Effective Date: 18th March 2025
Last Updated: 18th March 2025

Introduction

Poppy AI LTD, (Company Number 16219557) registered at 111 Buckingham Palace Road, London, England, SW1W 0SR ("Company," "we," "us," or "our") is committed to protecting your privacy. 

This Privacy Policy explains how we collect, use, and share personal data when you use Poppy AI, our AI-powered email assistant (the "Service"), which integrates with your nominated email account to analyse emails, generate summaries, and draft responses in your writing style.

We recognise the importance of privacy and are committed to ensuring that your personal data is handled responsibly and in compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR)the EU General Data Protection Regulation (EU GDPR), the California Consumer Privacy Act (CCPA), and other relevant global privacy regulations.

By using our Service, you acknowledge that you have read and understood this Privacy Policy.

1. Scope

This Privacy Policy applies to the personal data we collect through:

• The Service, which accesses designated emails and attachments in Gmail and any other nominated email accounts

• User interactions with our platform, including account creation and AI-generated summaries

• AI models used for processing and improving the Service

This policy does not apply to any third-party services that may be integrated with or linked to our platform. We encourage you to review the privacy policies of those third-party services.

2. Information We Collect

To provide our Service, we collect and process the following types of personal data:

(a) Email & Calendar Data

• Emails from designated contacts, including but not limited to subject lines, body content, and attachments

• Calendar events, including location, date, time and other details and participant information

(b) User-Provided Information

• Email addresses added by users to manage contacts

• Information about parents, guardians, and children, where relevant

• Special category data, including that of children, such as dietary or medical information (processed only with explicit consent)

(c) AI-Generated and AI-Processed Data

• Summaries of emails and attachments

• AI-generated responses based on user preferences and writing style

• Evaluation data used to refine or improve prompt effectiveness exclusively

(d) Technical and Usage Data

• Device information, such as IP addresses and browser type

• Interaction logs, including timestamps and system diagnostics

By using the Service, parents/guardians are giving consent for us to collect or process personal data of individuals under the age of 16. Other than that, we do not knowingly collect or process personal data of individuals under the age of 16 without parental consent, in compliance with applicable regulations.

Compliance with Google API Services User Data Policy

We access certain data through Google API services, and we process this data in accordance with Google’s User Data Policy. Specifically:

• We do not use or transfer Google user data for serving ads, profiling, or any unrelated secondary purposes.

• We only use Google user data as necessary to provide and improve user-facing functionalities of our AI email assistant, such as generating summaries and responses.

• We adhere to all limited use requirements, ensuring that Google user data is not shared with third parties except as required to perform the Service’s core features (e.g., generating a response at the user’s request).

3. How We Use Your Information

We process personal data to:

• Provide and maintain the Service, including analysing emails and generating AI-powered summaries and responses

• Evaluate and refine prompts for the user-facing features of our Service, without feeding user data into any standalone or generalised AI/ML model.

• Enhance security and fraud prevention, including monitoring for unauthorised access or misuse

• Comply with legal obligations, where required by applicable laws or regulations

We do not use Google Workspace data to train or develop any generalised or custom AI/ML models; we only gather minimal data to evaluate and refine prompts for personalised user-facing features.

We do not use Google user data for any purpose other than delivering or improving these user-facing features. In particular, we do not use Google user data for targeted advertising, selling to data brokers, determining credit-worthiness, lending purposes, or any other activities unrelated to providing or enhancing the Service.

4. AI Evaluation and Data Retention

To continually improve and provide the user-facing features of our Service, we may use email content, summaries, and responses to evaluate and refine our prompt performance. We do not maintain any generalised or custom AI/ML model that trains on user data. We do not share this evaluation data with external or unrelated AI models; it is used exclusively to enhance the functionalities that users directly interact with.

We retain data for these evaluation purposes only as long as it is necessary to refine the Service. If you do not wish for your data to be used for prompt evaluation and refinement, you may opt-out by contacting us at support@hirepoppy.ai before using the Service. Please note that once certain data points have been incorporated into our evaluation processes, it may no longer be possible to remove them from aggregated sets.

We do not use user data to train any generalised or custom AI/ML models; we only gather limited evaluation sets to support and improve the Service’s user-facing features, and we do not use it for targeted advertising, creating unrelated databases, or similar activities.

We’ll retain your Personal Data for only as long as we need in order to provide our services to you, or for other legitimate business purposes such as resolving disputes, safety and security reasons, or complying with our legal obligations. 

How long we retain Personal Data will depend on a number of factors, such as:

• Our purpose for processing the data (such as whether we need to retain the data to provide our services);

• The amount, nature, and sensitivity of the information; 

• The potential risk of harm from unauthorised use or disclosure;

• Any legal requirements that we are subject to.

5. Legal Bases for Processing (UK/EU GDPR Compliance)

Our processing activities rely on the following legal bases:

• Consent – You explicitly authorise us to process and analyse emails for AI-powered summaries and responses.

• Legitimate Interests – We use data to improve AI accuracy, ensure system security, and enhance the user experience.

• Contractual Necessity – Certain data processing is required to provide core functionalities of the Service.

• Legal Compliance – We may process data to fulfil legal or regulatory obligations.

For sensitive data, such as dietary or medical information, we require explicit consent before processing.

6. Data Sharing and Third-Party Processing

We do not sell your personal data or transfer it to any third parties for targeted advertising, selling to data brokers, determining credit-worthiness, lending, or any other use beyond providing or improving the Service.

We may share information under the following circumstances:

• Cloud and AI Service Providers – We may partner with reputable third-party services, including large language models (LLMs), to help process email content and generate responses solely on our behalf. These providers are not permitted to use your personal data for their own purposes, such as independent AI training, advertising, or resale. 

• Business Transfers – If our company undergoes a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity, subject to the commitments of this Privacy Policy.

• Legal and Regulatory Authorities – We may disclose data when required by law, in response to legal processes, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.

• Affiliates – We may disclose your personal data to our affiliates (entities under common ownership or control) for purposes consistent with this Privacy Policy, never for unrelated or prohibited activities.

Use of Third-Party AI Tools

• We may occasionally use reputable third-party providers, including large language models, to help us generate or refine email summaries and responses. We only share user data where strictly necessary for these providers to perform the Service’s core functionality, and they are contractually barred from using the data for any other purpose (e.g., targeted advertising, reselling, or their own AI training). 

• Where AI processing takes place on external servers, it is subject to our security measures and the provider’s contractual obligations to protect data privacy. We carefully select each provider to ensure compliance with all relevant regulations, as well as Google’s User Data Policy. Should we introduce or replace any AI provider, we will maintain these same protections and obligations.

7. International Data Transfers

As we operate globally, your data may be transferred to and processed in countries outside your home jurisdiction, including countries that may not have the same level of data protection laws.

For transfers outside the UK/EU, we implement safeguards such as:

• Standard Contractual Clauses (SCCs) under GDPR

• UK International Data Transfer Agreements

• Binding Corporate Rules (BCRs), where applicable

8. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

UK/EU GDPR Rights

• Access – Request a copy of your personal data.

• Rectification – Correct inaccurate or incomplete data.

• Erasure – Request deletion of your personal data (note: AI training data cannot be removed).

• Restriction of Processing – Limit how we use your data, although restrictions may result in the Service becoming unworkable.

• Objection – Object to AI processing of your data, although objections may result in the Service becoming unworkable.

• Data Portability – Receive a structured, machine-readable format of your data.

US Privacy Rights (CCPA, COPPA, HIPAA)

• Right to Know – Learn what data we collect and how it is used.

• Right to Delete – Request deletion of account data.

• Right to Opt-Out – Prevent future AI processing of new data.

• Right to Non-Discrimination – No adverse treatment for exercising privacy rights.

To exercise your rights, please contact us at support@hirepoppy.ai.

9. Data Security

We implement commercially reasonable technical, administrative, and organisational measures designed to protect data from loss, misuse, and unauthorised access, disclosure, alteration, or destruction. 

However, no transmission of data is ever fully secure or error free. Therefore, you should take special care in deciding what information you provide to us. 

Our industry-standard security measures to protect your data include:

• Encryption – All data is encrypted in transit and at rest.

• Access Controls – AI access is restricted to designated emails only.

• Regular Audits – We conduct security and compliance reviews of our AI systems.

10. Changes to This Privacy Policy

We may update this Privacy Policy periodically. 

Continued use of the Service after an update constitutes acceptance of the revised terms.

11. Contact Us

If you have any questions or concerns about this Privacy Policy, you can contact us at:

Email: support@hirepoppy.ai
Address: 111 Buckingham Palace Road, London, England, SW1W 0SR 
Data Protection Officer: Angus Hills - angus@hirepoppy.ai