Privacy Policy

Ndozi Ltd is the data controller for personal data processed through the Ndozi platform (ndozisystem.com). We are registered in England and Wales. For all privacy enquiries, contact us at privacy@ndozisystem.com

• Account data — your name, email address and encrypted password when you sign up.
• Profile data — business information you provide during onboarding, including your niche, industry, goals and brand voice details.
• Usage data — token consumption, agent interactions, features used and actions taken within the platform.
• Payment data — processed by Stripe. We do not store card details or payment instrument data.
• Technical data — IP address, browser type, device identifiers, and session data collected automatically.
• Social and website data — publicly available content from URLs and social handles you provide for agent training.
• Communications data — messages you send to our support team or via the contact form.

• Providing, maintaining and improving the Ndozi platform
• Personalising your AI agents with your business context
• Processing your subscription payments via Stripe
• Sending transactional emails (account updates, receipts, security alerts)
• Sending product updates and feature announcements where you have opted in
• Analysing usage patterns to improve platform performance and agent quality
• Complying with legal obligations and preventing fraud and abuse

• Contract performance — processing necessary to deliver the platform as described in our Terms of Use.
• Legitimate interests — platform improvement, fraud prevention, security monitoring and support operations.
• Consent — marketing communications, where you have actively opted in.
• Legal obligation — retaining records required by UK law, responding to lawful requests from authorities.

We share data only with the following GDPR-compliant processors, each bound by data processing agreements:

• Supabase — database and authentication infrastructure, hosted in the EU.
• Stripe — payment processing. Stripe is PCI DSS compliant.
• OpenRouter — AI model routing. Prompts are processed to generate responses. No data is retained for model training by default.
• Phyllo — social media analytics where you connect social accounts.
• Resend — transactional email delivery.
• Vercel — hosting infrastructure.

We do not sell your data. We do not share your data with advertisers or data brokers.

• Account and profile data is retained while your account is active and for 2 years after deletion for fraud prevention.
• Payment records are retained for 7 years as required by UK financial regulations.
• Agent interaction logs are retained for 12 months then automatically deleted.
• Support communications are retained for 3 years.

Under UK GDPR you have the following rights:

• Access — request a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate or incomplete data.
• Erasure — request deletion of your personal data (right to be forgotten).
• Portability — receive your data in a structured, machine-readable format.
• Restriction — request that we limit processing of your data in certain circumstances.
• Objection — object to processing based on legitimate interests.

To exercise any right, contact privacy@ndozisystem.com. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

We use strictly necessary cookies for authentication (Supabase session management) and functional cookies for user preferences such as theme settings. We do not use advertising cookies or cross-site tracking cookies. You can manage cookie preferences in your browser settings. Disabling essential cookies will prevent you from staying logged in.

We implement industry-standard security measures including HTTPS encryption in transit, encrypted data at rest via Supabase, row-level security policies on all database tables, API key authentication on all endpoints, and regular security reviews. No transmission over the internet can be guaranteed 100% secure.

The Ndozi platform is not intended for users under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, contact privacy@ndozisystem.com and we will delete the account promptly.

We may update this Privacy Policy periodically. For material changes, we will notify you by email with at least 30 days notice before the change takes effect. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.

For privacy enquiries: privacy@ndozisystem.com

By post: Ndozi Ltd, England, United Kingdom.