This document sets forth the legally binding terms and conditions for your use of the Lease Reader and WorkflowGPT Platform. Please carefully review the specific terms for each:
These terms of use and privacy policy (the “Terms of Use”) apply whenever you access, use, or otherwise interact with the software made available by Curved Stone Ltd (“Curvestone”) at this domain and any associated domains and/or servers (hereinafter the “Services”). By accepting your invitation and accessing the Services you agree to these Terms of Use.
You have been registered and invited to use these Services by an authorised administrator representing your organisation. If you believe this to be an error, or if you wish to contact your authorised administrator, or if you wish your account to be deleted, please email: infosec@curvestone.io.
a) Curvestone shall mean Curved Stone Ltd. of 55a, Fermoy Road, London, W9 3NJ, UK with corporate registration number: 9249565.
b) Primary Licence Holder shall mean the organisation responsible for the licence agreement for the Services and responsible for inviting you to access the Services.
c) User or You shall mean you, a natural or legal person who is an invited user of the Services.
d) User Content shall mean any chat messages, prompts, or uploaded documents (collectively “Inputs”) you make to the Services together with any outputs the Services provide in direct response to your inputs (“Outputs”).
e) “Personal Data” shall mean any information relating to an identified or identifiable natural person as set out in Article 4 of the GDPR.
a) These Terms of Use govern your use of the Services as a representative of the Primary Licence Holder and are in addition to any terms and conditions separately concluded with the Primary Licence Holder (the “Licence Agreement”).
b) We reserve the right to update these Terms of Use at any time without prior notice to reflect the changing nature of the Services and/or the Licence Agreement.
a) You acknowledge and accept that the Services are provided “as is” for testing and evaluation purposes only. Curvestone makes no representations or warranties regarding the availability and error-free functioning of the Services, or that User Content uploaded by You will not be deleted or damaged without notice.
b) We grant you a non-exclusive right to use the Services as a Primary Licence Holder’s invited User. Your continued access to the Services shall be at the discretion of the Primary Licence Holder and subject to your complying with these Terms of Use.
c) You may not:
i) Reproduce, copy, alter, modify, deface, disclose or change the Services.
ii) Decompile, reverse engineer or otherwise gain access to the source code for the Services.
iii) Delete, remove or obscure any copyright or proprietary notices of Curvestone included in the Services.
iv) Use the Services and any corresponding Outputs without appropriate human oversight, in particular where the intended use case may have an impact on any business or individual’s legal position, financial position, or human rights and safety.
v) Use the Services to collect, process, or make use of Personal Data without informing the Primary Licence Holder and receiving confirmation that the Primary Licence Holder has executed a separate data processing agreement for this purpose.
vi) Use the Services for web scraping or other web data extraction methods except where the data is owned by the Primary Licence Holder.
d) Whilst using the services you agree that you:
i) Will not use any automated or programmatic method of requesting Outputs or uploading documents that would place an unreasonable burden on the Services or on any third party services;
ii) Will not use the Services for use cases that require or rely on up-to-date and factually accurate information unless this information is uploaded by You.
iii) Will upload and enter Inputs only to such an extent reasonably required to support You in your testing and evaluation activities; and
iv) Will not sell or re-sell access to the Services or create any of your own products or services that make use of the Services without the prior written consent of Curvestone.
e) The Services are provided using resources and servers located in the EU/EEA. In using the Services, You acknowledge and agree that Your use of the Services may require Your Inputs and resulting Outputs to be stored and/or transferred to computer systems located in the United States of America. If we need to transfer your data outside the EU/EEA we will only do this upon written instruction of the Primary Licence Holder or a duly authorised legal or regulatory body making a legal request. Any such international transfer will be protected by the Standard Contractual Clauses of the European Commission and the UK IDTA. This User Content Data will not be used to train, re-train, or improve the Microsoft Azure OpenAI model(s) but may be retained by Microsoft Corporation for up to thirty (30) days solely for the purpose of abuse monitoring.
You agree that You shall not use the Services for, or create or upload User Content related to, any of the following prohibited activities:
a) Illegal activity of any description, including but not limited to exploitation and abuse, violent content and/or conduct, and prohibited substances or materials.
b) Generating or circulating content that incites or promotes hate based on identity, or which is intended to harass, threaten, or bully an individual.
c) Generating or distributing malware.
d) Generating or circulating pornographic content & services.
e) Inferring, or attempting to infer, sensitive information about an individual without their express consent, or otherwise attempting to violate the privacy of an individual.
f) Using Outputs to provide legal, financial, or medical advice directly to end users. This restriction does not limit your use of the Services for internal experimentation on use cases associated with the provision of such advice.
a) User shall ensure that all the User Content is in accordance with the Terms of Use and that the User has all necessary permissions and approvals to input the User Content to the Services.
b) User is aware of and agrees that the Content is stored in Operator’s or its service provider’s server and the User gives to Operator all necessary rights for that.
c) Curvestone will protect the confidentiality of the User Content with at least reasonable care, will not use User Content for any purpose outside the scope of these Terms of Use, and will not disclose User Content to any third party (except third party service providers) and will limit access to User Content to its employees, contractors, advisors and agents. Upon notice to the Primary Licence Holder, Curvestone may disclose User Content if required to do so under law, statute, rule or regulation or legal process.
Your access to the Services is controlled by the Primary Licence Holder. This access may be withdrawn at any time, either (i) at the sole discretion of the Primary Licence Holder, (ii) as a result of You breaching these Terms of Use, or (iii) as a result of the termination of the Licence Agreement. Upon termination you will stop using the Services and we will permanently delete all User Content.
The Services are intended to be used for experimental purposes only and are provided to You “AS IS”. In no event does Curvestone warrant that the Services, or any associated Outputs, are error free or that You will be able to use the Services without problems or interruptions to availability.
NO WARRANTY, EXPRESS OR IMPLIED, IS MADE HEREIN THAT THE SOFTWARE, SOFTWARE PRODUCTS OR ANY PARTS THEREOF ARE MERCHANTABLE, OR FIT OR SUITABLE FOR THE PARTICULAR PURPOSES INTENDED BY YOU, AND ANY LIABILITY ON THE PART OF CURVESTONE SHALL BE LIMITED TO THAT SET OUT IN THE GOVERNING LICENCE AGREEMENT.
Curvestone respects your privacy, and we are committed to keeping secure any information we obtain from you or about you. Taking into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Curvestone shall implement appropriate technical and organisational measures to ensure an adequate level of security.
When you access and use the Services, we may collect information which could be used to identify you. The information we collect is:
a) Information provided by the Primary Licence Holder for the purpose of providing you access to the Services.
b) Information you choose to share with us for the purpose of communicating with you on support issues, technical issues, or other questions relating to using the Services.
c) Usage information we receive automatically as a result of you accessing or using the Services (e.g. web browser type, date & time of access).
d) Cookie information (small text files placed on your device) for the purpose of Service administration and analytics.
We may use and store this information for the following purposes:
a) Provide and support the operation of the Services to You.
b) To develop new features & services.
c) To prevent misuse of the Services and any third-party services, in particular the Microsoft Azure AI service.
d) To fulfil our Licence Agreement with the Primary Licence Holder.
To achieve this, we may share this information with:
a) Our employees, directors, and relevant sub-contractors and third-party technology providers.
b) With legal or regulatory bodies if required to do so by law or in the good faith belief that this is necessary to comply with a legal or statutory obligation.
c) With the Primary Licence Holder.
You may withdraw your consent for such processing of Your Personal Data at any time by contacting Amy Woodcock by email at infosec@curvestone.io. If You withdraw Your consent, You will no longer have access to the Services and Your User Content will be deleted. Please note that withdrawing Your consent will not affect Your interactions with the Primary Licence Holder with whom you have a direct relationship outside the scope of the Services. If you also wish to withdraw consent for processing performed by the Primary Licence Holder please contact them directly.
If You have any questions or concerns, or if You wish to change, correct, or delete any Personal Data, please contact Amy Woodcock by email at infosec@curvestone.io.
Any changes to these Terms of Use will be posted to the website You typically use to access the Services and any other places we deem appropriate so that You are aware of the changes.
a) These Terms of Use shall be governed by and construed in accordance with the substantive laws of England without reference to or application of any conflict of laws principles.
b) Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination, or invalidity thereof, shall be settled exclusively by a court of general jurisdiction in England.
These terms of use and privacy policy (the “Terms of Use”) govern your use and apply whenever you access, use, or otherwise interact with the software made available by Curved Stone Ltd (“Curvestone”) at this domain and any associated domains and/or servers (hereinafter the “Services”).
Subject to your compliance with these Terms of Use, you may access and use the Services. In using the Services you must comply with all applicable laws as well as any usage policy and other documentation, guidelines, or policies we may make available to you from time to time.
a) Curvestone shall mean Curved Stone Ltd. of 55a, Fermoy Road, London, W9 3NJ, UK with corporate registration number: 9249565.
b) Primary Account Holder shall mean an entity with a paid business account and who is subject to the associated business account terms.
c) User or You shall mean you, a natural or legal person who is a registered user of the Services.
d) Account Administrator shall mean a User who is nominated as the account administrator on behalf of the Primary Account Holder, and who has the authority to invite Users to the Primary Account Holder’s business account.
e) Invited User shall mean a User who registers and uses the Services following an invitation from an Account Administrator.
f) Trial User shall mean a User who registers and uses the Services independently of any Account Administrator. On expiration of the applicable trial period, a Trial User must cease using the Services, or become an Invited User or Account Administrator.
g) User Content shall mean any chat messages, prompts, or uploaded documents (collectively “Inputs”) you submit to the Services together with any outputs the Services provide in direct response to your inputs (the “Outputs”).
h) “Personal Data” shall mean any information relating to an identified or identifiable natural person as set out in Article 4 of the GDPR.
You must be at least 18 years old, or the minimum age required in your country to consent to use these Services, and you must provide full and accurate information when you register to create an account and use the Services. You may not register to use the Services on behalf of another person, and you must not share your account credentials or otherwise make your account available to anyone else. You remain responsible for all activities that take place under your account.
You may register as a Trial User for a fixed period defined by Curvestone at its sole discretion, or you may be invited to register and use these Services by an Account Administrator. If you receive an invite and believe this to be an error, or if you wish to contact your Account Administrator, or if you wish your account to be deleted, please email: infosec@curvestone.io.
a) Whilst using the Services You may not:
i) Reproduce, copy, alter, modify, deface, disclose or change the Services.
ii) Attempt to or assist someone to decompile, reverse engineer or otherwise gain access to the source code for the Services.
iii) Delete, remove or obscure any copyright or proprietary notices of Curvestone included in the Services.
iv) Use the Services and any corresponding Outputs without appropriate human oversight, in particular where the intended use case may have an impact on any business or individual’s legal position, financial position, or human rights and safety.
v) Use the Services to collect, process, or make use of Personal Data except in compliance with these Terms of Use and any applicable law.
vi) Interfere with or disrupt the Services, including making any attempt to circumvent any usage limits or account controls.
b) Whilst using the Services You agree that You:
i) Will not use any automated or programmatic method of requesting Outputs or uploading documents that would place an unreasonable burden on the Services or on any third-party services.
ii) Will not use the Services for use cases that require or rely on up-to-date and factually accurate information unless this information is uploaded by You.
iii) Will upload and enter Inputs only to such an extent reasonably required for your use of the Services.
iv) Will not re-sell access to or usage of the Services without the prior written consent of Curvestone.
c) The Services are provided using resources and servers located in the UK, EU/EEA, and USA as necessary to meet Curvestone’s performance and resilience objectives. In using the Services, You acknowledge and agree that your use of the Services may require your Inputs and resulting Outputs to be stored and/or transferred to computer systems located in any of these regions. Where we transfer your data outside the EU/EEA this transfer will be protected by the Standard Contractual Clauses of the European Commission and the UK IDTA, and in accordance with the terms of the Data Processing Addendum which is incorporated into these Terms of Use by reference.
You agree that You shall not use the Services for, or create or upload User Content related to, any of the following prohibited activities:
a) Illegal activity of any description, including but not limited to exploitation and abuse, violent content and/or conduct, and prohibited substances or materials.
b) Generating or circulating content that incites or promotes hate based on identity, or which is intended to harass, threaten, or bully an individual.
c) Generating or distributing malware.
d) Generating or circulating pornographic content & services.
e) Inferring, or attempting to infer, sensitive information about an individual without their express consent, or otherwise attempting to violate the privacy of an individual.
a) You acknowledge and agree that all of your User Content is in accordance with the Terms of Use and that you have all necessary permissions and approvals to input this User Content to the Services.
b) You acknowledge and agree that your User Content is stored on Curvestone’s or its third-party cloud service provider’s servers and You grant Curvestone all necessary rights for this purpose.
c) Curvestone will protect the confidentiality of your User Content with at least reasonable care; Curvestone will not use User Content for any purpose outside the scope of these Terms of Use and will not disclose User Content to any third party (except third party service providers) and will limit access to User Content to its employees, contractors, advisors and agents on a need-to-know basis. Curvestone may disclose User Content if required to do so under law, statute, rule or regulation or legal process.
d) Curvestone retains no ownership of any User Content and You grant us no rights in User Content except such rights required for the sole purpose of providing the Services.
If You upgrade from a Trial User or Invited User (whose use of the Services will be billed to the respective Primary Account Holder) to a paid account, You agree to provide complete and accurate billing information and you agree to the business terms provided to you during the upgrade process.
Your access to the Services is controlled by the Primary Account Holder. This access may be withdrawn at any time, either (i) by the Primary Account Holder (or Curvestone acting on their behalf) at their discretion, or (ii) by Curvestone as a result of You breaching these Terms of Use, or (iii) by Curvestone as a result of the termination or expiration of any applicable licence agreement between Curvestone and Primary Account Holder. Following termination You will stop using the Services and we will permanently delete all User Content.
The Services are intended to be used for experimental purposes only and are provided to You “AS IS”. In no event does Curvestone warrant that the Services, or any associated Outputs, are error free or that You will be able to use the Services without problems or interruptions to availability.
NO WARRANTY, EXPRESS OR IMPLIED, IS MADE HEREIN THAT THE SOFTWARE, SOFTWARE PRODUCTS OR ANY PARTS THEREOF ARE MERCHANTABLE, OR FIT OR SUITABLE FOR THE PARTICULAR PURPOSES INTENDED BY YOU, AND ANY LIABILITY ON THE PART OF CURVESTONE SHALL BE LIMITED TO THAT SET OUT IN THE GOVERNING LICENCE AGREEMENT.
IN NO EVENT SHALL CURVESTONE BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF PROFITS, USE, DATA, OR OTHER ECONOMIC ADVANTAGE) ARISING OUT OF OR IN CONNECTION WITH YOUR USE OF THE SERVICES. OUR AGGREGATE LIABILITY UNDER THESE TERMS WILL NOT EXCEED THE GREATER OF THE AMOUNT YOU PAID FOR THE SERVICES THAT GAVE RISE TO THE CLAIM DURING THE 12 MONTHS BEFORE THE LIABILITY AROSE.
The limitations of liability set forth in this Section 9 shall not apply, however, in case of willful misconduct or gross negligence and nothing in this clause will serve to limit or exclude your or our liability for death or personal injury arising from your or our own negligence.
If You are a Primary Account Holder, to the extent permitted by law, you will indemnify and hold Curvestone and its employees, officers, and advisors harmless from and against any costs, losses, liabilities, and expenses (including legal fees) from third party claims arising out of or relating to your use or the use of your Invited Users of the Services or any violation of these Terms of Use.
Curvestone respects your privacy, and we are committed to keeping secure any information we obtain from You or about You. Taking into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Curvestone shall implement appropriate technical and organisational measures to ensure an adequate level of security.
11.1 Personal Data We Collect
When You create an account and use the Services we collect the following information:
· Account information which may include your name, contact information, organisation if you are an Invited User or Account Administrator and billing information.
· Information You choose to share with us for the purpose of communicating with You on support issues, technical issues, or other questions relating to using the Services.
· Usage information we receive automatically when You access or use the Services (e.g. web browser type, date & time of access).
· Cookie information (small text files placed on your device) for the purposes of Service administration and analytics.
For Personal Data we collect, Curvestone of 55a Fermoy St., London, W9 3NJ is the controller and is responsible for the processing of your Personal Data as described in this Privacy Policy.
11.2 How We Use Personal Data
We may use and store Personal Data we collect for the following purposes:
· Provide and support the operation of the Services to You.
· To develop new features & services.
· To prevent misuse of the Services and any third-party services, in particular the Microsoft Azure AI service.
· To fulfill our Licence Agreements with the Primary Account Holders.
· To comply with our legal obligations and to protect the rights of our users and third parties.
11.3 Retention and Disclosure of Personal Data
Curvestone may retain your Personal Data for as long as we need in order to provide the Services to you, or for other legitimate business purposes such as resolving disputes, safety and security reasons, or complying with our legal obligations.
We may be required to share Personal Data with the following:
a) Our employees, directors, and relevant subcontractors and third-party technology providers in order to provide the Services to You or provide support to You at your request.
b) With legal or regulatory bodies if required to do so by law or in the good faith belief that this disclosure is necessary to comply with a legal or statutory obligation.
c) With the Primary Account Holder if you are an Invited User.
11.4 Your Rights
a) You may withdraw your consent for our processing of Your Personal Data at any time by contacting infosec@curvestone.io. If You withdraw Your consent, You will no longer have access to the Services and Your User Content will be deleted. Please note that withdrawing Your consent as an Invited User will not affect Your relationship with a Primary Account Holder with whom you have a direct relationship outside the scope of the Services. If you also wish to withdraw consent for processing performed by the Primary Account Holder please contact them directly.
b) You may request access to your Personal Data and You may request that we update, rectify, or delete your Personal Data. Deleting your Personal Data will mean You will no longer have access to the Services.
c) You may object to or restrict our processing of your Personal Data. This may have an impact on your access to the Services.
d) You may lodge a complaint with the UK Information Commissioner’s Office.
If You have any questions or concerns, or if You wish to change, correct, or delete any Personal Data, please contact us by email at infosec@curvestone.io.
We reserve the right to update these Terms of Use at any time without prior notice to reflect the changing nature of the Services. Any changes to these Terms of Use will be posted to the website You typically use to access the Services and any other places we deem appropriate so that You are aware of the changes.
a) Assignment: You may not assign or transfer any rights or obligations under these Terms of Use and any attempt to do so will be void. Curvestone may assign our rights or obligations under these Terms of Use to any affiliate, subsidiary, or successor in interest of any business associated with our Services.
b) Entire Agreement: These Terms of Use contain the entire agreement regarding the Services and, other than any business terms between Curvestone and a respective Primary Account Holder, supersedes any prior or contemporaneous agreements between you and Curvestone regarding the Services.
c) Governing Law: These Terms of Use shall be governed by and construed in accordance with the substantive laws of England without reference to or application of any conflict of laws principles.
d) Jurisdiction: Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination, or invalidity thereof, shall be settled exclusively by a court of general jurisdiction in England.
1. Introduction, Scope, and Definitions
1.1. Introduction
This Data Processing Agreement (“DPA”) is incorporated by reference into the Lease Reader Terms of Use or such other agreement governing your use of Curvestone’s services and is entered into between Curved Stone Ltd (“Curvestone”) and you, the user of Curvestone’s services to reflect our joint agreement with regard to processing of Personal Data.
1.2. Scope
The parties acknowledge that the Customer for whom Curvestone Processes Personal Data in accordance with the Agreement is and will remain the data controller and Curvestone is a data processor for the purposes of Data Processing Law (“DP Law”) in connection with this DPA. This DPA applies to all activities in which Curvestone, or any sub-processor commissioned by Curvestone, processes Personal Data of the Customer on its behalf.
1.3. Definitions
Terms used but not defined in this DPA shall be understood in terms of their definition in the Terms of Use, Business Terms, or in applicable DP Law. In the event of any conflict or inconsistency the terms in this DPA shall prevail.
“Customer” (collectively “you”, “your”, “User”, or “Customer”) shall mean the business entity or natural person using Curvestone’s services.
“DP Law” means UK Data Protection Laws, EU/EEA Data Protection Laws, and any applicable laws, regulations, and other legal requirements relating to (a) privacy and data security; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
“Microsoft Standard Contractual Clauses” means the standard data protection clauses between Microsoft Ireland Operations Limited and Microsoft Corporation for the transfer of Personal Data from processors in the EEA to processors established in countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR and approved by the European Commission in decision 2021/914/EC, dated 4 June 2021.
“Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with a natural person, and which information is processed by Curvestone solely on behalf of Customer under this DPA and the Agreement.
“Restricted Transfer” means transfer of data from the UK or EU/EEA which is covered by Chapter V of the UK Data Protection Laws, EU/EEA Data Protection Laws.
“Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable DP Laws.
2. Type, Nature, and Duration of Processing
2.1. Type of Data
Customer may submit Personal Data to the services, the type and extent of which is determined and controlled by Customer in its sole discretion.
2.2 Nature of Processing
The Parties acknowledge and agree that with regard to the processing of Personal Data by Curvestone on behalf of Customer the Customer is the Controller of Personal Data, and Curvestone is the Processor of the Personal Data.
Curvestone shall process Personal Data (a) in connection with its provision of the services, (b) to comply with your reasonable instructions provided such instructions do not breach the Terms of Use or this DPA, (c) to share Personal Data with sub-processors solely in connection with the provision of the services, (d) as required under DP Law, (e) for Curvestone’s business administration purposes required to manage the relationship between the parties.
For the avoidance of doubt Customer agrees that the services are not intended for the processing of Sensitive Data unless and until Customer has obtained Curvestone’s prior written consent.
2.3 Duration of Processing
The processing begins when Customer commences use of the services and continues for the term of the services Agreement, together with any reasonable time period required for the erasure or destruction of data following termination.
3. Obligations of Curvestone
3.1. Curvestone shall process Personal Data only as contractually agreed or as instructed by the Customer, unless Curvestone is obliged by law to carry out specific processing. If such obligations exist for Curvestone, it shall notify the Customer prior to processing, unless such notification is prohibited by law. Furthermore, Curvestone shall not use the data provided for processing for any other purpose, in particular not for its own purposes.
3.2. Curvestone confirms that it is aware of the legal provisions of the applicable data protection laws and observes the principles of correct data processing.
3.3. Curvestone undertakes that it, together with any of its agents, officers, employees, and sub-processors who may gain access to the data, shall (i) process User Content only on instructions from Customer or as described in this DPA, (ii) maintain confidentiality during processing and after the termination of any contractual relationship, and (iii) provide periodic and mandatory data privacy and security training to its employees in accordance with Curvestone’s Information Security Policy.
3.4. Curvestone warrants that the persons employed by it for processing have been made familiar with the relevant provisions of data protection and this DPA prior to commencement of processing.
3.5. If the Customer is subject to inspection by supervisory authorities or other bodies, or if data subjects assert rights against it, Curvestone undertakes to support the Customer to the extent necessary insofar as the processing is concerned.
3.6. Curvestone shall notify Customer promptly of (i) any correspondence it may receive from any Regulator relating to User Content or (ii) any complaint from an individual about the processing of User Content in connection with the Services. Curvestone shall cooperate with Customer with the purpose of enabling Customer to respond to the correspondence or complaint.
3.7. The transfer of any Personal Data outside of the UK or EU/EEA is subject to the conditions in Chapter V of the GDPR and must be in compliance with the provisions of this Agreement. For the avoidance of doubt by executing this DPA the Customer grants consent for the specific transfers set out in clause 7.
3.8. Curvestone shall, unless legally not required by DP Law, appoint a competent and reliable person as Data Protection Officer (DPO). Curvestone shall inform the Customer upon execution of this DPA of the contact details of the DPO or give a reason why no DPO has been appointed. Curvestone shall inform the Customer immediately of any changes in the identity of the DPO during the term of the Agreement.
4. Rights and Obligations of Customer
4.1. Customer is solely responsible for assessing the permissibility of the processing and the safeguarding of the rights of data subjects, and warrants to Curvestone that its instructions to process data under this DPA are lawful.
4.2. Curvestone processes data on the instructions of the Customer. The Customer agrees that the Agreement (including this DPA and any applicable updates), along with the Customer’s use and configuration of the services, are Customer’s complete documented instructions to Curvestone for the processing of Personal Data.
4.3. Customer shall be entitled to monitor compliance with data protection provisions and the contractual agreements at Curvestone to a reasonable extent itself or through third parties, in particular by obtaining information and inspecting the on-site controls. The persons entrusted with the inspection shall be given access and insight by Curvestone to the extent necessary for the performance of an inspection. Curvestone shall be entitled to refuse inspections by third parties insofar as they are in competition with it or for similarly important reasons.
4.4. Inspections at Curvestone's premises must be carried out without undue disruption to its business operations. Unless otherwise indicated for urgent reasons, which are to be documented by the Customer, inspections shall be carried out after reasonable advance notice, during Business Hours, and no more frequently than every 12 months.
5. Security of Processing
5.1. Curvestone shall implement and maintain technical and organisational measures to avoid unauthorised or unlawful processing of Personal Data and against loss or destruction of or damage to User Content as outlined in DP Law and in accordance with the requirements set forth in ISO 27001.
5.2. Curvestone shall ensure that all User Content shall be encrypted by default when transferred over public networks or between data centres, and when at rest.
5.3. Curvestone shall employ least privilege access mechanisms to control access to User Content.
5.4. Curvestone shall ensure that all sub-processors implement and maintain comparable technical and organisational measures at least as robust as those in use by Curvestone for its compliance with the requirements of this clause 5.
6. Subcontracting Relationships
6.1. The use of sub-processors is permitted provided that any sub-processor is contractually bound to comply with data protection obligations comparable to those agreed in this DPA. Upon request, Curvestone shall provide access to the relevant portions of its contract with the sub-processor together with any information reasonably required to demonstrate compliance with clause 6.1.
6.2. The Services provided under the Agreement make use of underlying technology provided by Microsoft’s Azure cloud infrastructure and cognitive services. The execution of this DPA constitutes Customer’s prior written consent to the engagement of Microsoft Ireland Operations Ltd and Microsoft Corporation as authorised sub-processors subject to the restrictions set out in clause 7.
6.3. The engagement and use of sub-processors who carry out commissioned processing in territories other than the territory of the UK or EU/EEA shall only be permissible (i) if the sub-processor has appointed a responsible representative in the EU in terms of Art. 27 of the GDPR, and (ii) as far and as long as the sub-processor offers appropriate data protection safeguards.
7. Processing Location and Cross-border Transfers
7.1. The processing of data by Curvestone or its authorised sub-processors shall take place in the UK, EU/EEA, or USA.
7.2. To ensure the necessary performance and availability of the services Curvestone Personal Data may be transferred from the UK or from EU member states to countries that have been deemed to offer an adequate level of data protection as determined by the EU/EEA and/or UK as applicable (each an “Adequacy Decision”). For the avoidance of doubt, “Adequacy Decisions” include the European Commission’s adequacy decision of 10 July 2023, establishing the EU-US Data Privacy Framework. Where the transfer of Personal Data will be to a country covered by an Adequacy Decision, Customer grants permission for such transfer without additional safeguarding measures. In all other cases no transfer will be permitted without the prior written permission of Customer.
7.3. Where a transfer of Personal Data takes place, Curvestone:
7.3.1. agrees that DP Law applies to its processing of the transferred data, including the transfer of the data to the relevant sub-processor;
7.3.2. shall ensure that the transfer and processing are governed by its existing binding contractual agreements with both Microsoft Ireland Operations Ltd and Microsoft Corporation;
7.3.3. shall ensure that these transfers and any associated processing shall be governed by the Microsoft Standard Contractual Clauses. In addition, transfers from the United Kingdom shall be governed by the IDTA implemented by Microsoft. For purposes of this DPA, the “IDTA” means the International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers issued by the UK Information Commissioner’s Office under S119A(1) of the UK Data Protection Act 2018.
7.4. Customer may revoke the permissions granted under clause 7 at any time by providing written instructions to Curvestone.
7.5. At all times during the term of the Agreement Customer will have the ability to access, extract and delete User Content stored in the Services.
8. Notification Duties
8.1. Curvestone shall immediately notify Customer of any actual or suspected breaches of the protection of Personal Data processed on behalf of the Customer. This notification must be sent within 24 hours of Curvestone becoming aware of the relevant event and sent to an address specified by the Customer. It shall contain at least the following information:
8.1.1. a description of the nature of the breach of the protection of Personal Data, indicating where possible the categories and approximate number of data subjects, the categories concerned and the approximate number of Personal Data sets concerned;
8.1.2. the name and contact details of the Data Protection Officer or any other contact point for further information;
8.1.3. a description of the likely consequences of the breach of the protection of Personal Data;
8.1.4. a description of the measures taken or proposed by Curvestone to remedy the breach and, where appropriate, measures to mitigate its possible adverse effects.
8.2. Curvestone shall immediately inform the Customer of any controls or measures taken by regulatory authorities or other third parties and shall assist the Customer in its obligations under Articles 33 and 34 of the GDPR to the extent required.
8.3. Curvestone’s notification of any actual or suspected breaches is not an acknowledgement by Curvestone of any fault or liability with respect to the notified event.
9. Termination
9.1. This DPA shall terminate automatically upon termination of the associated Agreement.
9.2. Upon termination of this DPA and the associated Agreement, all data processed in the terms of this DPA (including any copies thereof) which are still held on the Services at the end of the contractual relationship shall either be destroyed or returned to Customer at Customer's option. Customer must inform Curvestone of its choice within two weeks of being requested to do so by Curvestone.
9.3. Curvestone shall provide written confirmation of proper destruction or return without delay.
9.4. Curvestone shall have the right to retain documentation which serves as confirmation of proper processing of data for a period of three years from the date of termination.
10. Miscellaneous
10.1. Any Fees related to the performance of the parties’ duties under this DPA are conclusively regulated in the Agreement.
10.2. Should individual parts of this DPA be invalid, this shall not affect the validity of the remaining parts of the DPA.
10.3. If a party is required to notify the other party to this DPA it will be marked for the attention of the DPO or other relevant key contact and sent by e-mail to the e-mail address given for the key contact.
10.4. If one party has made any oral or written statements to the other before entering into this DPA (which are not written in this DPA) the other party confirms that it has not relied on those statements and that it will not have a legal remedy if those statements are untrue or incorrect, unless the statement was made fraudulently.
10.5. The applicable laws and jurisdiction are as set out in DP Law and in the relevant Terms of Use.