NPU Labs

Legal

Privacy Policy

Last updated: 2026-05-23

This Privacy Policy explains how NPU Labs ("we," "us," "our") collects, uses, shares, and protects personal information when you visit npu-labs.com and interact with us through the site or our services. We aim to comply with applicable global data protection law, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA / CPRA), and the South African Protection of Personal Information Act (POPIA). Where these laws differ, the law that applies to you will govern our handling of your personal information.

1. Who we are

NPU Labs is an AI software studio operating principally from South Africa. For the purposes of GDPR and UK GDPR we are the "controller" of your personal information collected through this site. For the purposes of POPIA we are the "responsible party." Our information officer can be reached at info@npu-labs.com.

2. Information we collect

When you submit the contact form we collect:

  • Your name
  • Your email address
  • Your company name (if you choose to provide it)
  • The product or topic you selected
  • The content of the message you sent

We may also collect basic technical information automatically when you visit the site, including IP address, device type, browser type, operating system, referring page, and pages visited. This is collected through standard server logs and any privacy-respecting analytics tool we may add in future (with appropriate notice and consent where required).

3. How we use your information

We use the information described above to:

  • Respond to your inquiry and provide the services you request.
  • Improve and maintain the site and our products.
  • Understand how visitors engage with our content (aggregated, non-identifying analysis).
  • Detect, prevent, and address security issues, abuse, or fraud.
  • Comply with legal obligations.

We do not sell your personal information. We do not share it with third parties for their direct marketing purposes.

4. Legal bases (GDPR / UK GDPR)

If you are in the EEA or the UK, we process your personal information on the following legal bases:

  • Consent: for non-essential cookies and any optional marketing communications. You can withdraw consent at any time.
  • Contract: to respond to your inquiries and provide services you have requested.
  • Legitimate interests: to operate, secure, and improve the site, provided your interests and fundamental rights do not override ours.
  • Legal obligation: to comply with applicable law.

5. Conditions of lawful processing (POPIA)

For users in South Africa, we process personal information in accordance with the eight POPIA conditions, including accountability, processing limitation, purpose specification, information quality, openness, security safeguards, data subject participation, and a lawful purpose.

6. Third-party processors

We share personal information with carefully chosen service providers that process information on our behalf and only on our instructions:

  • Vercel: hosting and content delivery.
  • Resend (or an equivalent provider): email delivery for contact-form submissions.
  • GitHub: code repository hosting (no personal information from the contact form is sent here).

Each processor is bound by its own data-processing terms and applicable law. We review providers periodically to ensure adequate safeguards.

7. International data transfers

We operate from South Africa and use service providers based in various countries, including the United States and the European Union. Where personal information is transferred outside the jurisdiction in which it was collected, we rely on appropriate safeguards such as the EU Standard Contractual Clauses, adequacy decisions, or the equivalent under UK GDPR or POPIA.

8. Cookies and similar technologies

The site currently uses only essential cookies needed for basic functionality. If we add analytics or marketing technologies in future we will update this policy and, where consent is required, request it before any non-essential technology is set. See our Cookie Policy for details.

9. Your rights (GDPR / UK GDPR / POPIA)

Depending on where you live you have the following rights regarding your personal information:

  • Access: request a copy of the personal information we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete information.
  • Erasure: ask us to delete personal information, subject to legal exceptions.
  • Restriction: ask us to limit how we process information in certain circumstances.
  • Portability: receive your information in a portable, machine-readable format.
  • Objection: object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of earlier processing.
  • Lodge a complaint: with your local data protection authority, including the South African Information Regulator, the UK Information Commissioner's Office, or your EU member-state authority.

To exercise any of these rights, contact us at info@npu-labs.com. We will respond within the timeframes required by applicable law.

10. Your rights (California: CCPA / CPRA)

If you are a California resident you have additional rights under the CCPA / CPRA:

  • Right to know what categories of personal information we collect, where it comes from, and how it is used.
  • Right to access the specific pieces of personal information we hold about you.
  • Right to delete personal information we have collected.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioural advertising).
  • Right to non-discrimination for exercising your rights.

To submit a request, email info@npu-labs.com. We may need to verify your identity before responding.

11. Data retention

We retain personal information only as long as necessary to fulfil the purposes for which it was collected, including responding to your inquiry, providing requested services, and complying with legal obligations. Contact-form submissions are typically retained for up to two years from the last relevant interaction, after which they are deleted or anonymized unless a longer retention period is required by law. You can request earlier deletion at any time.

12. Security

We take reasonable organizational and technical measures to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. No internet transmission or storage is perfectly secure, however, so we cannot guarantee absolute security. In the event of a personal data breach affecting your rights we will notify the relevant authorities and, where required, affected individuals within the timeframes mandated by applicable law.

13. Children's privacy

The Service is not intended for children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will take reasonable steps to delete it.

14. Automated decision-making

We do not currently make decisions about you based solely on automated processing that produce legal or similarly significant effects. If we introduce such processing we will update this policy and provide the safeguards required by applicable law.

15. Changes to this policy

We may update this policy from time to time. The "Last updated" date reflects the most recent change. If a change is material we will take reasonable steps to bring it to your attention, including, where appropriate, requesting fresh consent. Continued use of the Service after a change means you accept the updated policy.

16. Contact

Questions about this policy or about your data? Email info@npu-labs.com.

This document is a working draft prepared for general information. It is not legal advice. Have it reviewed by a qualified attorney or privacy professional in each jurisdiction where you operate before relying on it for any commercial purpose.