Privacy Policy
Effective Date: September 18, 2025
At Limitless Now Ltd, we respect privacy and are committed to protecting personal data across all our activities. This Privacy Policy explains how we look after personal data when individuals visit our websites, use the Limitless Now Email Agent web application, receive client consulting and other agency services from us, or otherwise communicate or work with us. It also outlines privacy rights and how the law protects individuals.
1. Important information and who we are
1.1 Purpose of this Privacy Policy
This Privacy Policy gives information on how Limitless Now Ltd collects and processes personal data through use of:
• Our websites, web and mobile interfaces, and support portals.
• The Limitless Now Email Agent and related services that connect to Google Gmail and Microsoft Outlook via OAuth to categorize emails, manage labels/categories, and generate user‑approved drafts.
• Our client consulting and agency services, including scoping, delivery, and ongoing support.
1.2 Controller and processor roles
Limitless Now Ltd generally acts as the “data controller” for account, billing, support, usage, and marketing data relating to customers and website visitors. For business customers, where content is provided to us for processing (for example, email content processed for categorization and draft generation in the Email Agent, or client data provided under a consulting engagement), we act as a “data processor” on behalf of the business customer (the “controller”) to the extent agreed in the applicable services agreement and data protection addendum (DPA). If acting as processor, requests to exercise data subject rights should be directed to the controller; we will assist as required by law and contract.
1.3 Who we are and how to contact us
Controller: Limitless Now Ltd
Registered office: 27 Old Gloucester Street, Holborn, London, WC1N 3AX, United Kingdom
Email: privacy@limitlessnow.ai
Individuals have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection. We ask for the chance to address concerns first.
1.4 Changes to this policy and duty to inform us of changes
We may update this policy from time to time. Material changes will be notified in‑product and/or by email. It is important that personal data we hold is accurate and current—please keep us informed of changes during the relationship.
2. The data we collect
We may collect, use, store, and transfer different kinds of personal data, grouped as follows.
2.1 Contact and identity data
• Name, business role, email address, phone number, postal address.
• Account identifiers, workspace or tenant identifiers, and connected account identifiers.
2.2 Account, billing, and subscription data
• Billing contact details, invoicing records, payment status, subscription selections and lifecycle dates.
• Where applicable, limited payment method references (processed by our payment processor).
2.3 Correspondence and support data
• Emails and other communications with us, meeting notes or call summaries, support tickets and resolutions.
2.4 Technical and usage data
• IP address, device information, browser type and version, time zone setting and location, operating system and platform, session identifiers, log data, feature interactions, error diagnostics, and performance metrics.
2.5 Marketing and cookie data
• Marketing preferences, campaign responses, cookie identifiers and similar technology data, as described in our Cookie Policy.
2.6 Email and mailbox data (Email Agent)
When connecting Google Gmail or Microsoft Outlook via OAuth and enabling features:
• Message content and metadata necessary to categorize messages, apply labels/categories, and generate drafts for user approval.
• Existing labels, folders, or categories to reflect organisational preferences.
• Drafts created or modified by the service at the user’s request and under user control.
2.7 Consulting and agency engagement data
• Engagement scoping materials, statements of work, deliverables, stakeholder contact details, project communications, and any client content provided for the purpose of the engagement.
• Professional services notes, meeting recordings or transcripts if agreed, and outcomes.
We may create aggregated, de‑identified, or anonymised data from personal data (for analytics, service improvement, and business intelligence). Such data does not identify individuals and may be used and disclosed for lawful business purposes.
3. How personal data is collected
3.1 Direct interactions
Account registration, service use, support requests, consulting engagements, and other communications.
3.2 Automated technologies
As users interact with websites and applications, technical and usage data may be collected through cookies, logs, and similar technologies. See our Cookie Policy for details and controls.
3.3 Third parties and public sources
• Identity, marketing, and analytics providers.
• Partners, referrers, and event organisers where lawful to share.
• Public datasets and professional profiles.
4. How we use personal data
We will only use personal data when the law allows.
4.1 Providing the services (web app and agency)
• Perform contracts with customers, deliver features, provide consulting and implementation, and ensure service quality.
• Operate the Email Agent: categorize emails, manage labels/categories, and generate user‑approved drafts; surface relevant notifications.
4.2 Improving and operating the services
• Develop and enhance features; measure and improve performance, stability, and security; conduct troubleshooting and diagnostics.
• Create de‑identified or aggregated analytics to improve operations.
4.3 Communications
• Provide onboarding, product updates, security notices, support communications, and transactional emails.
• Provide marketing communications where permitted, with opt‑out controls.
4.4 Legal compliance and security
• Detect, prevent, and respond to fraud, abuse, and security incidents.
• Comply with legal obligations, enforce agreements, and manage disputes.
4.5 Legal bases (UK GDPR/EEA GDPR)
• Contract: when processing is necessary to deliver the services requested.
• Legitimate interests: to operate, secure, and improve services, balanced against rights and freedoms.
• Consent: for optional features, cookies/analytics where required, and marketing where required.
• Legal obligation: when processing is necessary to comply with law.
We do not undertake solely automated decisions that produce legal or similarly significant effects without appropriate safeguards.
5. Product‑specific disclosures (Email Agent)
5.1 Appropriate access and least privilege
We request only the minimum permissions necessary to provide visible, user‑facing features (categorization, labels/categories, drafting), and we present clear in‑product information before connection. We avoid requesting permissions for undeployed or undisclosed features. Where a narrower permission enables the same feature, we prefer the narrower permission.
5.2 Use of Google user data (Limited Use)
Use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including Limited Use. Google user data is used only to provide or improve user‑facing features that are prominent and visible in the interface. We do not sell Google user data, do not use it for advertising, and do not permit human access except with explicit consent or for security or legal compliance. We also restrict onward sharing to subprocessors needed to deliver the features under appropriate contractual terms.
5.3 Microsoft alignment
For Microsoft Outlook/Exchange data, we follow equivalent least‑privilege and user‑facing feature principles. We do not sell data, and human access is disallowed except with explicit consent or for security or legal compliance.
5.4 In‑product privacy notice (connection screen)
We display a concise notice before OAuth connection describing the identity of the service, the data accessed, the purpose (categorization, labels/categories, user‑approved drafting), storage and sharing, user controls (disconnect, deletion), and how to revoke access. Users can review and manage connections at any time in settings.
5.5 Scopes and scope disclosures
To reduce friction and protect security, this Policy does not enumerate exact scopes. A product‑specific disclosure or help page may present an illustrative scope‑to‑feature mapping and explain why the minimum necessary permissions are requested. We will update such disclosures when features change and will re‑prompt for consent if new permissions are needed.
6. AI features and model use
6.1 AI‑assisted functionality
We use AI to analyse message content to categorize emails and to generate draft responses. Drafts are never sent without user action in the mail client or our interface.
6.2 Model training
Personal data is not used to train or improve generalized AI models. Personalization is confined to the account to improve the individual experience. Where third‑party AI inference is used, inputs are limited to what is necessary to provide the feature, and contractual controls prohibit retention for unrelated purposes (e.g., zero‑retention where available).
7. Disclosures and international transfers
7.1 Subprocessors and service providers
We use third parties to host infrastructure, store data, authenticate users, process logs/metrics, defend against abuse, and provide AI inference. Providers act under written contracts imposing confidentiality, security, data protection obligations, and, where relevant, Standard Contractual Clauses (SCCs) and the UK Addendum. We do not allow such providers to use personal data for their own marketing or training unrelated to our services.
7.2 Business changes
If we sell, transfer, or merge parts of our business, personal data may be transferred to a successor that assumes the same obligations. Users will be notified of material changes.
7.3 International transfers
Where personal data is transferred outside the UK/EEA, we implement appropriate safeguards such as SCCs and the UK Addendum, adequacy decisions where applicable, and supplementary measures. Further information about specific transfer mechanisms is available on request.
8. Security measures
We implement administrative, technical, and organisational measures designed to protect personal data:
• Encryption in transit and at rest; secure key management.
• Role‑based access controls, least privilege, multi‑factor authentication, and regular access reviews.
• Secure SDLC, code review, dependency and image scanning, and vulnerability remediation.
• Audit logging, monitoring, anomaly detection, and incident response procedures with defined SLAs.
• Network security including segmentation, firewalls, WAF/CDN, and rate limiting.
• Vendor risk management and DPAs; employee confidentiality and security training.
For restricted Gmail scopes, we maintain alignment with applicable verification and security assessment requirements (e.g., CASA Tier 2), including documentation of controls and cooperation with assessments as required.
9. Data retention and deletion
9.1 Retention principles
We retain personal data only as long as necessary to fulfil the purposes collected, to comply with legal obligations, to resolve disputes, and to enforce agreements. Data is not retained for undisclosed or incompatible purposes.
9.2 Typical timeframes
• Ephemeral processing artifacts (Email Agent): where created to facilitate classification or drafting, deleted within 24 hours after processing completes.
• Drafts and mailbox content: drafts exist in the user’s mailbox and remain under user control; service‑side derived artifacts (if any) are minimized and purged after a defined staleness period (30 days).
• Operational logs and telemetry: minimized and rotated (30 days), extended only where necessary for security or fraud prevention.
• Aggregated or anonymised analytics: retained up to 24 months.
• Backups: encrypted backups retained on a fixed rotation (up to 90 days). Deletions in active systems propagate by backup rotation and, where applicable, cryptographic erasure.
9.3 Disconnect and account deletion
Disconnect
Users can disconnect Google or Microsoft accounts at any time in settings. On disconnect, OAuth tokens are revoked and webhook subscriptions are cancelled; processing stops and no new data is ingested.
Account deletion
• Initiation: user requests deletion in settings or via support email (support@limitlessnow.ai). We immediately revoke OAuth tokens (Google and Microsoft), cancel webhooks, stop all processing, and place the account in a pending deletion state.
• Pending period: a defined window (30 days) during which users may cancel deletion. During this time, data is inert; no processing occurs and no new data is ingested.
• Final purge: at expiry of the pending period, personal data is permanently deleted from active systems. Backups age out on rotation. Upon request, we can confirm completion.
• Immediate deletion: available via support upon verified request; processing remains halted from initiation, and purge is expedited.
• Subscriptions: initiating deletion will schedule cancellation of any active subscription at the next renewal and stop further data processing; details are disclosed in‑product at initiation.
10. Marketing communications
We may send product and service updates and relevant information. Individuals can opt out at any time using unsubscribe links, in‑app settings, or by contacting privacy@limitlessnow.ai. Transactional or security notices may still be sent as permitted by law.
11. Cookies and similar technologies
We use essential cookies to authenticate sessions, remember preferences, and maintain security. Where optional analytics or marketing cookies are used, consent is obtained where required and settings can be adjusted. Details are provided in our Cookie Policy.
12. Consulting and agency services (additional terms)
12.1 Confidentiality
We treat client materials as confidential and use them solely to perform the engagement, subject to the services agreement and DPA.
12.2 Controller/processor allocation
For consulting deliverables and content provided by clients, we generally act as processor, and the client is controller. We will process data according to written instructions (including the agreement and DPA), implement appropriate security, and assist with data subject requests and incident notifications as required by law and contract.
12.3 Third‑party tools and subcontractors
Where subcontractors or tools are used to deliver the engagement, we impose confidentiality, security, and data protection obligations substantially similar to those described in this Policy and our DPA.
12.4 Professional records
We may retain de‑identified engagement metadata and work product templates that do not identify individuals or client confidential information, to improve professional services.
13. Your legal rights
Subject to legal limits, individuals have the right to:
• Access personal data.
• Rectify inaccurate or incomplete data.
• Erase data (“right to be forgotten”).
• Restrict certain processing.
• Port data where applicable.
• Object to processing based on legitimate interests.
• Withdraw consent where consent is the legal basis.
Requests can be submitted to privacy@limitlessnow.ai. We may verify identity before acting on a request. We aim to respond within one month (subject to extensions permitted by law).
14. Children
Our services are not directed to children. We do not knowingly collect personal data from children in connection with Google or Microsoft accounts. If such data is identified, it will be deleted according to law.
15. International and local law compliance
We comply with applicable data protection laws including UK GDPR and the Data Protection Act 2018, and where relevant EEA GDPR and other local regulations. Where US state privacy laws apply, we honour their notice, access, and deletion rights to the extent required.
16. Changes to this Policy
We will post updates on our website and, where appropriate, notify by email or in‑product notice. Where new uses require consent, re‑consent will be obtained before implementation. Prior versions are available upon request.
17. Contact and complaints
Data Protection Contact: privacy@limitlessnow.ai
Postal address: 27 Old Gloucester Street, Holborn, London, WC1N 3AX, United Kingdom
Supervisory authority (UK): Information Commissioner’s Office (www.ico.org.uk). Phone: 0303 123 1113.
18. Provider and trademark notices
“Gmail” is a trademark of Google LLC. “Outlook” is a trademark of Microsoft Corporation. Use is for identification only.
Annex A – Role clarity summary
• Direct‑to‑consumer web app: we are the controller for account, usage, and support data; for mailbox content processed at the user’s request, we provide the service as disclosed with appropriate permissions and user control.
• Business clients (SaaS and agency): we act as controller for account/billing/marketing data relating to the customer’s staff who use our services; we act as processor for client content processed under the services agreement and DPA.
Annex B – Retention schedules (illustrative)
• Ephemeral processing artifacts: ≤24 hours after processing completes.
• Drafts and derived artifacts in service storage (if any): purge on staleness (30 days) or on deletion request; drafts in mailbox remain under user control.
• Operational logs: 30 days, extended only for security/fraud investigations.
• Aggregated/anonymised analytics: up to 24 months.
• Backups: up to 90 days by rotation; encrypted and inaccessible to production services.
• Immediate deletion via verified support request is available; processing halts from initiation.
Annex C – Data protection addendum (DPA)
For business customers, our DPA forms part of the contract and governs controller‑processor obligations, international transfers, security measures, audit rights, incident handling, and assistance with data subject requests. A template is available on request.