Privacy Notice

Who we are

Neos Wave Limited (“Neos Wave”, “we”, “us”) is committed to protecting the confidentiality and security of your personal information. This notice explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and the rights you have over it.

Neos Wave Limited
6th Floor, Charlotte Building, 17 Gresse Street, London, W1T 1QL
Company No. 12002488
Contact for data protection matters: hello@neoswave.com

Neos Wave is the data controller for the personal data described in this notice that we process for our own business purposes (for example, data about our staff, our business contacts, and people who contact us). Where we operate AI service operations on behalf of clients, our client is usually the data controller and Neos Wave acts as their data processor; this is explained further below.

“Processing” and what this notice covers

“Processing” means anything we do with personal data: collecting, recording, organising, storing, using, sharing, or deleting it. As part of the services we offer, we process personal data about our business contacts, the people who contact us, our staff and contractors, and (when delivering services for clients) the end customers of those clients.

The lawful bases we rely on

Under UK GDPR we must have a lawful basis for processing your personal data. The basis depends on the purpose:

PurposeLawful basis (UK GDPR Article 6)
Delivering services under a contract with you or your organisationContract: Article 6(1)(b)
Operating AI service operations for our clientsContract: Article 6(1)(b); or Legitimate Interests: Article 6(1)(f), as set by the client controller
Sales, marketing and business developmentLegitimate Interests: Article 6(1)(f); Consent: Article 6(1)(a) for electronic marketing
Billing, invoicing and financial recordsContract: Article 6(1)(b); Legal Obligation: Article 6(1)(c)
Employing and paying staff and contractorsContract: Article 6(1)(b); Legal Obligation: Article 6(1)(c)
Meeting our legal, tax and regulatory dutiesLegal Obligation: Article 6(1)(c)
Responding to enquiries you send usLegitimate Interests: Article 6(1)(f)

Where we rely on legitimate interests, our interest is in running and growing our business and delivering our services; we balance this against your interests and rights, and you have the right to object (see “Your rights” below). Where we rely on consent (for example for electronic marketing), you can withdraw it at any time.

Special category data

Some of the AI service operations we design for clients are intended to operate in contexts where a person might share “special category” data, for example health information or information revealing that someone is in vulnerable circumstances, during an interaction. Where such a service is live, Neos Wave processes that data as a data processor, on the documented instructions and lawful basis of the client who is the data controller. The relevant condition under UK GDPR Article 9 is set by that client controller, typically Article 9(2)(h) (provision of health and social care) or Article 9(2)(a) (explicit consent).

Our agents are designed to minimise special category data: they ask only for what is needed for the task, and where a person volunteers sensitive information that is not needed, the agent is designed to decline to use it and to flag it for removal. Neos Wave does not process special category data for its own purposes, and does not process special category data about members of the public other than as a processor acting on a client controller’s instructions for a live, contracted service.

AI-powered service operations

Neos Wave builds and operates AI-powered service operations for our clients, including AI voice agents, AI text-based agents, and AI assistants that may interact with customers, suppliers, or third parties on behalf of our clients. When we do this:

  • Data controller: our client remains the data controller for their customer data. Neos Wave acts as a data processor under a data processing agreement with each client.
  • Transparency: all AI agent interactions are governed by our Service Handshake, which requires declared goals, authority levels, data permissions, and fallback rules before any interaction begins. Agents disclose that they are AI when asked.
  • Interaction data: we may process interaction transcripts, voice recordings, and metadata as part of service delivery. This data is processed solely to deliver the service, on the instructions of the client controller, and is subject to the data processing agreement with that client.
  • Consumer AI assistants: where we build AI assistants that act on behalf of individual consumers, the consumer is the data controller. The assistant operates within boundaries explicitly set by the consumer through a Service Handshake declaration, and we process data only as necessary to operate the assistant.
  • Retention: interaction data from AI-powered operations is retained only for the duration specified in the relevant client or consumer agreement, after which it is securely deleted.

The data we use

Depending on your relationship with us, we may process the following categories of personal data:

  • Contact details: name, email, phone number, employer, job title
  • Records of our communications with you: emails, call notes, messages, meeting records
  • Website and social media activity
  • Financial and billing information (for clients and suppliers)
  • Staff and contractor information: contact details, right-to-work, payroll, pension and tax details, emergency contacts, training records
  • Interaction data from AI-powered service operations, where applicable (which may include conversation content and, where a person shares it, special category data, processed on behalf of the relevant client controller)

How we receive your personal data

  • Website: neoswave.com offers visitors the opportunity to submit their details via email or contact forms
  • Cookies: see the “Cookies” section below
  • Social media: if you choose to communicate with us via social media platforms
  • Verbal and written communications: when you email, call, write to, or meet us
  • AI interactions: when you interact with an AI agent or assistant operated by Neos Wave, directly or on behalf of one of our clients
  • Third parties: we sometimes receive personal data from third parties, such as a client providing contact details of their staff

Who we share your data with

Your personal data is seen and used by Neos Wave personnel on a role-based, least-privilege basis, meaning people only have access to the personal data they need to do their job. We do not sell, rent, or trade personal data.

To deliver our services we use trusted third-party providers who process personal data on our behalf as sub-processors, under contracts that require them to protect it. These fall into the following categories:

  • Cloud productivity and storage (our business email, documents, and files)
  • Conversational AI and voice platform (for operating voice and chat agents)
  • Telephony and messaging provider
  • Language model provider (for the AI agents’ language understanding)
  • Application hosting providers
  • Credential management and security tooling

A current list of our sub-processors is maintained in our internal records and is available to clients on request as part of their data processing agreement. Where we operate AI services for a client, relevant interaction data may also be accessible to that client’s authorised personnel in accordance with the data processing agreement.

We may also share data where we are legally required to, for example with HMRC, our regulators, or law enforcement where we are obliged to by law or court order.

Transfers outside the UK

We aim to keep personal data within the UK and European Economic Area (EEA).

The personal data we process today (data about our business contacts, the people who contact us, and our staff and contractors) is held in our business systems. Some of these are provided by organisations headquartered outside the UK and EEA (for example, certain US-headquartered providers). Where personal data is processed outside the UK and EEA, we ensure an appropriate safeguard recognised under UK GDPR is in place, such as UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, so that the data continues to receive protection essentially equivalent to that under UK law.

Where we design AI service operations that will process the personal data of our clients’ end customers, our approach is to keep that data within the UK/EEA: conversational AI and telephony providers are configured to EEA-based processing, supporting applications are requested on EEA servers, and language models are run either on our own self-hosted infrastructure or on third-party cloud models hosted on servers located within the UK/EEA. US-headquartered cloud providers are used only for our own business-facing websites, demonstrations, and the processing of business data, and demonstrations do not use real personal data.

We also engage a small number of contractors located outside the UK, whose access to personal data is limited to what their role requires, is browser-based, and is subject to the same safeguards.

National Data Opt-Out

The national data opt-out gives people the ability to stop health and social care organisations from sharing their confidential patient information for research and planning purposes.

We review our data processing at least annually, and assess all new processing, to determine whether the national data opt-out applies to us. This assessment is recorded in our Record of Processing Activities. At this time, we do not use confidential patient information for research or planning purposes, and the national data opt-out does not apply to our processing.

If any of our processing falls within the scope of the national data opt-out in future, we will apply it — including using the NHS MESH service to check whether individuals have opted out of their data being used for that purpose — and we will update this notice accordingly. You can find out more at nhs.uk/your-nhs-data-matters.

How we store and dispose of your personal information

We store personal data securely using the technical and organisational controls described under “How we keep your data secure” below. We keep personal data only for as long as we need it for the purpose we collected it for, or to meet a legal obligation. Our standard retention periods are:

InformationRetention period
Enquiry and marketing contact dataUp to 24 months after last contact, unless you ask us to remove it sooner
Client relationship and contract recordsDuration of the relationship plus 6 years (to meet contractual and tax obligations)
Financial and accounting records6 years (HMRC requirement)
Staff and contractor recordsDuration of engagement plus 6 years
AI service interaction data (processed for clients)As specified in the relevant client data processing agreement, typically minimal and transient; deleted on the schedule set by the client controller
Compliance and security recordsCurrent period plus 2 years

When personal data is no longer needed, we securely delete it. Electronic records are deleted from our systems and from our providers’ systems, and any physical records are securely destroyed. For AI service interaction data, deletion follows the schedule set in the relevant client data processing agreement.

Automated processing

To ensure our prospects and clients receive relevant communications, we use some automated processes, which may include lead scoring and behaviour-based marketing. No automated processing produces legal effects, or similarly significant effects, on you without human review. The AI agents we operate for clients are governed by declared authority limits and do not make decisions producing legal or similarly significant effects on individuals without a human route being available.

Cookies

neoswave.com does not set any cookies. We do not use cookies to identify you, to track you across sites, or to measure how you use this website. For full details — including the third-party resources the site loads and what they do — see our cookie information page. If that ever changes, we will update both that page and this notice.

How we keep your data secure

Neos Wave maintains technical and organisational measures appropriate to the risk, including: multi-factor authentication on all business systems; encryption of devices and data; role-based, least-privilege access; scoped and rotated credentials held in a dedicated password manager; secure configuration and prompt patching of devices; and data minimisation built into the design of our AI agents. Neos Wave holds Cyber Essentials certification.

Your rights

Under UK data protection law you have the following rights over your personal data:

  1. Access: you can ask for a copy of the personal data we hold about you. We will not normally charge for this.
  2. Rectification: you can ask us to correct data you believe is inaccurate or incomplete.
  3. Erasure: you can ask us to delete your personal data where it is no longer necessary for the purpose we collected it, or where you withdraw consent we were relying on.
  4. Restriction: you can ask us to restrict processing while we consider a rectification or objection request.
  5. Portability: in certain circumstances you can ask us to transfer your data to another organisation.
  6. Object to direct marketing: you can object to processing of your data for direct marketing at any time.
  7. Object to legitimate-interests processing or profiling: where we process your data under legitimate interests or carry out profiling, you can object and we will restrict processing while we consider it.

Where we process personal data as a processor on behalf of a client controller (for example, AI service interaction data), requests to exercise these rights are directed to the relevant client controller; we will assist them in responding. We may ask you for information to confirm your identity before acting on a request, to make sure data is not disclosed to the wrong person. We will respond as soon as possible and within one month.

How to contact us or complain

To exercise any of your rights, or if you have questions or concerns about how Neos Wave processes your data, please contact us first at hello@neoswave.com so we can try to put things right.

If you remain dissatisfied, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. ico.org.uk