Skip to main content

Privacy Policy

Last updated:

1. Data Controller

Nicholas Letts trading as Curvit
19 Jay Close, Bicester, OX26 6XN
privacy@curvit.co.uk

2. Scope

This policy governs all processing of personal data within Curvit.

3. Data Categories

We process the following categories of personal data: account data, uploads, generated outputs, technical data, and payment references.

4. Purposes

Your data is used for: service delivery, AI processing, security, analytics, and service improvement.

5. Lawful Basis

We process personal data on the following lawful bases: contract performance, legitimate interests, consent, and legal obligation.

6. Retention

  • Account data: retained while active plus 30 days after closure.
  • Uploads and generated outputs: 20 days.
  • Technical logs: 90 days.
  • Analytics data: 26 months.
  • Payment records: 6–7 years (legal obligation).

7. Processors

We engage the following sub-processors to operate the service: Google, Azure UK South, OpenAI/Claude, Stripe, Google Analytics, and SendGrid. Each is bound by a data processing agreement and may not use your data for their own purposes.

8. International Transfers

Where personal data is transferred outside the UK or EEA, we rely on Standard Contractual Clauses (SCCs) or applicable adequacy decisions to ensure an equivalent level of protection.

9. Your Rights

Under UK GDPR and applicable data protection law you have the right to access, rectify, erase, restrict, and object to processing of your personal data. To exercise any of these rights, contact us at privacy@curvit.co.uk .

10. Security

We protect your data using encryption at rest and in transit, strict access controls, and continuous security monitoring.

11. Updates

This policy is updated periodically. Material changes will be communicated via email or an in-product notice. Continued use of the service after the effective date constitutes acceptance.