.
Access controls based on the principle of least privilege, ensuring only authorised personnel can access personal data on a strict need-to-know basis.
Contractual security obligations imposed on all data processors.
Regular review of our security practices and infrastructure.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay in accordance with Article 34 UK GDPR.

7. DATA RETENTION

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements.

Data Category	Retention Period	Basis
Identity & Contact Data	Duration of contract + 6 years	Statutory limitation period
Client Documents	Deleted on user request; auto-deleted after 90 days of account inactivity	Contractual necessity
Technical / Usage Data	12 months	Legitimate interests
Financial / Transaction Records	7 years	HMRC legal obligation
AI-Generated Report Outputs	Duration of contract + 6 years unless earlier deletion requested	Contractual necessity

Where you request deletion of your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law. Note that deletion of client documents removes the source material but does not automatically delete AI-generated report outputs, which are retained for the contractual period set out above unless you separately request their deletion.

8. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies on our website and platform. We use the following categories of cookies:

Strictly Necessary Cookies: Required for the operation of our platform (e.g. authentication, session management). These cannot be disabled.
Analytical / Performance Cookies: Allow us to recognise and count visitors and understand how users interact with our platform. These are only set with your consent.
Functional Cookies: Remember your preferences to provide a personalised experience. These are only set with your consent.

You may manage your cookie preferences at any time via our cookie consent banner or by adjusting your browser settings. Please note that disabling certain cookies may affect the functionality of our platform. Our use of cookies is subject to the Privacy and Electronic Communications Regulations 2003 (PECR) as well as UK GDPR.

9. YOUR LEGAL RIGHTS

9.1 Rights Under UK GDPR and EU GDPR

Under UK/EU GDPR, you have the following rights in relation to your personal data:

Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you and information about how we process it.
Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17): You have the right to request deletion of your personal data where there is no compelling reason for its continued processing.
Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes.
Right to Restrict Processing (Article 18): You have the right to request that we limit the processing of your personal data in certain circumstances.
Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Rights in Relation to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, and to request human review of such decisions.

We will respond to all valid requests within one calendar month of receipt. If your request is complex or numerous, we may extend this period by a further two months, in which case we will notify you. We will not charge a fee for handling your request unless it is manifestly unfounded or excessive.

You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). You can contact the ICO at ico.org.uk or by calling 0303 123 1113.

9.2 Rights Under the CCPA / CPRA (California Residents)

If you are a California resident, you have the following additional rights:

Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for collection, and the categories of third parties with whom it is shared.
Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
Right to Correct: You have the right to request correction of inaccurate personal information.
Right to Opt Out of Sale or Sharing: We do not sell personal information or share it for cross-context behavioural advertising. No opt-out action is required, but you may contact us to confirm this.
Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information to purposes necessary to provide the requested services.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise any CCPA/CPRA rights, please contact us at joseph@cinatech.ai. We will respond to verifiable consumer requests within 45 days.

10. CHILDREN'S PRIVACY

Our services are not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at joseph@cinatech.ai and we will take steps to delete the relevant data.

11. CHANGES TO THIS PRIVACY POLICY

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this policy and, where appropriate, notify you by email or via a notice on our platform.

Privacy Policy

DATA CONTROLLER DETAILS