Privacy Policy

Privacy Policy

1. General Provisions

1.1. This Privacy Policy of VIP STYLE STUDIOS LTD (hereinafter referred to as the “Company”) establishes the procedure for processing information relating to an identified or identifiable natural person (hereinafter referred to as “personal data”), as well as the measures taken by the Company to ensure the security of such personal data.

1.2. This Policy has been developed in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR), as well as other applicable laws and regulations of the United Kingdom regarding the protection of personal data.

1.3. The Company implements technical, organizational, and legal measures to protect personal data, as well as the rights and freedoms of individuals when processing their personal data.

1.4. This Policy applies to all personal data processed by the Company, except for data processed in the context of employment or administrative procedures (concerning employees or former employees), as well as cookie data. This Policy also applies to the processing of data of users of the website https://vai-chat.com (hereinafter – the “Website”), clients, individual contractors, job applicants, representatives of legal entities, and other individuals interacting with the Company.

1.5. Terms used in this Policy shall have the meanings ascribed to them under the applicable laws of the United Kingdom.

2. Principles, Purposes, and Rules of Personal Data Processing; Categories of Data Processed; Retention Periods

2.1. The purposes of processing personal data include:
2.1.1. Identifying individuals with whom the Company enters into contractual relationships;
2.1.2. Preparation, execution, fulfillment, and termination of agreements with counterparties;
2.1.3. Formation of reference materials for internal informational support of the Company’s activities;
2.1.4. Execution of judicial decisions or orders of other authorities or officials subject to enforcement under the laws of the United Kingdom;
2.1.5. Exercise of the Company’s rights and legitimate interests in the context of its financial and business activities or in the pursuit of public interest objectives;
2.1.6. Other lawful purposes;
2.1.7. Ensuring the operation of software services, AI services, and digital platforms used by users, including via integration with third-party APIs (e.g., Instagram, Meta, Telegram, etc.).

2.2. The Company processes personal data based on the principles of lawfulness, fairness, transparency, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.

2.3. The Company may process the following categories of personal data: full name; contact information (phone number, fax, email address); photographs; date of birth; place of residence or mailing address; passport number or other government-issued identification details (e.g. driving licence number); National Insurance Number (NINo); residential or business address.

The official Website collects and processes anonymized data about visitors (including cookies).

2.3.1. Special categories of personal data, including biometric data, may be processed if there is a lawful basis for such processing.

2.3.2. User-generated content: When using the platform, users may submit textual inputs (prompts) and other data to configure the functionality of the virtual assistant. This data is processed by the Company solely for service provision, technical support, and to monitor compliance with the terms of use. In the event of detected violations, the service administration reserves the right to suspend user account access.

2.3.3. Personal data collected via integration with Meta platforms (e.g., Instagram messages, profile data) is processed solely to provide the functionality of the AI assistant, including response generation and personalization, in accordance with UK GDPR and Meta’s policies.

2.4. The Company stores personal data in a form that allows identification of the data subject no longer than necessary to achieve the purposes declared and in compliance with applicable laws.

2.5. The Company ensures the security of personal data by implementing encryption (e.g., AES-256 for storage, HTTPS for transmission), access restrictions, regular security audits, and other technical and organizational measures in accordance with Article 32 of the UK GDPR.

2.6. The retention periods for personal data are determined in accordance with applicable laws and principles of data minimisation.

2.7. The Company stores personal data in a confidential manner, ensuring it cannot be lost or misused.

2.8. All personal data is kept in secure locations inaccessible to unauthorized persons — such as safes or other locked cabinets and restricted-access rooms.

2.9. Upon fulfillment of the processing purposes, the Company deletes personal data unless its longer retention is required by law.

3. Procedure and Conditions for Personal Data Processing

3.1. The collection of personal data is carried out with the consent of the individual whose personal data is processed by the Company (hereinafter – the “data subject”), unless otherwise provided by law.

3.2. The consent of the data subject constitutes a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of their personal data.

3.3. Consent may be obtained in written form, as an electronic document, or in another electronic format.

3.3.1. Consent may be provided electronically, including by ticking a checkbox on the website interface, provided that the expression of will is informed and deliberate.

3.4. Data subjects have the following rights under the UK GDPR:
3.4.1. To withdraw consent for the processing of personal data;
3.4.2. To obtain information about the processing of their personal data and request rectification;
3.4.3. To request the cessation of processing and/or deletion of personal data;
3.4.4. To lodge a complaint regarding the Company’s actions or inaction related to personal data processing;
3.4.5. To access their personal data;
3.4.6. To restrict processing;
3.4.7. To require notification to all parties who previously received inaccurate or incomplete personal data;
3.4.8. To supplement their personal data with a statement expressing their own viewpoint (for evaluative data);
3.4.9. To exercise the right to data portability in a machine-readable format.

3.5. Personal data is processed by the Company solely for the purposes specified in this Policy.

3.6. The processing of personal data is carried out in accordance with applicable laws and the Company’s internal policies.

3.7. Personal data is not shared with third parties and is not subject to dissemination, except where required by law.

4. Authorized Processors and Cross-Border Data Transfer

4.1. The Company may engage authorized third parties to process personal data.

4.2. Authorized processors shall process personal data based on a data processing agreement with the Company.

4.2.1. Authorized processors shall comply with UK GDPR when processing data of UK or EU citizens.

4.2.2. When transferring data to Meta Platforms Inc. (1601 Willow Road, Menlo Park, CA 94025, USA), the Company enters into agreements ensuring compliance with UK GDPR and Meta’s policies.

4.3. Cross-border transfers of personal data are permitted where a valid legal basis exists.

4.4. Such transfers may occur based on the data subject’s consent, contract performance, or legal obligations.

4.5. When transferring data outside the United Kingdom, the Company ensures the application of appropriate legal mechanisms, including Standard Contractual Clauses (SCCs) or explicit consent of the data subject.

5. Rights and Obligations of Data Subjects

5.1. Data subjects have the following rights:
5.1.1. To receive full information about their personal data processed by the Company;
5.1.2. To access their personal data, including the right to obtain a copy, except in cases provided by law;
5.1.3. To request rectification, blocking, or erasure if the data is incomplete, outdated, inaccurate, or no longer necessary;
5.1.4. To supplement their evaluative personal data with a statement of their viewpoint;
5.1.5. To request that all parties who previously received inaccurate or incomplete data be informed of the corrections;
5.1.6. To withdraw consent for the processing of their personal data;
5.1.7. To appeal the Company’s actions or inaction related to personal data;
5.1.8. To exercise other rights provided by UK GDPR.

5.2. Data subjects are obliged to:
5.2.1. Provide accurate personal data;
5.2.2. Inform the Company of any changes;
5.2.3. Exercise their rights in accordance with UK law and internal policies;
5.2.4. Fulfill other duties established by applicable law.

5.3. Consent is not required in cases provided by law, such as:
5.3.1. When the personal data has been made publicly available by the data subject;
5.3.2. For employment purposes where permitted by law;
5.3.3. To protect vital interests of the data subject or others if obtaining consent is not possible.

5.4. Consent may be withdrawn at any time by submitting a request with the subject’s full name and email address (or other identifying information used during sign-up).

5.5. Upon receipt, the Company will review the request, cease processing, delete the data unless otherwise permitted by law, and notify the data subject.

For GDPR-related matters, the data subject may contact the Company’s Data Protection Officer at: [use contact@vai-chat.com instead of Gmail] or via https://vai-chat.com.

6. Final Provisions

6.1. The security of personal data is ensured through legal, organizational, and technical measures against unauthorized access, alteration, deletion, etc.

6.2. Internal monitoring of compliance with UK GDPR and Company policies is carried out regularly.

6.3. The designated person is responsible for organizing data processing and ensuring compliance.

6.4. Internal audits assess compliance with UK GDPR and international standards.

6.5. This Policy is publicly available on the Website and enters into force upon approval.

6.6. The Company may update this Policy. Any changes will be published on the Website. Where required, users will be informed directly in accordance with Articles 13–14 UK GDPR.

6.7. Where personal data processing poses a high risk, a Data Protection Impact Assessment (DPIA) will be conducted in accordance with Article 35 UK GDPR.