Privacy Policy
Last updated: 8 June 2026 · Effective date: 8 June 2026
1. Who we are and how to contact us
Moore Global Solutions Limited (“we”, “us”, “our”) is the data controller for personal data collected through Prezoa (“the Service”). We are registered in England and Wales under Company Registration Number 14263617.
You can contact our data controller at:
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by telephone on 0303 123 1113.
2. What data we collect and why
We collect and process the following categories of personal data:
2.1 Account and identity data
- Full name and email address (provided at registration)
- Password (stored as a bcrypt hash — we never store your plain-text password)
- Account role (user or administrator)
- Account creation date and activity timestamps
Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR) — this data is necessary to provide you with an account.
2.2 Pitch deck content
- All text, data, numbers, and answers you enter when creating a pitch deck
- Uploaded logo images (stored as base64 data within your deck records)
- Generated slide content returned by Anthropic's Claude AI
- Deck settings including theme, accent colour, and share tokens
Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR). This data is the core deliverable of the Service.
2.3 Billing and payment data
- Subscription plan and billing status
- Stripe Customer ID (a tokenised reference — we do not store card numbers)
- Payment history records (amount, currency, status, invoice URL)
- Last 4 digits of payment card and card expiry (retrieved from Stripe for display)
Legal basis: Performance of a contract and compliance with legal obligations (Article 6(1)(b) and (c) UK GDPR). Payment card data is processed directly by Stripe Payments Europe Limited under their own privacy policy.
2.4 Usage and technical data
- Number of decks generated and credits used
- AI token usage per generation (input tokens, output tokens, cost)
- API model used and endpoint called
- Session tokens (stored in HTTP-only cookies)
- Standard server logs (IP address, user agent, request timestamps) retained for security and debugging
Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR) — to operate, secure, and improve the Service. We have balanced these interests against your rights and freedoms.
3. How we use your data
We use your personal data to:
- Create and manage your account and authenticate your sessions
- Generate pitch decks on your behalf using Anthropic's Claude AI
- Process subscription payments via Stripe
- Send transactional emails (e.g. billing confirmations, account alerts) — we do not send marketing emails without your explicit consent
- Monitor and enforce fair usage (credit limits per plan)
- Detect and prevent fraud, abuse, and security incidents
- Comply with our legal and regulatory obligations
- Resolve disputes and enforce our Terms of Service
We do not use your pitch deck content to train AI models. We do not sell your data to third parties. We do not use your data for profiling or automated decision-making with legal or similarly significant effects.
4. Third-party processors
We share data only with the following processors, each under a Data Processing Agreement and bound to process data solely on our instructions:
| Processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI generation — your deck inputs are sent to Claude via the Anthropic API | USA (SCCs applied) |
| Stripe Payments Europe Ltd | Payment processing and subscription management | EEA / UK |
| Supabase / PostgreSQL host | Database hosting for account and deck data | EU (AWS) |
| Unsplash (Crew Labs Inc) | Fetching stock images for slide backgrounds | USA (SCCs applied) |
| Vercel Inc | Application hosting and serving | USA / EU (SCCs applied) |
| Resend Inc | Sending transactional emails (account, billing, team invitations) | USA (SCCs applied) |
Where processors are based outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) approved under UK GDPR to ensure adequate protection.
5. Cookies and session data
We use only essential cookies and local storage — no tracking or advertising cookies:
- session_token — HTTP-only, secure, SameSite=Lax cookie. Contains your session identifier. Required for authentication. Expires when you sign out or after 30 days.
- active_team — HTTP-only, SameSite=Lax cookie. Remembers which team workspace you are viewing. Only set if you are a member of a team.
- prezoa_cookie_consent — browser local storage entry recording your cookie banner choice so we don't ask again.
We do not use tracking, analytics, or advertising cookies. We do not use Google Analytics or any third-party analytics tools that set cookies.
6. Data retention
- Account data: Retained for the duration of your account and deleted within 30 days of account deletion request.
- Pitch deck content: Retained for the duration of your account. You can delete individual decks at any time from within the Service.
- Payment and billing records: Retained for 7 years to comply with UK financial and tax legislation (Companies Act 2006, HMRC requirements).
- API usage logs: Retained for 12 months for fraud detection and billing accuracy.
- Server logs: Retained for 30 days.
7. Your rights under UK GDPR
You have the following rights in relation to your personal data. To exercise any of these rights, contact us at privacy@prezoa.com. We will respond within one calendar month.
- Right of access (Subject Access Request): Request a copy of all personal data we hold about you.
- Right to rectification: Ask us to correct inaccurate or incomplete data.
- Right to erasure ('right to be forgotten'): Ask us to delete your data where there is no compelling reason for its continued processing.
- Right to restrict processing: Ask us to limit how we use your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format (where processing is based on consent or contract and carried out automatically).
- Right to object: Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
- Rights related to automated decision-making: We do not make solely automated decisions with legal or significant effects on you.
- Right to withdraw consent: Where we rely on consent, you can withdraw it at any time without affecting prior processing.
8. Security
We implement appropriate technical and organisational measures including:
- TLS encryption for all data in transit
- bcrypt hashing for passwords (cost factor 12)
- HTTP-only, Secure, SameSite cookies
- Role-based access controls within the application
- No storage of full payment card data (handled entirely by Stripe)
- Regular dependency updates and security patching
Despite these measures, no system is completely secure. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware, as required by UK GDPR Article 33.
9. Children
The Service is not directed at persons under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us at privacy@prezoa.com and we will delete it promptly.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice within the Service at least 14 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.