Introduction This Privacy Policy explains how Excede Solutions Ltd ("Excede," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use our SaaS product, Excede LOA.

Personal Data We Collect We collect and process the following categories of personal data: Identity Data: Name, job title, organisation. Contact Data: Email address, telephone number, billing address. Usage Data: IP address, browser type/version, pages visited, time and date of visit, time spent on pages, and other diagnostic data. Document Data: Uploaded files and extracted text processed through Excede LOA. Integration Data: Metadata and logs from integrated services (e.g., CRM, document vaults).

How We Collect Data We collect personal data through: Direct user input via web forms and application features. Automatically through cookies, server logs, and tracking technologies. Connected third-party platforms and integrations.

Lawful Basis for Processing We rely on the following lawful bases under the UK GDPR: Contractual necessity – to provide and support our services. Legitimate interest – to improve our services, prevent fraud, and secure our systems. Consent – where required for optional cookies or communications. Legal obligation – to comply with applicable laws and regulations.

How We Use Personal Data We use personal data to: Provide, operate, and support Excede LOA. Respond to support tickets and service requests. Improve platform functionality and user experience. Monitor and analyse usage for service improvement. Comply with legal or contractual obligations. 5A. Marketing Communications We will only send you marketing communications where you have opted-in to receive them or where you are an existing customer and we rely on the soft opt-in exemption under PECR. You can opt out of marketing at any time by clicking the unsubscribe link in our emails or by contacting us at [email protected].

Automated Processing & Profiling We use automated systems, including AI tools (e.g., OpenAI, Mistral OCR), for: Analysing document content Generating summaries Identifying patterns. These automated tools do not result in decisions producing legal or similarly significant effects. The logic involved in our automated processing includes extracting key data fields from documents, identifying document types, and summarising text content using AI models. These processes are used solely to assist you in managing and understanding your documents more efficiently.

Sharing and Disclosure We share personal data with: Subprocessors (e.g., AWS, Firebase, Mongo Atlas, Stripe, Cloudflare, OpenAI) for infrastructure, security, payments, and analytics. Professional advisors (legal, financial, insurance). Regulators or law enforcement when legally required. We do not sell personal data.

International Transfers Where personal data is transferred outside the UK or EEA (e.g., via subprocessors), we ensure appropriate safeguards are in place such as: UK-approved Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable. Data processing agreements with subprocessors Additional technical and organisational measures

Data Retention We retain personal data for as long as necessary to fulfil the purposes for which it was collected. Specifically: Account and transaction data: up to 6 years for compliance. Integration and platform usage data: automatically deleted after 6 months. Support data: retained while the account remains active.

Data Security We implement ISO 27001-compliant controls and are certified under Cyber Essentials Plus. Safeguards include: Data encryption in transit and at rest Role-based access controls Logging and monitoring of access Regular penetration testing

Your Rights Under UK GDPR, you have the right to: Access the personal data we hold about you Request correction or deletion of data Object to or restrict processing Request data portability Withdraw consent at any time (if applicable) Lodge a complaint with the Information Commissioner's Office (ICO) To exercise your rights, contact us at [email protected]. We will respond to all requests within one calendar month, in accordance with UK GDPR. Requests are free of charge unless manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse to act.

Cookies We use cookies to: Enable essential functionality Improve website usability Analyse visitor behaviour anonymously
Our cookie banner allows you to opt-in to non-essential cookies, in line with the UK Privacy and Electronic Communications Regulations (PECR). Essential cookies will always be active as they are required for the operation of our site. See our full Cookie Policy on our website or below for details

Cookie Policy We use cookies and tracking technologies to enhance your browsing experience and understand website traffic. Types of cookies used: Strictly Necessary Cookies – required for site operation Performance Cookies – analytics and tracking Functionality Cookies – user preferences You can adjust your cookie preferences or withdraw consent at any time using your browser settings or our cookie banner.

Children's Data Our services are not directed to individuals under 18. We do not knowingly collect personal data from children under the age of 13. If we become aware that we have collected personal data from a child under 13 without verified parental consent, we will delete that information promptly.

Third-Party Links Our platform may link to third-party websites. We are not responsible for their privacy practices.

Changes to this Policy We may update this Privacy Policy periodically. Material changes will be communicated via email or platform notice. We encourage users to review this Privacy Policy regularly to stay informed of how we process personal data.