Privacy Policy

HyperionWave Limited is a company registered in England and Wales (company number 16645022). Our registered office is at 5-7 The Crescent, Newquay, Cornwall, TR7 1DT, United Kingdom. We operate the UnaGo agentic automation platform and associated services (together, the "Services").

This policy explains how we collect, use, store and share personal data, and sets out your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to handling your data transparently, fairly and securely.

It applies to:

• employees, officers and other contacts at our enterprise client organisations ("client contacts");
• individual end users who access or use the UnaGo platform ("end users");
• employees, officers and other contacts at our reseller and partner organisations ("partner contacts"); and
• visitors to our websites at unago.ai and hyperionwave.com ("website visitors").

A note on data processed within client workflows. Where HyperionWave processes personal data on behalf of a client organisation acting as data controller — for example, personal data that flows through an automation workflow that client has configured on the UnaGo platform — those processing activities are governed by the Data Processing Agreement we hold with that client (see clause 5 below), not by this policy. This policy covers only the data we process as a data controller in our own right.

For the purposes of UK GDPR, HyperionWave Limited is the data controller in respect of the personal data described in this policy.

If you have any questions about this policy or how we handle your data, please contact us:

• Email: privacy@hyperionwave.com
• Post: HyperionWave Limited, 5-7 The Crescent, Newquay, Cornwall, TR7 1DT, United Kingdom

3.1 Client contacts and partner contacts

We may collect:

• name, job title and employer organisation;
• work email address, telephone number and postal address;
• account credentials (username and hashed password) for any portal or dashboard access;
• correspondence and communications with us;
• contractual and commercial records, including signed agreements and order forms;
• billing and invoicing information; and
• records of interactions with our support and account management teams.

We do not store payment card details. Card transactions are handled directly by our payment processor.

3.2 End users

We may collect:

• name and work email address;
• account credentials;
• usage data, including actions taken within the platform, workflows created or triggered, and feature interactions;
• configuration data, including agent settings and integration preferences;
• log data, including IP addresses, device and browser information, and access timestamps; and
• support correspondence.

3.3 Website visitors

We may collect:

• IP address and approximate location derived from it;
• device and browser information;
• pages visited, time on site and referral source;
• information submitted via contact, demo request or newsletter sign-up forms; and
• cookie and tracking data (see our Cookie Policy).

4.1 Providing and managing the Services

We use personal data to:

• set up and manage accounts for client contacts, partner contacts and end users;
• provide, operate and improve the UnaGo platform and associated services;
• process orders, invoices and payments;
• manage partner and reseller relationships, including revenue share reporting and coordination;
• deliver technical support and respond to queries and complaints; and
• send service communications, including updates, security notices and maintenance notifications.

4.2 Commercial and contractual purposes

We use personal data to:

• negotiate, execute and administer contracts with clients and partners;
• manage renewals, upsells and account reviews; and
• conduct credit and identity checks where relevant.

4.3 Marketing and communications

With your consent, or where we have a legitimate interest in doing so, we may use personal data to:

• send promotional communications about HyperionWave products, features and events;
• share relevant case studies, whitepapers or product updates; and
• invite you to webinars, demonstrations or partner events.

You may opt out of marketing communications at any time by clicking the unsubscribe link in any email, or by contacting us at privacy@hyperionwave.com.

4.4 Security, fraud prevention and legal compliance

We use personal data to:

• monitor platform activity for security threats, misuse and fraud;
• enforce our terms of service and acceptable use policies;
• comply with legal and regulatory obligations;
• respond to lawful requests from courts, regulators and law enforcement agencies; and
• establish, exercise or defend legal claims.

4.5 Analytics and product improvement

We use aggregated and, where necessary, individual usage data to understand how the platform is used, identify errors and improve features and performance. Where possible, we use anonymised or pseudonymised data for these purposes so that individuals cannot be identified from the analysis.

Custom Agent configurations. Where you or your authorised users have created Custom Agents (meaning automation workflows, agent configurations, prompt logic, orchestration structures or decision workflows) within the UnaGo platform, those configurations are treated as your confidential intellectual property and are expressly excluded from any analytics, model training or product improvement use.

HyperionWave does not use Custom Agent logic or configurations — whether in identifiable or abstracted form — to train or improve its AI models, develop generalised platform features, or create products or services for any other customer. This exclusion applies regardless of whether Custom Agent data is processed in identifiable or anonymised form. Full details of these protections are set out in clause 7.5 of our Terms and Conditions.

4.6 AI transparency and applicable AI legislation

Where we process personal data as part of AI-assisted or agentic automation workflows, we are committed to transparency about how AI is used. Where legally required — including under the EU AI Act where applicable — or where you are deploying AI-generated outputs to your own end users, you may be required to:

• disclose that content or decisions were generated or assisted by AI;
• implement appropriate transparency measures as required by applicable law; and
• maintain records necessary to demonstrate compliance with AI transparency obligations.

Our Terms and Conditions (clause 5.7) set out your obligations as a customer in respect of AI transparency. We will process any personal data necessary to support your compliance with AI transparency requirements on the basis of legitimate interests or legal obligation, as applicable.

5.1 When the DPA applies

Where HyperionWave processes personal data on your behalf as a data processor — for example, personal data contained in or flowing through automation workflows, agent tasks, or integrations you have configured on the UnaGo platform — those processing activities are governed by the Data Processing Agreement ("DPA") between HyperionWave and your organisation, not by this policy.

5.2 Availability of the DPA

Our standard DPA is available at our DPA page and is incorporated by reference into our Terms and Conditions. The DPA sets out:

• the subject matter, nature and purpose of processing we carry out on your behalf;
• the categories of personal data and data subjects involved;
• your instructions to us as processor;
• our obligations in respect of security, sub-processors, breach notification, data subject rights assistance and international transfers; and
• the Standard Contractual Clauses or UK International Data Transfer Agreement (UK IDTA) mechanisms applicable to any international transfers of your data.

5.3 Your obligations as controller

If you are a client organisation using the UnaGo platform, you act as the data controller in respect of any personal data you instruct us to process on your behalf. You are responsible for ensuring you have a lawful basis for that processing, that you have provided appropriate privacy notices to your data subjects, and that your instructions to us comply with applicable data protection law.

5.4 Sub-processors

Where we engage sub-processors to process personal data on your behalf, we maintain a current list of approved sub-processors at our Sub-processor List page. We will give you at least 30 days' notice before adding or replacing any sub-processor. If you reasonably object to a new sub-processor on data protection grounds, you may exercise your right to terminate the affected Services without penalty in accordance with the DPA and our Terms and Conditions.

We are required by UK GDPR to identify a lawful basis for each processing activity. The table below sets out our purposes and the basis we rely on for each.

Our legitimate interests include: operating and growing a sustainable B2B SaaS business; protecting the security and integrity of our platform; and maintaining productive commercial relationships with clients and partners. We have assessed in each case that our legitimate interests are not overridden by your rights and interests.

You have the right to object to processing based on legitimate interests at any time. See clause 10 for details.

We will never sell or rent your personal data to third parties.

We may share your personal data with the following categories of recipient, strictly to the extent necessary for the relevant purpose:

• Technology and infrastructure providers — cloud hosting, database, monitoring and security providers who process data on our behalf under contractual data processing agreements;
• Payment processors — to handle billing and payment transactions securely on our behalf;
• Customer relationship and support tools — CRM, helpdesk and communication platforms used to manage your account and support interactions;
• Analytics providers — to help us understand platform and website usage (see our Cookie Policy for further detail);
• Reseller and partner organisations — where you are associated with a client account managed by a reseller, we may share relevant account and service information with that reseller to the extent necessary for them to deliver services to you;
• Professional advisers — lawyers, accountants and insurers, where reasonably necessary;
• Regulatory and law enforcement bodies — where we are required to do so by law, court order or regulatory obligation; and
• Successors in business — in the event of a merger, acquisition or sale of all or part of our business, personal data may be transferred to the acquiring entity subject to equivalent data protection obligations.

All third-party processors are bound by contractual data protection obligations and are permitted to process your personal data only for the purposes we have authorised.

Sub-processors (processor context). A current list of sub-processors is maintained at our Sub-processor List page. We will notify you at least 30 days in advance of any addition to or replacement of sub-processors. Details of your right to object are set out in clause 5.4 above and in the DPA.

HyperionWave is a UK-based business. Our primary infrastructure is hosted on Google Cloud Platform in the eu-west2 (London) region. This means your personal data is stored and processed within the United Kingdom as a matter of course, and no international transfer mechanism is required for primary data storage or processing.

In the event that any incidental processing occurs outside the UK — for example, for infrastructure support, monitoring tooling, or disaster recovery — such transfers are subject to appropriate safeguards in accordance with UK GDPR Chapter V. This will typically be:

• a UK International Data Transfer Agreement (IDTA) issued by the Information Commissioner's Office; or
• a UK Addendum to EU Standard Contractual Clauses, where applicable.

Transfers to EEA countries are covered by the UK's adequacy regulations for the EEA.

Where we engage sub-processors located outside the UK or EEA, we ensure equivalent safeguards are in place. Details of specific safeguards are available on request at privacy@hyperionwave.com.

We retain personal data only for as long as necessary for the purposes set out in this policy.

Important distinction. The retention periods below apply to personal data that HyperionWave processes as a data controller in its own right. Personal data processed on behalf of a client as a data processor — such as data flowing through an automation workflow — is subject to the DPA and Terms and Conditions. Under those terms, Customer Data is deleted or anonymised within 90 days of account termination or expiry of the Subscription Term, unless retention is required by law.

Where data is no longer required, it is securely deleted or irreversibly anonymised.

Under UK GDPR, you have the following rights in relation to your personal data:

• Right of access — to request a copy of the personal data we hold about you;
• Right to rectification — to ask us to correct inaccurate or incomplete data;
• Right to erasure — to ask us to delete your data where we no longer have a valid reason to retain it;
• Right to restrict processing — to ask us to pause processing of your data in certain circumstances;
• Right to data portability — to receive your data in a structured, commonly used, machine-readable format, or to have it transferred directly to another controller where technically feasible;
• Right to object — to object to processing based on legitimate interests, or to object at any time to processing for direct marketing purposes; and
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

How to exercise your rights. To exercise any of these rights, please contact us at privacy@hyperionwave.com. We will respond within one calendar month of receiving your request. We may need to verify your identity before acting on it.

Data deletion and portability requests. Requests for deletion or export of your data (including Customer Data held on the UnaGo platform) may also be submitted to our data protection team at dpo@hyperionwave.com. We will action such requests within 30 days in accordance with applicable data protection laws, subject to any retention obligations under law or the DPA.

If you have a disability or accessibility need that makes it difficult to contact us by email, please let us know and we will do our best to accommodate an alternative method of contact.

If you are unhappy with how we have handled your personal data, please contact us in the first instance at privacy@hyperionwave.com so we have the opportunity to resolve the matter.

You also have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO):

We maintain appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or alteration. These include encryption of data in transit and at rest, role-based access controls, multi-factor authentication, regular security assessments, and isolated multi-tenant architecture with strict data boundaries between client environments.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and will notify affected individuals without undue delay, in accordance with our obligations under UK GDPR Article 33.

We may update this policy from time to time. Where changes are material — meaning they significantly affect how we process your data or your rights — we will notify you directly by email at least 14 days before the changes take effect. For minor or administrative updates, we will post the revised policy on our websites and update the date at the top of this document.