KATY — AI Operations Assistant

Full Legal Protection Pack

Version 1.0 — Effective 30 March 2026

Disclaimer: This document has been prepared as a comprehensive legal framework for a SaaS/AI operations assistant product. It is not a substitute for advice from a qualified solicitor. You are strongly advised to have these documents reviewed by a UK-qualified legal professional before publishing, particularly given the sensitive nature of HR and biometric/voice data processing.

Product Name: Katy AI Operations Assistant

Operator / Data Controller: Sebastian Fletcher, trading as Gitwix

Contact: admin@gitwix.com

Jurisdiction: England & Wales

Version: 1.0 — Effective Date: 30 March 2026

Last Updated: March 2026

Part 1: Terms of Service

1. Acceptance of Terms

By accessing or using the Katy AI Operations Assistant platform (“the Service”, “the Platform”), including any web-based interface, API endpoint, voice assistant functionality, or associated tooling, you (“the User”, “you”) agree to be legally bound by these Terms of Service (“Terms”). If you do not agree to these Terms in their entirety, you must immediately cease use of the Service.

These Terms constitute a legally binding agreement between you and Sebastian Fletcher, trading as Gitwix (“we”, “us”, “the Operator”). Use of the Service by any individual or organisation constitutes unconditional acceptance.

2. Eligibility

The Service is intended solely for use by:

  • Professionals, managers, and teams acting in a legitimate professional capacity
  • Businesses and their authorised employees who have been granted access
  • Individuals who are at least 18 years of age
  • Persons and organisations operating lawfully within their jurisdiction

You represent and warrant that:

  • You have legal authority to enter into these Terms on behalf of any entity you represent
  • All information you provide to the Service is accurate and current
  • You will not use the Service in any jurisdiction where doing so would be unlawful

3. Permitted Use

The Service is designed exclusively for the following purposes:

  • Assisting teams in screening, assessing, and communicating with contacts
  • Conducting AI-assisted telephone or voice-based outreach calls
  • Summarising and logging contact responses for review by authorised personnel
  • Automating scheduling and follow-up communications in an operations context

Any use outside of the above purposes is expressly prohibited without prior written consent from the Operator.

4. Prohibited Uses

You must not, under any circumstances, use the Service to:

  • Conduct calls or collect data on individuals without their explicit prior consent
  • Discriminate against contacts on the basis of protected characteristics under the Equality Act 2010, including age, disability, gender reassignment, marriage/civil partnership, pregnancy/maternity, race, religion or belief, sex, or sexual orientation
  • Impersonate another person, organisation, or AI system in a deceptive manner
  • Collect, store, or process data beyond what is necessary for lawful business purposes
  • Circumvent, reverse-engineer, or probe the Platform's security or infrastructure
  • Resell, sublicense, or redistribute access to the Service to third parties
  • Use the Service to harass, intimidate, or coerce any contact or individual
  • Attempt to extract, scrape, or harvest data from the Platform in bulk
  • Use the Service to make any fully automated final hiring decision without human review
  • Train, fine-tune, or otherwise use Service outputs to build competing AI systems
  • Introduce malware, excessive API calls, or denial-of-service attacks
  • Process data of individuals outside the EEA without appropriate safeguards in place

5. Account Responsibility

You are fully responsible for:

  • Maintaining the confidentiality of your login credentials
  • All activity conducted under your account
  • Ensuring that all users within your organisation comply with these Terms
  • Notifying us immediately at admin@gitwix.com if you suspect unauthorised access

The Operator reserves the right to suspend or terminate accounts where misuse, abuse, or violation of these Terms is suspected or confirmed.

6. AI Limitations and Human Oversight

The Katy AI Operations Assistant is an AI-powered tool designed to assist — not replace — human judgement in business decisions. You acknowledge and agree that:

  • AI-generated summaries, scores, or assessments may contain errors, biases, or omissions
  • No hiring decision should be made solely on the basis of AI output without human review
  • The Operator does not guarantee the accuracy, completeness, or fitness for purpose of any AI-generated content
  • You are solely responsible for verifying any AI output before acting on it
  • Use of the Service for fully automated decision-making that produces legal or similarly significant effects on contacts is prohibited under UK GDPR Article 22 unless specific conditions are met and disclosed

7. Intellectual Property

All intellectual property rights in the Service, including software, AI models, interfaces, branding, and documentation, are owned exclusively by the Operator or its licensors. These Terms do not transfer any intellectual property rights to you.

You retain ownership of data you input into the Service, subject to the licence granted below. You grant the Operator a limited, non-exclusive licence to process your input data solely for the purpose of delivering the Service to you.

The Operator does not claim ownership of contact data processed through the Service.

8. Service Availability

The Service is provided on a commercially reasonable best-effort basis. The Operator does not guarantee:

  • Uninterrupted or error-free access
  • That the Service will meet your specific requirements
  • Compatibility with all devices, browsers, or telephony systems

Planned maintenance will be communicated where reasonably practicable. The Operator accepts no liability for losses arising from downtime, technical failures, or third-party service interruptions (including Vercel, Supabase, or telecommunications providers).

9. Limitation of Liability

To the fullest extent permitted by applicable law:

  • The Operator's total aggregate liability under or in connection with these Terms shall not exceed the greater of £100 or the total fees paid by you in the 12 months preceding the claim
  • The Operator shall not be liable for any indirect, consequential, special, incidental, or punitive damages
  • The Operator shall not be liable for losses arising from: misuse of the Service, reliance on AI-generated output, third-party service failures, data breaches caused by your failure to secure your account credentials, or use of the Service in a manner contrary to these Terms

Nothing in these Terms limits liability for death or personal injury caused by negligence, fraud, or fraudulent misrepresentation, or any liability that cannot be excluded under applicable law.

10. Indemnification

You agree to indemnify, defend, and hold harmless the Operator and its affiliates, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable legal fees) arising out of or in connection with:

  • Your use or misuse of the Service
  • Your breach of these Terms
  • Your violation of any applicable law or regulation
  • Any claim brought by a contact or third party arising from data you process through the Service
  • Your failure to obtain adequate consents from contacts prior to using the Service

11. Modifications to the Service and Terms

The Operator reserves the right to:

  • Modify, suspend, or discontinue the Service (or any part of it) at any time with reasonable notice where practicable
  • Update these Terms at any time, with changes taking effect upon posting to the Platform

Continued use of the Service following notification of changes constitutes acceptance of the revised Terms. It is your responsibility to review these Terms periodically.

12. Termination

The Operator may suspend or terminate your access immediately and without notice if:

  • You breach any provision of these Terms
  • Continued provision of the Service would expose the Operator to legal liability
  • You engage in any fraudulent, abusive, or unlawful conduct

Upon termination, your right to use the Service ceases immediately. Provisions that by their nature should survive termination (including intellectual property, limitation of liability, and indemnification clauses) shall continue to apply.

13. Governing Law and Dispute Resolution

These Terms are governed by and construed in accordance with the laws of England and Wales. Any disputes arising from or relating to these Terms or the Service shall be subject to the exclusive jurisdiction of the courts of England and Wales.


Part 2: Privacy Notice

1. Who We Are

Sebastian Fletcher, trading as Gitwix (“we”, “us”), is the data controller for personal data processed through the Katy AI Operations Assistant platform. We are committed to handling personal data responsibly and in compliance with UK GDPR (UK General Data Protection Regulation) and the Data Protection Act 2018.

Contact for data protection enquiries: admin@gitwix.com

2. What Data We Collect

Data Provided by Operators (Business Users)

  • Name, email address, and job title of account holders
  • Organisation name and billing information
  • Configuration settings and job role/vacancy information

Data Collected About Contacts (via Operator use of the Service)

  • Voice and call data: Recordings of AI-assisted telephone calls, where call recording is enabled
  • Transcriptions: Automated text transcriptions of call conversations
  • AI-generated summaries: Structured assessments and notes generated from call content
  • Contact identification data: Name, contact number, email address (as provided by the Operator)
  • Behavioural data: Call timestamps, duration, response patterns

Automatically Collected Technical Data

  • IP addresses and device information
  • Browser type and version
  • Usage logs, API call metadata
  • Cookies and session identifiers (see Cookie Policy below)

3. Legal Basis for Processing

Data Category | Legal Basis | Detail
Operator account data | Contract (Art. 6(1)(b)) | Necessary to provide the Service
Contact call data | Legitimate interests (Art. 6(1)(f)) / Consent | Outreach screening; consent obtained by Operator
Voice recordings | Explicit consent (Art. 9 where applicable) | Obtained prior to call commencement
AI summaries | Legitimate interests (Art. 6(1)(f)) | Assessment purposes
Technical/usage data | Legitimate interests (Art. 6(1)(f)) | Platform security and improvement
Marketing communications | Consent (Art. 6(1)(a)) | Opt-in only

Where the Service processes special category data (e.g., health information, ethnicity, or other protected characteristics inadvertently revealed during a call), processing is limited to what is strictly necessary and will only proceed under Article 9(2)(b) (employment law obligations) or explicit consent.

4. How We Use Your Data

Personal data is used for the following purposes:

  • Providing, operating, and maintaining the Service
  • Facilitating AI-assisted call sessions
  • Generating call transcriptions and contact summaries
  • Enabling operators to review and manage contact assessments
  • Sending service notifications and updates
  • Troubleshooting technical issues and ensuring platform security
  • Complying with legal obligations

We do not use personal data for:

  • Selling data to third parties
  • Behavioural advertising or ad targeting
  • Training AI/ML models on identifiable contact data without explicit consent
  • Any purpose incompatible with the original collection purpose

5. Data Sharing and Third Parties

We use the following third-party sub-processors. By using the Service, you acknowledge and accept their involvement:

Processor | Purpose | Location | Safeguard
Vercel Inc. | Application hosting and deployment | USA | EU-US Data Privacy Framework
Supabase Inc. | Database and authentication | USA (AWS) | Standard Contractual Clauses
OpenAI / AI provider | AI processing and transcription | USA | Standard Contractual Clauses
Twilio Inc. | Voice call infrastructure | USA | Standard Contractual Clauses
ElevenLabs Inc. | Voice AI generation and processing | USA | Standard Contractual Clauses
Anthropic PBC | AI language processing and analysis | USA | Standard Contractual Clauses
Microsoft Corporation | Email and calendar integration (Graph API) | USA/EU | EU-US Data Privacy Framework
Stripe Inc. | Payment processing | USA | EU-US Data Privacy Framework

We will notify you of material changes to sub-processors. We require all sub-processors to maintain appropriate security standards and process data only on our documented instructions.

We may also disclose data to:

  • Law enforcement or regulatory bodies where required by law
  • Legal advisors and professional indemnity insurers in connection with legal claims
  • Successors in the event of a business sale or merger (with appropriate notice)

6. International Data Transfers

Some of our sub-processors are located outside the UK/EEA. Where data is transferred internationally, we rely on one or more of the following safeguards:

  • UK adequacy regulations
  • UK International Data Transfer Agreements (IDTAs) / Standard Contractual Clauses
  • Binding Corporate Rules where applicable

7. Data Retention

Data Type | Retention Period
Operator account data | Duration of account + 2 years
Contact call recordings | 90 days, unless longer retention is required by law
Transcriptions and AI summaries | 12 months from creation
Usage and technical logs | 6 months
Billing records | 7 years (legal requirement)

You may request earlier deletion subject to our legal obligations.

8. Your Rights

Under UK GDPR, individuals have the following rights:

  • Right of access — obtain a copy of personal data held about you
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure (“right to be forgotten”) — request deletion of data in certain circumstances
  • Right to restrict processing — limit how we use your data in certain circumstances
  • Right to data portability — receive data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Rights related to automated decision-making — not to be subject to solely automated decisions with significant effects
  • Right to withdraw consent — at any time where processing is based on consent

To exercise any of these rights, please contact: admin@gitwix.com. We will respond within one calendar month. Where requests are complex or numerous, we may extend this by a further two months with prior notice.

If you are dissatisfied with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): www.ico.org.uk | Helpline: 0303 123 1113.

9. Data Security

We implement the following technical and organisational measures to protect personal data:

  • Encryption in transit (TLS 1.2+) and at rest
  • Row-level security policies in Supabase
  • Role-based access controls limiting data access to authorised personnel
  • Regular security reviews and vulnerability assessments
  • Vercel's enterprise-grade infrastructure protections
  • Incident response procedures aligned with UK GDPR Article 33 (72-hour breach notification obligation)

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours of becoming aware and inform affected individuals without undue delay where required.



Part 4: Acceptable Use Policy (AUP)

1. Purpose

This Acceptable Use Policy forms part of the Terms of Service and sets out specific standards of behaviour required from all users. Violation of this AUP may result in immediate account suspension without refund.

2. Prohibited Activities (Expanded)

In addition to prohibitions in the Terms of Service, the following are expressly prohibited:

Discriminatory Use

  • Using contact data or AI outputs to make decisions based on protected characteristics
  • Configuring AI scoring criteria that correlate with or proxy protected characteristics
  • Applying different assessment standards to contacts of different demographics

Deceptive Use

  • Presenting the AI assistant as a human interviewer without disclosure
  • Using the Service to mislead contacts about the nature of the assessment process
  • Recording calls without providing the mandatory pre-call consent notice

Data Misuse

  • Retaining contact data beyond the periods specified in the Privacy Notice
  • Sharing contact data with parties not involved in the specific business process
  • Using call data for any purpose other than assessment for the specific engagement

Security Violations

  • Attempting to access other organisations' data or accounts
  • Conducting penetration testing without prior written consent from the Operator
  • Exploiting vulnerabilities rather than reporting them through responsible disclosure

3. Responsible Disclosure

If you discover a security vulnerability in the Service, please report it confidentially to admin@gitwix.com before any public disclosure.

Disclosure Timeline:

  • Acknowledgement of report: within 48 hours
  • Initial assessment and severity classification: within 5 business days
  • Remediation of confirmed critical vulnerabilities: within 30 days
  • Remediation of confirmed high-severity vulnerabilities: within 60 days
  • Remediation of medium/low-severity vulnerabilities: within 90 days
  • Reporter will be notified upon remediation and may be credited (with consent)

We request that you do not publicly disclose the vulnerability until we have had reasonable time to remediate. We will not take legal action against security researchers acting in good faith under this policy.


Part 5: Cookie Policy

1. What Are Cookies?

Cookies are small text files placed on your device when you visit the Platform. They enable the Service to remember your preferences and analyse usage.

2. Cookies We Use

Cookie Name | Type | Purpose | Duration
session_token | Strictly Necessary | Authentication and session management | Session
sb-auth-token | Strictly Necessary | Supabase authentication | 1 hour

3. Your Cookie Choices

The Platform uses only strictly necessary cookies for authentication and session management. We do not use tracking cookies, analytics cookies, or advertising cookies. These essential cookies cannot be disabled as they are required for the Platform to function.


Part 6: Data Processing Agreement (DPA) for Business Operators

This Data Processing Agreement supplements the Terms of Service and applies where the Operator processes personal data on behalf of business customers acting as data controllers.

1. Roles

The business customer is the Data Controller. Sebastian Fletcher, trading as Gitwix, is the Data Processor when processing contact personal data on the customer's behalf.

2. Processing Instructions

The Operator will only process personal data on documented instructions from the Controller, except where required by law. If the Operator believes an instruction violates UK GDPR, it will promptly notify the Controller.

3. Processor Obligations

The Operator commits to:

  • Processing data only for the purposes set out in these Terms and the Privacy Notice
  • Ensuring all personnel with access to personal data are bound by appropriate confidentiality obligations
  • Implementing the technical and organisational security measures described in this document
  • Not engaging new sub-processors without informing the Controller and providing opportunity to object
  • Assisting the Controller in fulfilling data subject rights requests within the required timeframes
  • Deleting or returning all personal data upon termination of the Service, as directed by the Controller
  • Providing all information necessary to demonstrate compliance with Article 28 of UK GDPR
  • Notifying the Controller within 48 hours of becoming aware of a personal data breach

4. Audit Rights

The Controller has the right, on reasonable notice (minimum 30 days except in genuine emergencies), to audit the Operator's data processing activities, either directly or through an appointed third party, no more than once per calendar year.


Part 7: Equality, Bias, and Fairness Notice

The Katy AI Operations Assistant uses AI to assist with outreach processes. As operator and users of AI in business decisions, both the Service provider and business customers must comply with:

  • Equality Act 2010 — prohibiting direct and indirect discrimination, harassment, and victimisation
  • UK GDPR Article 22 — rights regarding automated decision-making and profiling
  • ICO Guidance on AI and Data Protection — requiring fairness, transparency, and accountability in AI-assisted operations

AI Bias Mitigation

The Operator commits to:

  • Regularly reviewing AI outputs for evidence of bias against protected characteristic groups
  • Not training models on historical hiring data that reflects past discriminatory patterns without bias correction
  • Documenting the AI system's decision logic to enable transparency audits upon request
  • Providing operators with guidance on how to use AI outputs in a compliant manner

Operator Responsibilities

Business customers must:

  • Conduct their own Equality Impact Assessment before deploying AI-assisted operations
  • Ensure a human reviews every AI-generated assessment before a hiring decision is made
  • Maintain an audit trail of decisions to demonstrate compliance with equality obligations
  • Make reasonable adjustments for disabled contacts who cannot or prefer not to participate in AI-assisted calls

Part 8: Summary of Key Obligations

Obligation | Who | Requirement
Pre-call consent | Operator | Must play/display consent notice before every AI call
Privacy Notice link | Operator | Must provide link before assessment
Human review | Operator | All AI output must be reviewed by a human before hiring decisions
Data retention | Both | Contact data deleted per schedule in Privacy Notice
Data subject requests | Both | Respond within 30 days
Breach notification to ICO | Operator (Gitwix) | Within 72 hours
Breach notification to customer | Operator (Gitwix) | Within 48 hours
Sub-processor notification | Operator (Gitwix) | Prior to engaging new processors
Equality Act compliance | Business customer | Must conduct equality impact assessment
Contact alternative option | Business customer | Must offer non-AI alternative assessment

This document was prepared for Katy AI Operations Assistant, operated by Sebastian Fletcher (Gitwix). All sections should be reviewed by a qualified UK solicitor with experience in data protection and employment law.
