Privacy
Privacy policy.
Last updated May 2026
The Vidai product runs on your infrastructure. Your AI prompts and responses never reach us. It does not phone home. This policy covers personal data we handle on the marketing site (vidai.uk) and the customer portal (portal.vidai.uk).
Who we are
Vidai UK Limited is the data controller. We are a private limited company registered in Scotland, company no. SC863190, with registered office at 48 West George Street, Clyde Offices, 2nd Floor, Glasgow, Scotland, G2 1BP. We are registered with the UK Information Commissioner's Office (ICO), registration reference ZC112994.
Two ways to reach us about privacy:
- Email [email protected] for data-protection requests (access, correction, deletion, objection, withdrawal of consent).
- Use the contact form for anything else.
What we collect, and why
The marketing site (vidai.uk)
If you submit the contact form (Request a Demo) we receive the details you provide (work email, name, company, role, message), used solely to arrange and have that conversation. Legal basis: our legitimate interest in responding to an enquiry you initiated. Submissions are stored as a contact in our email tool (Brevo, EU-hosted) so we can reply to you and so we have a record of the enquiry; we also send you a confirmation email at the same time. See the vendor table below.
The Community edition is now self-serve through the customer portal; the marketing site no longer carries a licence-request form. See the Customer portal section below for the disclosure that covers portal sign-in.
The customer portal (portal.vidai.uk)
When you sign in to the portal (using Google, LinkedIn, GitHub, or email), we receive only:
- your name (
user.full_name) - your primary email address (
user.primary_email_address) and whether it is verified - your profile image URL (
user.image_url)
We associate this with the Vidai licence keys we have issued to you and the editions (Community / Enterprise) you are entitled to. We use it to deliver and administer the licence: to authenticate you, to make your keys available for download, to support you, to keep accurate records of what we have licensed to whom, and to meet our own legal and tax record-keeping obligations.
Legal bases. For paying Enterprise customers: performance of a contract (UK GDPR Article 6(1)(b)). For Community-edition users (the licence is royalty-free but is still issued under our Community Licence Agreement): the same Article 6(1)(b) basis applies — we need name and email to issue and administer the licence you have accepted. For our internal records of who we have licensed software to: our legitimate interest, and our legal obligation to keep accurate business records.
Rate-card service
Our rate-card service returns provider pricing data in response to API requests. It validates the API key issued to you through the portal, then returns a JSON response. We do not store any usage data, prompt/response content, token counts, or per-call analytics from this service. Standard server logs (including the requesting IP address and timestamp) may be retained for a short period for security and abuse-prevention purposes, then rotated out.
Product updates and release notes
Once we have implemented an explicit opt-in in the portal, we will only send product updates and release notes to portal users who have ticked an unticked-by-default consent box, and every such email will include a one-click unsubscribe. Until that is in place, we do not send marketing or product-update emails from portal accounts. Operational emails strictly necessary to your licence (e.g. licence expiry, security advisories, breaking changes) are not marketing and are sent on the contractual basis above.
Who processes your data on our behalf
We use the following processors. Each is bound by a Data Processing Agreement. International transfers (outside the UK / EEA) rely on the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses with the UK Addendum.
| Vendor | Purpose | Surface | Data | Location | Transfer mechanism |
|---|---|---|---|---|---|
| Clerk Clerk DPA & SCCs ↗ | Portal sign-in (Google, LinkedIn, GitHub, email) and account session management | Portal (portal.vidai.uk) | Name, email, email-verified flag, profile image URL, OAuth provider identifier, session/IP metadata | United States | UK IDTA + EU SCCs (per Clerk DPA, schedules 3 and 5) |
| Hetzner Hetzner DPA ↗ | Storage of portal account records, licence keys and download history | Portal (portal.vidai.uk) | Account record: name, email, licence keys issued, edition (Community / Enterprise), timestamps | European Union (Germany / Finland data centres) | — |
| Brevo (Sendinblue) Brevo privacy ↗ | Records demo-request submissions from /contact as a contact in our email tool, and sends the confirmation reply to you and the internal alert to our team | Marketing site (vidai.uk) — /contact form | Whatever you type into the contact form (work email, name, company, role, message), plus the source page | European Union (Brevo's EU data residency) | — |
| Cloudflare Turnstile Cloudflare privacy ↗ | Blocks automated abuse on the /contact form | Marketing site (vidai.uk) — /contact form | Limited technical signals to distinguish humans from bots (IP, headers, interaction) | United States | UK IDTA / EU SCCs |
| Google Analytics 4 (Google Ireland) Google Analytics privacy ↗ | Page-level usage statistics — loaded only after you click “Accept” on the cookie banner | Marketing site (vidai.uk) | Page views, anonymised IP, device/browser, approximate location. No advertising or data-sharing features enabled. | European Union (with onward transfer to United States by Google) | EU SCCs + UK Addendum (Google) |
Cookies and similar technologies
The marketing site sets no analytics or tracking cookies unless you choose “Accept” on the cookie banner. Declining keeps the site fully usable; we simply do not load Google Analytics.
If you accept, we load Google Analytics 4, which sets the following cookies (typical names; Google may vary these):
_ga— distinguishes visitors. Lifetime: ~2 years._ga_<container-id>— session state for the GA4 container. Lifetime: ~2 years.
IP addresses are anonymised and Google advertising and data-sharing features are disabled. A single technical entry in your browser's local storage records your banner choice (key: vidai-cookie-consent) so we do not ask again; this is strictly necessary and not used for tracking.
The portal sets only strictly necessary cookies and tokens for sign-in and session management via Clerk. These do not require consent under UK PECR. The portal links back to this page for the full privacy notice.
Withdrawing consent
You can withdraw analytics consent at any time by clearing this site's data in your browser (which removes the stored choice and shows the banner again), or by using your browser's cookie controls. Once we offer a product-update mailing list, you will be able to unsubscribe with one click from any email we send.
Retention
- Contact-form enquiries — kept only as long as needed to handle your request and any follow-up, then deleted.
- Portal account records (name, email, licence keys, edition) — kept for the duration of your relationship with us and for up to 6 years after it ends, to meet UK contract and tax record-keeping requirements.
- Rate-card service logs — short rolling window for security and abuse prevention; no usage analytics are stored.
- Analytics data — retained per Google Analytics' configured retention period.
Your rights
Under UK GDPR you can ask what data we hold about you and request access, correction, deletion, restriction or portability, and you can object to processing or withdraw consent where consent is the basis. Email [email protected] or use the contact form and we will action it. You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk).
Changes to this policy
If we change this policy we will update the “Last updated” date above. Material changes (for example, adding a new processor in a new country) will be highlighted on this page for a reasonable period.
This page is a plain-language summary, not a substitute for the formal terms provided during procurement (see also Legal).