Data protection

AudienceLens Data Processing Agreement

This Data Processing Agreement explains how Intuitus Ltd processes customer personal data when providing AudienceLens.

Last updated: 8 June 2026 · AudienceLens customer workspace content remains in the UK

Plain-English summary

AudienceLens is operated by Intuitus Ltd. For customer workspace content, the customer is normally the controller and Intuitus Ltd acts as processor.

AudienceLens customer workspace content remains in the UK. Core application hosting, database storage, administration, support, security logging and operational tooling are self-hosted by Intuitus Ltd within Civo infrastructure. AI-assisted processing is provided through Relax AI by CIVO. Customer prompts, customer content and generated outputs are not retained by the AI supplier and are not used for model training. Payment and billing processing is handled separately by Stripe and is limited to payment, billing and transaction information.

1. Parties and roles

This DPA forms part of the agreement between the customer using AudienceLens and Intuitus Ltd, the provider and operator of AudienceLens.

For customer content submitted into AudienceLens, the customer is normally the controller and Intuitus Ltd is normally the processor. Intuitus Ltd may act as controller for its own account administration, billing, website, sales, support, security, legal and service-management records.

2. What AudienceLens processes

AudienceLens may process account details, authorised user details, organisation context, message drafts, audience notes, location selections, reports, generated outputs, version history, support records, usage data, security logs and technical metadata.

AudienceLens is intended for communications material that is planned for publication or external distribution. Customers should not upload safeguarding records, health records, donor financial records, payment card data, HR files, confidential case-management records, children data, special category data, passwords, secret keys or other high-risk data unless this has been expressly agreed in writing and assessed separately.

3. Processing instructions

Intuitus Ltd will process customer personal data only on documented customer instructions. Documented instructions include the customer agreement, this DPA, product configuration, authorised user actions, support requests and any written instructions accepted by Intuitus Ltd.

3A. Processing details

Subject matter: the provision, operation, support, security and improvement of AudienceLens for customer communications analysis and related reporting.

Duration: for the duration of the customer’s agreement with Intuitus Ltd, and thereafter only as necessary for deletion, return, backup expiry, legal, accounting, security, dispute or compliance purposes.

Nature and purpose: hosting, storing, analysing, generating, displaying, securing, supporting and deleting customer workspace content and related account, usage and technical data.

Types of personal data: authorised user details, account details, organisation context, message drafts, audience notes, reports, generated outputs, support communications, usage data, security logs and technical metadata.

Categories of data subjects: customer authorised users, customer personnel, representatives of the customer, and individuals who may be referred to in customer communications material submitted to AudienceLens.

Controller rights and obligations: the customer may issue documented instructions, manage user access, request assistance with data subject rights, object to material new subprocessors on reasonable data-protection grounds, request deletion or return of customer personal data, and request reasonable evidence of compliance.

4. UK processing position

UK-only workspace content processing Civo infrastructure Relax AI by CIVO

AudienceLens customer workspace content remains in the UK. Hosting, database storage, administration, support, security logging, operational tooling and AI-assisted processing are provided through UK-based Civo infrastructure and Relax AI by CIVO. Payment and billing processing is handled separately by Stripe and is limited to payment, billing and transaction information.

Intuitus Ltd does not intentionally transfer customer workspace content outside the UK as part of the standard AudienceLens service. If this position changes, Intuitus Ltd will update this DPA or the subprocessor information before making the change, unless urgent security, legal or operational reasons require faster action.

5. AI processing

AudienceLens uses AI-assisted processing to help generate message reviews, signal summaries, likely audience reactions, objections, risks, opportunities, improvement suggestions and related outputs.

The AI supplier used for AudienceLens is Relax AI by CIVO, delivered through Civo. Customer prompts, customer content and generated outputs are not retained by the AI supplier after processing and are not used for model training.

AI-assisted outputs are decision-support only and must be reviewed by human users before publication, sending or action. AudienceLens is not intended to make solely automated decisions about individuals that have legal or similarly significant effects.

6. Subprocessors and suppliers

Intuitus Ltd uses suppliers to provide, secure and support AudienceLens. Intuitus Ltd requires suppliers that process customer personal data to provide appropriate confidentiality, security and data-protection commitments.

Administration, support management, security logging, service management and operational monitoring for AudienceLens are self-hosted by Intuitus Ltd within Civo-hosted AudienceLens infrastructure. These internal operational tools are not separate third-party subprocessors for AudienceLens customer workspace content.

Supplier Service Data processed Location Position
Civo Application hosting, infrastructure, database hosting, networking, storage and related operational services Customer workspace content, account data, logs, technical metadata and operational records as needed to provide and secure the service United Kingdom AudienceLens customer workspace content remains in the UK.
Relax AI by CIVO UK-based AI-assisted processing for message reviews, signal summaries, audience reaction analysis, improvement suggestions and related outputs Prompts, customer content, generated outputs and technical metadata as needed to process the request United Kingdom Prompts, customer content and generated outputs are not retained by the AI supplier after processing and are not used for model training.
Stripe Payment processing, billing support, invoice/payment records, fraud prevention and payment compliance Billing contact details, payment details, transaction records, invoice information and payment metadata Processed by Stripe in accordance with Stripe's own payment-processing terms and data-protection terms Stripe does not process AudienceLens workspace content, prompts or generated outputs. Stripe is used only for payment and billing-related data.

The customer gives general written authorisation for Intuitus Ltd to use the subprocessors listed in this DPA for the purposes described. Intuitus Ltd will maintain written contracts with subprocessors that impose data-protection obligations equivalent to those required by Article 28 of the UK GDPR. Intuitus Ltd will give reasonable advance notice of material new subprocessors where practical and will allow customers to object on reasonable data-protection grounds. If an objection cannot be resolved, the parties should follow the remedies set out in the main agreement.

7. Intuitus Ltd processor obligations

Intuitus Ltd will:

8. Customer obligations

The customer must ensure it has a lawful basis for personal data submitted to AudienceLens, provide required privacy information, manage authorised users and access permissions, avoid unnecessary or high-risk personal data, review AI-assisted outputs before use, and respond to individuals where the customer is controller.

9. Security measures

AudienceLens applies security measures designed to protect customer data, including TLS in transit, access control, least privilege, logical workspace separation, restricted staff access, secure configuration, patching, logging, backup controls, supplier review and incident-response processes.

10. Deletion and return

On termination or expiry of the service, Intuitus Ltd will, at the customer’s choice and where technically feasible, delete or return customer personal data within 60 days, unless UK law requires continued storage.

During the contract, customer admins may delete projects, scenarios, reports or workspaces where supported by the service. Backup copies are overwritten in the ordinary course, normally within 90 days, unless a legal hold, security investigation or technical constraint applies.

Intuitus Ltd may retain minimal records required for legal, tax, accounting, security, dispute, audit and compliance purposes.

11. Audit and evidence

Intuitus Ltd will make available reasonable information needed to demonstrate compliance with this DPA and Article 28 of the UK GDPR, and will allow for and contribute to audits and inspections by the customer or an appointed auditor.

Audit and inspection requests must be subject to reasonable notice, confidentiality, scope limits, no access to other customers’ data and no material disruption to the service. Intuitus Ltd may provide evidence through security summaries, Cyber Essentials status, subprocessor information, retention statements, completed security questionnaires, policies, logs or supplier trust materials where appropriate.

12. Order of precedence

This DPA governs data-protection matters if there is a conflict with the main agreement. Commercial liability, warranties, indemnities, service levels and fees should be handled in the main agreement unless expressly stated otherwise.

Customer review note: This page is provided for customer and procurement review. Customers should take their own legal advice before signature or formal contractual reliance.