Privacy Policy

Unlikely Artificial Intelligence Limited

Victoria Hall, Victoria Street, Cambridge, United Kingdom, CB1 1JP | Company No. 11445207

Version 4.0 | Last Updated: March 2026

1. Introduction

Nothing in this Privacy Policy is intended to limit in any way your statutory rights, including your rights to a remedy or other means of enforcement.

Unlikely Artificial Intelligence Limited ("UnlikelyAI", "we", "us", "our") is committed to protecting the privacy of individuals who interact with our platform, services, and website. This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with our AI platform and related services (the "Platform"), and your rights in relation to that data.

The Platform applies neurosymbolic reasoning and language models to ingest regulatory, financial, and policy documents, enabling enterprise users to perform automated analysis, receive answers, and generate explanations. Our current products include UnInvest, a conversational AI for financial services, and UnCheck, an automated disclosure-checking tool for audit and accounting. The nature of data processing varies between these products, as described in Section 3 below.

This policy applies to:

visitors to our website;
enterprise customers and their authorised users who access the Platform under a licence agreement;
individuals who interact with the Platform through a customer’s deployment (for example, end-users of the UnInvest chatbot);
individuals whose data may be processed in connection with our services; and
individuals who enquire about our services or with whom we have a business relationship.

We are the data controller in respect of personal data collected directly by us. Where we process personal data on behalf of our customers (for example, data submitted by a customer’s users to the Platform), we act as a data processor, and our processing activities are governed by the relevant data processing agreement with that customer.

2. Legal Basis and Applicable Law

We process personal data in accordance with applicable data protection law, including:

the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (for individuals in the United Kingdom);
the EU General Data Protection Regulation (EU GDPR 2016/679) (for individuals in the European Economic Area, including Ireland);
the EU AI Act (Regulation 2024/1689), which imposes transparency and human oversight obligations on providers of AI systems used in high-risk contexts such as financial services decision-making and regulatory compliance; and
other applicable privacy and data protection legislation where relevant, including guidance published by the UK Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO) on AI transparency and data protection.

3. Personal Data We Collect

3.1 Data You Provide Directly

We collect personal data that you voluntarily provide to us, including:

Identity and contact data: name, job title, employer, email address, telephone number, and postal address, provided when you enquire about our services, enter into a contract with us, or otherwise contact us;
Account data: login credentials and account configuration information for users of the Platform;
Correspondence: records of communications between you and us, including emails, support requests, and meeting notes;
Contract and commercial data: information contained in agreements, order forms, and other commercial documents.

3.2 Data Collected Automatically

When you use the Platform or visit our website, we may automatically collect:

Usage and technical data: IP address, browser type, device information, operating system, pages visited, time and date of access, and session duration;
Platform usage data: information about how the Platform is used. For UnInvest, this includes conversation transcripts and chat session metadata. For UnCheck, this includes queries run against financial statements and the responses generated. Technical telemetry includes model latency, token counts, and classification confidence scores;
Cookies and similar technologies: as described in Section 10.

3.3 Data from Third-Party and Public Sources

We may also obtain information about you from other sources, including publicly or commercially available information, third-party data platforms, event attendance records, and business contact details provided at industry events or through social media interactions. We use this information to respond to enquiries, develop business relationships, and where relevant, to process job applications.

3.4 Data Submitted to the Platform (Input and Output)

Our enterprise customers may submit content to the Platform (“Input”) and receive AI-generated content (“Output”). We treat Input and Output as the confidential information of our customers.

General principle: Input and Output are confidential customer data. UnlikelyAI does not use one customer’s data to train models that serve other customers.

Customer-specific model improvement: Where expressly agreed in the licence agreement or data processing agreement, UnlikelyAI may use a customer’s Input, Output, and associated usage data to fine-tune, adapt, or improve language models and AI components that are deployed exclusively for that customer’s use. This includes fine-tuning models on customer-specific data to improve accuracy, latency, or domain relevance for that customer. This is not a default entitlement and will only occur where it is specifically provided for in the relevant contractual arrangements.

General platform improvement: UnlikelyAI may use anonymised, aggregated usage metadata (not Input/Output content) to improve the Platform generally. If a customer agrees to contribute their data to general model training, this will be expressly set out in the relevant licence agreement.

No cross-customer data mixing: Data used for customer-specific fine-tuning is isolated and is not used to train models serving other customers.

Customers are responsible for ensuring that personal data is not submitted to the Platform unless expressly agreed and covered by an appropriate data processing agreement. This obligation is reflected in UnlikelyAI’s standard customer agreements. UnlikelyAI is aware that certain document types processed by the Platform (such as financial statements or disclosure checklists) may contain personal data including director names. Pending the deployment of automated data sanitisation measures, customers are required by contract to take responsibility for managing the submission of personal data to the Platform and to ensure that appropriate lawful bases exist for any personal data included in documents submitted for processing. UnlikelyAI is developing additional technical data sanitisation capabilities to support customers in managing this risk over time.

4. How We Use Personal Data

We use personal data for the following purposes and on the following legal bases:

Purpose	Legal Basis
Providing and managing the Platform and services	Performance of contract
Creating and managing customer and user accounts	Performance of contract
Communicating about your account, services, and support	Performance of contract
Invoicing and payment administration	Performance of contract
Training, fine-tuning, and adapting AI models on customer data to improve Platform performance for that customer (only where expressly agreed in the relevant licence agreement or DPA — this is not a default entitlement)	Performance of contract (conditional on express agreement)
Responding to enquiries and pre-sales communications	Legitimate interests
Improving and developing the Platform and our services	Legitimate interests
Security monitoring, fraud prevention, and platform integrity	Legitimate interests
Compliance with legal and regulatory obligations	Legal obligation
Marketing to existing and prospective customers	Legitimate interests (or consent where required)
Analytics and understanding Platform usage (see Section 10)	Legitimate interests

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and interests. You may request further information about this assessment.

Where we rely on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

5. How We Share Personal Data

We do not sell personal data. We share personal data only in the following circumstances:

Service providers and subprocessors: We engage trusted third-party suppliers to support the operation of the Platform and our business, including cloud infrastructure providers, analytics providers, and customer relationship management tools. These parties are contractually required to process data only on our instructions and in accordance with applicable data protection law. A list of our current subprocessors is available on request.
Third-party AI model providers: The Platform may transmit customer Input to third-party AI model providers as sub-processors for inference purposes. These providers are currently Google (Gemini API) and, in certain configurations, others. These providers are contractually bound not to use customer data for their own model training. A current list of AI model providers used is available on request.
Professional advisers: We may share data with lawyers, auditors, and insurers where necessary in the course of professional advice.
Corporate transactions: In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the relevant third party as part of that transaction, subject to appropriate protections.
Legal and regulatory requirements: We may disclose personal data where required by law, regulation, court order, or at the request of a competent regulatory or governmental authority.
With your consent: We may share data with third parties where you have given us your prior consent to do so.

We do not share customer Input or Output with third parties except as described above or as expressly agreed with the relevant customer.

6. International Data Transfers

UnlikelyAI is based in the United Kingdom. Our primary infrastructure is hosted in the UK and EEA (including Google Cloud europe-west4 and AWS eu-west-2 regions). Some third-party AI model providers may process data in other jurisdictions, including the United States.

Where personal data is transferred to a country that does not provide an equivalent level of data protection, we ensure appropriate safeguards are in place, including:

reliance on UK adequacy regulations or EU adequacy decisions (as applicable);
use of the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs); or
other approved transfer mechanisms under applicable data protection law.

Where UnlikelyAI supports customer-managed cloud deployments (for example, where a customer deploys the Platform within their own cloud environment), customer data remains within the customer’s chosen infrastructure and jurisdiction. In such deployments, UnlikelyAI does not process that customer data, and the customer acts as the data controller in respect of data held within their own environment. Data processing responsibilities in those scenarios are governed by the terms of the relevant deployment arrangement.

You may request further information about our transfer safeguards by contacting us at the details in Section 13.

7. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, including to comply with legal, regulatory, accounting, or reporting obligations. When personal data is no longer required, we take commercially reasonable steps to irretrievably delete or anonymise it.

Where customer data is used for customer-specific fine-tuning, we retain the relevant training dataset for the duration required to maintain and support the fine-tuned model. Upon termination of a customer contract, we will delete or return customer data, including any fine-tuned models derived exclusively from that customer’s data, in accordance with the terms of the relevant data processing agreement.

For UnInvest, conversation transcripts are retained for the period set out in the applicable customer agreement. Customers may be able to configure retention periods for their deployment. Specific retention periods by data category are available on request.

8. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction, including:

logical isolation between customer tenants to prevent cross-customer data access;
encryption of data at rest and in transit;
access controls and audit logging for AI training data and model artefacts; and
regular review of security measures in light of evolving threats and best practices.

A more detailed security overview is available on request. In the event of a personal data breach likely to result in a risk to individuals, we will notify the relevant supervisory authority and, where required, affected individuals, in accordance with applicable law.

9. Your Rights

Depending on your location, you may have the following rights in relation to your personal data:

Access: to request a copy of the personal data we hold about you;
Rectification: to request correction of inaccurate or incomplete data;
Erasure: to request deletion of your personal data in certain circumstances;
Restriction: to request that we restrict processing of your data in certain circumstances;
Portability: to receive your personal data in a structured, commonly used format;
Objection: to object to processing based on legitimate interests or for direct marketing, including objection to the use of your personal data for AI model training where that processing is based on legitimate interests;
Withdrawal of consent: where processing is based on consent, to withdraw it at any time;
Automated decision-making: not to be subject to solely automated decisions producing legal or similarly significant effects without human involvement. Certain UnlikelyAI products, including UnInvest and UnCheck, are designed to support human decision-making. We maintain human oversight mechanisms in line with our obligations under the EU AI Act. Further information on how human review operates within each product is available on request.

To exercise any of these rights, or to request deletion of your account, please contact us at the details in Section 13. You may use an authorised agent to submit a request on your behalf if you provide written permission signed by you. We will respond within one month (extendable by a further two months in complex cases). We may need to verify your identity before processing your request.

You also have the right to lodge a complaint with a supervisory authority:

UK — Information Commissioner’s Office (ICO): www.ico.org.uk
Ireland / EU — Data Protection Commission (DPC): www.dataprotection.ie

10. Cookies and Analytics

Our website uses cookies and similar tracking technologies. We use strictly necessary cookies to operate our website, and (where you have provided consent) analytics and functional cookies to improve your experience.

We currently use the following analytics and consent tools on our website:

Google Analytics: to understand how visitors use the website, including pages visited, session duration, and referral sources. Google’s privacy policy is available at google.com/policies/privacy.
iubenda: for cookie consent management and to generate our Cookie Policy. iubenda’s privacy policy is available at iubenda.com/privacy-policy.

We reserve the right to add or remove analytics tools as our services evolve. You may control cookies through your browser settings or our cookie consent tool. A full list of cookies we use is available in our Cookie Policy.

11. AI-Specific Transparency

UnlikelyAI builds AI products using a combination of large language models, neurosymbolic reasoning components, and fine-tuned classifiers. In the interests of transparency, we wish to make clear:

What AI models are used: The Platform uses a combination of proprietary components and third-party language model APIs (currently Google Gemini and related services). For certain customer deployments, models are fine-tuned on customer-specific data as described in Section 3.4.
Whether customer data trains models: Customer data is not used to train models that serve other customers. Customer-specific fine-tuning is only performed where expressly agreed and results in models deployed solely for that customer.
Human oversight: Our products are designed to support, not replace, human judgement. We maintain human oversight mechanisms in line with our obligations under the EU AI Act and the expectations of customers operating in regulated environments.
Data flow during processing: When customer Input is processed, it may be transmitted to third-party AI model providers as sub-processors for inference. See Section 5 for further detail.
Cross-customer data isolation: UnlikelyAI’s architecture enforces logical separation between customer tenants. Data used in one customer deployment is not accessible to or used by any other.

Customers seeking a detailed AI privacy and transparency statement for their own procurement or governance purposes should contact us at the details in Section 13.

12. California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and related legislation, including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information (we do not sell personal information).

Please note that the CCPA applies to for-profit businesses that meet certain thresholds (for example, annual gross revenues exceeding $25 million, or processing the personal data of 100,000 or more California consumers or households per year). UnlikelyAI does not currently meet those thresholds. We include this section for transparency given that we may engage with US-based individuals, and we will update it if our position changes.

California residents may submit requests by contacting us at the details in Section 13. We will respond to verifiable requests within the timeframes required by applicable California law.

13. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or our data processing activities, or to request a copy of our subprocessor list, security overview, or detailed AI transparency statement, please contact:

Data Protection Contact

Unlikely Artificial Intelligence Limited

Victoria Hall, Victoria Street, Cambridge, United Kingdom, CB1 1JP

Email: privacy@unlikely.ai

UnlikelyAI is in the process of appointing an EU-based representative as required under EU GDPR Article 27 and will update this policy once appointed. In the meantime, individuals in the EEA who wish to raise a matter under EU GDPR may contact us at the address above and mark their correspondence for the attention of EU GDPR Enquiries.

When an EU representative is formally appointed, this section will be updated to include the representative’s own name, address, and contact details. The representative must be independently contactable by EEA data subjects and supervisory authorities; correspondence directed to UnlikelyAI’s UK address does not satisfy this requirement on its own.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. We will post the updated policy on our website with a revised “Last Updated” date. Where changes are material, we will provide more prominent notice, for example by email to registered customers.

Version 4.0 — March 2026