Servita SME Platform - Privacy Policy

Servita SME Limited ("Servita," "we," "us," or "our") values your privacy. This Privacy Policy explains how we collect, use, disclose, and protect information about you and your business when you use our AI Opportunity Assessment, the Servita SME Transformation Platform, and our related services (collectively, the "Services"). We operate globally, and this policy is designed to comply with major data protection laws, including the UK GDPR, the EU GDPR, and the California Consumer Privacy Act (CCPA) along with other US State Privacy Laws.

Role of Servita: Under the GDPR, Servita acts as the Data Controller for your Account Information, Billing Data, and Usage Data. For the confidential business data you upload into the Platform for Assessments or Packs ("Customer Data"), Servita acts as the Data Processor, processing such data in accordance with your instructions and our Terms of Service.

1. Information We Collect

We collect information directly from you, automatically through your use of the Services, and from third parties.

1.1. Information You Provide to Us:

• Account Information: Name, email address, password, job title, and company name when you register.
• Assessment, Intake, and Consultation Data: Detailed information about your business operations, strategy, technology stack, and personnel that you provide during the "Intake" process for the AI Opportunity Assessment or "Packs", or during Consultations with us.
• Expert Calls: Information you share during booked calls with our Experts. We may record these calls and store the transcripts for quality assurance, training purposes, and to improve the service we provide to you.
• Community Contributions: Information you share in the Community, including in chats, forums, roundtables, and live events.
• Communications: Content of your interactions with our "Assistant" (AI chatbot), support inquiries, and feedback.
• Website Chatbot Interactions: Content of your conversations with the AI-powered chatbot on our website (the "Website Chatbot"), which is provided by Botpress, Inc. ("Botpress"). This may include any enquiries, messages, or personal data you voluntarily submit during a chatbot conversation. Please note that this data is transmitted to and processed by Botpress and its sub-processors (including third-party LLM providers) to generate responses. You should not submit sensitive personal data or confidential business information to the Website Chatbot.
• Social Media Interactions: Information you provide when you interact with our pages on social media sites like LinkedIn or YouTube, such as contact details or the content of your posts/messages.
• Payment Information: We collect billing addresses and tax IDs. Note: We do not store raw credit card numbers; payments are processed by our third-party provider, Stripe.
• Other Data: Any other information you provide to Servita via the Platform or other means.

1.2. Information We Collect Automatically:

• Usage Data: We collect telemetry data on how you interact with the Platform, including pages visited, "Packs" downloaded, features used, time spent, and clickstream data.
• Device & Log Data: IP address, browser type, operating system, and device identifiers.

1.3. Information from Third Parties & Public Sources:

• Partners: If you sign up using a partner's referral link or code, we receive attribution data from our partner management platform (Rewardful) to link your account to that partner.
• Integrations: If you link third-party accounts (e.g., Google Calendar via Calendly), we receive the necessary data to facilitate that integration.
• Publicly Available Information: To enhance your Assessment and verify business details, we may collect information from public sources such as company registries (e.g., Companies House), professional networks (e.g., LinkedIn), and your corporate website.

Call Recording: We may record telephone or video calls for the following purposes:

1. To perform our contractual obligations with you and deliver the Services;
2. For training and quality assurance;
3. To monitor compliance with our policies and applicable laws;
4. To resolve queries or disputes.

The lawful bases for this processing are:

• Performance of a contract (Article 6(1)(b) UK GDPR), where the call relates to the delivery of our Services; and
• Legitimate interests (Article 6(1)(f) UK GDPR), where we have a business interest in ensuring service quality, staff training, and maintaining accurate records. You have the right to object to processing based on our legitimate interests. If you do not wish for your call to be recorded, please inform us at the start of the call, and we will provide alternative communication arrangements where possible.

2. How We Use Your Information & Legal Bases

We use your information for specific business purposes. Under GDPR, we must identify a "Legal Basis" for each use. The table below sets out how we use your information and the legal basis we rely on:

3. Cookies and Tracking Technologies

We use cookies, pixels, and similar technologies to operate and improve the Services. The terminology below follows the categories in the Cookie Consent Manager.

• Necessary cookies: help make the website usable by enabling basic functions such as page navigation and access to secure areas of the Platform. The Services cannot function properly without these cookies.
• Preferences cookies: where enabled, allow the Platform to remember choices such as language or regional settings that change how the website behaves.
• Statistics cookies: help Servita understand how visitors interact with the Services by collecting and reporting information anonymously so we can improve functionality and onboarding.
• Marketing cookies: where enabled, track the effectiveness of campaigns and advertising activities and support measurement of referrals and commissions.
• Unclassified cookies: if any appear, are cookies that we are in the process of classifying together with the providers of individual cookies.

Your Choices: You can control cookies through browser settings or the Cookie Consent Manager on our website. Disabling non-necessary categories may affect parts of the Services such as login persistence or analytics measurement.

4. How We Share Your Information

We do not sell your Personal Data. We disclose your information only to the specific categories of third parties listed below:

4.1. AI Sub-Processors (Critical):

To provide our core value, AI-driven insights, we must transmit your text inputs (from Assessments, Packs, and Assistant chats) to third-party Large Language Model (LLM) providers, including OpenAI, Google (Gemini), and Anthropic.

Safeguard: We transmit data via secure, enterprise-grade APIs. These providers are authorized to use your data only to generate the specific outputs for you, not to train their public models (unless you have explicitly opted into a different arrangement).

4.2. Service Providers & Tech Stack:

We share data with trusted vendors who help us run the platform:

• Cloud Hosting: Amazon Web Services (AWS) / Microsoft Azure.
• CRM & Marketing: HubSpot (for managing our relationship with you).
• Community Platform: Circle.so (hosting the member community).
• Partner Management: Rewardful (tracking referrals).
• Scheduling: Calendly (booking experts).
• Payment Processing: Stripe.
• Website Chatbot: Botpress, Inc. (powering the AI chatbot on our website). Botpress may use its own sub-processors, including third-party LLM providers such as OpenAI, to process your chatbot conversations and generate responses. For details on Botpress's data handling practices, please refer to the Botpress Privacy Statement (available at botpress.com/legal/privacy-statement).

4.3. Servita Affiliates:

We may share information with other companies within the Servita Group (subsidiaries and affiliates) to provide operational support, such as payment processing or regional expert services.

4.4. Partners:

If you used a partner code/link, we share your status (e.g., "Assessment Purchased", "Subscribed") with that partner so they can receive their commission. We do not share the contents of your Assessment or your confidential business data with them.

4.5. Legal Requirements:

We may disclose information if required by law, subpoena, or legal process, or to protect the rights and safety of Servita and our users.

4.6. Business Transfers:

In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be shared during the due diligence process and transferred to a successor entity as part of that transaction.

4.7. Professional Advisors:

We may share necessary information with our lawyers, accountants, auditors, and insurers to facilitate professional advice, audits, and risk management.

5. International Data Transfers

Servita SME Limited is located in the United Kingdom, but our Platform is global. Your information may be transferred, stored, and processed in countries outside of your residence. Specifically, data is processed in the United Arab Emirates, and cloud infrastructure (such as AWS) may be located in the United States, the United Kingdom, or Ireland. Data submitted to the Website Chatbot may also be processed by Botpress and its sub-processors in Canada and the United States.

For UK/EEA Users, when personal data is transferred outside the UK or EEA to countries not deemed "adequate" by data protection laws (like the US or UAE), we rely on legal mechanisms such as the International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) to protect your rights.

6. Your Rights and Choices

Depending on your location, you may have specific rights regarding your personal data:

• Access & Portability: You can request a copy of the data we hold about you.
• Correction: You can update your account information or correct errors.
• Deletion: You can request the deletion of your personal data, subject to legal retention requirements.
• Object/Restrict: Object to processing based on legitimate interests or request restriction of processing.
• Opt-Out of Marketing: Unsubscribe from emails via the link provided.

Automated Decision Making: Our Services provide AI-driven insights and recommendations to assist your decision-making. However, we do not use fully automated decision-making algorithms that produce legal or similarly significant effects on you without human intervention. You retain full responsibility for all business decisions.

US State Privacy Rights: If you are a resident of a US state with comprehensive privacy legislation (including but not limited to California, Virginia, Colorado, Connecticut, or Utah), you may have additional rights under state laws (like the CCPA/CPRA). This includes the right to opt-out of the "sale" or "sharing" of personal information. While we do not sell data for money, sharing data with advertising partners (like LinkedIn) for cross-context behavioral advertising may be considered "sharing" under these laws. You can opt-out of this via our Cookie Consent Manager or by contacting us.

To exercise these rights: Contact us at privacy-sme@servita.com. We respond within legal timeframes (e.g., 30 days for GDPR).

7. Security & Retention

• Security: We use industry-standard encryption (TLS) and access controls. However, no internet transmission is 100% secure.
• Retention: We retain Personal Data only as long as necessary to provide Services and comply with laws (e.g., tax records). When no longer needed, we securely delete or anonymize it.

8. Children's Privacy

Our Services are strictly B2B and intended for professionals. We do not knowingly collect data from individuals under the age of 18. If we become aware of having collected such data, we will take steps to delete it.

9. Changes to this Policy

This Privacy Policy may update. Material changes will be notified via the Platform or email. Continued use of Services constitutes acceptance.

10. Contact Us

Company Name: Servita SME Limited

Address:
13 Hanover Square
London
W1S 1HN
United Kingdom

Email: privacy-sme@servita.com

Data Protection Officer: dpo-sme@servita.com