Last updated: March 2026
Effective date: March 2026
Legal notice: This Privacy Policy has been drafted as a comprehensive starting point based on UK GDPR requirements and UK SaaS best practice. It should be reviewed by a qualified UK solicitor before being published and relied upon commercially.
Inzo is a product of HRZN Ltd, a company registered in England and Wales ("HRZN", "we", "us", "our"). Our registered office is in London, United Kingdom.
We are the data controller for personal data collected directly from you when you use the Inzo website and platform at inzo.hrzn.co.uk (the "Service").
For any questions about this Privacy Policy or how we handle your personal data, please contact us at:
Email: hello@hrzn.co.uk
Website: hrzn.co.uk
We collect only what we need to run the Service. We don't sell your data. We don't use your brand content or AI conversations to train models. Plausible Analytics — our primary analytics tool — is cookieless and privacy-friendly by design. You have clear rights over your data and can exercise them by contacting us.
What: Name, email address, password (stored as a secure hash), company name, and your chosen subscription tier.
Why: To create and manage your account, verify your identity, and provide access to the Service.
Legal basis: Contract — this data is necessary to fulfil our agreement with you.
What: Subscription tier, billing cycle, invoice history, and payment status. We do not store card numbers or full payment details — these are handled entirely by Stripe, our payment processor.
Why: To process your subscription payments, issue invoices, manage upgrades and cancellations, and comply with financial record-keeping obligations.
Legal basis: Contract and Legal Obligation.
Third party: Stripe, Inc. — see Section 6 for details.
What: Brand assets, guidelines, documents, colour palettes, typography choices, logos, and any other content you upload or create within the Platform ("Your Content").
Why: To store, display, and process Your Content as part of delivering the Service to you.
Legal basis: Contract.
Important: Your Content is yours. We do not use it for any purpose other than delivering the Service to you. We do not share it with other users or third parties. We do not use it to train AI models.
What: Messages, prompts, and responses exchanged with the Inzo AI Companion. The AI is powered by Anthropic's Claude API.
Why: To generate AI responses, maintain conversation context within a session, and display your conversation history within your account.
Legal basis: Contract.
Important: Your conversation content is not used to train AI models. Anonymised, aggregated usage patterns (such as feature engagement metrics, not content) may be used to improve the Service. Anthropic processes your prompts as a sub-processor — see Section 6.
What: AI token consumption, feature usage metrics, monthly usage totals, and token top-up purchase history.
Why: To enforce fair usage limits, display your usage dashboard, trigger upgrade prompts, and manage token top-up purchases.
Legal basis: Contract and Legitimate Interests.
What: Email addresses and names of team members you invite to your workspace, along with their assigned role (Editor or Member).
Why: To create user accounts for invited team members and manage their access to your workspace.
Legal basis: Contract and Legitimate Interests.
Your responsibility: If you invite team members to your workspace, you are responsible for ensuring they are aware that their data will be processed in accordance with this Privacy Policy.
What: Emails sent to or received from you, including transactional emails (account verification, password reset, billing receipts) and product communications (feature updates, usage alerts, onboarding sequences).
Why: To communicate with you about your account, the Service, and relevant updates.
Legal basis: Contract (transactional) and Legitimate Interests (product communications). Where required by law, we will obtain your consent before sending marketing communications.
Third party: Resend — see Section 6 for details.
What: Page views, feature interactions, session duration, referral sources, and general usage patterns. This data is collected at an aggregated, anonymised level by Plausible Analytics.
Why: To understand how the Service is being used, identify areas for improvement, and measure feature adoption.
Legal basis: Legitimate Interests.
Plausible Analytics: Our primary analytics tool is Plausible, which is cookieless, does not collect personal data, does not use cross-site tracking, and is fully compliant with UK GDPR and the EU GDPR by design. No cookie consent banner is required for Plausible.
Google Analytics: We may also use Google Analytics for additional measurement. Where Google Analytics is active, it uses cookies and may collect your IP address (anonymised) and browsing behaviour. If you prefer not to be tracked by Google Analytics, you can opt out using the Google Analytics Opt-out Browser Add-on.
What: If you complete the HRZN Brand Assessment tool or interact with HRZN's website prior to signing up for Inzo, your email address and assessment results may be stored in our CRM system (Attio).
Why: To manage our customer relationships, follow up on assessment results, and provide relevant communications.
Legal basis: Legitimate Interests. You can request deletion of your CRM data at any time by contacting hello@hrzn.co.uk.
What: IP address, browser type and version, operating system, device type, and error logs.
Why: To maintain the security and integrity of the Service, diagnose technical issues, and prevent fraud or abuse.
Legal basis: Legitimate Interests and Legal Obligation.
We use a minimal set of cookies necessary to operate the Service:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Supabase auth session | Keeps you logged in to your account | Essential | Session / up to 7 days |
| Stripe | Fraud prevention and payment processing | Essential | Session |
| Plausible | Cookieless analytics — no cookie set | N/A | N/A |
| Google Analytics (if active) | Usage analytics | Analytics | Up to 2 years |
Essential cookies are required for the Service to function and cannot be disabled. Analytics cookies (Google Analytics) can be managed through your browser settings or the Google Analytics opt-out tool linked in Section 3.8.
We do not use advertising cookies or sell data to advertisers.
| Data Type | Retention Period |
|---|---|
| Account and profile data | For the duration of your account, plus 90 days after deletion |
| Billing and payment records | 7 years (required by UK tax law) |
| Brand content and assets | For the duration of your account, plus 30 days after termination |
| AI conversation history | For the duration of your account, plus 30 days after termination |
| Usage and token data | 13 months rolling |
| Email communications | 3 years |
| Analytics data (Plausible) | 13 months rolling (anonymised) |
| Security and error logs | 90 days |
When your account is deleted or your subscription is terminated, we will delete or anonymise your personal data within the periods set out above, except where we are required to retain it for legal or regulatory purposes.
We use a small number of carefully selected third-party services to operate the Platform. Each processes personal data only to the extent necessary to fulfil their function.
| Provider | Purpose | Location | Privacy Info |
|---|---|---|---|
| Supabase | Database, authentication, and file storage | EU / USA (with Standard Contractual Clauses) | supabase.com/privacy |
| Anthropic | AI language model processing (Claude API) | USA (with Standard Contractual Clauses) | anthropic.com/privacy |
| Stripe | Payment processing and subscription management | USA / EU (with Standard Contractual Clauses) | stripe.com/privacy |
| Vercel | Platform hosting and infrastructure | USA / EU (with Standard Contractual Clauses) | vercel.com/legal/privacy-policy |
| Resend | Transactional and product email delivery | USA (with Standard Contractual Clauses) | resend.com/legal/privacy-policy |
| Plausible | Privacy-friendly website analytics | EU | plausible.io/privacy |
| Attio | CRM and customer relationship management | EU / USA (with Standard Contractual Clauses) | attio.com/privacy |
We do not sell your personal data to any third party. We do not share your data with advertisers or data brokers.
Some of our sub-processors are based outside the UK or process data in countries that may not provide the same level of data protection as the UK. Where this is the case, we ensure that appropriate safeguards are in place, including:
You may request details of the specific transfer mechanisms in place by contacting us at hello@hrzn.co.uk.
As a UK data subject, you have the following rights in relation to your personal data:
Right of access — You can request a copy of the personal data we hold about you.
Right to rectification — You can ask us to correct inaccurate or incomplete data.
Right to erasure — You can ask us to delete your personal data in certain circumstances (commonly known as the "right to be forgotten").
Right to restriction — You can ask us to restrict how we process your data in certain circumstances.
Right to data portability — You can request a copy of certain data in a structured, commonly used, machine-readable format.
Right to object — You can object to processing based on legitimate interests, including for direct marketing purposes.
Rights related to automated decision-making — You have the right not to be subject to decisions made solely by automated means that produce legal or similarly significant effects, without human review.
Right to withdraw consent — Where we rely on your consent as the legal basis for processing, you may withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, please contact us at hello@hrzn.co.uk. We will respond within one calendar month. We may need to verify your identity before processing your request.
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113
We would, however, appreciate the opportunity to address your concerns before you contact the ICO. Please reach out to us at hello@hrzn.co.uk in the first instance.
We take the security of your personal data seriously. Measures in place include:
No system is completely secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO in accordance with our obligations under UK GDPR.
The Service is intended for use by adults aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.
Our Service may contain links to third-party websites, including hrzn.co.uk. This Privacy Policy applies only to Inzo (inzo.hrzn.co.uk). We are not responsible for the privacy practices of any other website and encourage you to review their privacy policies before providing any personal data.
We may update this Privacy Policy from time to time to reflect changes in the Service, applicable law, or our data practices. Where changes are material, we will notify you by email or via an in-platform notification before the changes take effect.
The "Last updated" date at the top of this page indicates when the Policy was last revised. We encourage you to review this Policy periodically.
For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:
HRZN Ltd
Email: hello@hrzn.co.uk
Website: hrzn.co.uk