What does this Privacy Policy cover?

We are Pencil AI Limited (“Pencil”, “we”, “us” or “our”). At Pencil, we understand that your privacy is important to you and that you care about how your Personal Data is used. We respect your privacy and are committed to protecting your Personal Data.  

This Privacy Policy applies to our collection, use and sharing of your Personal Data when making available our websites that link to this Privacy Policy (together, the “Site”) and providing you with access to our AI-powered Pencil platform and associated technologies owned or operated by Pencil (the “Platform”), as well as associated marketing activities and any other activities described in this Privacy Policy. Under the GDPR, we are a ‘controller’ for the activities covered by this Privacy Policy.

For reference, when we refer to “Personal Data”, we mean any information which identifies you as an individual or which otherwise renders you identifiable. When we use the term “GDPR”, we are referring to both the so-called UK General Data Protection Regulation (“UK GDPR”) and/or the European Union’s General Data Protection Regulation 2016/679 (“EU GDPR”) (as and where applicable in the circumstances).

What doesn’t this Privacy Policy cover?

This Privacy Policy does not cover our use of Personal Data on behalf of our customers through their use of the Platform. We are a ‘processor’ when processing Personal Data on behalf of our customers. Any such processing of Personal Data on behalf of our customers as their processor is governed by our Pencil: Data Processing Addendum or other similar agreements, addenda or terms agreed with such customers. 

If you have any questions about any customer’s use of your Personal Data when they use our Platform, you can either review such customer’s own privacy policy(ies) and/or you can contact them directly.   

What Personal Data we collect

The Personal Data we typically collect about you is outlined in the table below.

Category of Personal Data

What this means

Contact Data

Your full name, email address, as well as any entity you work for and your role/title. 

Authentication Data

Authentication information to verify that you are a valid authorised user of the Platform and to manage your access to the Platform. 

Technical Data

Internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the Site and/or Platform.  

As a note: some of this information may be collected via the technologies described in ‘How we use cookies & other similar technologies’ below

Communications Data

Information you exchange with us in your communications with us, plus your preferences relating to our emails and other communications (e.g., whether you have opted in to receive marketing communications), as well as your interactions with our communications (e.g., whether you open and/or forward emails).

This includes any Personal Data you provide to us via any ‘chatbot’ functionality on the Site or in any other free-text ‘message’ fields via which you can use to communicate with us.

As a note: some of this information may be collected via the technologies described in ‘How we use cookies & other similar technologies’ below

Analytics Data

Statistical demographic or event-based analytics based on your use of the Site and/or Platform, including information related to your interactions with our Site and Platform (such as the URL of the pages you visit, the duration of your sessions, and information related to the websites you came through and the methods used to exit our Site or Platform)

As a note: some of this information may be collected via the technologies described in ‘How we use cookies & other similar technologies’ below

No obligation to provide Personal Data. You do not have to provide Personal Data to us. However, where we need to process your Personal Data either to comply with applicable law or to deliver our Platform and/or Site, and you fail to do so where required, we may not be able to provide some or all parts of our Platform and/or Site (as applicable). We will notify you if this is the case at the time.

Don’t give us sensitive information. We ask that you do not provide us with any sensitive types of Personal Data (e.g., health-related information, information related to racial or ethnic origin, political opinions, religion or other beliefs, criminal convictions information etc) – whether through the Site, the Platform or otherwise. For example, please do not input any of these types of sensitive information in any ‘chatbot’ functionality on the Site nor in any other free-text ‘message’ fields via which you can use to communicate with us.

How we use your Personal Data and why

We use your Personal Data for the purposes listed below and any associated sharing of Personal Data (see the section called ‘How we share your Personal Data’, below). 

In respect of each of the purposes for which we use your Personal Data, the GDPR requires us to establish a ‘legal basis’ for that use. Our legal bases for processing your Personal Data described in this Privacy Policy are listed below.

• Where we need to perform a contract we have entered into with you or are about to enter into with you (“Contractual Necessity”).
• Where it is necessary for our pursuit of legitimate interests and your interests and fundamental rights do not override those interests (“Legitimate Interests”). 
• Where we need to comply with a legal or regulatory obligation (“Compliance with Law”).
• Where we have your specific consent to carry out the processing for the purpose in question (“Consent”).  

‍

SITE OPERATION

Purpose: To provide, operate and secure the Site.

Categories of Personal Data: 

• Contact Data
• Authentication Data
• Technical Data

Legal basis:

• Contractual Necessity
• Legitimate Interests. We have a legitimate interest in ensuring the ongoing security and proper operation of our Site, our business and associated IT services, systems and networks.

PLATFORM OPERATION

Purpose: To provide, operate and secure the Platform – including managing access and use of the Platform, allowing us to perform our agreements with our customers, and securing the operation of and access to the Platform.

Categories of Personal Data: 

• Contact Data
• Authentication Data
• Technical Data 

Legal basis: Legitimate Interests. We have a legitimate interest in managing access of authorised users, ensuring the ongoing security and proper operation of our Platform, as well as performing our obligations under our agreements with customers.

BUSINESS AND CONTRACT ADMINISTRATION

Purpose: Administration and operation of our business, contracting and negotiation (e.g., with our customers), and business planning activities, including to analyse, adapt and improve these processes and activities.

Categories of Personal Data: 

• Contact Data
• Communications Data
• Technical Data
• Analytics Data

Legal basis: Legitimate Interests. We have a legitimate interest in administering and operating our business, contracting and negotiation, and business planning practices (including associated analysis, adaptation and improvement).  

PERSONALISATION

Purpose: To personalise your experience with the Site and/or Platform (including remembering your selections and preferences as you navigate).

Categories of Personal Data: 

• Contact Data
• Authentication Data
• Technical Data 

Legal basis:

• Legitimate Interests. We have a legitimate interest in providing you with a good service which is personalised to you and that remembers your selections and preferences.
• Consent. Applicable in respect of any optional processing relevant to such personalisation (including processing directly associated with any optional cookies used for this purpose).

DEALING WITH YOUR CONTACTS WITH US 

Purpose: To deal with any contact you might make with us using any ‘chatbot’ functionality on the Site, via any ‘Contact Us’ functions or any similar functions on the Site (e.g., any free-text fields) or via any other method of communication (e.g., by email), as well as any issues arising from such contacts (including replying to you). 

Categories of Personal Data: 

• Contact Data
• Technical Data
• Communications Data

Legal basis: Legitimate Interests. We have a legitimate interest in communicating with you and dealing with your contacts with us, as well as handling any issues that may arise from such contacts.

MARKETING

Purpose: To communicate with you (including to provide updates on our activities, the Site, the Platform and any other products or services).

Categories of Personal Data: 

• Contact Data
• Communications Data

Legal basis:

• Legitimate Interests. We have a legitimate interest in promoting our business and sending marketing.
• Consent. Applicable in circumstances or in jurisdictions where consent is required for the sending of any given marketing communications.

IMPROVEMENT AND ANALYTICS

Purpose: To analyse your usage of our Site and Platform, understand user activity, and improve the Site and Platform (including through the use of automated systems and processes).

Categories of Personal Data: 

• Technical Data
• Analytics Data

Legal basis:

• Legitimate Interests. We have a legitimate interest in improving our Site and Platform.
• Consent. Applicable in respect of any optional cookies used for this purpose and associated processing.

PRIVACY PROTECTIVE STEPS

Purpose: We may aggregate, deidentify or anonymise certain Personal Data for our legitimate business purposes. If we aggregate, deidentify or anonymise your Personal Data such that it is no longer Personal Data (i.e., it can no longer be associated with you), we may use this information as non-Personal Data indefinitely without further notice to you.

Categories of Personal Data: Any and all data types relevant in the circumstances. 

Legal basis: Legitimate Interests. We have a legitimate interest in taking steps to ensure that how we use Personal Data is as un-privacy intrusive as possible. We believe it is also in your interests that we take these privacy protective steps.

COMPLIANCE AND PROTECTION

Purpose: To comply with applicable laws, lawful requests, and legal process (such as to respond to disclosure orders or similar, as well as investigations or requests from government authorities); to protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); to audit our internal processes for compliance with legal and contractual requirements or our internal policies; to enforce the terms of agreements that govern access to the Site and/or Platform (including our agreements with customers); and to prevent, identify, investigate and deter fraudulent, harmful, unauthorised, unethical or illegal activity, including cyberattacks and identity theft.  

Categories of Personal Data: Any and all data types relevant in the circumstances.

Legal basis:

• Compliance with Law.
• Legitimate Interests. Where Compliance with Law is not applicable, we and any relevant third parties have a legitimate interest in participating in, supporting, and following legal process and requests, including through co-operation with authorities. We and any relevant third parties may also have a legitimate interest of ensuring the protection, maintenance, and enforcement of our and their rights, property, and/or safety.

CORPORATE EVENTS

Purpose: To facilitate or carry out any corporate events (including providing Personal Data to allow third parties to investigate – and, where relevant, to continue to operate – all or relevant part(s) of our operations).

Categories of Personal Data: Any and all data types relevant in the circumstances.

Legal basis: Legitimate interests. We and any relevant third parties have a legitimate interest in us providing information to certain third parties who are involved in or assisting with actual or prospective corporate events for these purposes. 

FURTHER USES

Purpose: We may use your Personal Data for further uses beyond those described above, we only do this with your consent or whether those further purposes are compatible with the initial purpose for which Personal Data was collected. 

Categories of Personal Data: Any and all data types relevant in the circumstances.

Legal basis:

• The original legal basis, for ‘compatible further uses’. 
• Consent. Applicable for ‘non-compatible further uses’. 

How we use cookies & other similar technologies

We also use cookies and other similar technologies on our Site and Platform. This helps us to provide you with a good experience and also allows us to improve our Site and Platform.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree.

We use the following cookies:

• Necessary cookies. These cookies are essential in order to enable our Site and Platform to provide the function you have requested, such as by helping to ensure that the content of a page loads quickly and effectively.
• Preferences cookie. These cookies allow us to provide enhanced personalisation and functionality, such as tailoring content to you, remembering your choices and preferences on the Site and Platform (e.g. language, text size, etc.) or remembering search parameters.
• Statistics cookies. These cookies collect information on how users interact with our Site and Platform and enable us to improve how it operates and our business more widely.
• Marketing cookies.  These cookies are deployed on the Site and collect information about your browsing habits in order to provide advertising which is more relevant to you and your interests – for example, they remember the websites you have visited and share that information with other parties such as advertising technology service providers.

You can find further information about cookies and manage your preferences by using the Cookie Preference Centre.

Your rights 

What are your rights?

The GDPR may give you certain rights regarding your Personal Data and how we process it in certain circumstances, meaning you may ask us to take the following actions in relation to your Personal Data:

• Access. Provide you with information about our processing of your Personal Data and give you access to your Personal Data.
• Correct. Update or correct inaccuracies in your Personal Data.
• Delete. Delete your Personal Data where there is no good reason for us continuing to process it - you also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below). 
• Transfer. Transfer to you or a third party of your choice a machine-readable copy of your Personal Data which you have provided to us.
• Restrict. Restrict the processing of your Personal Data, for example if you want us to establish its accuracy or the reason for processing it.
• Object. Object to our processing of your Personal Data where we are relying on Legitimate Interests – you also have the right to object where we are processing your Personal Data for direct marketing purposes.
• Withdraw Consent. When we use your Personal Data based on your consent, you have the right to withdraw that consent at any time.  

Exercising your rights

To exercise any of the rights described above, please contact us using the contact details shown below. 

We may request specific information from you to help us confirm your identity and process your request. Whether or not we are required to fulfil any request you make will depend on a number of factors (e.g., why and how we are processing your Personal Data), if we reject any request you may make (whether in whole or in part) we will let you know our grounds for doing so at the time, subject to any legal restrictions. Typically, you will not have to pay a fee to exercise your rights; however, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. 

Timing

We try to respond to all legitimate requests within a month of receipt. It may take us longer than a month if your request is particularly complex or if you have made a number of requests; in this case, we will notify you and keep you updated. 

How we share your Personal Data

We may share your Personal Data with the following categories of recipient and as otherwise described in this Privacy Policy, in other applicable notices, or at the time of collection.  

Affiliates. Our subsidiaries and affiliates (from time to time).

Customers. We may share certain Personal Data we collect about authorised users of the Platform with the relevant customer on whose behalf they use the Platform (e.g., where needed to perform our agreement with that customer). 

Service providers. Third parties that provide services on our behalf or help us operate parts of the Site or the Platform or our business (such as our hosting providers, information technology/security providers, customer support, email delivery, marketing, research and analytics). 

Third-party accounts. Where you use our Site or Platform to access accounts on any third-party websites, platforms, or applications, depending on the nature of the integration and authentication process (at your direction) we may share certain Personal Data with those third parties.

Professional advisors. Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.

Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate in the circumstances

Parties to corporate events. We may disclose Personal Data in the context of actual or prospective corporate events (e.g., investments in Pencil, financing of Pencil, or the sale, transfer or merger of all or part of our business, assets or shares), for example, we may need to share certain Personal Data with prospective counterparties and their advisers. We may also disclose your Personal Data to an acquirer, successor, or assignee of Pencil as part of any acquisition, sale of assets, or similar transaction, and/or in the event of an insolvency, bankruptcy, or receivership in which Personal Data is transferred to one or more third parties as one of our business assets.

Transfers outside Europe

We may share your Personal Data with third parties who are based outside the UK and European Economic Area (“Europe”), including the United States. 

Where we share your Personal Data with third parties who are based outside Europe, we try to ensure a similar degree of protection is afforded to it by implementing one of the following mechanisms: 

• Transfers to territories with an adequacy decision. We may transfer your Personal Data to countries or territories whose laws have been deemed to provide an adequate level of protection for Personal Data by the European Commission or UK Government (as and where applicable) (from time to time) or under specific adequacy frameworks approved by the European Commission or UK Government (as and where applicable) (from time to time), such as the EU-U.S. Data Privacy Framework or the UK Extension to the EU-U.S. Data Privacy Framework.

• Transfers to territories without an adequacy decision. 
  
  • We may transfer your Personal Data to countries or territories whose laws have not been deemed to provide such an adequate level of protection (e.g., the United States).  
  • However, in these cases:
    
    • we may use specific appropriate safeguards, which are designed to give Personal Data effectively the same protection it has in Europe – for example, standard-form contracts approved by relevant authorities for this purpose; or 
    • in limited circumstances, we may rely on an exception, or ‘derogation’, which permits us to transfer your Personal Data to such country despite the absence of an ‘adequacy decision’ or ‘appropriate safeguards’ – for example, reliance on your explicit consent to that transfer.

You may contact us using the details below if you want further information on the specific mechanism used by us when transferring your Personal Data outside of Europe.

Security

We employ technical, organisational and physical safeguards designed to protect your Personal Data (including to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed).  For example, we limit access to your Personal Data to only those employees and other staff who have a business need to have such access. All such people are subject to a duty of confidentiality.

In addition, we have put in place procedures to deal with potential personal data breaches affecting your Personal Data. In the event of any such breach, we have systems in place to notify and work with applicable regulators where required. In addition, in certain circumstances (e.g., where we are legally required to do so) we may notify you of more serious personal data breaches affecting your Personal Data.

Please note that despite the efforts described above, as our Site and Platform are hosted electronically, we can make no guarantees as to the security or privacy of your information.

Retention

We are committed to only keeping your Personal Data for so long as we reasonably need to use it for the purposes set out above. This general rule applies unless a longer retention period is required by law.

To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. 

When we no longer require the Personal Data that we have collected about you, we will either delete or anonymise it or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your Personal Data and isolate it from any further processing until deletion is possible. 

Third-party links

This Site and Platform may include links to third-party websites, platforms, plug-ins and applications (including to access and integrate accounts on those other services). Clicking on those links or enabling those connections may allow third parties to collect or share your Personal Data. 

We do not control these third-party websites and are not responsible for their privacy statements or practices. When you leave our Site or Platform, we encourage you to read the privacy policy of every site you visit.

Complaints

If you would like to make a complaint regarding this Privacy Policy or our practices in relation to your Personal Data, please contact us using the contact details shown below. We will reply to your complaint as soon as we can.

If you feel that your complaint has not been adequately addressed, please note that data protection laws give you the right to contact the regulator directly:

• Where you are based in the European Economic Area – the contact information for the data protection regulator in your place of residence can be found here: https://edpb.europa.eu/about-edpb/board/members_en
• Where you are based in the UK – the contact information for the UK data protection regulator can be found here: https://ico.org.uk/make-a-complaint/ 

Contact details 

Contact Pencil

You can contact us directly at privacy@trypencil.com.

Updates

Any changes will be made available here (or another page we notify to you at a later date) and where applicable we might also notify you via email and/or in our Site or Platform.