Privacy Policy

Last updated: 10 November 2025

1. Purpose and Scope

1.1 This Privacy Policy ("Policy") sets out the manner in which Eagle Eye Technology Ltd ("the Company", "we", "us", or "our") collects, processes, stores, discloses, and protects personal data relating to users ("you", "your", or "data subjects") who access or use our artificial-intelligence-based digital services ("the Service").

1.2 The Policy applies to all personal data processed by Eagle Eye Technology Ltd in connection with the Service, including data obtained through our website (https://heyvita.ai), mobile applications, connectors, and integrated third-party services.

1.3 This Policy is designed to ensure compliance with:
(a) the United Kingdom General Data Protection Regulation ("UK GDPR");
(b) the Data Protection Act 2018 ("DPA 2018");
(c) the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"); and
(d) where applicable, the European Union General Data Protection Regulation ("EU GDPR").

1.4 This Policy also satisfies the principles of fairness, transparency, and accountability under international privacy frameworks relevant to the jurisdictions in which the Company operates.

2. Data Controller and Contact Information

2.1 The data controller responsible for your personal data is:
Eagle Eye Technology Ltd
Registered Address: Austen House Units A-J, Station View, Guildford, Surrey, England, GU1 4AR
Company Registration Number: 04459434
Email: support@eagleeyetechnology.com

2.2 For users located within the European Economic Area (EEA), the Company may appoint an authorised representative where required by Applicable Law. Contact details for any such representative will be made available upon request.

2.3 The Company may also operate subsidiaries or affiliates in other jurisdictions. In all such cases, the Company remains the entity responsible for determining the purposes and means of processing your personal data.

3. Definitions

For the purposes of this Policy:

3.1 "Personal data" means any information relating to an identified or identifiable natural person.

3.2 "Processing" means any operation or set of operations performed on personal data, including collection, storage, adaptation, use, or deletion.

3.3 "AI agents" refers to automated software components within the Service capable of interpreting user inputs and performing actions or producing outputs without direct human intervention.

3.4 "Connector" refers to an optional or default software integration that enables the Service to access data or perform functions on external platforms.

3.5 "Applicable Law" means all data-protection and privacy legislation relevant to the Company's operations, including the UK GDPR, DPA 2018, PECR, and, where relevant, the EU GDPR.

4. Principles of Data Processing

The Company adheres to the following core principles when handling personal data:

4.1 Lawfulness, Fairness and Transparency: Processing shall be lawful, fair, and transparent to data subjects.

4.2 Purpose Limitation: Data shall be collected only for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

4.3 Data Minimisation: Only data necessary for the stated purposes shall be collected and processed.

4.4 Accuracy: Data shall be accurate and kept up to date.

4.5 Storage Limitation: Personal data shall not be kept longer than necessary.

4.6 Integrity and Confidentiality: Data shall be processed securely using appropriate technical and organisational measures.

4.7 Accountability: The Company shall demonstrate compliance with all principles and maintain relevant documentation.

5. Categories of Personal Data Collected

5.1 The Company collects and processes the following categories of data:

(a) Identity and Contact Data

Full name, username, profile image, email address, telephone number, and account identifiers.

(b) Account and Authentication Data

Login credentials, security tokens, multi-factor authentication details, and session records.

(c) Communication and Interaction Data

Messages, queries, feedback, and support correspondence submitted through the Service.

(d) AI Interaction Data

Textual or voice inputs provided to the AI agents, system prompts, chat logs, and preferences expressed (for example, "I do not like horror films").

This data is stored solely for the purpose of maintaining chat history and contextual responses and is not used to train or fine-tune the Company's AI models.

(e) Technical and Device Data

IP address, device type, operating system, browser version, language settings, time zone, and unique device identifiers.

(f) Usage and Analytics Data

Interaction frequency, feature usage, time spent on functions, error logs, and aggregate performance metrics.

(g) Connector Data

Data provided or retrieved through connectors that you enable, including authorisation tokens, account information from third parties, and usage records.

(h) Payment and Transaction Data

Transaction records, subscription status, billing information, and metadata associated with payments processed via third-party providers such as Stripe.

(i) Marketing and Preference Data

Consents, communication preferences, and responses to surveys or promotional offers.

5A. Children's Data

We do not knowingly collect personal data from individuals under the age of 16. If you believe we have collected such information, please contact us and we will delete it.

6. Lawful Bases for Processing

6.1 The Company processes personal data only where a lawful basis under Applicable Law exists.

6.2 The principal lawful bases are:

Processing Purpose | Lawful Basis | Examples
Provision of the Service and user account management | Performance of a contract | Creating an account, delivering AI responses
Personalisation and AI-driven recommendations | Consent | Learning user preferences
Analytics and service improvement | Legitimate interests | Aggregated performance analysis
Compliance and record-keeping | Legal obligation | Tax and billing records
Fraud prevention and security | Legitimate interests | Access control and audit logging
Marketing communications | Consent | Newsletters, product updates

6.3 Where processing is based on consent, you may withdraw that consent at any time by contacting privacy@heyvita.ai.

6.4 The Company conducts balancing tests for any processing based on legitimate interests to ensure that your rights are not overridden.

7. Purposes of Processing

7.1 Personal data is processed for the following specific purposes:

(a) To deliver and maintain the Service, including AI functionality and personalised responses.

(b) To administer accounts and subscriptions.

(c) To facilitate payments and transaction processing through trusted providers.

(d) To maintain chat history for contextual continuity and user convenience.

(e) To detect and prevent unauthorised use or fraud.

(f) To improve the accuracy and reliability of AI outputs through non-personal system testing and prompt engineering.

(g) To manage customer support and communications.

(h) To comply with legal and regulatory requirements.

(i) To conduct internal reporting and business analytics.

(j) To send marketing materials where lawfully permitted.

7.2 The Company shall not process personal data for any purpose that is materially incompatible with the above without notifying you and obtaining lawful authorisation where required.

We do not use your personal data or any content you submit to train or fine-tune our AI models.

8. Data Sharing and Disclosure

8.1 Processors and Sub-Processors

The Company may share personal data with authorised service providers who act as processors under written contracts that ensure compliance with Applicable Law.

Examples include:

(a) Cloud hosting providers;

(b) Payment processors (e.g. Stripe);

(c) Analytics and performance tools;

(d) Customer support software;

(e) Email and communication services.

8.2 Third-Party Connectors

Where you enable a connector, data necessary for that functionality may be shared with the relevant third party.

Such processing is carried out under the third party's own terms and privacy policy. The Company assumes no liability for the third party's processing beyond our obligation to obtain your consent and maintain secure integration channels.

8.3 Corporate Transactions

In the event of a merger, acquisition, reorganisation, or asset sale, personal data may be transferred to the successor entity under conditions preserving its integrity and security.

8.4 Legal and Regulatory Disclosures

We may disclose data where required to comply with applicable law, court orders, or law-enforcement requests, or to protect our rights and those of our users.

8.5 Aggregated or Anonymised Information

The Company may publish aggregate statistics relating to usage or performance, provided such data cannot reasonably identify any individual.

9. International Data Transfers

9.1 The Company may transfer personal data to countries outside the United Kingdom ("UK") and the European Economic Area ("EEA"), including to jurisdictions that may not provide the same level of data protection as the UK or EU.

9.2 Where such transfers occur, the Company ensures adequate safeguards are implemented in accordance with Applicable Law, including but not limited to:
(a) The use of the UK Information Commissioner's Office-approved International Data Transfer Agreement (IDTA);
(b) Where required, we rely on the EU Standard Contractual Clauses together with the UK Addendum as approved by the ICO for international transfers;
(c) Transfers to countries that have received an adequacy decision from the UK Government or European Commission; and
(d) Binding corporate rules or equivalent mechanisms for intra-group transfers where applicable.

9.3 The Company regularly reviews its international transfer arrangements to ensure ongoing compliance with legal requirements and to maintain the protection of individuals' rights.

9.4 A copy of the relevant safeguard documentation can be obtained by contacting privacy@heyvita.ai, subject to appropriate confidentiality considerations.

10. Data Retention and Disposal

10.1 We retain personal data only for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.

10.2 The specific retention periods depend on the nature of the data and its processing purpose. Typical examples include:
(a) Account data: retained for the duration of your active account and for up to twelve (12) months following account closure.
(b) Financial records: retained for a minimum of seven (7) years in accordance with statutory requirements.
(c) Chat history: retained for user convenience until the user deletes it or closes their account.
(d) Analytics and system logs: retained for up to twenty-four (24) months for performance monitoring and system integrity.

10.3 When data is no longer required, it is either securely deleted or anonymised so that it can no longer be associated with any identifiable individual.

10.4 The Company maintains a documented Data Retention and Disposal Policy, reviewed annually, that sets out retention schedules for all categories of personal data.

11. Security of Processing

11.1 The Company has implemented appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

11.2 These measures include, but are not limited to:
(a) Encryption of data both in transit and at rest using industry-standard protocols;
(b) Multi-factor authentication for administrative accounts;
(c) Network segmentation and intrusion detection systems;
(d) Regular vulnerability assessments and penetration testing;
(e) Secure data centre facilities with restricted access controls; and
(f) Ongoing staff training in data protection and cybersecurity.

11.3 In the event of a personal data breach, the Company shall:
(a) Assess the nature and scope of the incident;
(b) Contain and mitigate any identified risks;
(c) Notify the Information Commissioner's Office (ICO) and, where applicable, other supervisory authorities within seventy-two (72) hours if the breach is likely to result in a risk to individuals' rights and freedoms; and
(d) Notify affected individuals without undue delay where required by law.

11.4 All security measures are subject to regular internal audits, and significant incidents are reviewed by the Company's Data Protection Officer ("DPO").

12. Data Subject Rights

12.1 Data subjects have the following rights under the UK GDPR and, where applicable, the EU GDPR:
(a) Right of access: To request confirmation of whether personal data concerning you is being processed and to obtain a copy of such data.
(b) Right to rectification: To correct inaccurate or incomplete personal data.
(c) Right to erasure: To request deletion of personal data where processing is no longer necessary or lawful.
(d) Right to restriction: To request the restriction of processing under certain conditions.
(e) Right to data portability: To receive data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
(f) Right to object: To object to processing carried out under legitimate interests or for direct marketing.
(g) Right not to be subject to automated decision-making: To request human intervention in automated decisions producing legal or significant effects.

You can exercise these rights at any time by contacting us using the details provided in the Contact section of this Policy.

12.2 Requests to exercise any of the above rights may be made by email to privacy@heyvita.ai.

12.3 The Company shall respond to all legitimate requests without undue delay and within one (1) month of receipt, unless the request is complex, in which case an extension of up to two (2) additional months may be applied.

12.4 No fee shall be charged for exercising your rights unless a request is manifestly unfounded or excessive.

12.5 For identification purposes, the Company may require additional information before fulfilling a request.

12.6 Where a data subject is unsatisfied with the Company's response, they retain the right to lodge a complaint with the relevant supervisory authority, including:
(a) Information Commissioner's Office (ICO) in the United Kingdom; or
(b) The relevant Data Protection Authority (DPA) within the European Economic Area.

13. Enforcement, Monitoring and Governance

13.1 The Company maintains a comprehensive Data Protection Governance Framework, overseen by its Data Protection Officer, which includes:
(a) A documented Record of Processing Activities (RoPA);
(b) Data protection policies and employee training programmes;
(c) Regular internal audits to monitor compliance; and
(d) The performance of Data Protection Impact Assessments (DPIAs) for high-risk processing operations, including the use of AI technologies.

13.2 The Company operates an internal escalation process for data protection concerns and conducts annual reviews of this Policy to ensure ongoing compliance with Applicable Law.

13.3 All processors and sub-processors are subject to contractual obligations incorporating standard data-protection clauses and security requirements consistent with Article 28 of the UK GDPR.

13.4 Failure by employees or contractors to comply with this Policy may result in disciplinary or contractual action.

14. Automated Decision-Making and Profiling

14.1 The Service employs AI-driven processes capable of generating automated outputs or performing actions based on user input.

14.2 These processes may include the analysis of preferences, conversational context, or usage behaviour to deliver more relevant or efficient outcomes.

14.3 The Company does not engage in automated decision-making that produces legal or similarly significant effects within the meaning of Article 22 of the UK GDPR.

14.4 Profiling activities are limited to personalisation and convenience features, such as avoiding unwanted content categories or prioritising preferred genres.

14.5 Data subjects retain the right to object to any profiling activities and may request human review of AI-based decisions by contacting privacy@heyvita.ai.

15. AI Ethics and Transparency Statement

15.1 The Company is committed to the ethical development, deployment, and governance of artificial intelligence. The following principles guide our approach to responsible AI:

(a) Transparency

We are committed to being clear about how our AI agents operate, including the fact that they are machine systems capable of processing input and generating output without direct human intervention. Users are informed whenever they interact with AI components of the Service.

(b) Fairness and Non-Discrimination

We design our systems to avoid bias and discrimination. While AI models may process large datasets, the Company actively tests and monitors outcomes to identify and mitigate potential bias.

(c) Human Oversight

AI functionality is subject to human review and governance. Users may request human assistance or review where decisions have meaningful impact.

(d) Data Minimisation and Contextual Awareness

AI agents only access and process data necessary to perform a requested function. Sensitive or unrelated data is excluded from analysis wherever possible.

(e) Safety and Accountability

All AI systems are subject to internal safety assessments before deployment. The Company maintains full accountability for how its AI services operate and ensures appropriate recourse is available to users.

(f) User Autonomy

Users retain ultimate control over AI interactions, including the ability to delete data, disable specific connectors, or cease use of AI-driven features at any time.

15.2 The Company adheres to emerging international standards on ethical AI, including the OECD Principles on Artificial Intelligence, the EU AI Act (as applicable), and the UK Government's Ethics, Transparency and Accountability Framework for Automated Decision-Making.

15.3 Our commitment to responsible AI development forms part of our broader information governance strategy, ensuring that innovation remains aligned with privacy, fairness, and public trust.

16. Data Retention Schedule

16.1 The following table outlines typical data retention periods. Actual retention may vary depending on legal obligations, operational needs, and system configuration.

Data Category | Purpose | Retention Period | Disposal Method
Account registration and identity data | Account management and authentication | Duration of account + 12 months | Secure deletion or anonymisation
Payment and transaction data | Billing and statutory record-keeping | 7 years from transaction date | Secure deletion after expiry
Chat logs and AI interaction data | Contextual continuity and user convenience | Until account closure or user deletion | User-initiated deletion or secure erasure
Support and correspondence records | Customer support, dispute resolution | 3 years from closure of query | Secure deletion
System and analytics logs | Security, performance, and audit trail | Up to 24 months | Automated log rotation and overwriting
Marketing and consent records | Communication and legal compliance | Until consent withdrawn + 12 months | Secure deletion
Employment or contractor records (where applicable) | Compliance with employment law | 6 years post-termination | Secure disposal and certificate of destruction

16.2 The Company conducts periodic reviews to ensure data retention aligns with the principles of storage limitation and minimisation under Article 5(1)(e) of the UK GDPR.

17. Lawful Basis and Processing Matrix

The table below details the legal basis for key processing activities undertaken by the Company.

Processing Activity | Purpose | Data Types | Lawful Basis
Account creation | Establishing user accounts | Identity, Contact | Contractual necessity
Providing AI-driven responses | Delivering the Service | Interaction, Usage | Contractual necessity; legitimate interests
Personalised recommendations | User-specific tailoring | Preference, Interaction | Consent
Maintaining chat history | Contextual continuity | AI Interaction | Legitimate interests
Fraud prevention and system security | Detection and investigation | Technical, Log | Legal obligation; legitimate interests
Analytics and service optimisation | Improve accuracy and efficiency | Usage, Technical | Legitimate interests
Marketing communications | Product updates and offers | Contact, Preference | Consent
Processing payments | Transaction execution | Financial | Contractual necessity; legal obligation
Regulatory compliance | Statutory retention and reporting | Account, Financial | Legal obligation

18. International Supervisory Authorities

18.1 If you are not satisfied with the way your personal data has been handled, you may contact the appropriate supervisory authority.

18.2 United Kingdom
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk

18.3 European Economic Area (EEA)
If you are based in the EEA, you may contact your local Data Protection Authority (DPA). Examples include:

  • France: Commission Nationale de l'Informatique et des Libertés (CNIL) -- https://www.cnil.fr
  • Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI) -- https://www.bfdi.bund.de
  • Ireland: Data Protection Commission -- https://www.dataprotection.ie
  • Netherlands: Autoriteit Persoonsgegevens -- https://autoriteitpersoonsgegevens.nl

18.4 United States (where applicable)
Although the Company is based in the UK, we recognise privacy frameworks such as the EU-US Data Privacy Framework and will cooperate with recognised oversight bodies if necessary.

18.5 You may also contact the Company's Data Protection Officer directly via privacy@heyvita.ai for escalation before approaching a regulator.

19. Data Protection Impact Assessments (DPIAs)

19.1 The Company conducts Data Protection Impact Assessments for high-risk processing operations, including but not limited to:
(a) AI-driven personalisation and profiling;
(b) Cross-border transfers of sensitive data;
(c) Integration of new connectors or analytics technologies; and
(d) Any processing involving automated decision-making.

19.2 DPIAs identify and mitigate privacy risks and are reviewed annually as part of the Company's Data Protection Governance Framework.

20. Data Protection Officer (DPO)

20.1 The Company has appointed a qualified Data Protection Officer responsible for oversight of compliance and liaison with supervisory authorities.

20.2 Contact details:
Data Protection Officer
Eagle Eye Technology Ltd
Email: privacy@heyvita.ai
Postal Address: Austen House Units A-J, Station View, Guildford, Surrey, England, GU1 4AR

20.3 The DPO acts independently and reports directly to senior management.

21. Compliance with PECR and Electronic Communications

21.1 Where the Service involves sending electronic marketing messages, setting cookies, or collecting telemetry data, the Company complies with the Privacy and Electronic Communications Regulations (PECR).

21.2 The Company obtains explicit consent before placing non-essential cookies or sending direct marketing messages.

21.3 Users can manage consent preferences at any time through the Service's privacy controls or by contacting privacy@heyvita.ai.

We may use cookies or similar technologies that are necessary for the core functionality and security of the Service.

22. International Users and Cross-Jurisdictional Application

22.1 The Service is available to users worldwide. Accordingly, personal data may be processed in multiple jurisdictions where the Company or its processors operate.

22.2 The Company shall comply with local privacy requirements to the extent they apply to data subjects within those territories.

22.3 In cases of conflict between this Policy and local laws, the stricter standard shall prevail to the benefit of the data subject.

23. Amendments and Version Control

23.1 The Company may revise this Policy from time to time to reflect:
(a) Changes in legal or regulatory requirements;
(b) Modifications to the Service or its technical infrastructure;
(c) Adoption of new AI or data-processing technologies; and
(d) Internal policy or governance updates.

23.2 Updated versions will be posted on https://heyvita.ai/privacy and will indicate the effective "Last Updated" date.

23.3 Where material changes affect your rights or obligations, the Company will notify you directly via email or within the Service interface.

24. Interpretation

24.1 Headings are included for convenience only and shall not affect the interpretation of this Policy.

24.2 References to "Applicable Law" include all amendments and re-enactments thereof.

24.3 Any waiver of rights or obligations must be in writing to be effective.

25. Governing Law and Jurisdiction

25.1 This Policy and any disputes arising from it shall be governed by and construed in accordance with the laws of England and Wales.

25.2 The courts of England and Wales shall have exclusive jurisdiction over any proceedings relating to this Policy, subject to mandatory rights under local law where applicable.

26. Summary of Core Commitments

To reaffirm our position, Eagle Eye Technology Ltd commits to:
(a) Protecting personal data in accordance with the highest industry standards;
(b) Ensuring transparency and accountability in all processing operations;
(c) Providing clear mechanisms for user choice, control, and redress;
(d) Embedding privacy and ethical AI governance into the design of our services; and
(e) Maintaining open engagement with regulators and users on matters of privacy and data protection.

27. Contact and Further Information

For any questions, requests, or concerns regarding this Privacy Policy or the handling of your personal data, please contact:

Data Protection Officer
Eagle Eye Technology Ltd
Email: privacy@heyvita.ai
Postal Address: Austen House Units A-J, Station View, Guildford, Surrey, England, GU1 4AR
Website: https://heyvita.ai

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe your personal data has been mishandled.

If you remain dissatisfied, you may raise your concern with the Information Commissioner's Office (ICO) or the relevant supervisory authority in your jurisdiction.

Appendix A -- Definitions

Term | Definition
"Applicable Law" | The UK GDPR, EU GDPR, DPA 2018, PECR, and any other data protection laws that apply to the Company.
"Connector" | A software integration that allows the Service to access external data or perform functions on third-party systems.
"Data Subject" | A natural person to whom personal data relates.
"Personal Data Breach" | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
"Processor" | A natural or legal person that processes personal data on behalf of a controller.
"Profiling" | Automated processing of personal data to evaluate certain personal aspects of an individual.
"Supervisory Authority" | An independent public authority responsible for monitoring the application of data protection law.

Appendix B -- Related Policies

This Policy should be read in conjunction with the following internal or public documents:

  • Cookie and Data Usage Policy
  • Information Security Policy
  • Data Retention and Disposal Policy
  • Acceptable Use Policy
  • AI Data Processing and Learning Annex