Last updated: April 2026
1. Data Controller
N90 Labs Ltd (“N90 Labs”, “we”, “us”) is a company registered in England & Wales. We are the data controller for the personal data described in this policy.
Contact: privacy@n90.ai
2. Information We Collect
Contact form & booking page
Name, email address, company name (optional), phone number (optional), and project description. If you use Google or LinkedIn to pre-fill the form, we receive your name, email, and profile URL from the provider.
Customer portal & purchases
Email address, name, company, payment details (processed by Stripe — we do not store card numbers), purchase history, service tier, and intake form responses (target URL, platform, GitHub repository selections, security concerns).
Calendar bookings
Name, email, and selected time slot when you book a discovery call. A Google Calendar event is created on your behalf.
Usage and log data
Our hosting provider (Vercel) automatically collects standard log data including IP addresses, browser type, and pages visited. IP addresses are used for rate limiting and abuse prevention.
Analytics data
With your consent, we collect analytics data via Google Analytics 4 and LinkedIn Insight Tag. These only load after you accept analytics cookies via our consent banner.
3. Lawful Basis for Processing
Under UK GDPR, we process your personal data on the following bases:
- Legitimate interests (Art. 6(1)(f)) — responding to enquiries, operating our website, rate limiting, fraud prevention, and improving our services.
- Contract performance (Art. 6(1)(b)) — processing purchases, delivering security assessments, managing your customer portal account, and booking discovery calls.
- Consent (Art. 6(1)(a)) — analytics cookies (Google Analytics 4, LinkedIn Insight Tag). You can withdraw consent at any time via the cookie banner.
4. How We Use Your Information
- Respond to enquiries — we use your contact details to reply to your message and send a branded confirmation email.
- AI-powered services — your project description is processed by Anthropic Claude to generate AI briefs, field suggestions, and assessment reports. This processing happens in real time via Anthropic’s API.
- Process payments — Stripe processes your payment and we store the transaction record (tier, amount, status) in our database.
- Deliver services — security assessments, customer portal access, calendar scheduling, and Slack channel creation for project communication.
- Company identification — we use your email domain to identify your company for a better experience. This is done client-side and via our suggestions API.
5. Third-Party Processors
We share personal data with the following processors, each operating under their own privacy policies and appropriate safeguards:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, customer portal | EU (Ireland) |
| Stripe | Payment processing, invoicing | US |
| Anthropic | AI brief generation, field suggestions, assessments | US |
| Resend | Transactional email delivery | US |
| Slack | Project channel creation, team communication | US |
| Google Workspace | Calendar scheduling, OAuth authentication | US |
| OAuth authentication, conversion tracking (with consent) | US | |
| Vercel | Hosting, edge network, cookieless analytics | US |
| Google (GA4) | Website analytics (consent required) | US |
6. AI Processing
We use Anthropic’s Claude AI models to process text you submit through our website. Specifically:
- Contact form AI brief generation — your project description is sent to Anthropic to generate a structured brief.
- Field suggestions — your company name and email domain are used to suggest relevant information.
- FileMaker assessment tool — your responses are processed to generate a platform assessment.
- Security assessment chat — your questions are processed to provide relevant security guidance.
Anthropic processes this data under their privacy policy. Data sent to the API is not used to train their models.
7. Data Retention
We store personal data in our database (hosted by Supabase in the EU) and retain it for the following periods:
- Contact enquiries — 2 years from submission, then deleted.
- Customer & purchase records — retained for the duration of the business relationship, plus 6 years for tax and legal compliance.
- Calendar bookings — retained for 1 year after the meeting date.
- Activity logs — retained for 1 year for security and operational purposes.
- OAuth tokens — not stored. Used only during the authentication flow.
- Rate limiting data — held in-memory only, not persisted.
8. Cookies & Analytics
Essential cookies: We set authentication cookies for the admin dashboard and customer portal (Supabase auth). These are necessary for the service to function.
Cookieless analytics: Vercel Web Analytics and Speed Insights operate without cookies and do not track individual users. These do not require consent.
Consent-gated analytics: Google Analytics 4 and LinkedIn Insight Tag only load after you give explicit consent via our cookie banner. You can withdraw consent at any time by clicking the cookie preferences link in our footer.
9. International Transfers
Our database is hosted in the EU (Supabase, Ireland). Some processors (Stripe, Anthropic, Resend, Slack, Google, LinkedIn, Vercel) are based in the United States. Where personal data is transferred outside the UK, transfers are protected by the UK International Data Transfer Agreement (UK IDTA) or standard contractual clauses (SCCs) as required by UK GDPR.
10. Your Rights
Under the UK General Data Protection Regulation (UK GDPR), you have the right to:
- Access the personal data we hold about you
- Request rectification of inaccurate data
- Request erasure of your data
- Request restriction of processing
- Data portability
- Object to processing based on legitimate interests
- Withdraw consent at any time (where processing is based on consent)
- Not be subject to automated decision-making with legal effects
To exercise any of these rights, contact us at privacy@n90.ai. We will respond within one month.
11. Your California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.
Categories of personal information we collect
| CCPA Category | Examples | Business Purpose |
|---|---|---|
| Identifiers | Name, email, IP address, company name | Respond to enquiries, deliver services, prevent abuse |
| Commercial information | Purchase history, service tier, payment status | Process transactions, deliver purchased services |
| Internet or network activity | Browser type, pages visited, analytics data (with consent) | Website operation, analytics, rate limiting |
| Professional or employment information | Company name, job title, LinkedIn profile URL | Personalise communication, company identification |
| Inferences | AI-generated briefs, assessment results | Deliver AI-powered services requested by you |
Sale and sharing of personal information
We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. We have not sold or shared personal information in the preceding 12 months.
Your rights under the CCPA
As a California resident, you have the right to:
- Right to know — request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to delete — request that we delete the personal information we have collected from you, subject to certain exceptions (e.g. legal obligations, completing a transaction).
- Right to correct — request that we correct inaccurate personal information we maintain about you.
- Right to opt-out of sale/sharing — we do not sell or share your personal information, so this right is already satisfied.
- Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by the CCPA.
- Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.
How to submit a request
To exercise any of these rights, contact us at privacy@n90.ai. We will verify your identity and respond within 45 days. You may also designate an authorised agent to make a request on your behalf.
12. Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
We would appreciate the chance to address your concerns before you contact the ICO, so please reach out to us first.
13. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated “Last updated” date. Material changes will be highlighted on the website.
14. Contact
If you have any questions about this privacy policy or how we handle your data, contact us at privacy@n90.ai.