Privacy Policy

Depending on the context in which personal information is processed, Cubix Analytics may act in one of two roles:

• As a data controller, when we determine the purposes and means of processing - for example, when you visit our website, register for an account or a demonstration, or communicate with us directly.

• As a data processor (or service provider), when we process data contained within the Cubix Analytics platform on behalf of a business customer that uses the Services. In this role we process such data strictly in accordance with the customer's instructions and the applicable written agreement (such as a Master Services Agreement, SaaS Agreement, Order Form, or Data Processing Agreement).

Where we act as a processor, the business customer is the controller of the relevant data and is responsible for the lawful basis, notices, and consents required for that data. Customer data processed through the platform remains owned and controlled by the customer; Cubix Analytics does not acquire ownership rights in it.

We use personal information for the following purposes:

• To authenticate users and maintain accounts.

• To provide, operate, secure, maintain, and support the Services.

• To personalise and improve platform features, performance, and reliability.

• To monitor system performance, integrity, and security, and to detect and prevent misuse.

• To communicate with you about service updates, technical notices, and product changes, and where you have consented marketing communications.

• To comply with applicable legal, regulatory, contractual, and audit obligations.

We do not sell personal information, and we do not disclose identifiable content from your conversations, queries, or Customer Data except as described in this Policy or as authorised under the applicable agreement.

Cubix Analytics uses enterprise-grade AI model providers to deliver AI-assisted analytics, natural-language query, summarisation, forecasting support, and related capabilities. Our use of data in connection with AI is governed by the following principles:

• We do not use Customer Data, prompts, outputs, queries, business logic, configurations, or feedback to train or fine-tune shared AI models, to improve third-party foundation models, or for other unrelated commercial purposes, unless expressly agreed in writing with the customer.

• We do not input Customer Data into public, consumer, shared, or non-enterprise AI tools. AI processing is performed through approved enterprise, business, or private model endpoints.

• Customer Data sent to an AI model provider is used only for the requested AI operation and is not retained by the provider beyond applicable provider terms, unless otherwise agreed.

• For enterprise customers, data submitted through their environments is not used for AI model training unless expressly permitted in a written agreement.

• Aggregated operational metadata that does not identify the customer, users, Customer Data, prompts, outputs, or confidential information may be used to maintain and improve service reliability, security, and capacity planning.

Where we act as a controller for an individual's personal information, you may object to or opt out of optional uses of your data by contacting us using the details in the "Contact Us" section below.

Where the EU or UK General Data Protection Regulation applies and we act as a controller, we rely on the following legal bases:

• Performance of a contract: to provide the Services you or your organisation request.

• Legitimate interests: to secure, operate, improve, and develop our products, provided your interests and rights do not override those interests.

• Consent: for optional cookies, analytics, and marketing communications.

• Legal obligation: to comply with applicable data protection, accounting, and regulatory requirements.

We may share personal information with the following categories of recipients:

• Service providers and subprocessors that support hosting, data storage, authentication, analytics, monitoring, support, and AI operations. Such providers are bound by appropriate confidentiality, security, and data-protection commitments and may only process data as necessary to provide their services to us.

• Authorities or other parties where disclosure is required by law, regulation, or legal process, or is reasonably necessary to protect the rights, safety, or security of users, the public, or our Services.

• Successors or acquirers in connection with a merger, acquisition, financing, reorganisation, or sale of assets, subject to this Policy or a successor policy providing comparable protection.

Where required by the applicable agreement, we maintain a written list of approved subprocessors and provide affected customers with prior notice of material changes.

We may process and store personal information in countries other than the one in which you are located. Where personal information is transferred across borders, we use appropriate safeguards, such as Standard Contractual Clauses and vendor due diligence, to protect that information in accordance with applicable law.

For customer-controlled cloud or data-warehouse deployments, Customer Data may remain within the customer's selected region or environment, subject to the deployment architecture agreed by the parties.

We retain personal information only for as long as necessary for the purposes described in this Policy, to provide the Services, and to satisfy legal, audit, or regulatory obligations:

• Account information: for the duration your account is active, plus a limited additional period for backups and operational continuity.

• Customer Data: for the period defined in the applicable agreement and the customer's configuration. On termination or expiry, or on the customer's request, Customer Data under our control is deleted or returned in accordance with the agreed offboarding process.

• Logs and operational records: in accordance with the applicable retention configuration and our security and governance practices.

You may request deletion or anonymisation of your personal information using the details in the "Contact Us" section. Where we act as a processor, requests relating to Customer Data should be directed to the relevant customer (controller), and we will support the customer in responding.

We maintain administrative, technical, and organisational measures designed to protect personal information, including:

• Encryption of data in transit using TLS 1.2 or higher, and commercially reasonable encryption of data at rest.

• Role-based access controls, support for multi-factor authentication, and tenant isolation designed to prevent unauthorised access between customers.

• Logging, monitoring, and vulnerability management practices.

• Confidentiality obligations and security training for personnel with access to personal information.

• Incident response procedures informed by recognised industry frameworks such as ISO/IEC 27001. Where we become aware of a confirmed security incident that materially affects personal information, we will notify affected parties without undue delay and in accordance with applicable law and the relevant agreement.

We use cookies and similar technologies to maintain session security, remember preferences, collect analytics, and, where you have consented, support marketing. We do not use advertising or cross-site tracking cookies on our enterprise platforms. You can manage cookie preferences through your browser settings or any cookie controls we provide.

Subject to applicable law, including the GDPR and the California Consumer Privacy Act (as amended), you may have the right to:

• Access, correct, update, delete, or obtain a portable copy of your personal information.

• Restrict or object to certain processing of your personal information.

• Withdraw consent at any time, where processing is based on consent.

• Appoint an authorised agent to make a request on your behalf, where permitted.

• Not receive discriminatory treatment for exercising your rights.

To exercise these rights, please contact us using the details below. Where the request relates to Customer Data for which we act as a processor, we will refer the request to, or assist, the relevant customer (controller).

The Services are intended for business and professional use and are not directed to, or intended for use by, children. We do not knowingly collect personal information from children under the age of 16. If we become aware that we have collected such information without appropriate authorisation, we will delete it promptly.

We may update this Policy from time to time to reflect changes in our practices, the Services, or legal requirements. Material changes will be communicated through our website, by email, or via in-app notice. Your continued use of the Services after an update takes effect constitutes acceptance of the revised Policy.

If you have questions, concerns, or requests regarding this Policy or your personal information, please contact us: