Privacy & Data Protection

1. Introduction

This Global Privacy and Data Protection Statement ("Statement") describes how Innvia Tech Lab Limited ("Nanda", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use the Nanda AI-powered personal assistant service (the "Service").

We are committed to processing your personal data lawfully, fairly, and transparently in accordance with applicable data protection legislation. This Statement applies to all users of the Service, regardless of the jurisdiction from which they access it.

1.1 EU Representative (GDPR Art. 27)

Users located in the European Economic Area have the following point of contact for EU GDPR purposes: Lilian Pontes, EU Representative for Innvia Tech Lab Limited. Email: privacy@hinanda.com.

2. Regulatory Framework

• United Kingdom: UK GDPR and Data Protection Act 2018
• European Union: Regulation (EU) 2016/679 (GDPR)
• Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
• Brazil: Lei Geral de Proteção de Dados Pessoais (LGPD)

Where multiple jurisdictions apply, we apply the standard that affords the greatest protection to the individual.

3. Categories of Personal Data Processed

3.1 Account and Identity Data

• Full name and email address
• Authentication credentials (passwords stored as hashes, never in plaintext)
• Date of birth (collected at signup for age verification; §13)
• Account preferences and settings

3.2 Interaction and Usage Data

• Inputs, prompts, instructions, and messages submitted to the assistant
• Feature usage patterns and in-app activity logs
• Device type, operating system, browser version
• IP address and approximate geographic location (country/city level)
• Session timestamps and duration

3.3 Calendar Integration Data

Where you have explicitly authorised integration with Google Calendar or Microsoft Outlook Calendar via the respective OAuth consent flow, the following categories of calendar data may be accessed:

• Event titles, dates, start and end times
• Event descriptions and location fields (where present)
• Calendar availability and free/busy status
• The list of calendars on the user's account (for selecting which to sync)

4. Purposes and Legal Bases for Processing

Purpose	Data Used	Legal Basis (UK / EU GDPR)
Account creation and authentication	Name, email, credentials	Contract performance (Art. 6(1)(b))
Providing the AI assistant service	Inputs, usage data, calendar data (if authorised)	Contract performance (Art. 6(1)(b))
Calendar integration (Google and Microsoft, read and write)	Calendar event data	Explicit consent (Art. 6(1)(a)) — revocable at any time
Service improvement and AI training (opt-in)	Aggregated / de-identified interaction data. Calendar data from Google or Microsoft is explicitly excluded.	Consent (Art. 6(1)(a)) — off by default; opt-in from Settings
Security monitoring and fraud prevention	Log data, IP address, usage patterns	Legitimate interests (Art. 6(1)(f)) — LIA documented
Compliance with legal obligations	As required by applicable law	Legal obligation (Art. 6(1)(c))

5. AI Processing

5.1 AI Model Training

• Calendar data obtained via Google APIs or Microsoft Graph is never used for AI model training, fine-tuning, or evaluation, as required by Google's API Services User Data Policy and Microsoft's Graph Terms of Use.
• Before any identifiable user data is used for training, explicit opt-in consent is obtained. This setting is off by default for all users.
• Where possible, data is aggregated or anonymised before use in training processes.
• You may opt out (or change your preference) at any time in Settings → Privacy, or by emailing privacy@hinanda.com.

5.2 Automated Decision-Making

Nanda does not make solely automated decisions that produce legal effects or similarly significant effects on users (within the meaning of GDPR Article 22). All significant outcomes are executed at the explicit request of and confirmed by the user.

6. Calendar Integrations — Detailed Governance

Nanda supports two calendar providers: Google Calendar and Microsoft Outlook Calendar. The commitments below apply uniformly to both. Provider-specific scopes and references are listed in §6.4 and §6.5.

6.1 Permitted Uses

• Checking the user's availability before scheduling a new event
• Identifying and avoiding scheduling conflicts at the user's request
• Creating, updating, and deleting calendar events as explicitly directed by the user
• Displaying the user's schedule within the Nanda interface
• Listing the user's calendars so the user can choose which ones Nanda syncs

6.2 Absolute Restrictions (apply to data from both providers)

• No AI training: Calendar data is never used to train, develop, improve, or evaluate any AI or machine learning model.
• No advertising: Calendar data is never used for advertising purposes, including targeted advertisements.
• No onward transfer: Calendar data is never transferred to third parties for their own purposes. It is only accessible to infrastructure processors (cloud hosting) under strict data processing agreements.
• No transfer to data brokers: Calendar data is never sold or transferred to data brokers or information resellers.
• No human access without consent: No Nanda employee or contractor accesses individual users' calendar data except (a) with explicit user consent, (b) for security investigations of specific reported incidents, or (c) as required by law.

6.3 Data Handling on Revocation

When a user disconnects a calendar account from Nanda or revokes access from the provider's account settings:

• Nanda immediately ceases all API calls against that account.
• For Google, the refresh token is revoked at Google's endpoint.
• Cached calendar data is deleted immediately; within 24 hours at the outside.
• No residual calendar data is retained beyond what is strictly necessary for legal compliance or security incident investigation.

6.4 Google Calendar — Scopes and Policy Reference

Nanda requests the minimum scopes necessary. We do NOT request the full calendar or calendar.readonly scopes.

• https://www.googleapis.com/auth/calendar.events — read, create, update, and delete individual calendar events.
• https://www.googleapis.com/auth/calendar.calendarlist.readonly — read the list of the user's calendars for the sync-selection UI.

Nanda's use of Google Calendar data complies with the Google API Services User Data Policy, including the Limited Use requirements.

6.5 Microsoft Outlook Calendar — Scopes and Policy Reference

Nanda requests the minimum Microsoft Graph scopes necessary. We do NOT request Mail.*, Files.*, Contacts.*, or any .All (tenant-wide) scope.

• offline_access — refresh tokens so sync keeps working without repeated prompts.
• openid — OIDC base required by the Microsoft identity platform.
• User.Read — read the signed-in user's basic profile (/me), used only to show which account is connected.
• Calendars.ReadWrite — list the user's calendars and read / create / update / delete events. On Microsoft Graph this single scope covers both the calendar-list and event-CRUD endpoints.

Nanda's use of Microsoft Graph data complies with the Microsoft Services Agreement and the Microsoft Graph Terms of Use. Users may revoke Nanda's access at any time from myapps.microsoft.com.

7. Data Sharing, Processors, and Third Parties

Processors process personal data on Nanda's behalf under a Data Processing Agreement (DPA), solely for purposes instructed by Nanda. Third parties receive personal data for their own independent purposes — Nanda does not share personal data with third parties for their own purposes, except where required by law.

Categories of processors used to deliver the Service:

• Cloud infrastructure and hosting providers (security standards ≥ ISO 27001)
• AI model API providers (only the minimum data necessary is sent)
• Authentication providers
• Analytics providers (aggregated and de-identified data only)
• PCI-DSS compliant payment processors

8. International Data Transfers

Transfers outside the UK / EEA are protected by Standard Contractual Clauses (UK IDTA and EU SCCs under Commission Implementing Decision 2021/914), adequacy decisions, or Binding Corporate Rules as appropriate. Copies of the applicable safeguards can be requested from privacy@hinanda.com.

9. Data Retention

Data Category	Retention Period	Basis
Account data (name, email, credentials, date of birth)	Active account + 30 days after deletion	Contract; legal compliance
Interaction and input data (messages, prompts)	Active subscription + 90 days after account deletion, unless earlier deletion requested	Service delivery; legitimate interest
Calendar data (Google or Microsoft, event details)	Cached to provide ongoing scheduling assistance. Events are automatically purged 90 days after their end time. Upon disconnect, all cached data is deleted within 24 hours.	Consent; service delivery
Log data and technical metadata	90 days	Security; fraud prevention
Billing and transaction records	7 years from transaction date	UK tax and accounting law
Consent audit records (including cookie consent)	3 years	Accountability; regulatory audit
Security incident records	5 years	Legal obligation

10. Security

• In transit: TLS 1.2+
• At rest: AES-256 or equivalent
• Role-based access controls (RBAC) and least-privilege
• Multi-factor authentication required for all administrative access
• Regular security assessments and vulnerability scanning
• Security integrated into the software development lifecycle
• Documented incident response plan

11. Your Rights

• Access: request a copy of your personal data and how it is processed
• Rectification: correct inaccurate or incomplete data
• Erasure ('Right to be Forgotten'): request deletion of your data
• Restriction: restrict processing in certain circumstances
• Data Portability: receive your data in a structured, machine-readable format
• Object: object to processing based on legitimate interests or direct marketing
• Withdraw Consent: at any time, without retroactive effect

To exercise any right, contact privacy@hinanda.com. We respond within 30 days (extendable by up to two months in complex cases, with notification).

12. Data Breach Notification

• All suspected breaches are assessed within 24 hours of discovery to determine severity and scope.
• Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority (ICO for UK users; relevant EU DPA for EEA users) within 72 hours of becoming aware of the breach (UK GDPR Art. 33 / GDPR Art. 33).
• Where a breach is likely to result in high risk to individuals, affected users are notified without undue delay.
• We comply with PIPEDA breach reporting obligations for Canadian users and LGPD Art. 48 for Brazilian users.

13. Children's Data

The Service is not directed at children under the age of 16 (or under 13 in jurisdictions where a lower threshold applies, such as the United States under COPPA). We do not knowingly collect personal data from children below the applicable age threshold. If we become aware that we have inadvertently collected such data without verifiable parental consent, we delete it promptly.

New accounts require an age declaration at signup. Parents or guardians who believe that a child may have provided personal data to Nanda are encouraged to contact privacy@hinanda.com.

14. Cookies and Tracking Technologies

Nanda currently uses only strictly-necessary cookies (session, authentication, CSRF protection, and your cookie-preference record). We do not currently set analytics, marketing, or third-party tracking cookies. If this changes, we will request prior opt-in consent where required by law.

See our Cookie Policy for the full list of cookies in use.

15. International Supervisory Authorities

Jurisdiction	Authority
United Kingdom	Information Commissioner's Office (ICO) — ico.org.uk
European Union	Your national DPA (directory at edpb.europa.eu)
Canada	Office of the Privacy Commissioner of Canada — priv.gc.ca
Brazil	Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd

We encourage users to contact us directly before lodging a regulatory complaint so that we have the opportunity to address concerns promptly.

16. Changes to This Statement

We review and update this Statement periodically. For material changes that affect users' rights, we notify users by email at least 30 days before the changes take effect. Non-material updates (clarifications, typographical corrections) are published without prior individual notification. Continued use of the Service after the effective date of an updated Statement constitutes acceptance of the updated terms, subject to any rights of objection available under applicable law.

17. Contact

For any privacy-related query, data subject rights request, or concern: privacy@hinanda.com.

Version 2.0 · Effective: 15 January 2026 · © Innvia Tech Lab Limited