Privacy Policy
Effective date: 30 June 2026. This Privacy Policy describes how Peakbit Smart Nexus (“we”, “our”, “us”) collects, uses, processes, and protects information across our corporate website, our mobile applications distributed via the Apple App Store and Google Play, our research projects, and our client engagements.
1. Definitions & Scope
This Privacy Policy applies to peakbitsmartnexus.com (the “Website”) and to the mobile applications published by Peakbit Smart Nexus in the Apple App Store, Google Play, and any other app distribution platform (collectively, the “Apps”). It also covers research preview builds, beta programmes, and any service or product operated by us under the Peakbit Smart Nexus brand.
Throughout this document:
- “Personal data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on personal data, including collection, storage, use, disclosure, or erasure.
- “User” or “you” means any individual who visits the Website, installs or interacts with an App, or otherwise provides personal data to us.
- “Device” means any smartphone, tablet, computer, or other equipment used to access the Website or Apps.
If you reside in the European Economic Area (EEA), the United Kingdom, or Switzerland, the data controller for your personal data is Peakbit Smart Nexus, St John’s Innovation Centre, Cambridge CB4 0FE, United Kingdom.
2. Information We Collect
We are a privacy-first studio. The vast majority of our products are architected to keep user data on the device and to operate fully offline. Where data is processed on our servers, it is the minimum required to deliver the feature you have explicitly requested.
2.1 Information you provide directly
- Contact information when you write to us (name, email address, organisation, message body).
- Account information for the few services that require an account (email address, hashed password).
- User-generated content you choose to create or import into our Apps (notes, plant records, wardrobe entries, countdown events, draft manuscripts, and similar).
- Support correspondence and any feedback you choose to provide.
2.2 Information collected automatically
- Device information: model, operating system version, language, country (derived from IP), and time zone.
- App usage information: which features are used, crash reports, performance metrics, and aggregated, anonymised analytics.
- Advertising identifiers (IDFA on iOS, GAID on Android) only after you have granted consent via the App Tracking Transparency prompt (iOS) or have not opted out (Android).
- IP address, which may be used for country detection, fraud prevention, and security.
2.3 Information we do NOT collect
- Your precise geolocation (latitude / longitude). We use only coarse country / region detection.
- Your contact list, calendar, microphone, or camera contents.
- Your browsing history outside our Apps.
- Biometric data.
- Government identifiers (SSN, NHS number, etc.).
- Financial information such as bank account or credit card details (we use Apple / Google payment infrastructure for any in-app purchases).
3. How We Use Information
We use the limited information we collect for the following purposes:
- To deliver, maintain, secure, and improve the Apps and Website.
- To respond to your enquiries, support requests, and communications.
- To display advertising in our free-tier Apps (where applicable, and only with your consent where required by law).
- To detect, prevent, and address fraud, abuse, security, or technical issues.
- To comply with applicable legal obligations.
- To conduct aggregate, anonymised research that improves our products (e.g. understanding which features are underused).
We do not sell personal data. We do not use personal data for automated decision-making that produces legal or similarly significant effects.
4. Legal Bases for Processing (EEA / UK)
If you are in the EEA or the UK, we rely on the following legal bases under the UK GDPR and EU GDPR:
- Performance of a contract — to provide the Apps and services you have requested.
- Legitimate interests — to secure, maintain, and improve our products, where our interests are not overridden by your rights.
- Consent — for advertising, analytics, and any optional features that require your active opt-in.
- Legal obligation — to comply with applicable laws and regulations.
5. Advertising & Ad Networks
Our free-tier Apps may display advertising. We integrate with a curated set of third-party ad networks and mediation platforms. Each network is contractually required to comply with applicable privacy laws, and we take active steps to ensure that only the data necessary to serve an ad is transmitted.
Where a regulatory regime requires prior consent (e.g. EU/EEA users, UK users under the Age Appropriate Design Code, California users under CCPA), we will request consent before loading advertising SDKs that are not strictly necessary for the operation of the App.
5.1 Ad Networks and Monetisation Platforms We Work With
The following advertising and monetisation platforms may be integrated into one or more of our Apps. Each is bound by its own privacy policy and contractual data processing terms with us.
5.1.1 Google AdMob (Google LLC)
AdMob is Google’s mobile advertising platform. AdMob may collect device identifiers, advertising IDs, IP address, app usage signals, and coarse location in order to serve, measure, and personalise ads. AdMob uses this data in accordance with the Google Privacy Policy and the AdMob data usage policy. AdMob supports the IAB Transparency and Consent Framework (TCF v2.2) and Apple’s App Tracking Transparency (ATT) framework.
5.1.2 Google Ad Manager (Google LLC)
Google Ad Manager (formerly DoubleClick for Publishers and DoubleClick Ad Exchange) may be used for direct ad serving and programmatic mediation. Privacy practices are governed by the Google Privacy Policy.
5.1.3 Google AdSense (Google LLC)
For web-based ad serving (where applicable in our research and marketing pages), we may use Google AdSense, governed by the same Google Privacy Policy.
5.1.4 Meta Audience Network (Meta Platforms, Inc.)
Meta Audience Network (formerly Facebook Audience Network) serves ads in our Apps using data from Meta’s advertising systems. Meta may collect device identifiers, hashed email addresses (if you are logged into Facebook), and engagement signals. See the Meta Privacy Policy. FAN is a registered IAB TCF vendor and supports ATT.
5.1.5 Unity Ads (Unity Technologies)
Unity Ads is a video and display advertising platform commonly used in games and interactive apps. Unity may collect device identifiers, IP address, and aggregated event data. See the Unity Privacy Policy and the Unity Game Player and App User Privacy Policy.
5.1.6 AppLovin Corporation (AppLovin, including MAX, MoPub-acquired business)
AppLovin MAX is a mediation platform; AppLovin’s direct network may also serve ads. AppLovin may collect device identifiers, ad engagement, and conversion data. See the AppLovin Privacy Policy.
5.1.7 ironSource (now Unity)
ironSource is a mediation and monetisation platform. ironSource may collect device identifiers, IP address, and engagement data. See the ironSource Privacy Policy.
5.1.8 Vungle (now part of Liftoff)
Vungle serves video and interactive ads. Vungle may collect device identifiers, advertising IDs, and coarse location. See the Vungle Privacy Policy.
5.1.9 InMobi (InMobi Technology Services Pvt. Ltd.)
InMobi is a global mobile advertising network. InMobi may collect device identifiers, IP address, and contextual app signals. See the InMobi Privacy Policy.
5.1.10 Chartboost (now part of Zynga / Take-Two)
Chartboost is a programmatic in-app advertising network. Chartboost may collect device identifiers, IP address, and event data. See the Chartboost Privacy Policy.
5.1.11 Tapjoy, Inc.
Tapjoy operates a rewarded advertising and offerwall platform. Tapjoy may collect device identifiers, IP address, and engagement data. See the Tapjoy Privacy Policy.
5.1.12 AdColony (now part of Digital Turbine / Opera)
AdColony is a mobile video and rich-media ad network. AdColony may collect device identifiers, IP address, and ad engagement data. See the AdColony Privacy Policy.
5.1.13 Digital Turbine (Digital Turbine USA, Inc.)
Digital Turbine operates the Fyber mediation platform and other advertising businesses. See the Digital Turbine Privacy Policy.
5.1.14 Pangle (ByteDance Ltd.)
Pangle is ByteDance’s ad network, primarily active in Asia and increasingly global. See the Pangle Privacy Policy.
5.1.15 Mintegral (Mintegral International Ltd.)
Mintegral is a mobile programmatic advertising platform. See the Mintegral Privacy Policy.
5.1.16 Liftoff Mobile, Inc.
Liftoff operates a mobile ad and re-engagement platform. See the Liftoff Privacy Policy.
5.1.17 Start.io (formerly StartApp)
Start.io is a mobile ad network. See the Start.io Privacy Policy.
5.1.18 Smaato, Inc.
Smaato is a real-time advertising exchange. See the Smaato Privacy Policy.
5.1.19 PubMatic, Inc.
PubMatic is a supply-side advertising platform. See the PubMatic Privacy Policy.
5.1.20 MoPub (now part of AppLovin)
MoPub is a mobile ad server and mediation platform (acquired by AppLovin). See the MoPub Privacy Policy.
5.1.21 Criteo (Criteo S.A.)
Criteo is a retargeting and display advertising platform. See the Criteo Privacy Policy.
5.1.22 Taboola (Taboola.com Ltd.)
Taboola is a content-discovery and native advertising platform. See the Taboola Privacy Policy.
5.1.23 Outbrain (Outbrain Inc.)
Outbrain is a content-discovery advertising platform. See the Outbrain Privacy Policy.
5.1.24 Yahoo Advertising (Yahoo / Verizon Media)
Yahoo / Verizon Media operates demand-side and supply-side advertising platforms. See the Yahoo Privacy Policy.
5.1.25 Xandr (Microsoft, formerly AppNexus)
Xandr is a programmatic advertising platform. See the Xandr Privacy Policy.
5.1.26 The Trade Desk (The Trade Desk, Inc.)
The Trade Desk is a demand-side programmatic advertising platform. See The Trade Desk Privacy Policy.
5.1.27 TripleLift (TripleLift, Inc.)
TripleLift is a programmatic advertising platform. See the TripleLift Privacy Policy.
5.1.28 Index Exchange (Index Exchange Inc.)
Index Exchange is a programmatic advertising exchange. See the Index Exchange Privacy Policy.
5.1.29 Magnite (Magnite, Inc., formerly Rubicon Project / Telaria)
Magnite is a programmatic sell-side platform. See the Magnite Privacy Policy.
5.1.30 OpenX (OpenX Technologies, Inc.)
OpenX is a programmatic advertising exchange. See the OpenX Privacy Policy.
5.2 Mediator / SDK Provider
For Apps that run multiple ad networks, we use the following mediation platforms to manage waterfall and in-app bidding: Google AdMob Mediation, AppLovin MAX, and ironSource Mediation (now Unity LevelPlay). The mediation layer processes bid requests, device identifiers, and consent signals, and shares only the data necessary to fulfil a bid with downstream networks.
6. AdMob-Specific Disclosures
Because Google AdMob is the most widely used ad platform in our portfolio, the following additional disclosures apply:
6.1 SDK Components
The AdMob SDK includes the following components: MobileAds, AdLoader, AdView, InterstitialAd, RewardedVideoAd, AppOpenAd, NativeAd, and BannerAd. Each may collect the data items described above.
6.2 SDK Permissions
The AdMob SDK may request the following Android permissions when used: android.permission.INTERNET, android.permission.ACCESS_NETWORK_STATE, com.google.android.gms.permission.AD_ID. On iOS, the SDK uses the IDFA through the App Tracking Transparency prompt.
6.3 Data Collection & Use
AdMob collects, at minimum, the following categories of data: device identifiers (IDFA, GAID), IP address (truncated), app session metadata, ad impression and click data, frequency capping, and fraud-prevention signals. Detailed categories are documented in the AdMob data disclosure.
6.4 User Controls
Users can limit AdMob personalisation through their device settings (iOS: Settings > Privacy > Tracking; Android: Settings > Google > Ads), or through Google’s ad personalisation controls. Users can also reset their advertising identifier at any time.
6.5 Family Policy & Tag for Child-Directed Treatment
We configure AdMob with the appropriate tag (tagForChildDirectedTreatment or tagForUnderAgeOfConsent) where required. For Apps that target audiences under 13, AdMob is replaced with contextual, first-party advertising only, and the SDK is initialised in compliance with the Google Play Families Policy and the Apple App Store Review Guidelines 1.4 and 5.1.4.
7. Ad Types and Formats
The following advertising formats may appear in our Apps. Each is described in plain language, with the data it processes, and the user controls available.
7.1 Banner Ads
Rectangular image or text advertisements placed in a designated area of the App (typically the bottom of a screen). Banner ads are served by all of the networks listed in section 5.
- Data processed: device identifier, IP address (truncated), ad request metadata, click and impression events.
- User controls: users may opt out of personalised advertising via the device settings and via the in-app privacy menu.
7.2 Interstitial Ads
Full-screen advertisements that appear at natural transition points in the App (e.g. between levels, after completing a checklist, or when opening a new section). Interstitials may be static image, rich media, or video.
- Data processed: same as banner ads, plus interaction events (close, click-through, video completion).
- Frequency capping: we cap interstitial frequency in our Apps to minimise disruption.
7.3 Rewarded Video Ads
Full-screen video advertisements that users choose to watch in exchange for an in-app reward (e.g. unlocking a feature, removing a watermark, earning a small in-app credit). Rewarded videos are typically 15–30 seconds long and can be skipped only after a minimum viewing period.
- Data processed: device identifier, IP address, video start / completion / skip events, reward grant events.
- User controls: always opt-in — the user must actively tap a button to watch a rewarded video. The user is informed of the reward before the ad begins.
- Children: rewarded ads are only available to users confirmed to be above the applicable age of consent in their jurisdiction.
7.4 Open Screen / App Open Ads
Full-screen advertisements displayed when the user first opens the App, or when the user returns to the App after a specified background period. These are typically AdMob AppOpenAd or comparable formats from other networks.
- Data processed: device identifier, IP address, session length, and cold-start / warm-start signals.
- User controls: can be dismissed by tapping the close / “continue” button, typically after 5 seconds. The ad will not re-display for a configurable cool-down period.
7.5 Native Ads
Advertisements that match the visual design of the surrounding user interface and are served via a designated component (e.g. a feed item).
- Data processed: same as banner ads, plus contextual placement signals.
7.6 Offerwall Ads
In some Apps, we may display an offerwall — a curated list of rewarded actions (install another app, complete a survey, sign up for a service) that grant in-app currency or features. Offerwalls are operated by Tapjoy, Fyber, or comparable networks.
- Data processed: device identifier, IP address, completion events, in-app currency credit events.
- User controls: always opt-in; users may decline to use the offerwall without any loss of existing features or content.
7.7 Sponsored Content and Affiliate Links
Where a blog post or an in-app educational article references a product or service, we may include an affiliate link or a sponsored disclosure. Affiliate clicks are processed by the affiliate network (e.g. Amazon Associates, Apple Performance Partners) and may be logged with a unique identifier.
7.8 No Personally-Targeted Behavioural Advertising for Minors
For users below the age of digital consent in their jurisdiction (typically 13, 16, or 18 depending on the country), we do not allow behaviourally-targeted advertising. We serve contextual advertising only, in compliance with the Google Play Families Policy, the Apple App Store Review Guidelines, and the UK Age Appropriate Design Code (AADC).
8. Children and Age Restrictions
Our Apps default to an audience of 16 years and older, consistent with the UK Age Appropriate Design Code (AADC) and the GDPR guidance on the age of digital consent.
- We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us so we can delete it.
- For users aged 13–15 (in jurisdictions where this is below the age of digital consent), we offer a separate, restricted experience with no behavioural advertising, no third-party analytics, and no social features. Access to certain features may be blocked.
- For users below the age of consent in their jurisdiction, we obtain verifiable parental consent (where required by COPPA, GDPR-K, or equivalent law) before any further processing.
- We do not display behavioural advertising to users we know to be under 13, in accordance with the Children’s Online Privacy Protection Act (COPPA) and equivalent regimes.
- The AdMob SDK is configured with the appropriate tagForChildDirectedTreatment and tagForUnderAgeOfConsent flags, and the SDK is removed or replaced with a contextual-only version in our child-directed products.
9. Cookies and Tracking Technologies
The Website peakbitsmartnexus.com uses the following cookies and similar technologies. The Apps do not use browser cookies; instead, they use platform-level identifiers (IDFA, GAID) as described above.
9.1 Strictly Necessary Cookies
These cookies are required for the Website to function. They include session identifiers, language preferences, and security tokens. These cookies do not require consent under the ePrivacy Directive.
9.2 Performance and Analytics Cookies
We use privacy-respecting analytics (Plausible Analytics or self-hosted Matomo) on the Website, which do not require consent and do not use cross-site tracking. Aggregated, non-identifying statistics help us understand which pages and features are useful to our visitors.
9.3 Functionality Cookies
These cookies remember your preferences, such as theme selection. They are set only with your consent.
9.4 Marketing Cookies
We do not set marketing cookies on the Website. The Website does not contain third-party marketing or advertising trackers. Our marketing efforts (where they exist) are conducted through attribution-aware but consent-driven platforms.
9.5 Cookie Controls
You can control cookies via your browser settings. Most browsers allow you to block, delete, or selectively permit cookies. You can also use the “Do Not Track” (DNT) or “Global Privacy Control” (GPC) signals supported by your browser — we honour both.
10. App Store Compliance
Our Apps are distributed through the following stores, each with its own policies that we follow:
10.1 Apple App Store
- We comply with the Apple App Store Review Guidelines, in particular Guidelines 1.4 (Safety), 2.1 (App Completeness), 5.1 (Privacy), and 5.1.1 (Privacy: Data Collection and Storage).
- We declare all data collected via the App Privacy “nutrition label”, including data used for tracking purposes.
- Where the App uses the App Tracking Transparency (ATT) framework, the system prompt is presented before any tracking begins, and we do not use any “pre-prompt” or shadow-tracking techniques.
- We do not use the IDFA for tracking where the user has declined the ATT prompt.
10.2 Google Play Store
- We comply with the Google Play Developer Policy, in particular the User Data policy and the Families policy.
- Our Data Safety form accurately reflects the data our Apps collect, share, and the security practices we follow.
- Where the App is targeted at children, we apply the Designed for Families designation and use only the allowed ad SDKs and formats.
- We respect the user’s “Opt out of Ads Personalisation” setting and provide an in-app control to reset the GAID.
10.3 Alternative App Stores
Where our Apps are distributed through alternative channels (Samsung Galaxy Store, Amazon Appstore, Huawei AppGallery, regional stores in the EU and Asia), we apply equivalent privacy and safety controls and respect the platform-specific rules of each store.
11. Regional and Country Policies
Our privacy practices comply with the laws of the regions where we operate. The following country- and region-specific provisions apply.
11.1 United Kingdom (UK)
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are registered with the Information Commissioner’s Office (ICO). Our ICO registration number is available on request. We follow the ICO’s published age-appropriate design guidance and the Children’s Code (Age Appropriate Design Code, or AADC).
11.2 European Union (EU) and European Economic Area (EEA)
We comply with the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and the ePrivacy Directive 2002/58/EC, as amended. We honour the IAB Europe Transparency and Consent Framework (TCF) v2.2 signals when processing personal data for advertising. Where a Member State has additional national requirements (e.g. the German TTDSG, the French Loi Informatique et Libertés, the Italian Garante), we apply those in addition.
11.3 United States (US) — Federal
We comply with the Children’s Online Privacy Protection Act (COPPA) for users under 13, the CAN-SPAM Act for marketing emails, the Telemarketing Sales Rule (TSR) where applicable, and other applicable federal laws.
11.4 California
We comply with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). See section 17 below for California-specific rights.
11.5 Virginia
We comply with the Virginia Consumer Data Protection Act (VCDPA).
11.6 Colorado
We comply with the Colorado Privacy Act (CPA).
11.7 Connecticut
We comply with the Connecticut Data Privacy Act (CTDPA).
11.8 Utah
We comply with the Utah Consumer Privacy Act (UCPA).
11.9 Texas
We comply with the Texas Data Privacy and Security Act (TDPSA).
11.10 Oregon
We comply with the Oregon Consumer Privacy Act (OCPA).
11.11 Montana, Iowa, Indiana, Tennessee, New Hampshire, New Jersey, Delaware, Kentucky, Maryland, Minnesota, Rhode Island, and other US states with enacted comprehensive privacy laws
We apply the most stringent interpretation of each state’s requirements, including rights to access, delete, correct, opt out of sale / targeted advertising, and limit use of sensitive personal data.
11.12 Canada
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, the Quebec Law 25 (modernising the protection of personal information).
11.13 Brazil
We comply with the Lei Geral de Proteção de Dados (LGPD).
11.14 Australia
We comply with the Privacy Act 1988 and the Australian Privacy Principles (APPs).
11.15 New Zealand
We comply with the Privacy Act 2020.
11.16 Japan
We comply with the Act on the Protection of Personal Information (APPI).
11.17 South Korea
We comply with the Personal Information Protection Act (PIPA) and the Act on Promotion of Information and Communications Network Utilisation and Information Protection.
11.18 Singapore
We comply with the Personal Data Protection Act 2012 (PDPA).
11.19 India
We comply with the Digital Personal Data Protection Act, 2023 (DPDP Act).
11.20 China
We comply with the Personal Information Protection Law (PIPL), the Data Security Law (DSL), and the Cybersecurity Law (CSL) for any processing that falls within Mainland China jurisdiction.
11.21 Switzerland
We comply with the revised Federal Act on Data Protection (FADP) of 2023.
11.22 South Africa
We comply with the Protection of Personal Information Act (POPIA).
11.23 Israel
We comply with the Protection of Privacy Law, 5741-1981.
11.24 Argentina, Chile, Colombia, Mexico, Peru, and other Latin American countries
We comply with each country’s applicable personal data protection law and recognise the rights established therein.
11.25 United Arab Emirates, Saudi Arabia, and Gulf Cooperation Council (GCC) countries
We comply with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and equivalent national laws where they apply.
12. International Data Transfers
Where personal data is transferred outside the United Kingdom, the European Economic Area, or Switzerland, we rely on the following safeguards:
- European Commission Standard Contractual Clauses (SCCs) for transfers to countries without an adequacy decision.
- UK International Data Transfer Agreement (IDTA) for transfers from the UK.
- EU-US Data Privacy Framework (DPF) for transfers to certified US recipients.
- UK Extension to the DPF for transfers from the UK to certified US recipients.
- Binding Corporate Rules (BCRs) where our partners have them in place.
- Explicit consent where no other legal basis is available and the transfer is necessary for the performance of a contract.
AdMob and other ad networks we use may transfer data to servers in the United States and other jurisdictions. We have configured our SDKs to limit transfer to the minimum required and to use the DPF, SCCs, or equivalent safeguards as appropriate.
13. Data Sharing and Third Parties
We do not sell personal data. We share personal data only with the following categories of recipients, and only the minimum data necessary to deliver a service you have requested:
- Cloud infrastructure providers — for hosting and processing (Amazon Web Services, Google Cloud Platform, Cloudflare, with appropriate data processing agreements in place).
- App distribution platforms — for the Apps (Apple App Store, Google Play, etc.).
- Payment processors — for in-app purchases (Apple StoreKit, Google Play Billing). We do not see your card details.
- Analytics providers — privacy-respecting analytics only, with no cross-site tracking.
- Advertising networks and mediation partners — as described in sections 5–7.
- Email and communication providers — for sending transactional emails (Postmark, Amazon SES, or equivalent). Marketing emails only with your consent.
- Professional advisers and legal authorities — where required by law or to protect our legitimate interests.
14. Data Retention
We retain personal data for the minimum period necessary to fulfil the purposes for which it was collected, after which it is securely deleted or anonymised. Specific retention periods are as follows:
- Contact form submissions: 24 months from last interaction, unless a contractual relationship is established.
- Support correspondence: 36 months from last contact.
- User-generated content in Apps: stored locally on your device. When you delete the App, the data is removed with it.
- Server-side analytics logs: 13 months.
- Server-side backups: 30 days, then rotated out.
- Financial records: 7 years (to comply with HMRC / tax authority requirements).
- Legal hold data: until the relevant legal matter is resolved.
You may request earlier deletion of your data at any time — see section 16.
15. Data Security
We implement administrative, technical, and physical safeguards designed to protect personal data against unauthorised access, use, disclosure, alteration, or destruction. These include:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Role-based access controls and least-privilege principles.
- Two-factor authentication on all production systems.
- Regular security audits and penetration testing.
- Employee and contractor training on data protection.
- Vendor due diligence and data processing agreements.
- Incident response plan with notification procedures consistent with GDPR, CCPA, and equivalent laws.
No system is perfectly secure. If a security incident affects your personal data, we will notify you and the relevant supervisory authorities in accordance with applicable law.
16. Your Rights
You have the following rights with respect to your personal data. Some of these rights are qualified by your jurisdiction.
- Right of access — to request a copy of the personal data we hold about you.
- Right of rectification — to correct inaccurate or incomplete personal data.
- Right of erasure (right to be forgotten) — to request deletion of your personal data in certain circumstances.
- Right to restrict processing — to limit how we use your personal data in certain circumstances.
- Right to data portability — to receive a machine-readable copy of your data and to transmit it to another service.
- Right to object — to object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.
- Right to lodge a complaint — with your local data protection authority.
- Right not to be subject to automated decision-making — we do not use automated decision-making that produces legal or similarly significant effects.
To exercise any of these rights, please contact us at contact@peakbitsmartnexus.com. We will respond within 30 days, or sooner where required by local law.
17. California-Specific Rights (CCPA / CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
- Right to know what personal data we have collected, the categories of sources, the business or commercial purposes, and the categories of third parties with whom we share it.
- Right to delete personal data we have collected from you, subject to certain exceptions.
- Right to correct inaccurate personal data.
- Right to opt out of sale or sharing — we do not sell personal data, but you may opt out of any “sharing” for cross-context behavioural advertising using the Global Privacy Control (GPC) signal or by contacting us.
- Right to limit use of sensitive personal information — to the limited extent we process sensitive PI (which is rare, given our products), you may limit its use to that necessary to provide the service.
- Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of quality for exercising your rights.
You may exercise these rights by emailing contact@peakbitsmartnexus.com or by using the in-app privacy controls. We will verify your identity before responding to a verifiable consumer request.
Notice of Financial Incentive: We do not currently offer financial incentive programs that would require disclosure under California law.
Shine the Light: California Civil Code Section 1798.83 permits California residents to request information about the categories of personal data disclosed to third parties for those third parties’ direct marketing purposes. We do not disclose personal data to third parties for their own direct marketing purposes.
18. EU and UK Rights (GDPR)
If you are in the EU, EEA, or the UK, you have the rights set out in section 16 above. In addition:
- Right to lodge a complaint with a supervisory authority. In the UK, the Information Commissioner’s Office (ICO) at ico.org.uk. In the EU, your national data protection authority — see the European Data Protection Board’s directory at edpb.europa.eu.
- Right to an effective judicial remedy against a legally binding decision of a supervisory authority or against a controller or processor.
- Right to compensation for material or non-material damage suffered as a result of an infringement of the GDPR.
19. Brazil-Specific Rights (LGPD)
If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the rights of confirmation, access, correction, anonymisation, portability, deletion, and information about sharing. The Autoridade Nacional de Proteção de Dados (ANPD) is the supervisory authority. To exercise your rights, contact contact@peakbitsmartnexus.com.
20. Other Jurisdictions
We respect the data protection rights established in all jurisdictions where our products and services are available. Where local law provides stronger protections than this Policy, the local law prevails. To exercise your rights under any specific law, please contact us.
21. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The “Effective date” at the top of this Policy reflects when the Policy was last revised. Material changes will be announced through:
- A notice on the Website at peakbitsmartnexus.com.
- An in-app notification if you have an active App installed.
- For users in the EU/UK, an email notification (where we have your email address) at least 30 days before the change takes effect.
We encourage you to review this Policy periodically. Your continued use of our Website or Apps after the effective date of a change constitutes acceptance of the revised Policy.
22. Contact and Data Controller
For any questions, comments, or requests relating to this Privacy Policy or your personal data, please contact us:
Peakbit Smart Nexus
St John’s Innovation Centre
Cambridge CB4 0FE
United Kingdom
Email (general): contact@peakbitsmartnexus.com
Email (support): support@peakbitsmartnexus.com
For users in the United Kingdom, our supervisory authority is the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom — ico.org.uk.
End of Privacy Policy · Version 4.2 · 30 June 2026