Privacy Policy

Controller: North AI ("North AI", "we", "us", "our")

Effective date: 15 April 2026

Last updated: 15 April 2026

Jurisdictions covered: United Kingdom, European Economic Area, United States

Disclaimer: This document is a template prepared for North AI based on the integrations and tooling declared by the product team. It is not legal advice. Review with qualified counsel before publication.

1. Who we are

North AI operates the North AI platform, website, and related services (the "Service"), which provides AI-powered simulation, content analysis, and creator intelligence tools.

| Item | Detail |
|---|---|
| Legal entity | North AI [Legal entity name, registration number] |
| Registered address | [Address] |
| Contact (privacy) | privacy@northai.co |
| Data Protection Officer / EU Rep | [Name, email] |
| UK Representative (Art. 27 UK GDPR) | [Name, email] |
| EU Representative (Art. 27 EU GDPR) | [Name, email] |

2. Scope

This Policy explains how we collect, use, disclose, and protect personal data when you:

  • Visit northai.co or any North AI subdomain.

  • Create an account or use the Service.

  • Connect third-party accounts (Facebook, Instagram, TikTok, YouTube, Google) to North AI.

  • Interact with our marketing, ads, or support channels.

3. Legal bases (UK & EEA)

We process personal data under the UK GDPR, EU GDPR (Regulation 2016/679), the UK Data Protection Act 2018, and the ePrivacy Directive (Directive 2002/58/EC as transposed locally, and the PECR in the UK). For US users we comply with applicable state laws including the CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), and other state privacy statutes in force.

| Processing activity | Legal basis (UK/EEA) |
|---|---|
| Providing the Service (account, auth, core features) | Contract (Art. 6(1)(b)) |
| Connecting social platforms via OAuth | Contract + Consent (Art. 6(1)(a)(b)) |
| Analytics, product improvement | Consent (Art. 6(1)(a)) via cookie banner |
| Marketing, retargeting, lookalike audiences | Consent (Art. 6(1)(a)) |
| Security, fraud prevention, abuse detection | Legitimate interests (Art. 6(1)(f)) |
| Legal, tax, accounting compliance | Legal obligation (Art. 6(1)(c)) |

Where we rely on consent, you can withdraw it at any time without affecting prior lawful processing.

4. Personal data we collect

4.1 Data you provide

  • Identity: name, email, password (hashed), company, role.

  • Billing: name, billing address, VAT ID, last 4 digits of card (payment processed by our PSP; we do not store full card numbers).

  • Support communications, feedback, survey responses.

4.2 Data from connected platforms (OAuth)

When you connect an account, we request the minimum scopes required. Tokens are stored encrypted at rest.

| Platform | Data received | Purpose | Scopes (summary) |
|---|---|---|---|
| Google / YouTube Data API | Profile, channel ID, video metadata, public stats, analytics where authorized | Creator analytics, content ingestion, simulations | youtube.readonly, yt-analytics.readonly, userinfo.email, userinfo.profile |
| Facebook Graph API | Profile, pages, post metadata, insights | Page analytics, content ingestion | public_profile, email, pages_show_list, pages_read_engagement, read_insights |
| Instagram Graph API | Business account ID, media, insights | Content and performance analysis | instagram_basic, instagram_manage_insights |
| TikTok for Developers | User profile, video list, video metrics | Creator analytics | user.info.basic, video.list, video.insights |
| Google Sign-In | Email, name, Google ID | Authentication | openid, email, profile |

We only access data necessary for the features you activate. We do not sell, rent, or share this data with third parties for independent use.

4.3 Data collected automatically

  • Device, browser, OS, IP address, timezone, language.

  • Log data, page views, clicks, referrer URLs, session duration.

  • Cookies and similar technologies (see Section 9).

5. YouTube API Services disclosure

North AI's use of information received from YouTube APIs adheres to the YouTube API Services Terms of Service and the Google Privacy Policy. You can revoke North AI's access to your Google account at any time via the Google security settings page at https://myaccount.google.com/permissions.

6. How we use personal data

  • Deliver, maintain, and secure the Service.

  • Authenticate users and connected accounts.

  • Run simulations, analytics, and generate reports you request.

  • Personalize content and recommendations.

  • Send transactional and, with consent, marketing communications.

  • Measure and improve performance, debug, and prevent abuse.

  • Comply with legal obligations and enforce our Terms.

We do not use connected-platform data to train foundation models. Derived, aggregated, and anonymized signals may be used to improve North AI product features.

7. AI processing and automated decisions

North AI uses large language models and other AI systems to process content you submit or authorize via connected platforms. Outputs are generated automatically but are not used to make decisions that produce legal or similarly significant effects on you without human review. You can contact privacy@northai.co to request human review of any automated output.

8. Disclosure of personal data

We share data only with:

| Recipient category | Examples | Purpose | Location |
|---|---|---|---|
| Cloud infrastructure | AWS (us-east-1) | Hosting, storage, compute | US |
| AI model providers | Anthropic, OpenAI, Google | Inference on your content | US / EU |
| Analytics | Google Analytics 4, Microsoft Clarity | Product and site analytics | US / EU |
| Advertising | Meta, LinkedIn, Google Ads | Marketing (consent-based) | US / EU |
| Consent management | iubenda | Cookie compliance | EU |
| Payment processing | [Stripe or equivalent] | Billing | US / EU |
| Customer support tools | [e.g. Intercom, Zendesk] | Support tickets | US / EU |
| Authorities | Regulators, courts | Legal obligation | Varies |

We require all processors to sign a Data Processing Agreement under Art. 28 GDPR.

9. Cookies and tracking technologies

We manage cookie consent through iubenda. On first visit, a banner lets you accept, reject, or configure cookies. You can change your choice at any time via the "Cookie preferences" link in the footer.

| Category | Tools | Purpose | Basis |
|---|---|---|---|
| Strictly necessary | Session, CSRF, auth | Service operation | Legitimate interest / contract |
| Analytics | Google Analytics 4, Google Tag Manager, Microsoft Clarity | Usage measurement, session replay (masked) | Consent |
| Marketing | Meta Pixel, LinkedIn Insight Tag | Retargeting, campaign measurement | Consent |

Google Tag Manager itself does not set tracking cookies but loads the tags listed above. Microsoft Clarity records masked session replays and heatmaps. Meta Pixel and LinkedIn Insight Tag share hashed identifiers with Meta and LinkedIn for ad measurement and retargeting. All non-essential tags fire only after consent via iubenda and Google Consent Mode v2.

10. International data transfers

Personal data may be transferred to the United States and other jurisdictions outside the UK/EEA. We rely on:

  • EU-US Data Privacy Framework where the recipient is certified.

  • UK-US Data Bridge extension for UK transfers.

  • Standard Contractual Clauses (EU 2021/914) plus the UK International Data Transfer Addendum where DPF does not apply.

  • Transfer impact assessments and supplementary measures where required.

11. Retention

| Data type | Retention |
|---|---|
| Account data | Life of account + 30 days |
| OAuth tokens | Until revoked or 90 days of inactivity |
| Connected-platform content cache | Up to 24 months or until disconnection |
| Billing records | 7 years (tax law) |
| Analytics (GA4) | 14 months |
| Clarity session recordings | 30 days |
| Support tickets | 3 years |
| Backups | 35 days rolling |

12. Your rights

12.1 UK / EEA (GDPR)

Right of access, rectification, erasure, restriction, portability, objection, and to not be subject to solely automated decisions with legal effects. You may lodge a complaint with the ICO (UK) or your local supervisory authority (EEA).

12.2 United States

Depending on your state, you may have the right to know, delete, correct, portability, opt out of "sale" or "sharing" (including targeted advertising), and limit use of sensitive personal information. California residents have additional rights under the CCPA/CPRA, including non-discrimination. We honor the Global Privacy Control (GPC) signal as an opt-out of sale/sharing.

North AI does not sell personal information for money. We may "share" data for cross-context behavioral advertising via Meta Pixel, LinkedIn Insight Tag, and Google Ads; you can opt out at any time via the cookie banner or by emailing privacy@northai.co.

12.3 How to exercise rights

Email privacy@northai.co or use the in-product "Privacy" page. We respond within 30 days (UK/EEA) or 45 days (US), extendable once where permitted.

13. Security

Encryption in transit (TLS 1.2+), encryption at rest (AES-256), role-based access control, audit logging, least privilege, SSO for staff, vulnerability scanning, and annual penetration testing. Breach notification within 72 hours where required by GDPR Art. 33.

14. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. Contact privacy@northai.co to request deletion.

15. Changes

We will post updates here and notify registered users of material changes by email at least 15 days before they take effect.

16. Contact

| Purpose | Address |
|---|---|
| Privacy requests | privacy@northai.co |
| Security disclosures | security@northai.co |
| Postal | [North AI, full postal address] |
| ICO (UK) | https://ico.org.uk |

Principles

To revolutionise the way media and entertainment company professionals understand and connect with their audiences.

Innovation

We build trust through clear, accurate, and actionable data.

Trust

Predict where your audiences will focus their attention, and where they won’t, with heat mapping and engagement outputs

Diversity

We prioritize various audience demographics, ensuring different voices are reflected in every insight.

Sustainability

We strive for ethical and responsible business practices that create a positive impact.
