Last updated: March 2026
1. Data Controller
N90 Labs Ltd (“N90 Labs”, “we”, “us”) is a company registered in England & Wales. We are the data controller for the personal data described in this policy.
Contact: privacy@n90.ai
2. Information We Collect
Contact form & booking page
Name, email address, company name (optional), phone number (optional), and project description. If you use Google or LinkedIn to pre-fill the form, we receive your name, email, and profile URL from the provider.
Customer portal & purchases
Email address, name, company, payment details (processed by Stripe — we do not store card numbers), purchase history, service tier, and intake form responses (target URL, platform, GitHub repository selections, security concerns).
Calendar bookings
Name, email, and selected time slot when you book a discovery call. A Google Calendar event is created on your behalf.
Usage and log data
Our hosting provider (Vercel) automatically collects standard log data including IP addresses, browser type, and pages visited. IP addresses are used for rate limiting and abuse prevention.
Analytics data
With your consent, we collect analytics data via Google Analytics 4 and LinkedIn Insight Tag. These only load after you accept analytics cookies via our consent banner.
3. Lawful Basis for Processing
Under UK GDPR, we process your personal data on the following bases:
- Legitimate interests (Art. 6(1)(f)) — responding to enquiries, operating our website, rate limiting, fraud prevention, and improving our services.
- Contract performance (Art. 6(1)(b)) — processing purchases, delivering security assessments, managing your customer portal account, and booking discovery calls.
- Consent (Art. 6(1)(a)) — analytics cookies (Google Analytics 4, LinkedIn Insight Tag). You can withdraw consent at any time via the cookie banner.
4. How We Use Your Information
- Respond to enquiries — we use your contact details to reply to your message and send a branded confirmation email.
- AI-powered services — your project description is processed by Anthropic Claude to generate AI briefs, field suggestions, and assessment reports. This processing happens in real time via Anthropic’s API.
- Process payments — Stripe processes your payment and we store the transaction record (tier, amount, status) in our database.
- Deliver services — security assessments, customer portal access, calendar scheduling, and Slack channel creation for project communication.
- Company identification — we use your email domain to identify your company for a better experience. This is done client-side and via our suggestions API.
5. Third-Party Processors
We share personal data with the following processors, each operating under their own privacy policies and appropriate safeguards:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, customer portal | EU (Ireland) |
| Stripe | Payment processing, invoicing | US |
| Anthropic | AI brief generation, field suggestions, assessments | US |
| Resend | Transactional email delivery | US |
| Slack | Project channel creation, team communication | US |
| Google Workspace | Calendar scheduling, OAuth authentication | US |
| OAuth authentication, conversion tracking (with consent) | US | |
| Vercel | Hosting, edge network, cookieless analytics | US |
| Google (GA4) | Website analytics (consent required) | US |
6. AI Processing
We use Anthropic’s Claude AI models to process text you submit through our website. Specifically:
- Contact form AI brief generation — your project description is sent to Anthropic to generate a structured brief.
- Field suggestions — your company name and email domain are used to suggest relevant information.
- FileMaker assessment tool — your responses are processed to generate a platform assessment.
- Security assessment chat — your questions are processed to provide relevant security guidance.
Anthropic processes this data under their privacy policy. Data sent to the API is not used to train their models.
7. Data Retention
We store personal data in our database (hosted by Supabase in the EU) and retain it for the following periods:
- Contact enquiries — 2 years from submission, then deleted.
- Customer & purchase records — retained for the duration of the business relationship, plus 6 years for tax and legal compliance.
- Calendar bookings — retained for 1 year after the meeting date.
- Activity logs — retained for 1 year for security and operational purposes.
- OAuth tokens — not stored. Used only during the authentication flow.
- Rate limiting data — held in-memory only, not persisted.
8. Cookies & Analytics
Essential cookies: We set authentication cookies for the admin dashboard and customer portal (Supabase auth). These are necessary for the service to function.
Cookieless analytics: Vercel Web Analytics and Speed Insights operate without cookies and do not track individual users. These do not require consent.
Consent-gated analytics: Google Analytics 4 and LinkedIn Insight Tag only load after you give explicit consent via our cookie banner. You can withdraw consent at any time by clicking the cookie preferences link in our footer.
9. International Transfers
Our database is hosted in the EU (Supabase, Ireland). Some processors (Stripe, Anthropic, Resend, Slack, Google, LinkedIn, Vercel) are based in the United States. Where personal data is transferred outside the UK, transfers are protected by the UK International Data Transfer Agreement (UK IDTA) or standard contractual clauses (SCCs) as required by UK GDPR.
10. Your Rights
Under the UK General Data Protection Regulation (UK GDPR), you have the right to:
- Access the personal data we hold about you
- Request rectification of inaccurate data
- Request erasure of your data
- Request restriction of processing
- Data portability
- Object to processing based on legitimate interests
- Withdraw consent at any time (where processing is based on consent)
- Not be subject to automated decision-making with legal effects
To exercise any of these rights, contact us at privacy@n90.ai. We will respond within one month.
11. Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
We would appreciate the chance to address your concerns before you contact the ICO, so please reach out to us first.
12. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated “Last updated” date. Material changes will be highlighted on the website.
13. Contact
If you have any questions about this privacy policy or how we handle your data, contact us at privacy@n90.ai.