Eliot

Privacy Policy

Last updated: March, 2026

Eliot AI Inc. ("Eliot AI," "we," "us," or "our") is committed to protecting the privacy and security of personal data. This Privacy Policy describes how we collect, use, store, disclose, and protect your information when you visit our website (meeteliot.com, companiesgraph.com), use our platform, or interact with our services (collectively, the "Services").

This Privacy Policy does not apply to data that we process on behalf of our enterprise clients through the Eliot AI platform in our capacity as a data processor. That processing is governed by our customer agreements and Data Processing Addendum (DPA), which sets out the terms under which we process data on behalf of our clients.

1. Data Controller

Eliot AI Inc. is the data controller responsible for your personal data as described in this Privacy Policy.

  • Registered Address: Delaware, United States
  • Contact: privacy@meeteliot.com
  • Data Protection Officer (Acting): Damian Stone Aguirre, CTO, damian@meeteliot.com

2. Personal Data We Collect

2.1 Information You Provide Directly

  • Account Information: Name, email address, job title, company name, and password when you create an account, request a demo, or subscribe to our Services.
  • Communication Information: Name, email address, phone number, and the content of messages when you contact us, submit a form, or correspond with our team.
  • Payment Information: Billing address and payment card details when you make a purchase. Payment data is processed and stored exclusively by Stripe, Inc. (PCI-DSS compliant). We do not store payment card numbers on our systems.
  • Documents and Content: Files, documents, and data you upload to the platform in the course of using our compliance investigation Services.

2.2 Information We Collect Automatically

  • Log Data: IP address, browser type and version, operating system, referring URL, pages visited, date and time of access, and duration of visit.
  • Device Information: Device type, unique device identifiers, operating system, and browser configuration.
  • Usage Data: Features accessed, actions taken within the platform, search queries, frequency of use, and session duration.
  • Cookies and Similar Technologies: We use cookies, web beacons, and similar technologies to operate and improve our Services, analyze usage patterns, and remember your preferences. See Section 13 (Cookies) for details.

2.3 Information From Other Sources

  • Corporate Entity Data: We collect publicly available corporate information from government registries (e.g., UK Companies House), licensed third-party data vendors, and other public sources. This data includes company names, registration numbers, director and shareholder names, beneficial ownership information, and corporate filing documents. This data is collected and processed for the purpose of providing compliance investigation services to our enterprise clients.
  • Business Contact Information: We may receive your business contact information from partners, event organisers, or publicly available professional sources (e.g., LinkedIn) for business development purposes.

3. How We Use Your Data

We process personal data for the following purposes:

  • Service Delivery: To provide, operate, and maintain our platform and compliance investigation services, including account creation, authentication, and platform functionality.
  • Client Obligations: To fulfill our contractual obligations to enterprise clients, including processing corporate entity data and documents for KYB and AML compliance investigations.
  • Communication: To respond to your inquiries, provide customer support, send service-related notices, and deliver product updates.
  • Security and Fraud Prevention: To monitor, detect, and prevent fraudulent activity, unauthorised access, and security threats to our platform and users.
  • Improvement and Development: To analyse usage patterns, conduct research, improve existing features, and develop new capabilities for our platform.
  • Marketing: To send promotional communications about our Services, events, and content, where you have consented or where we have a legitimate interest. You may opt out at any time.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, including AML and financial crime regulations.
  • Business Operations: To manage payments, enforce contracts, conduct audits, and administer our corporate governance and compliance programmes.

We do not sell your personal data. We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects on individuals.

4. Legal Basis for Processing

We process personal data under the following legal bases pursuant to GDPR Article 6:

  • Contract Performance (Art. 6(1)(b)): When processing is necessary to provide our Services under your agreement with us, such as creating your account and delivering platform functionality.
  • Legitimate Interest (Art. 6(1)(f)): When processing is necessary for our legitimate business interests, including improving our Services, ensuring platform security, conducting business development, and processing publicly available corporate data for compliance investigations. We balance these interests against your rights and freedoms.
  • Legal Obligation (Art. 6(1)(c)): When processing is necessary to comply with a legal obligation, such as tax reporting, regulatory requirements, or responding to lawful requests from authorities.
  • Consent (Art. 6(1)(a)): When you have given explicit consent for a specific processing purpose, such as receiving marketing communications. You may withdraw consent at any time by contacting us or using the unsubscribe mechanism in any marketing email.

5. Data Sharing and Disclosure

We share personal data only when necessary to deliver our Services, comply with legal obligations, or protect our rights. We do not sell, rent, or trade personal data.

  • Service Providers: We engage third-party service providers who process data on our behalf to provide infrastructure, security, payment processing, and other operational functions. All service providers operate under signed Data Processing Agreements with appropriate safeguards. A list of our current subprocessors is available at meeteliot.com/subprocessors.
  • Legal Requirements: When required by law, regulation, court order, or governmental request.
  • Rights Protection: To protect the rights, property, safety, or security of Eliot AI, our users, or the public.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case we will notify you of any such change.
  • With Your Consent: When you have given us explicit permission to share your data with a specific third party.

6. International Data Transfers

Your personal data may be transferred to and processed in countries other than your own. When data is transferred outside the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary measures including encryption in transit and at rest, and contractual commitments regarding data protection.

You may request a copy of the applicable transfer safeguards by contacting privacy@meeteliot.com.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.

  • Account data is retained for the duration of the account plus 90 days after closure.
  • Communication data is retained for 2 years from last interaction.
  • Usage and log data is retained for 12 months.
  • Payment records are retained as required by applicable tax and accounting law.
  • Marketing preferences are retained until consent is withdrawn.

When data is no longer needed, it is securely deleted or anonymised.

8. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption at rest and in transit
  • Multi-factor authentication enforced across all systems
  • Role-based access controls following the principle of least privilege
  • Web application firewall protection on all public-facing endpoints
  • Continuous threat monitoring and detection
  • Comprehensive audit logging
  • Automated vulnerability scanning
  • A documented incident response plan aligned with GDPR Article 33 notification requirements

We maintain an active compliance programme including regular security assessments and policy reviews. No method of transmission or storage is 100% secure, and while we strive to protect your data, we cannot guarantee absolute security.

9. Your Rights

Depending on your location, you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to legal retention obligations.
  • Restriction: Request that we restrict processing in certain circumstances.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interest or for direct marketing.
  • Withdraw Consent: Withdraw consent at any time without affecting prior processing.
  • Complaint: Lodge a complaint with a supervisory authority (e.g., the UK ICO at ico.org.uk or your local data protection authority).

To exercise any of these rights, contact us at privacy@meeteliot.com. We will verify your identity and respond within 30 days. Complex requests may be extended by 60 days with notice.

10. Cookies and Tracking Technologies

Our website uses the following cookies:

  • Essential cookies: Used for basic site functionality, including remembering your cookie consent preference. These do not require consent.
  • Analytics cookies: We use Google Analytics (GA4) to understand how visitors interact with our website. Google Analytics sets cookies (such as _ga and _ga*) that collect anonymized usage data including pages visited, session duration, and general location. These cookies expire after 2 years. No personally identifiable information is collected. Analytics cookies are only activated after you provide consent through our cookie banner.

We do not use advertising or third-party tracking cookies. You can manage cookies through your browser settings or by updating your preferences via our cookie banner at any time.

11. Children

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. Eliot AI is a B2B platform exclusively serving enterprise clients in financial services. If we become aware that we have collected data from a minor, we will take immediate steps to delete it.

12. California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with the following rights:

  • The right to know what personal information we collect and how we use it.
  • Request deletion or correction of your personal information.
  • Opt out of the sale or sharing of personal information (we do not sell or share personal information as defined under CCPA/CPRA).
  • Not be discriminated against for exercising your rights.

To exercise your rights, contact us at privacy@meeteliot.com.

13. Third-Party Links

Our Services may contain links to third-party websites. We are not responsible for their privacy practices and encourage you to review their privacy policies.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be posted on this page with a revised effective date. Material changes will be communicated via email or a prominent notice on our website.

15. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy, or wish to exercise your data protection rights:

  • Eliot AI Inc.
  • Email: privacy@meeteliot.com
  • Data Protection Officer: damian@meeteliot.com

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.