1. Who We Are
Athena (“we”, “our”, or “us”) is an AI-powered document intelligence platform that empowers organisations with document analysis, search, automated workflows, and secure communication tools via our web and mobile applications.
| Item | Details |
|---|---|
| Legal Entity | Zeus AI Business Solutions Ltd (trading as Athena) |
| Company Number | 16793939 (England and Wales) |
| Registered Address | 56 Hanley Rd, Hull, HU5 5ST, England |
| Email | lee@askathena-ai.co.uk |
| Website | askathena-ai.co.uk |
| ICO Registration | ZC016874 |
We act as a Data Controller for the personal data you provide directly to us (such as account registration) and as a Data Processor for the organisational data and documents you process through our platform. Where we act as a Data Processor, processing is governed by our Data Processing Agreement (DPA).
2. What Information We Collect
a) Personal Data
- Name and job title
- Email address
- Organisation affiliation
- Login credentials (encrypted and hashed - we cannot see your password)
- Profile information provided during onboarding
b) Technical and Usage Data
- IP address and device identifiers (for mobile and web)
- App usage statistics (features used, time spent)
- Crash logs and performance diagnostics
- Operating system, browser type, and screen resolution
c) Business Data and Integrations
- Documents: Files uploaded for processing, analysis, or storage (e.g., PDFs, Word documents, spreadsheets, technical drawings).
- Chat Data: Messages, images, and files sent via the Athena chat features.
- Integration Data: Data accessed via connected services (e.g., Google Drive, OneDrive, SharePoint, Notion, HubSpot, Xero) based on your explicit permissions.
- Metadata: Information about files (size, type, creation date) and processing logs (e.g., error reports, success status).
d) Payment Data
Payment card details are collected and processed by Stripe (our payment processor). We do not store, process, or have access to full payment card numbers. We receive only a confirmation of payment status and basic transaction metadata from Stripe.
3. How We Use Your Information
- Service Provision: To enable document upload, analysis, storage, retrieval, and search, and to facilitate communication between organisation members.
- AI Processing: To analyse documents, extract text, generate embeddings for semantic search, and provide natural language responses to queries using AI services (see Section 5).
- Automation: To execute workflows triggered by your data (e.g., classifying documents, extracting text, syncing integrations).
- User Management: To manage organisation invites, roles, access permissions, and billing.
- Security: To protect accounts through two-factor authentication, concurrent session detection, and security alerting.
- Improvement: To improve app performance and user experience through anonymised and aggregated usage analytics. We do NOT use your documents or business data to train AI models.
- Communication: To send service updates, security alerts, billing notifications, and support responses.
- Compliance: To fulfil legal obligations and ensure platform security.
We rely on the following lawful bases for processing: contractual necessity (to provide the service you signed up for), legitimate interests (to improve our product and ensure security), and consent (for optional integrations and marketing communications).
4. Data Security
Encryption
Data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption, provided through our infrastructure provider.
Infrastructure
Our primary database is hosted on Supabase (SOC 2 Type II certified) on AWS eu-west-1 (Ireland). Application hosting is provided by Vercel. Workflow automation is hosted on Elestio/Hetzner in the EU (Germany).
Access Control
Strict role-based access controls (RBAC) are enforced at the application and database level. Row-Level Security (RLS) ensures complete data isolation between organisations. Two-factor authentication (TOTP) is available for all user accounts. Concurrent session detection prevents unauthorised account sharing.
Monitoring
Automated infrastructure monitoring, application error logging, and security alerting are in place. Suspicious activity triggers security alert emails to affected users.
5. Artificial Intelligence and Your Data
Athena uses artificial intelligence services to power its core features, including document analysis, text extraction, semantic search, and natural language chat. This section explains how AI interacts with your data.
Which AI services do we use?
We use AI services provided by Anthropic (Claude), Google (Gemini), OpenAI, and ElevenLabs. A complete list of all third-party service providers is maintained in our Sub-Processor Register.
Is my data used to train AI models?
No. Your documents, queries, chat messages, and all other Customer Data are NOT used to train, fine-tune, or improve any AI models - whether operated by us or by any third-party provider. We use only the API (enterprise) tier of all AI services, which are governed by data processing agreements that explicitly prohibit the use of input data for model training.
What happens to my data during AI processing?
When you use an AI feature (such as document chat or search), the relevant content is sent to the AI provider via an encrypted API call. The AI provider processes the request and returns a response. Your data is not retained by the AI provider beyond the duration of the API request. No copies are stored, cached, or logged by the AI provider.
Automated decision-making
Athena does not engage in automated decision-making that produces legal effects concerning individuals or similarly significantly affects them within the meaning of Article 22 of the UK GDPR. AI processing within Athena is used to assist users with document analysis, search, and information retrieval. All AI-generated outputs are presented for human review and should be independently verified before being relied upon for business, legal, financial, or safety-critical decisions.
6. Sharing Your Data
We do not sell your data to third parties.
We may share data with:
- Sub-processors: Trusted third-party service providers who assist in hosting, AI processing, payment processing, and email delivery. A complete list is maintained in our Sub-Processor Register.
- Integrations: When you connect a third-party service (like Google Drive or OneDrive), data is shared strictly in accordance with your instructions and the permissions you grant.
- Legal Authorities: If required by law, court order, or to protect the rights and safety of Athena or its users.
7. Where Your Data Is Stored
| Service | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database, authentication, file storage | Ireland (eu-west-1) |
| Vercel | Application hosting, API execution | USA (us-east-1) |
| Elestio / Hetzner | Workflow automation (n8n) | Germany (EU) |
| AI Providers | Document analysis (API only, no retention) | USA / EU |
For a complete list of sub-processors including their legal entities, data locations, and transfer safeguards, see our Sub-Processor Register.
8. Your Rights
Under the UK GDPR and applicable data protection laws, you have the right to:
- Access the personal data we hold about you.
- Rectification: request correction of inaccurate data.
- Erasure: request deletion of your data (“Right to be Forgotten”).
- Restriction: restrict or object to specific processing activities.
- Portability: request your data in a commonly used, machine-readable format.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
To exercise any of these rights, please contact us at lee@askathena-ai.co.uk. We aim to respond to all data subject requests within 30 days.
9. Cookies and Mobile Permissions
Web
We use essential cookies to maintain your session and login state. We may use analytical cookies to understand how our site is used. Our Cookie Policy provides full details of the cookies we use and how to manage them.
Mobile App
The Athena mobile app may request permissions for Notifications (for chat alerts), Camera/Gallery (for document uploads), and Storage. You can manage these permissions in your device settings at any time.
10. Data Retention
- Active accounts: Data is retained for the duration of your active subscription.
- Documents and chat: Retained for the duration of your workspace’s active subscription, or until manually deleted by an Administrator.
- Terminated accounts: On termination, Customer Data is available for export for 30 days. After the export period, all Customer Data is securely deleted within 90 days, unless applicable law requires continued retention.
- Expired trials: Data from expired trial accounts is retained for 90 days, after which it may be deleted.
- Inactive accounts: Data from inactive accounts may be deleted or anonymised after a reasonable grace period. We will notify account holders before deletion.
11. Security Incidents and Breach Notification
In the event of a personal data breach that affects your data, we will:
- Notify affected customers without undue delay, and in any event within 48 hours of becoming aware of the breach.
- Provide details of the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address it.
- Report to the Information Commissioner’s Office (ICO) within 72 hours where the breach is likely to result in a risk to the rights and freedoms of individuals, as required by the UK GDPR.
- Cooperate fully with affected customers in the investigation, mitigation, and remediation of any security incident.
If you discover a security vulnerability or suspect unauthorised access to your account, please contact us immediately at lee@askathena-ai.co.uk.
12. International Data Transfers
Some of our sub-processors are located outside the United Kingdom (see Section 7). Where data is transferred outside the UK, we ensure it is protected by appropriate safeguards as required by the UK GDPR, including:
- UK Adequacy Decisions: For transfers to EU/EEA countries, which are covered by the UK’s adequacy regulations.
- International Data Transfer Agreement (IDTA): For transfers to the USA and other countries without an adequacy decision, we rely on the IDTA or the UK Addendum to the EU Standard Contractual Clauses.
Transfer risk assessments are conducted for each international transfer and are available on request.
13. Children’s Data
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at lee@askathena-ai.co.uk and we will take steps to delete such information.
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our technology, legal requirements, or business practices. The latest version will always be available on this page and within the app settings.
If we make material changes that affect how we process your personal data, we will notify you by email or in-app notification at least 30 days before the changes take effect.
15. Contact Us
If you have questions about this policy, your privacy, or our data handling practices, please contact:
Athena Support Team
Zeus AI Business Solutions Ltd (trading as Athena)
56 Hanley Rd, Hull, HU5 5ST, England
Email: lee@askathena-ai.co.uk
Website: askathena-ai.co.uk
ICO Registration: ZC016874
