Privacy Policy for Iamwendi.ai


Effective Date: 1st of July 2025

1. Who We Are

Iamwendi.ai (“Wendi”) is an enterprise AI agent developed and operated by Cubode LTD (“The company”, “Cubode”, “we”, “us”, “our”), registered in England and Wales under company number (13981853), with its registered office at C/O Stuart McBain Ltd (Accountants) Unit 14, Tower Street, Brunswick Business Park, Liverpool, England, L3 4BJ.

For the purposes of the EU General Data Protection Regulation and the UK GDPR (“GDPR”), Cubode LTD is the Data Controller of Personal Data processed through Wendi, except where we act strictly on behalf of a customer under a Data Processing Agreement (“DPA”), in which case we are the Data Processor and the customer is the Data Controller.

2. Scope of this Policy

This Policy explains how we collect, use, disclose and safeguard Personal Data when enterprise customers and their authorised users (“Users”) interact with Wendi through:

3. What Personal Data We Collect

| Category | Examples | Source |
| --- | --- | --- |
| Account Data | Name, business e-mail, role, authentication identifiers (SSO/SCIM), licence tier, billing contact, usage metrics. | Provided by customer admin or identity provider. |
| Integration Tokens & Metadata | OAuth tokens, connection scopes, workspace IDs, meeting IDs, channel or project IDs, file references. | Generated during customer-initiated OAuth flow. |
| Interaction Content | Natural-language prompts, messages, voice/video transcripts (if the customer enables meeting transcription), files or snippets shared with Wendi. | Entered/uploaded by Users; pulled (with consent) from Connected Platforms. |
| HR Repository Data | Company handbooks, policies, procedures, salary bands, company’s organigramme, job descriptions, other documents chosen by the customer. | Uploaded by customer. |
| Diagnostics & Log Data | IP address, device/browser info, timestamps, request/response hashes, API latencies, error traces. | Collected automatically by our services and third-party observability tools. |

We do not intentionally collect special categories of data (e.g., health, biometric, or children’s data). If a customer chooses to store such data in the HR Repository, they are responsible for obtaining all required consents or lawful bases.

| Purpose | Legal Basis (GDPR Art. 6) |
| --- | --- |
| Provide, secure and maintain Wendi’s core functionality, including prompt processing, retrieval-augmented generation, analytics and customer support. | Art. 6 (1)(b) – Contract performance. |
| Integrate with Connected Platforms to fetch contextual data requested by Users. | Art. 6 (1)(b) – Contract performance. |
| Maintain tenant isolation, role-based access controls and encryption. | Art. 6 (1)(c) – Legal obligation (security), plus (b). |
| Improve models, fine-tune prompts, develop new features, produce aggregated statistics. | Art. 6 (1)(f) – Legitimate interests or Art. 6 (1)(a) – Consent, depending on customer contract. We never include customer-provided confidential data in global training unless expressly permitted. |
| Send administrative or security notifications. | Art. 6 (1)(c) – Legal obligation; Art. 6 (1)(f) – Legitimate interest. |
| Comply with legal requests, detect fraud or abuse. | Art. 6 (1)(c) / (e). |

Where consent is used (e.g., optional beta features), Users may withdraw it at any time via in-product settings or by contacting us.

5. Automated Decision-Making & AI Transparency

Wendi uses large-language-model (“LLM”) sub-processors (currently Google LLC for inference, hosted in the EU or US/EU datacentres) to transform User prompts and contextual data into natural-language responses.

6. Data Sharing & Sub-Processors

We never sell Personal Data. We share it only with:

| Recipient | Role | Safeguards |
| --- | --- | --- |
| Infrastructure-as-a-Service providers (e.g., GCP EU Region) | Hosting, encryption key storage. | EU-hosted; contractual data protection terms; working towards ISO 27001/SOC 2. |
| LLM Inference provider (GCP on EU data centres) | Stateless prompt processing. | EU SCCs + Data Processing Addendum; prompts stored ≤30 days solely for abuse monitoring. |
| Wendi AI System (our own backend) | Retains prompts and responses to personalize user experience and improve AI assistance over time. | Lawful basis: contractual necessity or legitimate interest; user-level deletion supported; stored in secure, access-controlled EU infrastructure. |
| Authentication/SSO providers (if customer opts in) | Identity federation. | Contractual DPA; data minimisation. |
| Analytics & Observability vendors | Telemetry and error diagnostics. | Pseudonymised data; EU datacentres. |
| Professional advisers & auditors | Legal, accounting, security auditing. | Confidentiality agreements. |
| Authorities | Legal compliance. | Only on valid, narrow lawful request. |

A live list of sub-processors and notification mechanism is maintained and available upon request.

7. International Transfers

If Personal Data is transferred outside the UK/EEA to a country without an adequacy decision (e.g., United States), we rely on EU Standard Contractual Clauses (2021/914 & UK Addendum) and risk assessments, plus encryption in transit and at rest.

8. Security Measures

9. Data Retention & Deletion

| Data Type | Default Retention | Deletion Method |
| --- | --- | --- |
| Interaction Content | <30 days for inference provider (Google). Wendi AI retains prompts and responses to personalize user experience. Can be deleted upon user request. | Hard delete from primary & replicas; backups aged-out ≤30 days later. |
| HR Repository | Until customer deletes or contract terminates + 90-day grace period. | Secure wipe (crypto-erase). |
| Account & Billing | 6 years post-termination (statutory). | Archival deletion after statutory limit. |
| Logs & Telemetry | 12 months rolling. | Aggregated/anon retained, raw logs deleted. |

10. Your Rights

Under GDPR/UK GDPR you may have the right to:

  1. Access your Personal Data;
  2. Rectify inaccurate data;
  3. Erase data (“right to be forgotten”);
  4. Restrict or object to processing;
  5. Data portability;
  6. Lodge a complaint with your Supervisory Authority (see § 12).

Requests may be submitted via privacy@iamwendi.ai or the in-product DSR portal. We will verify identity and respond within one month (extendable by two months for complex requests).

11. Data Subject Requests from End-Employees

Because Wendi is deployed within enterprises, many requests must be routed through the customer’s admin (Data Controller). Where Cubode acts as Processor, we will forward the request to the Controller and assist them under the DPA.

12. Supervisory Authority

If you believe we have not handled your request correctly, you may complain to your local authority.

13. Children

Wendi is designed exclusively for enterprise customers. We do not knowingly process data of anyone under 16. If you become aware of such data, please contact us for prompt deletion.

14. Data Breach Notification

In the event of a Personal Data Breach likely to result in risk to individuals’ rights and freedoms, The company will notify affected customers without undue delay and, where required, the relevant Supervisory Authority within 72 hours, in line with Art. 33 & 34 GDPR and our incident-response plan.

15. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified to customer admins via e-mail and in-product banners at least 30 days before taking effect, unless changes are required sooner by law.

16. Contact

E-mail: privacy@iamwendi.ai