Privacy Policy
How Stratium collects, uses, and protects your personal data when you use Cadence — in accordance with UK GDPR and the Data Protection Act 2018.
Effective date: April 4, 2026
Stratium Ltd ("we", "us", or "our") is the data controller responsible for your personal data. We operate the Cadence executive orchestration platform accessible at app.stratiumhq.com and the marketing site at stratiumhq.com.
This Privacy Policy explains what personal data we collect, how we process it, the lawful bases we rely on, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
By using Cadence or visiting our website, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
1. Data Controller
The data controller for the purposes of UK GDPR is:
- Stratium Ltd
- Email: [email protected]
- Website: stratiumhq.com
If you have any questions or concerns about how we handle your personal data, please contact us using the details above.
2. Personal Data We Collect
2.1 Account Information
When you create an account, we collect information you provide directly, including:
- Full name and email address
- Organisation name and role
- Password (where local authentication is used, passwords are protected using rotational encryption; if you sign in via Microsoft Entra ID, no password is stored by Stratium)
- Profile photo (optional)
- Billing information (processed by our payment provider; we do not store full card details)
2.2 Usage Data
We automatically collect information about how you interact with Cadence, including pages visited, features used, timestamps, device type, browser type, operating system, and IP address. This data is collected using privacy-friendly analytics tools and does not involve cross-site tracking.
2.3 Calendar Data
If you connect your calendar, we access event titles, times, attendees, and meeting links to power scheduling features, daily planning, and focus time governance. We access only the data necessary to provide these features and do so under the lawful basis of contractual necessity.
2.4 Work Items and Tasks
Cadence stores tasks, priorities, action items, strategic goals, and related metadata that you or your executive assistant create within the platform.
2.5 Transcripts and Notes
If you use transcript-based features, we process meeting transcripts, summaries, and notes to extract action items and provide AI-powered insights. Transcript content is stored within your tenant and is not shared with other customers.
3. Lawful Bases for Processing
Under Article 6 of UK GDPR, we process your personal data on the following lawful bases:
- Performance of a contract (Art. 6(1)(b)): processing necessary to provide you with the Cadence service under our Terms of Service — including account management, calendar sync, task management, AI features, and billing.
- Legitimate interests (Art. 6(1)(f)): processing necessary for our legitimate business interests, such as improving the product, ensuring security, preventing fraud, and communicating with you about your account, where those interests are not overridden by your rights and freedoms.
- Consent (Art. 6(1)(a)): where you have given explicit consent, such as opting into marketing communications. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): processing necessary to comply with applicable UK laws, including tax, accounting, and regulatory requirements.
4. How We Use Your Data
We use the data we collect for the following purposes:
- Provide and operate the service: powering daily planning, calendar sync, task management, EA workflows, and reporting features.
- AI features: generating action items from transcripts, suggesting schedule optimisations, and providing executive briefings using machine learning models.
- Analytics and improvement: understanding how Cadence is used so we can improve performance, fix issues, and develop new features.
- Communications: sending transactional emails (account confirmations, password resets, billing receipts) and, with your consent, product updates and announcements.
- Security and fraud prevention: detecting and preventing unauthorised access, abuse, or security incidents.
- Legal compliance: meeting applicable legal obligations, resolving disputes, and enforcing our agreements.
5. Data Storage, Security, and Data Sovereignty
All customer data is hosted on Microsoft Azure. By default, data is stored in the Azure UK South region. For Enterprise customers, we offer multi-geography data residency options across Azure regions worldwide, allowing you to choose the jurisdiction in which your data is stored to meet your organisation's data sovereignty requirements.
We maintain the following security certifications and standards:
- ISO 27001 — Information security management system
- ISO 27017 — Cloud security controls
- ISO 27018 — Protection of personally identifiable information in public cloud
- ISO 27701 — Privacy information management (GDPR-aligned)
In addition, we implement the following technical and organisational measures to protect your data:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Tenant-level data isolation ensuring your data is logically separated from other customers
- Regular penetration testing and vulnerability scanning
- Role-based access controls and principle of least privilege for internal systems
- Automated encrypted backups with geo-redundancy
- Annual security audits by independent third-party assessors
While we take extensive precautions, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the highest practicable standard.
6. Third-Party Processors
We work with a limited number of third-party data processors to deliver Cadence. All processors are bound by Data Processing Agreements (DPAs) that comply with UK GDPR requirements. These include:
- Calendar providers: Google Calendar and Microsoft Outlook, accessed via OAuth with scopes limited to the data required for calendar sync features.
- Payment processor: our payment provider handles subscription billing. We do not store your full payment card details on our servers.
- Analytics: we use privacy-friendly analytics tools that do not use cross-site tracking or sell your data.
- Infrastructure: Microsoft Azure for hosting, compute, and storage services.
- AI processing: AI model providers used to deliver intelligent features within Cadence. Your data is not used to train third-party models.
We only share the minimum data necessary for each processor to perform its function.
7. International Data Transfers
Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place in accordance with UK GDPR, including:
- Transfers to countries covered by a UK adequacy decision
- International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses
- Binding corporate rules where applicable
Enterprise customers who require all data to remain within the UK or a specific jurisdiction can utilise our multi-geography data residency options to ensure data does not leave their chosen Azure region.
8. Data Retention and Deletion
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specifically:
- Account data: retained while your account is active and for up to 30 days after account deletion to allow for recovery.
- Usage and analytics data: retained in aggregated, anonymised form for up to 24 months.
- Billing records: retained for up to 7 years as required by HMRC tax and accounting regulations.
- Transcripts and work items: deleted when you delete them within the platform, or when your account is deleted.
You may request deletion of your account and associated data at any time by contacting us at [email protected]. We will process deletion requests within 30 days, subject to any legal retention obligations.
9. Your Rights Under UK GDPR
Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights in relation to your personal data:
- Right of access (Art. 15): request a copy of the personal data we hold about you (a Subject Access Request).
- Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): request deletion of your personal data in certain circumstances (the "right to be forgotten").
- Right to restriction of processing (Art. 18): request that we limit how we process your data in certain circumstances.
- Right to data portability (Art. 20): request a portable copy of your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): object to processing of your data where we rely on legitimate interests, including direct marketing.
- Rights related to automated decision-making (Art. 22): you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI features assist decision-making but do not make autonomous decisions with such effects.
- Right to withdraw consent: where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at [email protected]. We will respond to your request within one month, as required by UK GDPR. In complex cases, we may extend this by a further two months, and will inform you if this is necessary.
You will not be charged a fee for exercising your rights, except in cases of manifestly unfounded or excessive requests as permitted under UK GDPR.
10. Complaints
If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
- Information Commissioner's Office
- Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Telephone: 0303 123 1113
- Website: ico.org.uk
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first at [email protected].
11. Cookies
We use a limited set of cookies to operate Cadence and our website. For full details on the cookies we use and how to manage them, please see our Cookie Policy.
12. Children's Privacy
Cadence is a business product not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
13. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email or by posting a prominent notice on our website before the changes take effect. The "Effective date" at the top of this page indicates when this policy was last revised.
14. Contact Us
If you have questions or concerns about this Privacy Policy, your personal data, or our privacy practices, please contact us:
- Privacy enquiries: [email protected]
- General enquiries: [email protected]
- Website: stratiumhq.com