Privacy Policy

1. Introduction

1.1 Important Information and Who We Are

Welcome to Horison AI Ltd's Privacy and Data Protection Policy (“Privacy Policy”).

At Horison AI Ltd (“we”, “us”, or “our”), we are committed to protecting and respecting your privacy and Personal Data in compliance with the United Kingdom General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and all other mandatory laws and regulations of the United Kingdom.

This Privacy Policy explains how we collect, process, and keep your data safe. It will tell you about your privacy rights, how the law protects you, and inform our employees and staff members of all their obligations and protocols when processing data.

The individuals from which we may gather and use data can include:

• Customers and platform users
• Suppliers and business contacts
• Employees and staff members
• Third parties connected to your customers or referenced in uploaded documents

This Privacy Policy applies to all our employees and staff members and all Personal Data processed at any time by us.

1.2 Your Data Controller

Horison AI Ltd is your Data Controller and responsible for your Personal Data. We are not obliged by the UK GDPR to appoint a data protection officer and have not voluntarily appointed one at this time. Therefore, any inquiries about your data should be sent to us:

By email: legal@horison.ai

By post: Horison AI Ltd, 167-169 Great Portland Street, Fifth Floor, London, England, W1W 5PF

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

1.3 Data Processors

In discharging our responsibilities as a Data Controller, we have employees and third-party service providers who will deal with your data on our behalf (known as “Processors”). The Data Controller and our Processors have the following responsibilities:

• Ensure that all processing of Personal Data is governed by one of the legal bases laid out in the UK GDPR.
• Ensure that Processors authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of Personal Data.
• Obtain the prior specific or general authorisation of the Controller before engaging another Processor.
• Assist the Controller in the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights.
• Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the UK GDPR.
• Maintain a record of all categories of processing activities carried out on behalf of a Controller.
• Cooperate, on request, with the ICO in the performance of its tasks.
• Notify the Controller without undue delay after becoming aware of a Personal Data breach.

2. Legal Basis for Data Collection

2.1 Types of Data

“Personal Data” means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store, and transfer different kinds of Personal Data about you, which we have grouped together below. Not all of the following types of data will necessarily be collected from you, but this is the full scope of data that we collect:

• Profile/Identity Data: This is data relating to your first name, last name, job title, company name, and professional role.
• Contact Data: This is data relating to your phone number, addresses, email addresses, and professional contact details.
• Marketing and Communications Data: These are your preferences in receiving marketing information and other communications from us.
• Billing Data: This is information relating to your payment details such as the name attached to your payment method and your billing address.
• Financial Data: These are your banking details, e.g., your account number and sort code.
• Transactional Data: This is information about details and records of all payments you have made for our services.
• Technical Data: This includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Service.
• Usage Data: This includes information about how you use our Service, including features used, documents processed, and interaction patterns.
• Uploaded Content Data: This includes documents, financial models, investment memoranda, due diligence materials, and other files you upload to the Service for AI processing. This data may contain Personal Data relating to third parties (e.g., individuals named in deal documents).

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

2.2 The Legal Basis for Collecting That Data

There are a number of justifiable reasons under the UK GDPR that allow collection and processing of Personal Data. The main avenues we rely on are:

• Consent: Certain situations allow us to collect your Personal Data, such as when you opt in to receive email newsletters from us or consent to specific data processing activities.
• Contractual Obligations: We may require certain information from you in order to fulfil our contractual obligations and provide you with the Service.
• Legal Compliance: We are required by law to collect and process certain types of data, such as for the prevention of fraudulent activity or other illegal actions.
• Legitimate Interest: We might need to collect certain information from you to meet our legitimate interests — this covers aspects that can be reasonably expected as part of running our business, that will not have a material impact on your rights, freedoms, or interests.

3. How We Use Your Personal Data

3.1 Our Data Uses

We will only use your Personal Data when the law allows us to. The primary uses of your data include:

• Providing and maintaining the Service, including processing your uploaded documents through our AI systems.
• Managing your account and subscription.
• Processing payments and billing.
• Communicating with you about the Service, including service updates and support.
• Improving and developing the Service, including training and improving our AI models using aggregated, anonymised data.
• Complying with legal obligations.

3.2 AI Processing of Your Data

When you upload documents to the Service, our AI systems will process the content of those documents to provide you with analysis, insights, and generated outputs. This processing is performed on the basis of our contractual obligations to you.

We implement appropriate safeguards to protect the confidentiality of uploaded documents, including encryption in transit and at rest, access controls, and data segregation between users.

Where uploaded documents contain Personal Data relating to third parties (e.g., individuals named in financial documents or deal materials), we process this data as a Processor acting on your instructions. You, as the Data Controller for such third-party data, are responsible for ensuring that you have a lawful basis for sharing such data with us.

3.3 Marketing and Content Updates

You will receive marketing and new content communications from us only where you have specifically consented to receive them, or where we have a legitimate interest in sending them (e.g., if you are an existing customer). You can ask us to stop sending you marketing messages at any time by contacting us at legal@horison.ai.

3.4 Change of Purpose

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

4. Your Rights and How You Are Protected

4.1 Your Legal Rights

Under data protection laws, you have the following rights in relation to your Personal Data:

• Right to be informed: You have a right to be informed about our purposes for processing your Personal Data, how long we store it for, and who it will be shared with.
• Right of access: This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it (also known as a “data subject access request”).
• Right to rectification: You have a right to request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
• Right to erasure: You have the right to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request for specific legal reasons which will be notified to you at the time of your request.
• Right to object: You can object to the processing of Personal Data we hold about you. This effectively allows you to stop or prevent us from processing your Personal Data in certain circumstances, for example where we are processing your data for direct marketing purposes.
• Right to restrict processing: You have the right to request the restriction or suppression of your Personal Data in certain circumstances, for example if you want us to establish the data's accuracy or where our use of the data is unlawful but you do not want us to erase it.
• Right to data portability: You have the right to request the transfer of your Personal Data to you or to a third party in a structured, commonly used, machine-readable format.

If you wish to exercise any of these rights, please contact us at legal@horison.ai.

4.2 Your Control Over Your Data

You may delete your account at any time — this will remove your account and associated data from our systems. We do not guarantee the ability to delete all stored data immediately due to backup retention periods and legal requirements. If you would like us to delete or correct personally identifiable data, let us know and we will action your request as soon as practicable.

Your account information will be protected by a password for your privacy and security. You are responsible for preventing unauthorised access to your account by selecting and protecting your password appropriately and limiting access to your devices.

5. How We Protect Your Personal Data

We are committed to keeping your data secure and protecting it from inappropriate disclosure. We implement appropriate technical and organisational measures including:

• Encryption of data in transit (TLS) and at rest.
• Access controls limiting data access to authorised personnel only.
• Regular security assessments and penetration testing.
• Data segregation between customer accounts.
• Employee confidentiality obligations and training.

If and when we use subcontractors to store your data, we will not relinquish control of your Personal Data or expose it to security risks that would not have arisen had the data remained in our possession. However, no transmission of data over the internet is guaranteed to be completely secure. While we strive to protect your Personal Data, we cannot ensure or warrant the security of any data you transmit to us. Any such transmission is done at your own risk.

6. Your Data and Third Parties

6.1 Sharing Your Data

We may share non-Personal Data with third parties. We may share your Personal Data with subcontractors or affiliates, subject to confidentiality obligations, to use it only for the purposes for which we disclose it to them and pursuant to our instructions.

We may also share Personal Data with interested parties in the event that Horison AI Ltd anticipates a change in control or the acquisition of all or part of our business or assets, or with interested parties in connection with the licensing of our technology.

If Horison AI Ltd is sold or makes a sale or transfer, we may transfer, sell, or assign your Personal Data to a third party as part of or in connection with that transaction. Upon such transfer, the Privacy Policy of the acquiring entity may govern the further use of your Personal Data.

We may share your Personal Data at any time if required for legal reasons or in order to enforce our Terms and Conditions or this Privacy Policy.

6.2 Third-Party Links

Our Service may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Service, we encourage you to read the privacy policy of every website you visit.

7. How Long We Retain Your Data

We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements.

We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.

When you delete your account, we will delete or anonymise your Personal Data within 30 days, except where retention is required by law. Uploaded Content (including deal documents and financial materials) will be deleted within 30 days of account termination unless otherwise agreed in writing.

8. Age Limit

You must not use the Service unless you are aged 18 or older. If you are under 18 and you access the Service by misrepresenting your age, you must immediately stop using the Service.

This Service is not intended for children, and we do not knowingly collect data relating to children.

9. International Transfer of Data

Your information may be stored and processed in the United Kingdom or in other countries where Horison AI Ltd or its service providers maintain facilities.

Where we transfer your Personal Data outside the United Kingdom, we will ensure that appropriate safeguards are in place to protect your data in accordance with the UK GDPR. Such safeguards may include:

• Transferring to countries that have been deemed to provide an adequate level of protection by the UK Government.
• Using specific contracts approved by the UK Government (UK International Data Transfer Agreement or Addendum) with our service providers.
• Other appropriate safeguards as permitted under the UK GDPR.

10. Cookies and Tracking Technologies

Our Service may use cookies and similar tracking technologies to track activity on our Service and hold certain information. Cookies are files with a small amount of data which may include an anonymous unique identifier.

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service. For more information about the cookies we use, please refer to our Cookie Policy on our website.

11. Changes to This Privacy Policy

We keep our Privacy Policy under regular review and will place any updates on this page. This version is dated 27 March 2026.

By using the Service, you consent to the collection and use of data by us as set out in this Privacy Policy. Continued access or use of the Service will constitute your express acceptance of any modifications to this Privacy Policy.

12. Contact Us

If you have any questions about this Privacy Policy or wish to exercise any of your data protection rights, you can contact us:

By email: legal@horison.ai

By post: Horison AI Ltd, 167-169 Great Portland Street, Fifth Floor, London, England, W1W 5PF

Company Number: 16837183

Please also see our Terms and Conditions which set out the terms, disclaimers, and limitations of liability governing your use of the Service.