Privacy notice

Last updated 10 May 2026

This privacy notice explains how Filovera ("we", "us") handles personal data when you use our websites at filovera.com / filovera.co.uk or the Filovera platform.

Who we are

Filovera is a product of BrainBoxIT Limited, a company registered in England and Wales (company number 11703272) with registered office at 6 Range Green, Portsmouth, PO2 8RE, United Kingdom. Throughout this notice, "we" and "us" refer to BrainBoxIT Limited, trading as Filovera.

ICO data-protection-fee registration: pending; our registration number will be published here once issued. Our data-protection contact is listed at the bottom of this page.

For data processed inside the platform on behalf of customers, we act as the data processor and you (our customer) are the data controller. Our customers' end-users should refer to their employer's privacy notice in the first instance.

For data we collect through our website, recruitment, sales, and support functions, we act as a data controller.

What we collect — website visitors

  • Cookies and analytics. See the dedicated Cookies section below for the full list of cookies we set and what each does.
  • Contact form submissions. Name, work email, company, employee count, and the message you send us. Used solely to respond to your enquiry.
  • Waitlist consent record. Where you tick the consent box on the waitlist form, we record the email address, the timestamp, and the verbatim wording shown to you, as proof of consent.
  • Server logs. IP address, request URL, user agent — retained 30 days for security and abuse prevention.

Cookies

We follow UK PECR Reg 6 and the ICO 2023 guidance on consent for analytics. You can change your choices at any time via Cookie preferences in the footer.

Cookie / Tracker | Category | Purpose | Lifetime / Storage
ARRAffinity | Strictly necessary | Azure Static Web Apps load-balancer affinity — keeps each visitor on the same backend instance. | Session (deleted when browser closes)
ARRAffinitySameSite | Strictly necessary | Same as above for cross-site request flows. | Session
Plausible Analytics | Analytics | Aggregated, anonymised page-view counts. No cookies set. Uses no device storage. UK/EU only. | n/a — no storage
hovermark.cookie-consent.v1 | Strictly necessary | Records your cookie choices in localStorage on your device so we don't keep asking. | 12 months or until you clear it
Google Ads (gtag) | Marketing | Conversion measurement only. Fires when you submit the contact form or join the waitlist so we can tell which ads led to enquiries. Sets cookies in the _gcl_* / _gac_* family on google.com / googleads.g.doubleclick.net. | 90 days (Google default)

We do not set advertising cookies, do not run any cross-site or behavioural tracking pixels, and do not share visitor data with third-party advertisers. Strictly-necessary cookies are exempt from PECR consent because the site can't function without them.

Anonymous fault reports

When you scan an asset's QR code, our customer (the organisation that printed the sticker) may allow you to submit a fault report without creating an account. If you choose to use that form, we collect:

  • The description and photos you provide.
  • Optionally, the name and email you choose to enter.
  • Your IP address and browser user-agent — these are stored on the report row and are used solely for abuse triage (rate-limiting, spam filtering, and identifying coordinated misuse). They are not used for marketing, analytics, or shared with third parties.
  • The submission timestamp.

The legal basis for processing IP and user-agent is legitimate interest — specifically, protecting our customers and our infrastructure from abuse of an anonymous public-facing endpoint. You can submit without entering name or email; the IP / user-agent capture is required and not optional.

If you include personal information about other people in your description or photos (for example, a colleague visible in a photo), please consider that the report will be visible to the asset owner's facilities team. Don't submit material that's better handled through a whistleblowing or grievance channel — the public fault-report form is for reporting asset faults only.

Children

Filovera is a workplace tool intended for adult professionals. The service is not intended for, and we do not knowingly collect personal data from, individuals under 18. If you are a parent or guardian and believe your child has used Filovera, contact us at privacy@filovera.com and we will delete the relevant data promptly. Where the UK GDPR / EU GDPR Article 8 minimum age applies (13 in the UK / 16 in most EU member states), this is the floor; practical operation of Filovera remains at 18+.

What we collect — customers and prospects

  • Account data. Names, work emails, job titles of users administering the platform.
  • Billing data. Company name, billing address, VAT number, payment method tokens. Card numbers are handled directly by our PCI-DSS certified billing provider (Stripe — see the sub-processor list); we never see them.
  • Communications. Email correspondence, support tickets, demo recordings if you consented.

Lawful basis

  • Contract — for everything we do to deliver the service to a paying customer.
  • Legitimate interest — for sales follow-up, product improvement analytics, and security monitoring. You can object at any time.
  • Consent — for any marketing emails to non-customers. Always opt-in, always one-click unsubscribe.
  • Legal obligation — for tax records and statutory retention.

How we use AI

Filovera offers a small set of opt-in AI features for customers on Professional and Enterprise plans:

  • Photo quality gate — checks blur / exposure / coverage on inspection photos and prompts the inspector to retake if quality is too low. Runs on Azure AI Vision.
  • Certificate text extraction — pulls structured fields (serial number, dates, ratings) from photographed asset certificates. Runs on Azure AI Document Intelligence.
  • Natural-language asset search — lets administrators query the asset register in plain English. Runs on Azure OpenAI Service.
  • Voice-to-text on inspection notes — transcribes spoken notes into structured text. Runs on Azure AI Speech.

How customer data flows through these features:

  • All AI services are Azure-native and processed in UK South (the same Azure region as the rest of customer data). No customer-uploaded photo or text leaves the UK Azure region.
  • We have disabled prompt and response logging on Azure OpenAI via the Microsoft "abuse-monitoring opt-out" — Microsoft does not retain customer prompts or model outputs beyond the request itself.
  • Customer data is not used to train any model. Azure OpenAI operates under Microsoft's standard data-handling commitments for enterprise customers — your data is not used for training, cross-customer learning, or any model fine-tuning.
  • Per the EU AI Act (Regulation 2024/1689) Article 50 transparency obligations: when a feature uses AI, the dashboard surfaces a visible "AI" badge so the operator knows they are interacting with an automated system.

AI features are off by default on every plan tier and must be explicitly opted in by a TenantAdmin in Settings → AI. They can be turned off again at any time, and the next call simply won't be made to the AI service. AI usage is metered and monthly costs are capped per plan to prevent runaway spend.

Where we process data

Inside the platform, customer data is processed in Microsoft Azure (UK). We never replicate primary customer data outside the UK without your written consent.

For our own corporate use of CRM, helpdesk, and email tools, data may transit through EU and US data centres operated by sub-processors listed in our DPA at /legal/dpa. Where transfers leave the UK, we rely on UK International Data Transfer Agreements.

Sharing

We do not sell personal data. We share it with the sub-processors listed below, strictly to deliver the service. The same list is mirrored in our DPA at /legal/dpa and is version-controlled.

Sub-processor | Purpose | Region
Microsoft Azure | Hosting, storage, identity | UK
Microsoft Entra External ID | Customer authentication / SSO | UK / EU
Microsoft Entra ID | Platform-admin authentication / SSO | UK / EU
Microsoft Graph | Transactional and notification email via Microsoft 365 | UK / EU
Azure AI Vision | Inspection photo quality gate (opt-in AI feature) | UK
Azure AI Document Intelligence | Certificate text extraction (opt-in AI feature) | UK
Azure OpenAI Service | Natural-language asset search (opt-in AI feature). Microsoft abuse-monitoring opt-out applied. No data used to train models. | UK
Azure AI Speech | Voice-to-text on inspection notes (opt-in AI feature) | UK
Plausible Analytics | Marketing-site analytics ONLY (the in-app dashboard does not run Plausible) | EU
Cloudflare, Inc. | DNS, edge proxy, Turnstile bot-protection on public fault-report form | EU / US
Stripe, Inc. | Payment processing (PCI-DSS Level 1 certified). Live for all paying customers. | US / EU
Google LLC (Google Ads) | Marketing-site only. Conversion measurement when you submit the contact form or join the waitlist, gated on Marketing consent. | US / EU

Cloudflare, Inc. — Provides Turnstile, an invisible bot-protection challenge on the public fault-report form. Your IP address and browser fingerprint are sent to Cloudflare to determine whether the submission is human-driven. Cloudflare's privacy policy: cloudflare.com/privacypolicy.

Google LLC (Google Ads) — Used only on the marketing site, and only when you have ticked Marketing in our cookie preferences. We fire a single conversion event when you submit the contact form or join the waitlist, so we can measure which Google Ads led to enquiries. We do not load Google Ads remarketing audiences, Google Analytics, or any other Google tracking pixel. Google's privacy policy: policies.google.com/privacy.

We will share data with law enforcement only on lawful, written request, and we will notify the affected customer unless legally prohibited.

Retention

  • Website contact form submissions: 24 months after last interaction.
  • Customer account data: lifetime of the contract plus 30 days.
  • Audit logs: 90 days on Trial and Starter, 13 months on Professional, 7 years on Enterprise — applied automatically by a weekly retention sweep. Operators can request bespoke retention windows on Enterprise.
  • Backups: encrypted Azure SQL backups retained for 30 days, then permanently deleted.

Anonymous fault reports are retained on the same per-plan schedule as the audit log:

Plan | Fault-report retention
Trial | 90 days
Starter | 90 days
Professional | 13 months
Enterprise | 7 years

Photos uploaded with reports are stored in private blob storage and are deleted on the same schedule (with a 30-day soft-delete window after the row delete).

Your rights — UK and EU

Under the UK GDPR (and EU GDPR where it applies), you have the right to access, correct, port, restrict, object to, or erase your personal data. To exercise any of these, email us at the address below. We respond within one calendar month.

You can complain to the Information Commissioner's Office (ICO) if you're not happy with how we've handled a request.

Your rights — US residents

Even though our trading entity is in the UK and customer data is hosted in the UK, US-resident visitors to filovera.com (and US tenants of the platform) have rights under their state's privacy law where one applies. The list of US states with comprehensive privacy laws is expanding — as of 2026 this includes California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, Kentucky, Rhode Island, and others. Specific rights vary by state but generally include:

  • Right to know / access — what personal data we hold about you and how it's used.
  • Right to delete — request deletion of your personal data, subject to legal-retention exceptions.
  • Right to correct — fix inaccurate data we hold about you.
  • Right to portability — receive your data in a machine-readable format.
  • Right to opt out of "sale" and of "sharing" for targeted advertising — see the dedicated note below.
  • Right to opt out of profiling that produces legal or similarly significant effects (where the state law extends to this).
  • Right to non-discrimination for exercising any of the above.

To exercise any of these, email privacy@filovera.com with your state of residence and the right you wish to exercise. We respond within 45 days (most state laws' default), with one 45-day extension where the request is complex.

"Do Not Sell or Share My Personal Information"

We do not sell personal data and do not share personal data for cross-context behavioural advertising as those terms are defined by the California CCPA / CPRA. Because we don't engage in those activities, the "Do Not Sell or Share" choice is effectively the default — there is nothing to opt out of. If we ever introduce practices that would constitute "selling" or "sharing" under any US state law, we will publish a clear opt-out mechanism on this page and honour Global Privacy Control (GPC) browser signals.

California-specific addenda

California residents additionally have:

  • Right to limit use of sensitive personal information under CPRA. We do not use sensitive personal information for any purpose beyond what's strictly necessary to deliver the service (e.g., authentication via your Microsoft account).
  • Right to opt out of automated decision-making technology where we use it to make decisions with significant effects on you. We currently do not use ADM in this manner.
  • Authorised agent — you can designate an authorised agent to exercise these rights on your behalf, with proof of authorisation.

To complain about our handling of a request, you can contact your state attorney general's privacy enforcement office. For California specifically, the California Privacy Protection Agency at cppa.ca.gov is the relevant regulator.

Contact us

  • Data protection contact: privacy@filovera.com
  • Postal correspondence: BrainBoxIT Limited, 6 Range Green, Portsmouth, PO2 8RE, United Kingdom (mark for the attention of "Filovera — Data Protection")
  • ICO data-protection-fee registration: pending. Our registration number will be published here once issued.

You can also raise a complaint directly with the Information Commissioner's Office at ico.org.uk/make-a-complaint.

This notice was last updated on 10 May 2026.

This notice reflects current Filovera processing. Final wording is under review by our DPO and external counsel; material changes in scope (new sub-processors, new AI features, change of trading entity) will be notified to controllers under the DPA's 30-day prior-notice clause.