DIGITAL ONION® PRIVACY POLICY

This Privacy Policy (“Policy”) explains how ONION Central Limited (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use the Digital ONION® platform (the “Service”).

ONION Central Limited is incorporated in England and Wales and acts as the data controller for the purposes of applicable data protection legislation.

By creating an account or using the Service, you acknowledge that you have read and understood this Policy.

1. Information We Collect

We collect the following categories of information:

Account Information

• Name and email address provided at registration
• Password (stored in hashed form only)
• Account preferences and settings

Conversation Data

• Text you enter during coaching sessions (“Input”)
• Responses generated by the Service (“Output”)
• Session metadata (timestamps, duration)

Technical Data

• IP address and approximate location
• Browser type and version
• Device type and operating system
• Pages visited and feature usage

Payment Data

• If you purchase a subscription, payment is processed by our third-party payment provider. We do not store full payment card details.

2. How We Use Your Information

We use your information to:

• Provide and operate the Service
• Authenticate your identity and manage your account
• Process transactions and manage subscriptions
• Communicate service updates and important notices
• Analyse aggregated and anonymised usage patterns to improve the Service
• Maintain platform safety and prevent misuse
• Comply with legal obligations

3. AI Processing

Your Input is sent to third-party AI providers (such as OpenAI and Anthropic) to generate Output.

We do not use your conversations to train AI models.

Third-party AI providers process your Input under their own data processing agreements with us, which prohibit them from using your data for model training.

4. Legal Basis for Processing (UK/EEA Users)

We process your personal data on the following legal bases:

• Contract: Processing necessary to provide the Service you have requested
• Legitimate interests: Improving the Service, maintaining security, and preventing fraud
• Legal obligation: Where required to comply with applicable law
• Consent: Where you have given specific consent for a particular use

5. Data Sharing

We do not sell your personal data to third parties.

We may share your data with:

• AI providers: To generate responses (see section 3)
• Infrastructure providers: Hosting and database services (e.g. Vercel, PostgreSQL providers)
• Payment processors: To process subscription payments
• Legal authorities: Where required by law or to protect our rights

All third-party service providers are bound by appropriate data processing agreements.

6. Data Security

We implement appropriate technical and organisational measures:

• Encryption in transit: All data is transmitted over TLS 1.3 (HTTPS)
• Encryption at rest: Data is encrypted at the database level via AES-256
• Access controls: Strict role-based access to production systems
• Audit logging: Access to sensitive data is logged for compliance purposes

No system is completely secure. While we take reasonable precautions, we cannot guarantee absolute security.

7. Data Retention

• Conversations: Retained while your account is active. You may delete conversations at any time. Deleted content is permanently erased within 30 days.
• Account data: Retained while your account is active and for a reasonable period thereafter to comply with legal obligations.
• Inactive accounts: If your account is inactive for 12 consecutive months, conversation history may be deleted.
• Billing records: Retained as required by applicable tax and accounting law.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your personal data
• Portability: Request your data in a structured, machine-readable format
• Restriction: Request that we limit processing of your data
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@onioncentral.com.

We will respond within 30 days of receiving your request.

9. International Data Transfers

Your data may be processed in countries outside the UK and EEA, including the United States, where our infrastructure and AI providers are located.

Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including standard contractual clauses approved by the relevant authorities.

10. Cookies & Analytics

We use essential cookies to authenticate your session and maintain security.

We may use analytics tools to understand how users interact with the Service. Where analytics are used, data is aggregated and anonymised.

We do not use third-party advertising cookies or tracking pixels.

11. Children’s Privacy

The Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from children.

If we become aware that we have collected data from a person under 18, we will take steps to delete that data promptly.

12. Changes to This Policy

We may update this Policy from time to time. Material changes will be notified via email or a notice within the Service before they take effect.

Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

13. Contact Us

If you have questions about this Policy or wish to exercise your data protection rights, please contact:

ONION Central Limited
Email: privacy@onioncentral.com

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner’s Office (ICO).