Privacy Policy

1. Data We Collect

1.1 Information You Provide

• Account and registration data: name, email address, job title, company name, billing details;
• Communications: support tickets, email correspondence, feedback, and survey responses;
• Content and inputs: text, files, prompts, and data submitted to AI Features;
• Payment information: processed via third-party processors; we do not store full card data.

1.2 Information Collected Automatically

• Usage data: feature interactions, AI queries, workflow configurations, timestamps;
• Technical data: IP address, browser type, operating system, device identifiers;
• Log data: access logs, error logs, API request logs;
• Cookies and tracking: session cookies, analytics cookies, authentication tokens (see Section 10).

1.3 Information from Third Parties

• Information provided through resellers or channel partners.
• Publicly available professional information, where permitted and applicable by law.

1.4 AI-Specific Data

When you use AI Features, we may process:

• Prompts and inputs submitted to AI models.
• AI Outputs generated in response to those inputs.
• Model performance and safety data.
• Feedback on AI Output quality.
• Automated decision signals and usage patterns (see Section 11 — Automated Decision-Making).

2. How We Use Your Data

2.1 Service Provision

We use your data to provide, operate, and maintain the Platform; process transactions; authenticate users; deliver AI Features; and provide customer support.

2.2 AI Model Operation and Improvement

We use data to operate and serve AI Features. Unless you have opted out or your organisation has an Enterprise Agreement restricting model training, we may use de-identified, aggregated interaction data to improve model safety and performance. We will not use identifiable Customer Data to train AI models without your explicit, freely given consent. Consent for AI model training may be withdrawn at any time via your account settings or by contacting legal@meetviro.com.

2.3 Communications

We send service notifications essential to the operation of the Platform. Marketing communications are sent only with your consent (where required by law) or on the basis of legitimate interest (where permitted), and you may opt out at any time by clicking the “Unsubscribe” link in any marketing email, adjusting your notification preferences in your account settings, or emailing legal@meetviro.com. We will honour opt-out requests within 10 business days.

2.4 Analytics and Product Improvement

We analyse aggregated, anonymised usage data to improve the Platform’s features, performance, and user experience. We do not use identified personal data for analytics without a lawful basis.

2.5 Legal and Compliance

We use data to comply with applicable laws and lawful government requests, enforce our Terms, and detect, investigate, and prevent fraud, abuse, and security incidents.

3. Legal Bases for Processing — Global Framework

We process personal data only where we have a valid legal basis to do so. The applicable legal basis varies depending on your jurisdiction. The table below identifies the primary legislation and supervisory authority applicable in key jurisdictions:

3.1 Legal Bases — EEA, UK, and Switzerland (GDPR / UK GDPR / revFADP)

• Contract Performance: Processing necessary to fulfil our agreement with you.
• Legitimate Interests: Analytics, fraud prevention, security, and product improvement, balanced against your rights.
• Legal Obligation: Compliance with applicable law and regulatory requirements.
• Consent: Marketing, optional cookies, and AI training on identified data; withdrawable at any time.

3.3 Legal Bases — United States

We do not sell your personal data. We do not share your personal data for cross-context behavioural advertising. California residents have additional rights under the CCPA/CPRA, detailed in Section 8. For other US states with enacted comprehensive privacy laws (Virginia, Colorado, Connecticut, Texas, et al.), we apply equivalent rights and processes to those described for California residents. We implement appropriate technical and organisational measures for all US users consistent with the FTC’s reasonable data security standards.

3.4 Legal Bases — Brazil (LGPD)

For Brazilian data subjects, processing is based on consent, contract performance, legal obligation, protection of life, legitimate interest, or exercise of rights — as applicable under Articles 7 and 11 of the LGPD. Brazilian data subjects may contact our privacy team to exercise their LGPD rights, including confirmation of processing, access, correction, anonymisation, portability, and deletion.

3.5 Legal Bases — South Africa (POPIA)

For South African data subjects, we process personal information in accordance with the conditions for lawful processing set out in POPIA, including accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. South African data subjects may lodge complaints with the Information Regulator at inforeg.org.za.

3.6 Legal Bases — Canada (PIPEDA)

We collect, use, and disclose personal information of Canadian residents with knowledge and consent (express or implied), except where a legal exception applies. We retain data only as long as necessary for the identified purpose and implement appropriate security safeguards consistent with the sensitivity of the information.

4. Third-Party Subprocessors

We engage trusted third-party sub-processors to support our services. Categories of subprocessors include:

• AI model providers; for AI inference and model serving
• Cloud infrastructure providers; for storage, compute, and database services
• Analytics platforms; for aggregated product usage analytics
• Customer support tools; for ticketing and communications management
• Payment processors; for billing and subscription management
• Security and monitoring services; for threat detection and incident response
• Email delivery services; for transactional and marketing communications.

All subprocessors are bound by data processing agreements that meet the applicable legal standards of the jurisdictions in which we operate. An up-to-date list of subprocessors is available upon request at legal@meetviro.com.

We will notify you of material changes to our subprocessor list in accordance with our DPA.

5. Data Sharing

We do not sell your personal data. We do not share personal data for cross-context behavioural advertising. We share data only in the following circumstances:

• With sub-processors as described in Section 4, under binding data processing agreements;
• With your organisation’s administrators, if you access the Platform through an organisational account;
• With professional advisors (lawyers, accountants, auditors) under strict confidentiality obligations;
• In connection with a merger, acquisition, or asset sale — in which case we will notify affected users;
• To comply with legal obligations, court orders, or lawful government requests;
• To protect the rights, property, or safety of The Scaling Company, our users, or the public.

6. Data Retention and Deletion

6.1 Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law.

6.2 Deletion Requests

You may request deletion of your personal data by contacting legal@meetviro.com. We will process verified requests within 30 days (or within the timeframe required by applicable law in your jurisdiction). Deletion may be subject to our legal retention obligations and cannot apply to data that has already been irreversibly anonymised.

7. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. These transfers are made only where there is a lawful mechanism in place, appropriate to your jurisdiction:

• EEA and UK transfers: Standard Contractual Clauses (SCCs) approved by the European Commission; adequacy decisions where applicable; Binding Corporate Rules where relevant.
• Brazilian transfers: Transfers are made in accordance with Chapter V of the LGPD, using standard contractual clauses, adequacy decisions, or specific contractual clauses.
• South African transfers: Transfers to third parties in foreign countries are subject to contracts imposing equivalent data protection obligations under POPIA Section 72.
• All other jurisdictions: Equivalent contractual or regulatory mechanisms are applied as required by local law.

We conduct Transfer Impact Assessments (TIAs) for transfers to countries without an adequacy determination where required, and we implement supplementary technical measures (such as end-to-end encryption) where necessary.

8. Your Rights

Subject to applicable law and your jurisdiction, you may have some or all of the following rights with respect to your personal data:

To exercise any of these rights, contact us at privacy@thescalingcompany.com. We will respond within 30 days (or within the shorter period required by your jurisdiction’s law). We may require identity verification before processing your request. We will not charge a fee for reasonable requests.

9. Data Protection Officer and Privacy Contact

We have designated a Data Protection Officer (DPO) responsible for overseeing our compliance with applicable data protection laws. You may contact our DPO / Legal Officer at: legal@meetviro.com.

10. Security

We implement technical and organisational security measures appropriate to the risk, including:

• Role-based access controls and multi-factor authentication (MFA);
• Regular security assessments, vulnerability scanning, and penetration testing;
• Incident response procedures with regulatory notification timelines met;
• Vendor risk assessments for all subprocessors.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR), or within the period required by applicable law in your jurisdiction, and will notify affected individuals without undue delay where required.

11. Automated Decision-Making and Profiling

As an AI-powered platform, certain features may involve automated processing of your data to generate outputs, recommendations, or classifications. We are committed to transparency about how automated decision-making is used on our Platform:

• We may use automated systems to detect fraud, security threats, or policy violations;
• AI Features generate outputs based on your inputs; these outputs are tools to assist you, not binding decisions made about you;
• Where any automated process produces a decision that significantly affects you legally or similarly, you have the right to: (a) request human review of that decision, (b) express your point of view, and (c) contest the decision — as provided under GDPR Article 22, and equivalent laws in other countries and regions.

We do not use solely automated processing to make decisions about your eligibility for services, employment, creditworthiness, or other significant matters without human oversight, except where expressly permitted by law and subject to appropriate safeguards.

12. Cookies and Tracking Technologies

We use the following categories of cookies and similar tracking technologies:

• Essential cookies: Strictly necessary for the Platform to function (authentication, security, session management). These cannot be disabled.
• Analytics cookies: Help us understand how users interact with the Platform (page views, feature usage, error tracking). Deployed only with your consent.
• Preference cookies: Remember your settings and personalisation choices. Deployed only with your consent.
• Marketing cookies: Where applicable, to measure the effectiveness of communications. Deployed only with your explicit consent.

You may manage your cookie preferences at any time through our cookie consent manager (accessible via the cookie icon in the Platform footer). Withdrawing consent for non-essential cookies will not affect the operation of the core Platform. Analytics cookies are retained for a maximum of 13 months before resetting.

13. Children’s Privacy

The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at legal@meetviro.com and we will promptly delete such data. Where local law sets a higher minimum age for consent to data processing, we comply with that higher standard.

In jurisdictions subject to the US Children’s Online Privacy Protection Act (COPPA), we do not knowingly collect personal data from children under the age of 13.

14. Third-Party Links and Integrations

The Platform may contain links to third-party websites or allow integrations with third-party services. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party service before sharing your data with them.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Where changes are material, we will notify you by email and by in-platform notice at least 30 days before the effective date of the updated Policy. The notification will clearly describe what has changed and why. We will not reduce your rights under this Policy without your explicit consent where required by law.

16. Contact and Complaints

For all privacy-related enquiries, requests, and complaints: