Privacy Policy
1. INTRODUCTION
1.1 Overview
Immersive Design Company Ltd ("Company," "we," "us," or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the Cleio AI platform and related services (the "Service").
1.2 Data Controller
For the purposes of applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is:
Immersive Design Company Ltd
Company Registration Number: 10935926
60 Lexham Gardens
London W8 5JA
United Kingdom
Email: help@cleio.ai
1.3 Scope
This Privacy Policy applies to personal data we collect:
Through the Service
In email, text, and other electronic communications
When you interact with our advertising and applications on third-party websites and services
This Privacy Policy does not apply to information collected by third parties, including through any application or content that may link to or be accessible from the Service.
2. INFORMATION WE COLLECT
2.1 Information You Provide Directly
Account Information:
Full name
Email address
Organisation name
Job title or role
Profile photograph (optional)
Password (stored in encrypted form by our authentication provider)
Billing Information:
Payment card details (processed and stored by our payment processor)
Billing address
VAT registration number (where applicable)
User Content:
Video recordings uploaded to the Service
Research questions and hypotheses
Project names and descriptions
Annotations, tags, and notes
Team and collaboration settings
Communications:
Support requests and correspondence
Feedback and survey responses
Marketing preferences
2.2 Information Collected Automatically
Usage Data:
Pages visited and features accessed
Time spent on pages and features
Clickstream data and navigation paths
Search queries within the Service
Error logs and performance data
Device and Technical Data:
IP address
Browser type and version
Operating system
Device type and identifiers
Screen resolution
Time zone and language settings
Analytics Data:
Session duration and frequency
Referring URLs
Exit pages
Feature engagement metrics
2.3 Information from Third Parties
Authentication Providers:
We receive basic profile information when you authenticate using third-party services (e.g., Google, Microsoft).
Payment Processors:
We receive transaction confirmation and billing information from our payment processor.
2.4 Cookies and Similar Technologies
We use cookies, pixels, and similar tracking technologies to collect information about your browsing activities. For detailed information, please see Section 8 (Cookies and Tracking Technologies) below.
3. HOW WE USE YOUR INFORMATION
3.1 Legal Bases for Processing
We process your personal data on the following legal bases under UK GDPR:
PurposeLegal BasisProviding the ServicePerformance of contractProcessing paymentsPerformance of contractCustomer supportPerformance of contractService improvementsLegitimate interestsSecurity and fraud preventionLegitimate interestsMarketing communicationsConsent (where required) or legitimate interestsLegal complianceLegal obligationAnalyticsLegitimate interests
3.2 Specific Purposes
Service Delivery:
Creating and managing your account
Processing and storing your User Content
Generating transcripts and AI-powered analysis
Enabling collaboration features
Processing payments and managing subscriptions
Service Improvement:
Analysing usage patterns to improve features
Conducting research and development
Testing new features and functionality
Troubleshooting technical issues
Communication:
Sending transactional emails (e.g., password resets, payment confirmations)
Providing customer support
Sending service updates and announcements
Marketing communications (with your consent where required)
Security and Compliance:
Protecting against unauthorised access and abuse
Detecting and preventing fraud
Enforcing our Terms of Service
Complying with legal obligations
4. HOW WE SHARE YOUR INFORMATION
4.1 Service Providers
We share personal data with third-party service providers who perform services on our behalf:
ProviderPurposeData SharedLocationClerkAuthentication and identity managementName, email, profile dataUSACloudflare R2Video storage and content deliveryVideo files, metadataGlobal (encrypted)AssemblyAISpeech-to-text transcriptionAudio extracted from videosUSAAnthropicAI analysis and insightsTranscript text (anonymised where possible)USALemonSqueezyPayment processingBilling informationUSAPostHogAnalytics and product insightsUsage data (pseudonymised)EUNeonDatabase hostingAccount and project dataUSAResendTransactional email deliveryEmail addresses, message contentUSA
4.2 International Transfers
Some of our service providers are located outside the United Kingdom. Where we transfer personal data internationally, we ensure appropriate safeguards are in place, including:
Standard Contractual Clauses approved by the UK Information Commissioner's Office
Adequacy decisions by the UK Government
Other lawful transfer mechanisms
4.3 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your personal data.
4.4 Legal Requirements
We may disclose your personal data where required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to:
Protect our rights, privacy, safety, or property
Protect the rights, privacy, safety, or property of you or others
Enforce our Terms of Service
Respond to claims that content violates the rights of third parties
4.5 With Your Consent
We may share your personal data for other purposes with your explicit consent.
5. DATA RETENTION
5.1 Retention Periods
We retain personal data for as long as necessary to fulfil the purposes for which it was collected:
Data TypeRetention PeriodAccount informationDuration of account plus 2 yearsUser ContentDuration of account plus 30 daysBilling records7 years (legal requirement)Support communications3 yearsUsage analytics2 years (aggregated thereafter)Security logs1 year
5.2 Deletion
Upon account closure or deletion request:
User Content is deleted within 30 days
Account data is deleted within 90 days
Backup copies may persist for up to 90 additional days
Anonymised or aggregated data may be retained indefinitely
5.3 Legal Holds
We may retain data longer than stated above where required by law, regulation, or legal proceedings.
6. YOUR RIGHTS
6.1 Rights Under UK GDPR
You have the following rights regarding your personal data:
Right of Access
You may request a copy of the personal data we hold about you.
Right to Rectification
You may request correction of inaccurate or incomplete personal data.
Right to Erasure
You may request deletion of your personal data in certain circumstances.
Right to Restriction
You may request that we restrict processing of your personal data in certain circumstances.
Right to Data Portability
You may request a copy of your personal data in a structured, commonly used, machine-readable format.
Right to Object
You may object to processing of your personal data based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time.
Right Not to Be Subject to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
6.2 Exercising Your Rights
To exercise any of these rights, please contact us at help@cleio.ai. We will respond to your request within one month, as required by law. We may request verification of your identity before processing your request.
6.3 Complaints
If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom
Website: www.ico.org.uk
7. DATA SECURITY
7.1 Security Measures
We implement appropriate technical and organisational measures to protect personal data, including:
Encryption of data in transit (TLS/SSL) and at rest
Access controls and authentication requirements
Regular security assessments and penetration testing
Employee training on data protection
Incident response procedures
Secure development practices
7.2 Incident Response
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with applicable law.
7.3 Your Responsibilities
You are responsible for maintaining the security of your account credentials and for any activities that occur under your account. Please notify us immediately if you suspect any unauthorised access.
8. COOKIES AND TRACKING TECHNOLOGIES
8.1 Types of Cookies We Use
Strictly Necessary Cookies
Required for the Service to function. These cannot be disabled.
Authentication and session management
Security features
Load balancing
Functional Cookies
Enable enhanced functionality and personalisation.
User preferences
Language settings
Recently viewed items
Analytics Cookies
Help us understand how visitors interact with the Service.
Page views and navigation
Feature usage
Performance metrics
8.2 Third-Party Cookies
Our analytics provider (PostHog) may set cookies to collect usage data. This data is used to improve the Service and is not sold to third parties.
8.3 Managing Cookies
You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the Service.
8.4 Do Not Track
The Service does not currently respond to "Do Not Track" browser signals.
9. CHILDREN'S PRIVACY
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected personal data from a child, please contact us immediately at help@cleio.ai.
10. RESEARCH PARTICIPANT DATA
10.1 Your Responsibilities as Data Controller
When you upload video recordings containing personal data of research participants, you act as the data controller for that data. You are responsible for:
Obtaining valid, informed consent from participants
Providing appropriate privacy notices
Ensuring a lawful basis for processing
Responding to data subject rights requests
Complying with all applicable data protection requirements
10.2 Our Role as Data Processor
We process research participant data solely on your behalf and in accordance with your instructions. We do not use participant data for our own purposes.
10.3 Recommendations
We recommend that you:
Obtain explicit consent for video recording and AI analysis
Inform participants about how their data will be processed
Provide participants with your privacy notice
Establish procedures for handling participant data requests
11. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least thirty (30) days before the changes take effect. The "Last Updated" date at the top of this policy indicates when it was last revised.
12. CONTACT US
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Protection Contact
Immersive Design Company Ltd
Company Registration Number: 10935926
60 Lexham Gardens
London W8 5JA
United Kingdom
Email: help@cleio.ai
We aim to respond to all enquiries within 5 business days.
©Cleio 2026 All Rights Reserved