Privacy Policy

Privacy & Data Protection

Version 2.2 · Effective 15 May 2026 · Replaces version 2.1 dated 12 May 2026

Data Controller

Innvia Tech Lab Limited — registered in England and Wales.
Companies House No: 16161837 · ICO Registration No: ZC124880
Registered Address: 23 Stoke Road, Cobham, KT11 3AR, United Kingdom
Contact: privacy@hinanda.com

1. Introduction

This Global Privacy and Data Protection Statement ("Statement") describes how Innvia Tech Lab Limited ("Nanda", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use the Nanda AI-powered personal assistant service (the "Service").

We are committed to processing your personal data lawfully, fairly, and transparently in accordance with applicable data protection legislation. This Statement applies to all users of the Service, regardless of the jurisdiction from which they access it.

1.1 EU Representative (GDPR Art. 27)

Users located in the European Economic Area have the following point of contact for EU GDPR purposes: Lilian Pontes, EU Representative for Innvia Tech Lab Limited. Email: privacy@hinanda.com.

2. Regulatory Framework

  • United Kingdom: UK GDPR and Data Protection Act 2018
  • European Union: Regulation (EU) 2016/679 (GDPR)
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Brazil: Lei Geral de Proteção de Dados Pessoais (LGPD)
  • California, United States: California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)

Where multiple jurisdictions apply, we apply the standard that affords the greatest protection to the individual.

3. Categories of Personal Data Processed

3.1 Account and Identity Data

  • Full name and email address
  • Authentication credentials (passwords stored as hashes, never in plaintext)
  • Date of birth (collected at signup for age verification; see §13)
  • Account preferences and settings

3.2 Interaction and Usage Data

  • Inputs, prompts, instructions, and messages submitted to the assistant
  • Feature usage patterns and in-app activity logs
  • Device type, operating system, browser version
  • IP address and approximate geographic location (country/city level)
  • Session timestamps and duration

3.3 Calendar Integration Data

Where you have explicitly authorised integration with Google Calendar or Microsoft Outlook Calendar via the respective OAuth consent flow, the following categories of calendar data may be accessed:

  • Event titles, dates, start and end times
  • Event descriptions and location fields (where present)
  • Calendar availability and free/busy status
  • The list of calendars on the user's account (for selecting which to sync)

Calendar Data — Binding Restrictions (both providers)

  • Access occurs only after explicit user authorisation via the provider's OAuth flow.
  • Calendar data is never used to train, fine-tune, benchmark, or evaluate any AI or machine learning model.
  • Calendar data is never transferred to third parties for their own purposes, used for advertising, or used for profiling unrelated to scheduling.
  • These restrictions comply with the Google API Services User Data Policy (including Limited Use) for Google Calendar data, and with the Microsoft Graph Terms of Use for Outlook Calendar data.

4. Purposes and Legal Bases for Processing

Purpose | Data Used | Legal Basis (UK / EU GDPR)
Account creation and authentication | Name, email, credentials | Contract performance (Art. 6(1)(b))
Providing the AI assistant service | Inputs, usage data, calendar data (if authorised) | Contract performance (Art. 6(1)(b))
Calendar integration (Google and Microsoft, read and write) | Calendar event data | Explicit consent (Art. 6(1)(a)) — revocable at any time
Service improvement and AI training (opt-in) | Aggregated / de-identified interaction data. Calendar data from Google or Microsoft is explicitly excluded. | Consent (Art. 6(1)(a)) — off by default; opt-in from Settings
Website analytics (Google Analytics 4, public site only) | Pseudonymous usage data, truncated IP, page URLs, device / browser type | Consent (Art. 6(1)(a)) — off by default; opt-in via the cookie banner; signed-in users excluded
Security monitoring and fraud prevention | Log data, IP address, usage patterns | Legitimate interests (Art. 6(1)(f)) — LIA documented
Compliance with legal obligations | As required by applicable law | Legal obligation (Art. 6(1)(c))

5. AI Processing

5.1 AI Model Training

  • Calendar data obtained via Google APIs or Microsoft Graph is never used for AI model training, fine-tuning, or evaluation, as required by Google's API Services User Data Policy and Microsoft's Graph Terms of Use.
  • Before any identifiable user data is used for training, explicit opt-in consent is obtained. This setting is off by default for all users.
  • Where possible, data is aggregated or anonymised before use in training processes.
  • You may opt out (or change your preference) at any time in Settings → Privacy, or by emailing privacy@hinanda.com.

5.2 Automated Decision-Making

Nanda does not make solely automated decisions that produce legal effects or similarly significant effects on users (within the meaning of GDPR Article 22). All significant outcomes are executed at the explicit request of and confirmed by the user.

6. Calendar Integrations — Detailed Governance

Nanda supports two calendar providers: Google Calendar and Microsoft Outlook Calendar. The commitments below apply uniformly to both. Provider-specific scopes and references are listed in §6.4 and §6.5.

6.1 Permitted Uses

  • Checking the user's availability before scheduling a new event
  • Identifying and avoiding scheduling conflicts at the user's request
  • Creating, updating, and deleting calendar events as explicitly directed by the user
  • Displaying the user's schedule within the Nanda interface
  • Listing the user's calendars so the user can choose which ones Nanda syncs

6.2 Absolute Restrictions (apply to data from both providers)

  • No AI training: Calendar data is never used to train, develop, improve, or evaluate any AI or machine learning model.
  • No advertising: Calendar data is never used for advertising purposes, including targeted advertisements.
  • No onward transfer: Calendar data is never transferred to third parties for their own purposes. It is only accessible to infrastructure processors (cloud hosting) under strict data processing agreements.
  • No transfer to data brokers: Calendar data is never sold or transferred to data brokers or information resellers.
  • No human access without consent: No Nanda employee or contractor accesses individual users' calendar data except (a) with explicit user consent, (b) for security investigations of specific reported incidents, or (c) as required by law.

6.3 Data Handling on Revocation

When a user disconnects a calendar account from Nanda or revokes access from the provider's account settings:

  • Nanda immediately ceases all API calls against that account.
  • For Google, the refresh token is revoked at Google's endpoint.
  • Cached calendar data is deleted immediately, and in any event within 24 hours.
  • No residual calendar data is retained beyond what is strictly necessary for legal compliance or security incident investigation.

6.4 Google Calendar — Scopes and Policy Reference

Nanda requests the minimum scopes necessary. We do NOT request the full calendar or calendar.readonly scopes.

  • https://www.googleapis.com/auth/calendar.events — read, create, update, and delete individual calendar events.
  • https://www.googleapis.com/auth/calendar.calendarlist.readonly — read the list of the user's calendars for the sync-selection UI.

Nanda's use of Google Calendar data complies with the Google API Services User Data Policy, including the Limited Use requirements.

6.5 Microsoft Outlook Calendar — Scopes and Policy Reference

Nanda requests the minimum Microsoft Graph scopes necessary. We do NOT request Mail.*, Files.*, Contacts.*, or any .All (tenant-wide) scope.

  • offline_access — refresh tokens so sync keeps working without repeated prompts.
  • openid — OIDC base required by the Microsoft identity platform.
  • User.Read — read the signed-in user's basic profile (/me), used only to show which account is connected.
  • Calendars.ReadWrite — list the user's calendars and read / create / update / delete events. On Microsoft Graph this single scope covers both the calendar-list and event-CRUD endpoints.

Nanda's use of Microsoft Graph data complies with the Microsoft Services Agreement and the Microsoft Graph Terms of Use. Users may revoke Nanda's access at any time from myapps.microsoft.com.

7. Data Sharing, Processors, and Third Parties

Processors process personal data on Nanda's behalf under a Data Processing Agreement (DPA), solely for purposes instructed by Nanda. Third parties, by contrast, receive personal data for their own independent purposes. Nanda does not share personal data with third parties for their own purposes, except where required by law.

Categories of processors used to deliver the Service:

  • Cloud infrastructure and hosting providers (security standards ≥ ISO 27001)
  • AI model API providers (only the minimum data necessary is sent)
  • Authentication providers
  • Website analytics — Google Analytics 4, provided by Google Ireland Limited and Google LLC. Used on our public marketing site only, and only where you have given Analytics consent in the cookie banner. Configured with IP anonymisation enabled and Google Signals disabled. We do not send your name, account email, conversation content, or calendar data to Google. Google acts as our processor under the Google Analytics Data Processing Terms. See Cookie Policy for the specific cookies and durations.
  • PCI-DSS compliant payment processors

8. International Data Transfers

Transfers outside the UK / EEA are protected by Standard Contractual Clauses (UK IDTA and EU SCCs under Commission Implementing Decision 2021/914), adequacy decisions, or Binding Corporate Rules as appropriate. Copies of the applicable safeguards can be requested from privacy@hinanda.com.

Specifically, Google Analytics data (see §7) is processed by Google LLC in the United States. This transfer relies on Google LLC's certification under the EU–US Data Privacy Framework and its UK Extension, supported by the EU Standard Contractual Clauses and the UK IDTA incorporated into the Google Analytics Data Processing Terms. IP addresses are anonymised before storage.

9. Data Retention

Data Category | Retention Period | Basis
Account data (name, email, credentials, date of birth) | Active account + 30 days after deletion | Contract; legal compliance
Interaction and input data (messages, prompts) | Active subscription + 90 days after account deletion, unless earlier deletion requested | Service delivery; legitimate interest
Calendar data (Google or Microsoft, event details) | Cached to provide ongoing scheduling assistance. Events are automatically purged 90 days after their end time. Upon disconnect, all cached data is deleted within 24 hours. | Consent; service delivery
Log data and technical metadata | 90 days | Security; fraud prevention
Billing and transaction records | 7 years from transaction date | UK tax and accounting law
Website analytics data (Google Analytics 4) | User- and event-level data retained for 14 months in Google Analytics, then automatically deleted; aggregated reports may be kept longer | Consent
Consent audit records (including cookie consent) | 3 years | Accountability; regulatory audit
Security incident records | 5 years | Legal obligation

10. Security

  • In transit: TLS 1.2+
  • At rest: AES-256 or equivalent
  • Role-based access controls (RBAC) and least-privilege
  • Multi-factor authentication required for all administrative access
  • Regular security assessments and vulnerability scanning
  • Security integrated into the software development lifecycle
  • Documented incident response plan

11. Your Rights

  • Access: request a copy of your personal data and how it is processed
  • Rectification: correct inaccurate or incomplete data
  • Erasure ('Right to be Forgotten'): request deletion of your data
  • Restriction: restrict processing in certain circumstances
  • Data Portability: receive your data in a structured, machine-readable format
  • Object: object to processing based on legitimate interests or direct marketing
  • Withdraw Consent: at any time, without retroactive effect

To exercise any right, contact privacy@hinanda.com. We respond within 30 days (extendable by up to two months in complex cases, with notification).

11.1 California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to Know: request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the categories of third parties with whom it is shared.
  • Right to Delete: request deletion of personal information we have collected from you, subject to legal exceptions.
  • Right to Correct: request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing: we do not sell personal information in the traditional sense, and we do not share it for cross-context behavioural advertising. If this ever changes, we will provide a clear "Do Not Sell or Share My Personal Information" mechanism.
  • Right to Limit Use of Sensitive Personal Information: we do not use sensitive personal information for purposes beyond what is necessary to provide the Service.
  • Right to Non-Discrimination: we will not deny you the Service, charge a different price, or provide a different level of service because you exercised any CCPA right.
  • Authorised Agent: you may designate an authorised agent to make a request on your behalf. We may require verification of the agent's authority and your identity.

California requests can be submitted to privacy@hinanda.com. We verify identity before disclosing or deleting personal information and respond within 45 days (extendable by an additional 45 days where reasonably necessary, with notice).

11.2 Brazilian Residents (LGPD)

If you are located in Brazil, in addition to the rights listed in §11, you have the following LGPD-specific rights under Art. 18:

  • Confirmação e acesso: confirmation that we process your personal data and access to the data itself.
  • Anonimização, bloqueio ou eliminação: anonymisation, blocking, or deletion of unnecessary, excessive, or unlawfully processed data.
  • Portabilidade: data portability to another service or product provider, subject to ANPD regulations.
  • Informação sobre uso compartilhado: information about public and private entities with which we have shared your data.
  • Revogação de consentimento: you may revoke consent at any time, free of charge, by a simplified procedure.

You may also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.

12. Data Breach Notification

  • All suspected breaches are assessed within 24 hours of discovery to determine severity and scope.
  • Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority (ICO for UK users; relevant EU DPA for EEA users) within 72 hours of becoming aware of the breach (UK GDPR Art. 33 / GDPR Art. 33).
  • Where a breach is likely to result in high risk to individuals, affected users are notified without undue delay.
  • We comply with PIPEDA breach reporting obligations for Canadian users and LGPD Art. 48 for Brazilian users.

13. Children's Data

The Service is not directed at children under the age of 16 (or under 13 in jurisdictions where a lower threshold applies, such as the United States under COPPA). We do not knowingly collect personal data from children below the applicable age threshold. If we become aware that we have inadvertently collected such data without verifiable parental consent, we delete it promptly.

New accounts require an age declaration at signup. Parents or guardians who believe that a child may have provided personal data to Nanda are encouraged to contact privacy@hinanda.com.

14. Cookies and Tracking Technologies

Nanda always uses strictly-necessary cookies (session, authentication, CSRF protection, and your cookie-preference record). On our public marketing site we also use Google Analytics 4 for aggregated usage statistics — but only where you have enabled the Analytics category in the cookie banner. The Analytics category is off by default, the Google Analytics script is not loaded until you opt in, IP addresses are anonymised, Google Signals is disabled, and signed-in users are never tracked by analytics. We do not set marketing or cross-site advertising cookies. If this changes, we will request prior opt-in consent where required by law.

See our Cookie Policy for the full list of cookies, durations, and how to withdraw consent.

15. Affiliate Programs and Partner Attribution

Nanda may, in the future, participate in affiliate programs that pay a commission when a user follows an outbound link from Nanda and completes a purchase or booking on a partner's site. Where this is enabled:

  • What we share with the partner. When you click a partner link, we may pass an anonymous tracking identifier so the partner can attribute the visit to Nanda. We do not share your identity, your account email, the contents of your conversations with the assistant, or any data from your calendar or other integrations.
  • What we receive back. We may receive aggregated, anonymised reports about which clicks led to commissionable events. We do not receive identifying information about the purchases you make on the partner's site.
  • Editorial independence. Compensation from any affiliate program does not influence the recommendations or guidance Nanda surfaces. When any such program is active, full programme-specific disclosures will be made available alongside this Statement.
  • Your control. Partner attribution cookies are not loaded unless you have given Marketing consent in the cookie banner. You can withdraw that consent at any time from the Cookie settings link in the footer.

16. International Supervisory Authorities

Jurisdiction | Authority
United Kingdom | Information Commissioner's Office (ICO) — ico.org.uk
European Union | Your national DPA (directory at edpb.europa.eu)
Canada | Office of the Privacy Commissioner of Canada — priv.gc.ca
Brazil | Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
California, United States | California Privacy Protection Agency (CPPA) — cppa.ca.gov

We encourage users to contact us directly before lodging a regulatory complaint so that we have the opportunity to address concerns promptly.

17. Changes to This Statement

We review and update this Statement periodically. For material changes that affect users' rights, we notify users by email at least 30 days before the changes take effect. Non-material updates (clarifications, typographical corrections) are published without prior individual notification. Continued use of the Service after the effective date of an updated Statement constitutes acceptance of the updated terms, subject to any rights of objection available under applicable law.

18. Contact

For any privacy-related query, data subject rights request, or concern: privacy@hinanda.com.

Version 2.2 · Effective: 15 May 2026 · © Innvia Tech Lab Limited