Privacy Policy

1. Introduction

Issoria Limited, trading as ChangeAble Limited ("we," "our," or "us") operates the ChangeAble.ai platform (the "Service"). We are committed to protecting your privacy and personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you use our AI-powered change management platform. Please read this policy carefully to understand our practices regarding your personal data.

Data Controller:
Issoria Limited, trading as ChangeAble Limited
Email: info@issoriachange.com

2. Information We Collect

2.1 Personal Information You Provide

When you use our Service, we may collect the following personal information:

• Account Information: Name, email address, password, organization name, and job title
• Payment Information: Billing address, payment card details (processed securely by our payment provider)
• Profile Information: Professional information you choose to add to your profile
• Communications: Information you provide when you contact us for support or inquiries

2.2 Project and Business Data

When you use ChangeAble to manage change initiatives, we process:

• Uploaded Documents: Project documentation, plans, reports, and other files you upload
• Stakeholder Information: Names, roles, departments, and other stakeholder data you input
• Project Data: Change impact assessments, benefits tracking, communications plans, training materials, and other change management deliverables you create
• AI-Generated Content: Insights, drafts, and recommendations generated by our AI based on your inputs

2.3 Usage and Technical Data

We automatically collect certain information when you use our Service:

• Log Data: IP address, browser type and version, time zone settings, operating system
• Usage Information: Pages visited, features used, time spent on the platform, interaction patterns
• Device Information: Device type, unique device identifiers, mobile network information
• Cookies and Similar Technologies: See our Cookie Policy for details

3. How We Use Your Information

We process your personal data for the following purposes, based on the legal grounds specified:

3.1 To Provide Our Service (Contract Performance)

• Create and manage your account
• Process AI-powered analysis of your project documentation
• Generate change management deliverables and insights
• Store and organize your project data in vector databases
• Enable collaboration features within your organization
• Process payments and manage subscriptions

3.2 AI Processing (Contract Performance & Legitimate Interest)

We use OpenAI's advanced AI models (including o3 and o4-mini) to:

• Analyze uploaded documents and extract relevant information
• Auto-populate change impact assessments and other tools
• Generate draft communications, training plans, and benefits trackers
• Provide AI-powered insights and recommendations
• Create and maintain project-specific vector stores for contextual responses

3.3 Service Improvement (Legitimate Interest)

• Analyze usage patterns to improve our platform
• Develop new features and functionality
• Conduct research and analytics
• Test and optimize AI model performance

3.4 Communications (Consent & Legitimate Interest)

• Send transactional emails (account notifications, service updates)
• Provide customer support
• Send marketing communications (with your consent, which you may withdraw)

3.5 Legal Compliance (Legal Obligation)

• Comply with legal obligations and regulations
• Prevent fraud and ensure platform security
• Enforce our Terms of Service

4. How We Share Your Information

We do not sell your personal data. We may share your information with the following categories of third parties:

4.1 Service Providers

• OpenAI: AI processing and model hosting (subject to OpenAI's data usage policies)
• Supabase: Database hosting and backend infrastructure
• Payment Processors: Secure payment processing (e.g., Stripe)
• Cloud Hosting Providers: Infrastructure and storage services
• Analytics Providers: Platform analytics and performance monitoring

All third-party service providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.2 Enterprise Deployments

For Enterprise customers, ChangeAble can be deployed in your private cloud environment, ensuring your data never leaves your tenant and uses your internal AI infrastructure.

4.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, government agencies).

4.4 Business Transfers

If we are involved in a merger, acquisition, or asset sale, your personal data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

5. International Data Transfers

Your information may be transferred to and processed in countries outside the United Kingdom, including the United States, where our service providers (such as OpenAI and cloud infrastructure providers) are located.

When we transfer personal data outside the UK, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the UK authorities
• Adequacy decisions recognizing equivalent data protection standards
• Binding corporate rules and certifications where applicable

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

• Account Data: Retained while your account is active and for a reasonable period after closure for legal and operational purposes
• Project Data: Retained while your subscription is active, with the option to export or delete
• Uploaded Documents: Stored in project-specific vector databases until you delete them or close your account
• Payment Records: Retained as required by tax and accounting regulations (typically 7 years)
• Marketing Data: Retained until you withdraw consent or request deletion

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where we must retain certain information for legal compliance.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

• Encryption of data in transit (TLS/SSL) and at rest
• Regular security assessments and vulnerability testing
• Access controls and authentication mechanisms
• Row-level security (RLS) policies in our database
• Regular backups and disaster recovery procedures
• Employee training on data protection and security

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.

8. Your Data Protection Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of Access: Request copies of your personal data
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
• Right to Restrict Processing: Request limitation of how we process your data
• Right to Data Portability: Request transfer of your data to another service
• Right to Object: Object to processing based on legitimate interests or for direct marketing
• Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects

To exercise any of these rights, please contact us at info@issoriachange.com. We will respond to your request within one month.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have not handled your personal data properly. Visit ico.org.uk for more information.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our platform. For detailed information about the cookies we use and your choices, please see our Cookie Policy.

10. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children under 18. If you become aware that a child has provided us with personal data, please contact us, and we will take steps to delete such information.

11. AI Processing and Transparency

11.1 How AI Processes Your Data

ChangeAble uses artificial intelligence to analyze your project documentation and generate change management deliverables. When you upload documents or input data:

• Your content is sent to OpenAI's API for processing
• A project-specific vector store is created to enable contextual AI responses
• AI models analyze your data to generate insights, drafts, and recommendations
• Generated content is stored in our database for your access and editing

11.2 AI Limitations and Human Review

AI-generated content is intended to assist and accelerate your work, not replace professional judgment. All AI outputs should be reviewed and validated by users before use. We do not make automated decisions that produce legal or similarly significant effects without human involvement.

11.3 OpenAI Data Usage

We use OpenAI's API services, which are subject to OpenAI's data usage policies. OpenAI does not use data submitted via the API to train their models. For more information, see OpenAI's Privacy Policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

• Posting the updated policy on this page with a new "Last Updated" date
• Sending you an email notification (for significant changes)
• Displaying a prominent notice on our platform

Your continued use of the Service after such changes constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: