Privacy Policy
1. Scope
This Privacy Policy outlines how Weco AI LTD ("we," "us," or "our") collects, uses, stores, and discloses personal data when you use our AI Function Builder Google Sheets Add-on ("Add-on"). It applies to all users of the Add-on, regardless of their geographical location, and covers all personal data processed by us, including data related to:
- Users: Individuals who use the Add-on within Google Sheets.
- Employees and Contractors: Personnel involved in the development, maintenance, and support of the Add-on.
- Clients and Suppliers: Organizations or individuals that provide services to or receive services from us in relation to the Add-on.
- Third Parties: Any other entities handling personal data on our behalf, such as service providers and partners.
This policy applies to personal data collected through:
- Use of the Add-on: Any interaction with the Add-on within Google Sheets.
- Our Website: Information collected when you visit our website or online platforms associated with the Add-on.
- Communications: Emails, support tickets, or any other form of communication between you and us.
By using the Add-on, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and use of your personal data as described herein.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable individual. This includes, but is not limited to, names, email addresses, IP addresses, user-generated content, and any other data that can directly or indirectly identify a person.
- Data Subject: The individual whose personal data is being processed. This includes users of the Add-on and any individuals whose personal data is input into the Add-on.
- Processing: Any operation or set of operations performed on personal data, whether by automated means or not. This includes collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- Third Party: Any natural or legal person, public authority, agency, or body other than the data subject, us, or our employees, who processes personal data on our behalf. This includes service providers, partners, and affiliates.
- Sensitive Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying an individual, health information, or data concerning an individual's sex life or sexual orientation.
- AI Function: A specialized API endpoint powered by a Large Language Model (LLM) that performs specific tasks by mapping inputs to outputs. It is configured using a prompt, LLM selection, and output schema to provide structured and predictable outputs.
- Add-on: The AI Function Builder Google Sheets Add-on that enables users to create and integrate customized AI functions within Google Sheets, allowing for the seamless incorporation of advanced AI capabilities into spreadsheet workflows.
- LLM (Large Language Model): A type of artificial intelligence model, such as GPT-4, used within the Add-on to process inputs and generate outputs for AI Functions.
- Output Schema: A formal definition of the expected output structure from an AI Function, ensuring that responses are consistent, reliable, and adhere to a predefined format.
- User Content: Any data, information, or content input by users into the Add-on, including text, numbers, images, or any other data processed by the AI Functions.
3. Legal Grounds for Processing Personal Data
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws. Our legal grounds for processing personal data include:
- Consent: We may process your personal data if you have given clear and explicit consent for a specific purpose. This includes instances where you have agreed to receive marketing communications or have consented to the processing of sensitive data.
- Contractual Necessity: Processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract. This includes providing and maintaining the Add-on, managing user accounts, and offering customer support.
- Legal Obligation: We process personal data to comply with our legal obligations under UK law and other applicable regulations. This includes obligations related to accounting, taxation, fraud prevention, and responding to lawful requests from public authorities.
- Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, provided that your fundamental rights and freedoms do not override these interests. Our legitimate interests include improving our services, developing new features, enhancing user experience, and ensuring the security of our systems.
- Vital Interests: In rare cases, we may process personal data to protect your vital interests or those of another individual, such as in emergency situations requiring immediate action.
For users located in the United States, we comply with applicable federal and state data protection laws, including the California Consumer Privacy Act (CCPA) where applicable. Our processing activities are designed to meet the requirements of these laws, ensuring that personal data is handled responsibly and in compliance with legal standards.
4. Privacy Notices
We are committed to transparency regarding how we collect, use, and share your personal data. Our privacy notices provide clear and accessible information about:
- Data Collection:
  - Types of Data Collected: We collect personal data such as your name, email address, IP address, usage data, and any user-generated content input into the Add-on.
  - Methods of Collection: Data is collected when you install and use the Add-on, interact with our website, or communicate with us via email or support channels.
  - Third-Party Sources: We may receive personal data from third parties, such as Google, when you use your Google account to access the Add-on.
- Purpose of Processing:
  - Service Provision: To provide, maintain, and improve the Add-on and related services.
  - User Support: To respond to your inquiries, provide customer support, and address technical issues.
  - Analytics and Improvements: To analyze usage patterns and improve user experience.
  - Marketing Communications: To send you updates, newsletters, and promotional materials, subject to your consent where required.
  - Legal Compliance: To comply with legal obligations and protect our legal rights.
- Legal Basis for Processing:
  - Detailed explanations of the legal grounds for processing your personal data, as outlined in Section 3 above.
- Data Sharing:
  - Third-Party Service Providers: We share personal data with trusted third parties who assist us in operating the Add-on, such as cloud hosting providers, analytics services, and customer support platforms.
  - Legal Requirements: We may disclose personal data to comply with legal obligations or in response to valid requests by public authorities.
  - Business Transfers: In the event of a merger, acquisition, or asset sale, personal data may be transferred to a new owner.
- International Data Transfers:
  - Data Transfer Mechanisms: Personal data may be transferred to countries outside the UK or European Economic Area (EEA). We use appropriate safeguards, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), to protect your data during such transfers.
  - US Data Transfers: For users in the US, personal data may be stored and processed in the United States, and we take steps to ensure it is protected in accordance with applicable laws.
- Data Retention:
  - We retain personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.
  - Criteria for Retention: Retention periods are determined based on the nature of the data, the purposes for processing, and legal requirements.
- Your Rights:
  - Access and Correction: You have the right to request access to your personal data and to correct any inaccuracies.
  - Erasure: You may request the deletion of your personal data under certain conditions.
  - Restriction and Objection: You can request that we restrict processing of your personal data or object to certain processing activities.
  - Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
  - Withdrawal of Consent: Where processing is based on consent, you have the right to withdraw consent at any time.
  - Lodging a Complaint: You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) or other relevant supervisory authority.
- How to Exercise Your Rights:
  - Contact us using the information provided in the Contact Us section of this Privacy Policy.
- Security Measures:
  - Information on how we protect your personal data through technical and organizational measures, such as encryption, access controls, and regular security assessments.
- Cookies and Similar Technologies:
  - Details about our use of cookies and how you can manage your cookie preferences.
- Updates to the Privacy Policy:
  - Information on how we will notify you of significant changes to this Privacy Policy, such as through email notifications or in-app messages.
Our privacy notices are made available at the point of data collection and are written in clear, plain language to ensure understanding. For example:
- Upon Installation: When you install the Add-on, you will be presented with a link to this Privacy Policy and any additional privacy notices relevant to the Add-on's functionalities.
- In-App Notifications: We may provide contextual privacy information within the Add-on to explain how specific features process personal data.
- Website Notices: Our website includes a privacy notice explaining how we collect and process data when you visit our site or interact with online content.
By providing comprehensive and accessible privacy notices, we aim to ensure that you are fully informed about how your personal data is used and your rights regarding that data.
5. Data Minimization and Accuracy
We are committed to collecting and processing only the personal data that is necessary for the purposes outlined in this Privacy Policy.
Data Minimization
- Purpose Limitation: Personal data is collected solely for specified, explicit, and legitimate purposes. We ensure that data collection aligns strictly with the functionalities of the Add-on and related services.
- Limited Collection: We collect the minimum amount of personal data required to provide and improve our services. This includes:
  - User Account Information: Such as your name and email address for authentication and communication purposes.
  - Usage Data: Information about how you interact with the Add-on to help us enhance user experience.
  - Support Communications: Data you provide when contacting customer support to resolve issues.
Accuracy
- Data Quality Assurance: We take reasonable steps to ensure that the personal data we process is accurate, complete, and up to date.
- User Responsibility: We encourage you to keep your personal data accurate and current. You can update your information through your account settings or by contacting us directly.
- Regular Reviews: We periodically review our data collection and storage practices to maintain data accuracy and relevance.
- Data Input in the Add-on:
  - User Content: When you input data into the Add-on, you are responsible for ensuring that the data is accurate and does not include unnecessary personal or sensitive information.
  - Third-Party Data: If you input personal data about third parties, you must ensure you have the legal right to do so and that the data is accurate.
6. Security Measures
We prioritize the security of your personal data and have implemented appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction.
Technical Safeguards
- Encryption:
  - Data in Transit: Personal data is encrypted using industry-standard protocols (such as TLS/SSL) when transmitted over networks.
  - Data at Rest: Sensitive personal data is encrypted when stored on our servers.
- Access Controls:
  - Authentication: Strong authentication mechanisms are in place to prevent unauthorized access to user accounts.
  - Authorization: Access to personal data is restricted to authorized personnel who require it for their job functions.
  - Least Privilege Principle: Employees and contractors have access only to the data necessary for their responsibilities.
- Network Security:
  - Firewalls and Intrusion Detection: We use firewalls and intrusion detection systems to protect our network from unauthorized access.
- Secure Development Practices: Our software development lifecycle includes security assessments and code reviews to identify and mitigate vulnerabilities.
Organizational Measures
- Policies and Training:
  - Employee Training: All employees and contractors receive training on data protection and privacy best practices.
  - Security Policies: We have comprehensive security policies that are regularly reviewed and updated.
- Incident Response Plan:
  - Preparation: Procedures are in place to detect and respond to security incidents promptly.
  - Notification: In the event of a data breach affecting your personal data, we will notify you and relevant authorities as required by law.
- Vendor Management:
  - Due Diligence: We conduct thorough assessments of third-party service providers to ensure they have robust security measures.
  - Contracts: Agreements with third parties include data protection obligations consistent with this Privacy Policy and applicable laws.
Regular Assessments
- Audits and Reviews: We perform regular audits and security assessments to ensure ongoing protection of personal data.
- Compliance Monitoring: We monitor compliance with security policies and legal requirements.
User Practices
- Password Security: We encourage you to use strong, unique passwords for your account and to keep them confidential.
- Phishing Awareness: Be cautious of unsolicited communications asking for your personal data and report any suspicious activity.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.
Retention Periods
- User Account Information:
  - Active Accounts: Personal data associated with your account is retained for as long as your account remains active.
  - Account Closure: If you close your account, we will delete or anonymize your personal data within a reasonable period, unless retention is required by law.
- Usage Data:
  - Analytics: Aggregated usage data that does not identify individual users may be retained indefinitely for analytical purposes.
  - Logs: Server logs and audit trails are retained for a limited time to ensure security and for troubleshooting purposes.
- Support Communications:
  - Retention: Communications with customer support may be retained for a period necessary to address your inquiry and improve our services.
Legal Obligations and Disputes
- Compliance with Laws: We may retain personal data for longer periods if required by law or to comply with legal obligations.
- Dispute Resolution: In the event of a dispute or claim, we may retain relevant personal data until the matter is resolved.
Data Deletion and Anonymization
- Deletion Procedures: Personal data scheduled for deletion is securely erased using methods appropriate to the sensitivity of the data.
- Anonymization: In some cases, we may anonymize your personal data so that it can no longer be associated with you. Anonymized data may be retained indefinitely without further notice.
Data Backup and Recovery
- Backups: Personal data may be stored in backup archives, which are securely maintained and only accessed for disaster recovery purposes.
- Retention in Backups: When data is deleted from our active systems, it may remain in backups for a limited period until backups are updated.
Your Rights Regarding Retention
- Right to Erasure: You have the right to request the deletion of your personal data. We will comply with such requests unless we are legally required or have legitimate grounds to retain the data.
- Withdrawal of Consent: If processing is based on consent, you can withdraw your consent, and we will delete your personal data unless another legal basis for processing exists.
Data Retention Policy Updates
- Periodic Review: We periodically review our data retention policies to ensure they comply with legal requirements and best practices.
- Policy Changes: Any significant changes to our data retention practices will be communicated to you via updates to this Privacy Policy.
8. International Data Transfers
Given the global nature of our services, your personal data may be transferred to, stored, or processed in countries outside the United Kingdom (UK) or the European Economic Area (EEA), including the United States and other jurisdictions that may not have equivalent data protection laws.
Transfers Outside the UK and EEA
- Adequacy Decisions: When transferring personal data to countries deemed by the UK government or European Commission to provide an adequate level of data protection, we rely on those adequacy decisions.
- Standard Contractual Clauses (SCCs):
  - For transfers to countries without an adequacy decision, we use UK-approved Standard Contractual Clauses or International Data Transfer Agreements (IDTAs) to ensure that appropriate safeguards are in place.
  - These contractual agreements oblige the recipient to protect your personal data according to standards equivalent to UK data protection laws.
Data Transfer Mechanisms
- Data Processing Agreements: We have data processing agreements with our third-party service providers, which include clauses to protect your personal data during international transfers.
- Additional Safeguards:
  - Encryption: Personal data is encrypted during transit and at rest where applicable.
  - Access Controls: Strict access controls are implemented to prevent unauthorized access to your data.
US Data Transfers
- Compliance with US Laws: For users located in the United States, personal data may be processed in compliance with federal and state laws, including the California Consumer Privacy Act (CCPA) where applicable.
- Third-Party Service Providers:
  - We may use service providers based in the US for cloud storage, analytics, and customer support.
  - These providers are contractually obligated to protect your personal data in accordance with applicable data protection laws.
Your Rights and Remedies
- Information and Copies: You have the right to request information about the international transfer of your personal data and copies of the appropriate safeguards in place.
- Objections: If you object to your personal data being transferred outside the UK or EEA, please contact us using the details provided in the Contact Us section. Please note that objecting to such transfers may impact our ability to provide you with some or all of the services.
Updates to Transfer Mechanisms
- We continually assess our data transfer mechanisms to ensure they comply with legal requirements and provide robust protection for your personal data.
9. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors.
Notification of Changes
- Material Changes: If we make significant changes to this Privacy Policy, we will notify you by:
  - Email: Sending an email to the address associated with your account.
  - In-App Notification: Providing a notice within the Add-on.
  - Website Notice: Posting a prominent notice on our website.
- Non-Material Changes: For minor updates that do not materially affect your rights, we may update the Privacy Policy with a new effective date and post the revised policy on our website.
Effective Date
- Date of Updates: The "Last Updated" date at the top of this Privacy Policy indicates when the policy was last revised.
- Continued Use: By continuing to use the Add-on after the effective date of any changes, you acknowledge and agree to the updated Privacy Policy.
Your Responsibility
- Reviewing the Policy: We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your personal data.
- Acceptance of Changes: If you do not agree with the changes to the Privacy Policy, you should discontinue use of the Add-on and contact us to deactivate your account if applicable.