Get Beta access

Speak to sales

Get Beta access

Speak to sales

Speak to sales

Privacy Policy

Privacy Policy

At Cue, we take your privacy seriously. Please read this Privacy Policy to learn how we treat your personal data. By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use and share your information as described in this Privacy Policy.This Privacy Notice explains how Cue Limited ("Cue", "we", "our", "us") collects, uses, shares and secures personal data when you visit our websites, create an account, or use our platform (the "Service").



Who we are
Cue Limited is a private company registered in England & Wales (Company No. 16187291). Our registered office is Didymos Limited, 5 Niblick Green, Chelmsford Garden, Chelmsford, CM3 3FS. We are the controller of the personal data described in this Notice (except where Section 6 states we act as a processor).

Contact us at Cue customer support for any privacy‑related questions. If you request that your account be deleted, Cue will delete all retained information on you, in line with the deletion policies outlined below. Cue will not directly or indirectly transfer any data for any monetization-related service.

You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at any time (www.ico.org.uk) or your local supervisory authority in the EEA.


Scope of this Notice
This Notice applies to:

  • Visitors to meetcue.ai and any sub‑domains;

  • Users who use our real-time AI sales assistant Service;


It does not apply to third‑party websites or services that integrate with Cue; their privacy practices are governed by their own policies.


How and why we collect data
In the course of using Cue, engaging with Cue’s websites, or corresponding with the team at Cue, you provide us with or we collect various pieces of personal data.

We collect and use the data outlined below to provide a contracted service to you or to further operate and develop our business.

Your personal data will not be sold, distributed, or leased to any third parties. We only share your personal data in cases in which it is necessary for us to provide our services.

We do not collect information regarding your race, ethnicity, religious or philosophical beliefs, political beliefs, sexual orientation, genetic information, or information about your health.

We will not discriminate against you should you exercise any of the rights described in our privacy policy.



Other relevant policies and terms
This Privacy Notice should be read alongside:

  • Website Terms of Service

  • Terms of Use

  • Cookie Policy

  • Service Providers & Subprocessors


The Data we collect

Category

Examples

Source

Legal basis*

Account Data

Account Data

Name, email, job title, organisation, password hash, authentication tokens

You

Contract

Audience Definition Data

Audience Definition Data

Interview transcripts, support tickets, customer research and analytics data

You

Contract; legitimate interests (product improvement)

Test Content

Test Content

Prompts, scenario descriptions, GUI screenshots, audio/video of sessions (which may contain personal data)

You

Contract; legitimate interests (product improvement)

Usage & Log Data

IP address, browser type, device IDs, access timestamps, feature usage events

Automated collection

Legitimate interests (security & analytics)

Marketing Data

Newsletter preferences, content engagement metrics

You / cookies

Consent

‍*Additional lawful bases listed in Section 5.


We use Stripe to manage billing and never store your full payment‑card details. Stripe is a PCI‑DSS Level 1 provider.

We never deliberately collect special‑category data (race, health, etc.).



How and why we use personal data

Purpose

Details

Lawful Basis

Provide & secure the Service

Create accounts, authenticate users, process tests, store results, prevent fraud

Contract; legitimate interests (security)


Improve & develop features

Analyse aggregated usage, train proprietary evaluation models, conduct A/B tests


Legitimate interests; consent for non‑essential cookies

Customer support

Respond to tickets, troubleshoot, reproduce issues

Contract

Marketing

Send product updates, event invites, newsletters

Consent; soft opt‑in for existing UK/EU customers

Legal & compliance

Tax, accounting, respond to lawful requests

Legal obligation; legitimate interests

Automated processing & AI output

We use large‑language models (currently GPT‑4.1 mini) and other third‑party AI systems to transcribe, summarise and generate real-time responses to conversation data. We do not make solely automated decisions that produce legal or similarly significant effects on individuals. You may request human review of any decision that affects you (see Section 10).


Cookies & similar technologies

We use first‑ and third‑party cookies and JSON Web Tokens (JWT) to:

  • keep you signed in;

  • remember preferences;

  • measure site performance.

Full details are in our separate Cookie Policy, which includes your choices to accept or reject non‑essential cookies.


When we act as a processor

Where a customer uploads personal data (e.g., customer interview transcripts) into the Service, Cue processes that data solely on the customer’s instructions. Our Data Processing Addendum (DPA) sets out the obligations required by Article 28 UK/EU GDPR, including Standard Contractual Clauses for international transfers.


Sharing your personal data

We share personal data only as necessary with:

  1. Service providers – cloud hosting, compute, email delivery, payment processing, analytics; all under written contracts and assessed for security.

  2. AI model vendors – currently OpenAI (USA) for GPT‑4 inference. Prompt content and generated output are transmitted under SCCs + UK Addendum.

  3. Professional advisers – lawyers, auditors, insurers.

  4. Authorities – where required by law or to protect rights, property or safety.

  5. Successors – in connection with a merger, acquisition or sale (with notice to you where required).

We never sell or rent personal data.


International Transfers

Cue is UK‑based but uses providers in the United States and EEA. When we transfer personal data outside the UK/EEA we rely on:

  • UK International Data Transfer Agreement (IDTA)

  • EU Standard Contractual Clauses (2021/914) plus UK Addendum

  • Adequacy regulations (where available)


Data Retention

Automated processing & AI output

We use large‑language models (currently GPT‑4.1 mini) and other third‑party AI systems to transcribe, summarise and generate real-time responses to conversation data. We do not make solely automated decisions that produce legal or similarly significant effects on individuals. You may request human review of any decision that affects you (see Section 10).


Cookies & similar technologies

We use first‑ and third‑party cookies and JSON Web Tokens (JWT) to:

  • keep you signed in;

  • remember preferences;

  • measure site performance.

Full details are in our separate Cookie Policy, which includes your choices to accept or reject non‑essential cookies.


When we act as a processor

Where a customer uploads personal data (e.g., customer interview transcripts) into the Service, Cue processes that data solely on the customer’s instructions. Our Data Processing Addendum (DPA) sets out the obligations required by Article 28 UK/EU GDPR, including Standard Contractual Clauses for international transfers.


Sharing your personal data

We share personal data only as necessary with:

  1. Service providers – cloud hosting, compute, email delivery, payment processing, analytics; all under written contracts and assessed for security.

  2. AI model vendors – currently OpenAI (USA) for GPT‑4 inference. Prompt content and generated output are transmitted under SCCs + UK Addendum.

  3. Professional advisers – lawyers, auditors, insurers.

  4. Authorities – where required by law or to protect rights, property or safety.

  5. Successors – in connection with a merger, acquisition or sale (with notice to you where required).

We never sell or rent personal data.


International Transfers

Cue is UK‑based but uses providers in the United States and EEA. When we transfer personal data outside the UK/EEA we rely on:

  • UK International Data Transfer Agreement (IDTA)

  • EU Standard Contractual Clauses (2021/914) plus UK Addendum

  • Adequacy regulations (where available)


Data Retention

Automated processing & AI output

We use large‑language models (currently GPT‑4.1 mini) and other third‑party AI systems to transcribe, summarise and generate real-time responses to conversation data. We do not make solely automated decisions that produce legal or similarly significant effects on individuals. You may request human review of any decision that affects you (see Section 10).


Cookies & similar technologies

We use first‑ and third‑party cookies and JSON Web Tokens (JWT) to:

  • keep you signed in;

  • remember preferences;

  • measure site performance.

Full details are in our separate Cookie Policy, which includes your choices to accept or reject non‑essential cookies.


When we act as a processor

Where a customer uploads personal data (e.g., customer interview transcripts) into the Service, Cue processes that data solely on the customer’s instructions. Our Data Processing Addendum (DPA) sets out the obligations required by Article 28 UK/EU GDPR, including Standard Contractual Clauses for international transfers.


Sharing your personal data

We share personal data only as necessary with:

  1. Service providers – cloud hosting, compute, email delivery, payment processing, analytics; all under written contracts and assessed for security.

  2. AI model vendors – currently OpenAI (USA) for GPT‑4 inference. Prompt content and generated output are transmitted under SCCs + UK Addendum.

  3. Professional advisers – lawyers, auditors, insurers.

  4. Authorities – where required by law or to protect rights, property or safety.

  5. Successors – in connection with a merger, acquisition or sale (with notice to you where required).

We never sell or rent personal data.


International Transfers

Cue is UK‑based but uses providers in the United States and EEA. When we transfer personal data outside the UK/EEA we rely on:

  • UK International Data Transfer Agreement (IDTA)

  • EU Standard Contractual Clauses (2021/914) plus UK Addendum

  • Adequacy regulations (where available)


Data Retention

Account & billing records: 7 years after account closure (tax & audit)

Test content & outputs: Until you chose to delete them

Logs & analytics: 12 months (aggregated thereafter)

Marketing preferences: Until you withdraw consent

Your rights

Under UK GDPR / EU GDPR you can:

  • Access your personal data

  • Correct inaccuracies

  • Erase data (“right to be forgotten”)

  • Restrict or object to processing

  • Data portability

  • Withdraw consent at any time

To exercise any right, email hello@meetcue.ai. We may need to verify your identity and respond within one month.


California residents

If you reside in California, the Supplemental CCPA/CPRA Notice in Appendix A explains additional rights, including the right to opt‑out of the sale/share of personal information and the right to limit use of sensitive personal information.


Security

All personal data is hosted on Supabase (Frankfurt, DE). Supabase maintains SOC 2 Type II and HIPAA reports and provides the following controls:

  • End‑to‑end encryption – TLS 1.3 in transit; AES‑256 encryption at rest for all databases and object storage.

  • Role‑based access control (RBAC) and least‑privilege IAM policies.

  • Isolated production network with automated OS and container patching.

  • Continuous vulnerability scanning & dependency monitoring (Snyk, Dependabot).

  • Annual third‑party penetration tests – summary reports available on request under NDA.

  • 24 × 7 logging and alerting to detect and respond to suspicious activity.

A live list of sub‑processors, their locations, and change‑notification history is available in our Service Providers & Subprocessors policy.


Children

Our Service is intended for business users aged 18 +. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us to have it deleted.


Changes to this notice

We may update this Notice from time to time. We will post any changes on this page and, for material changes, provide a prominent notice (e.g., email or in‑app alert). The “Last updated” date at the top indicates when it was most recently revised.


Appendix A – California Privacy Notice (CPRA)

This Appendix applies only to “consumers” as defined by the California Consumer Privacy Act (as amended by the California Privacy Rights Act).

Categories collected

See Section 4 above for the categories of personal information we collect.

Purposes, sharing and retention

See Sections 5, 8 and 10.

Your CPRA rights

You may:

  1. Know the categories and specific pieces of personal information we hold.

  2. Delete personal information (subject to statutory exceptions).

  3. Correct inaccurate personal information.

  4. Opt‑out of the sale or sharing of personal information.

  5. Limit the use of sensitive personal information.

  6. Not be discriminated against for exercising any CPRA right.

Submit requests via hello@meetcue.ai. We will verify your request using the information associated with your account and respond within 45 days (90 days for complex requests).

Your rights

Under UK GDPR / EU GDPR you can:

  • Access your personal data

  • Correct inaccuracies

  • Erase data (“right to be forgotten”)

  • Restrict or object to processing

  • Data portability

  • Withdraw consent at any time

To exercise any right, email hello@meetcue.ai. We may need to verify your identity and respond within one month.


California residents

If you reside in California, the Supplemental CCPA/CPRA Notice in Appendix A explains additional rights, including the right to opt‑out of the sale/share of personal information and the right to limit use of sensitive personal information.


Security

All personal data is hosted on Supabase (Frankfurt, DE). Supabase maintains SOC 2 Type II and HIPAA reports and provides the following controls:

  • End‑to‑end encryption – TLS 1.3 in transit; AES‑256 encryption at rest for all databases and object storage.

  • Role‑based access control (RBAC) and least‑privilege IAM policies.

  • Isolated production network with automated OS and container patching.

  • Continuous vulnerability scanning & dependency monitoring (Snyk, Dependabot).

  • Annual third‑party penetration tests – summary reports available on request under NDA.

  • 24 × 7 logging and alerting to detect and respond to suspicious activity.

A live list of sub‑processors, their locations, and change‑notification history is available in our Service Providers & Subprocessors policy.


Children

Our Service is intended for business users aged 18 +. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us to have it deleted.


Changes to this notice

We may update this Notice from time to time. We will post any changes on this page and, for material changes, provide a prominent notice (e.g., email or in‑app alert). The “Last updated” date at the top indicates when it was most recently revised.


Appendix A – California Privacy Notice (CPRA)

This Appendix applies only to “consumers” as defined by the California Consumer Privacy Act (as amended by the California Privacy Rights Act).

Categories collected

See Section 4 above for the categories of personal information we collect.

Purposes, sharing and retention

See Sections 5, 8 and 10.

Your CPRA rights

You may:

  1. Know the categories and specific pieces of personal information we hold.

  2. Delete personal information (subject to statutory exceptions).

  3. Correct inaccurate personal information.

  4. Opt‑out of the sale or sharing of personal information.

  5. Limit the use of sensitive personal information.

  6. Not be discriminated against for exercising any CPRA right.

Submit requests via hello@meetcue.ai. We will verify your request using the information associated with your account and respond within 45 days (90 days for complex requests).

Your rights

Under UK GDPR / EU GDPR you can:

  • Access your personal data

  • Correct inaccuracies

  • Erase data (“right to be forgotten”)

  • Restrict or object to processing

  • Data portability

  • Withdraw consent at any time

To exercise any right, email hello@meetcue.ai. We may need to verify your identity and respond within one month.


California residents

If you reside in California, the Supplemental CCPA/CPRA Notice in Appendix A explains additional rights, including the right to opt‑out of the sale/share of personal information and the right to limit use of sensitive personal information.


Security

All personal data is hosted on Supabase (Frankfurt, DE). Supabase maintains SOC 2 Type II and HIPAA reports and provides the following controls:

  • End‑to‑end encryption – TLS 1.3 in transit; AES‑256 encryption at rest for all databases and object storage.

  • Role‑based access control (RBAC) and least‑privilege IAM policies.

  • Isolated production network with automated OS and container patching.

  • Continuous vulnerability scanning & dependency monitoring (Snyk, Dependabot).

  • Annual third‑party penetration tests – summary reports available on request under NDA.

  • 24 × 7 logging and alerting to detect and respond to suspicious activity.

A live list of sub‑processors, their locations, and change‑notification history is available in our Service Providers & Subprocessors policy.


Children

Our Service is intended for business users aged 18 +. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us to have it deleted.


Changes to this notice

We may update this Notice from time to time. We will post any changes on this page and, for material changes, provide a prominent notice (e.g., email or in‑app alert). The “Last updated” date at the top indicates when it was most recently revised.


Appendix A – California Privacy Notice (CPRA)

This Appendix applies only to “consumers” as defined by the California Consumer Privacy Act (as amended by the California Privacy Rights Act).

Categories collected

See Section 4 above for the categories of personal information we collect.

Purposes, sharing and retention

See Sections 5, 8 and 10.

Your CPRA rights

You may:

  1. Know the categories and specific pieces of personal information we hold.

  2. Delete personal information (subject to statutory exceptions).

  3. Correct inaccurate personal information.

  4. Opt‑out of the sale or sharing of personal information.

  5. Limit the use of sensitive personal information.

  6. Not be discriminated against for exercising any CPRA right.

Submit requests via hello@meetcue.ai. We will verify your request using the information associated with your account and respond within 45 days (90 days for complex requests).

Legal

Privacy Policy

Terms of Service

Terms of Use

Data Processors

Cookie Policy

Contact

Contact Sales

Copyright @ 2025 Cue

Legal

Privacy Policy

Terms of Service

Terms of Use

Data Processors

Cookie Policy

Contact

Contact Sales

Copyright @ 2025 Cue

Legal

Privacy Policy

Terms of Service

Terms of Use

Data Processors

Cookie Policy

Contact

Contact Sales

Copyright @ 2025 Cue