Privacy Policy
Last Updated: 19 March 2026
Niftact — AI Chat Widget & Chatbot Services
Operated by Izaz Iqbal Ltd (Company No. 16673806)
Table of Contents
- Who We Are
- Important: Two Types of Data Subjects
- Scope of This Policy
- Information We Collect
- How We Collect Your Data
- How We Use Your Data & Legal Bases
- Chatbot & AI Processing
- Voice Data Processing (Vapi Integration)
- Knowledge Base & Document Uploads
- Third-Party AI Providers
- Payments & Billing
- Analytics & Tracking
- Cookies
- Third-Party Integrations
- Marketing & Newsletter Communications
- Data Retention & Deletion by Plan
- How We Share Your Data
- International Data Transfers
- Data Security
- Your Rights Under UK GDPR
- How to Exercise Your Rights
- Children & Age Restrictions
- ICO Registration
- Changes to This Policy
- Contact Us
1. Who We Are
Niftact is an AI-powered chat widget and chatbot platform operated by:
- Company Name: Izaz Iqbal Ltd
- Company Type: Private Limited Company (Ltd)
- Company Number: 16673806
- Registered Address: Office 14073, 182–184 High Street North, East Ham, London, E6 2JA, United Kingdom
- Website: www.niftact.com
- App: app.niftact.com
- Support Email: support@niftact.com
Izaz Iqbal Ltd is registered in England and Wales and complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Our role as Data Controller or Data Processor depends on the context — this is explained in full in Section 2.
2. Important: Two Types of Data Subjects
Niftact serves two distinct groups of people, and our role differs for each:
Group A: Niftact Customers ("Customers")
These are the businesses and individuals who sign up for a Niftact account at app.niftact.com to use our chat widget on their own websites. This includes Free, Pro, and Business plan users.
For data relating to our Customers, Izaz Iqbal Ltd acts as the DATA CONTROLLER — we decide how and why this data is processed.
Group B: End Users ("End Users")
These are the visitors and users of our Customers' websites who interact with a Niftact chat widget embedded on a third-party website.
For data relating to End Users, Izaz Iqbal Ltd acts as a DATA PROCESSOR — we process this data on behalf of our Customers, who are themselves the Data Controllers for their own End Users' data.
If you are an End User who interacted with a Niftact chat widget on a third-party website and have questions about how your data is used, you should contact the business that operates that website. Their privacy policy governs how they use your data.
Group C: Niftact.com Visitors
These are people who visit www.niftact.com without registering an account.
For these visitors, Izaz Iqbal Ltd acts as the DATA CONTROLLER.
3. Scope of This Policy
This Privacy Policy applies to:
- All visitors to www.niftact.com
- All registered Niftact Customers (Free, Pro, and Business plans)
- End Users who interact with Niftact chat widgets embedded on Customer websites, to the extent that we process their data as a Data Processor
- Anyone who contacts us via email, support, or our contact form
- Subscribers to our newsletter
This policy does not replace the privacy policies of our Customers' websites. If you are an End User interacting with a chat widget on a third-party website, that website's own privacy policy also applies.
By using Niftact's platform or website, you confirm you have read and understood this Privacy Policy.
4. Information We Collect
4A. From Niftact Customers (Business Users)
When you register and use a Niftact account, we collect:
Account & Identity Information
- Full name
- Email address
- Password (securely hashed and encrypted — never stored in plain text)
- Profile photo / avatar (optional)
- Job title and company name (optional)
- Account type (Free, Pro, or Business)
- Date and time of account creation
Authentication Data
- Email & password credentials (for direct login)
- Google account ID, name, and email (for Google Sign-In via OAuth)
Team Member Data
- Names and email addresses of team members you invite to your account (up to 1 on Free, 5 on Pro, and unlimited on Business)
Widget Configuration Data
- Chat widget settings, branding, and customisation preferences
- Configured live chat hours and escalation settings
- Help Desk FAQ content you create within the platform
- Helpdesk questions and recommended starter questions configured
Knowledge Base & Uploaded Documents
- PDFs, text files, and other documents you upload to train your AI
- See Section 9 for full details on document data handling
Voice Configuration Data (Pro & Business)
- Vapi voice integration settings
- Dedicated Vapi phone number (where applicable)
- See Section 8 for full details on voice data handling
Billing & Subscription Data
- Subscription plan (Free, Pro at $59.99/month, or Business at $74.99/month)
- Billing cycle (monthly)
- Billing history and invoice records
- Subscription status (active, cancelled, expired, trial)
- Note: Card details are never stored by us — see Section 11
Usage & Analytics Data
- Features used and pages accessed on app.niftact.com
- Device type, browser, and operating system
- IP address and approximate location
- Session duration and activity logs
- Error logs and performance data
Support & Communications Data
- Messages and attachments sent to support@niftact.com
- Contact form submissions from www.niftact.com/contact
- Records of our support responses
4B. From End Users (Visitors to Customer Websites)
When a visitor interacts with a Niftact chat widget embedded on one of our Customer's websites, the following data may be collected on behalf of that Customer:
Contact & Identity Data
- Name and email address (where voluntarily provided by the visitor)
- Any other contact details the visitor shares during the conversation
Conversation Data
- All chat messages sent to and received from the AI chatbot
- Full conversation history and session logs
- Timestamps of each message and session
Voice Data (where Vapi Voice is enabled by the Customer)
- Voice recordings of calls made via the Vapi voice channel
- Transcripts of voice conversations
- Call duration and metadata
- See Section 8 for full details
Location & Device Data
- Approximate geographic location (derived from IP address)
- Device type, browser, and operating system
- IP address
- Referring website
Lead Data
- Contact information gathered through the chat widget for lead generation purposes on behalf of the Customer
Important: This data is processed on behalf of our Customers as Data Processor. Our Customers are responsible for obtaining appropriate consent from their End Users and for providing their own privacy notices in accordance with applicable law.
4C. From Website Visitors to www.niftact.com
When you visit www.niftact.com without registering, we collect:
- IP address and approximate geographic location
- Browser type, device type, and operating system
- Pages visited and time spent on each page
- Referring website or search term
- Cookie data (see Section 13)
- Newsletter email address (if you subscribe via the footer form)
5. How We Collect Your Data
We collect data through the following means:
- (a) Directly from you — when you register, update your profile, configure your widget, upload documents, subscribe to our newsletter, or contact our support team.
- (b) Automatically — through cookies, server logs, and analytics tools as you use app.niftact.com or browse www.niftact.com.
- (c) Via your embedded chat widget — when End Users interact with a Niftact widget installed on your website.
- (d) From Google Sign-In — when you authenticate with Google, we receive your name, email, and Google ID via OAuth.
- (e) From Stripe — subscription status, billing cycle, and invoice data (but never full card details).
- (f) From Vapi — when voice integration is active, call data and transcripts are received from Vapi's platform.
- (g) From HubSpot (Business plan) — when HubSpot integration is enabled, lead data may flow between Niftact and HubSpot.
6. How We Use Your Data & Legal Bases
Under UK GDPR, we must have a lawful basis for processing personal data.
For Niftact Customers:
| Purpose | Legal Basis |
|---|---|
| Creating & managing your account | Contract performance |
| Delivering the Niftact platform | Contract performance |
| Processing widget conversations | Contract performance |
| Managing team members & permissions | Contract performance |
| Managing your subscription & billing | Contract performance |
| Sending transactional emails (confirmations, invoices, resets) | Contract performance |
| Improving platform features | Legitimate interests |
| Monitoring bugs & performance | Legitimate interests |
| Ensuring platform security | Legitimate interests |
| Analysing usage patterns | Legitimate interests |
| Preventing fraud and abuse | Legitimate interests |
| Escalation email notifications | Legitimate interests |
| Sending newsletter & marketing emails | Consent (opt-in only) |
| Optional profile data (photo, job title) | Consent |
| Retaining financial/billing records | Legal obligation |
| Complying with ICO or court requirements | Legal obligation |
For End Users (processed as Data Processor):
We process End User data solely on the documented instructions of our Customers. Our Customers determine the legal basis for processing End User data under their own privacy policies.
7. Chatbot & AI Processing
7.1 How the Chatbot Works
When an End User sends a message via a Niftact-powered chat widget, that message is securely transmitted to one or more AI models to generate a response. These models may include OpenAI GPT, Google Gemini, and/or Niftact's own proprietary AI model (see Section 10).
7.2 Custom AI Training (Pro & Business Plans)
Niftact Customers on Pro and Business plans can train the AI on their own business data by uploading documents to a dedicated Knowledge Base (see Section 9). The AI learns from these documents to deliver accurate, brand-aligned answers specific to that Customer's business.
7.3 AI Training on User Data
Niftact does NOT use End User personal conversation data to train any AI model — including our own proprietary model. Conversations are used solely to generate responses during live sessions and to maintain conversation history within each Customer's account.
As an additional safeguard, Customers and End Users may request exclusion of their data from any future internal analytics or improvement processes by contacting us at support@niftact.com.
7.4 Conversation History Access & Deletion
Customers can access, review, and delete End User conversation history within their Niftact dashboard. End Users can request deletion of their chat history by contacting the business whose website they used. For automatic deletion timelines, see Section 16.
7.5 Human Escalation
Where a Customer has configured live chat hours, the AI will escalate conversations to a human agent during those hours and send the Customer an email notification. During escalation, the full conversation context is shared with the Customer's team. No escalation occurs outside the Customer's configured hours.
7.6 Automated Decision-Making
Niftact's AI responses are informational only. The chatbot does not make legally significant automated decisions about End Users. All AI outputs are advisory and do not constitute legally binding decisions.
8. Voice Data Processing (Vapi Integration)
Niftact's Pro and Business plans offer optional voice functionality via integration with Vapi, a third-party voice AI platform.
8.1 What is Collected During Voice Sessions
When a Customer enables Vapi Voice Integration, the following data may be collected from End Users who use the voice channel:
- Audio recordings of the voice call
- AI-generated transcripts of the conversation
- Call duration, start/end time, and metadata
- Any contact information shared verbally or via the interface
8.2 How Voice Data is Handled
Voice calls are processed by Vapi's infrastructure. Audio recordings and transcripts are associated with the relevant Customer account and are subject to the same data retention rules as chat conversations (see Section 16). Voice data is processed on behalf of Customers as Data Processor.
8.3 Vapi as a Sub-Processor
Vapi acts as a sub-processor for Izaz Iqbal Ltd when processing voice data on behalf of our Customers.
- Vapi Privacy Policy: https://vapi.ai/privacy
- Vapi may process data in the United States. Appropriate international transfer safeguards apply (see Section 18).
8.4 Customer Responsibility for Voice Data
Customers who enable Vapi Voice Integration are responsible for:
- Informing their End Users that voice calls may be recorded
- Obtaining any required consent under applicable law before recording
- Including appropriate disclosures in their own privacy policy
8.5 Important Note on Voice Recordings
Voice recordings are particularly sensitive personal data. If you are an End User and do not wish your voice to be recorded, please do not use the voice channel on a Customer's website. You may still use the text chat channel instead.
9. Knowledge Base & Document Uploads
Niftact Pro and Business Customers can upload documents (PDFs, .txt files, and other supported formats) to a dedicated Knowledge Base to train their AI chat assistant.
9.1 What We Do With Uploaded Documents
- Documents are parsed and indexed to enable the AI to provide accurate, contextually relevant answers based on the Customer's own content.
- Documents are stored securely and are accessible only to the Customer who uploaded them and authorised members of their team.
- Document content is used only for the purpose of powering that Customer's AI assistant — it is not shared with other Customers.
9.2 Documents Containing Personal Data
Customers must ensure that any documents uploaded to the Niftact Knowledge Base comply with applicable data protection laws. If a document contains personal data about third parties, the Customer is responsible for ensuring they have a lawful basis for uploading and processing that data.
Izaz Iqbal Ltd processes uploaded document data as a Data Processor on behalf of the Customer.
9.3 Document Deletion
Customers can delete individual documents or their entire Knowledge Base at any time from the Niftact dashboard. Deleted documents are permanently removed from active storage and purged from encrypted backups within 90 days.
10. Third-Party AI Providers
To deliver chatbot responses, conversation data may be processed by the following AI providers. We have Data Processing Agreements (DPAs) in place with each provider.
10.1 OpenAI (GPT Models)
- Provider: OpenAI, LLC
- Location: United States
- Purpose: Generating AI chatbot responses
- Privacy Policy: https://openai.com/privacy
- Data transfer: Outside the UK — protected by Standard Contractual Clauses (SCCs) / UK IDTA
10.2 Google Gemini
- Provider: Google LLC
- Location: United States
- Purpose: Generating AI chatbot responses
- Privacy Policy: https://policies.google.com/privacy
- Data transfer: Outside the UK — protected by Standard Contractual Clauses (SCCs) / UK IDTA
10.3 Niftact Proprietary AI Model
- Provider: Izaz Iqbal Ltd (in-house)
- Location: UK/EU and US infrastructure via Vercel
- Purpose: Generating AI chatbot responses
- Data usage: Personal conversation data is NOT used to train this model. Processing is limited to real-time response generation only.
10.4 Our Commitments with AI Providers
We contractually require all third-party AI providers to:
- Process data only to provide Niftact's service
- Not use customer or end-user data for their own independent AI training or commercial purposes
- Maintain appropriate security and confidentiality standards
- Comply with UK GDPR data transfer requirements
11. Payments & Billing
11.1 Payment Processor
All payments for Niftact's paid plans are processed by Stripe, Inc., a PCI DSS Level 1 certified payment processor.
- Stripe Privacy Policy: https://stripe.com/privacy
11.2 Plan Pricing
- Free Plan: $0 / forever (no credit card required)
- Pro Plan: $59.99/month
- Business Plan: $74.99/month
11.3 What We Do Not Store
Izaz Iqbal Ltd does NOT store, access, or process:
- Full credit or debit card numbers
- CVV / security codes
- Bank account details
All card data is entered directly into Stripe's secure environment.
11.4 What We Do Store
We retain the following billing data on our systems:
- Subscription plan type and billing cycle
- Subscription status (active, trial, cancelled, past due)
- Invoice history and amounts charged
- Stripe Customer ID (a reference identifier only)
11.5 Auto-Renewal
All paid subscriptions (monthly) automatically renew at the end of each billing period. You will receive advance email notice of any renewal charge. Subscriptions can be cancelled at any time from the Niftact dashboard to stop future renewals.
11.6 Plan Changes
Upgrades take effect immediately. Downgrades apply at the end of the current billing period.
11.7 Billing Record Retention
Billing and invoice records are retained for a minimum of 6 years in accordance with UK financial and tax regulations (HMRC requirements).
12. Analytics & Tracking
12.1 Google Analytics
We use Google Analytics (provided by Google LLC) on www.niftact.com to understand how visitors use our website. Data collected includes:
- Pages visited, time spent, and navigation paths
- Referring websites and search terms
- Device type, browser, and operating system
- Approximate location (derived from anonymised IP address)
- Feature engagement and conversion events
Your IP address is anonymised before being transmitted to Google. We do not combine analytics data with your personal account data.
- Google Analytics Privacy Policy: https://policies.google.com/privacy
12.2 Opt-Out of Google Analytics
You can opt out at any time by installing the browser add-on at: https://tools.google.com/dlpage/gaoptout
12.3 Analytics on the App
We may use anonymised usage analytics on app.niftact.com to understand how Customers use the platform's features. This is used solely to improve the product and is never linked back to individual End Users.
12.4 No Advertising Tracking
Niftact does not use advertising or retargeting pixels. We do not serve ads, and we do not share data with advertisers.
13. Cookies
13.1 What are Cookies
Cookies are small text files stored on your device when you visit a website. They help us deliver, secure, and improve our Service.
13.2 Cookies We Use on www.niftact.com
Essential Cookies (Always Active)
Required for the website to function. Cannot be disabled.
- Session authentication cookies (keeping you logged in)
- Security and CSRF protection cookies
- Load balancing cookies
Analytics Cookies (Google Analytics)
Help us understand how the website is used. Data is anonymised.
- _ga: Distinguishes unique users (expires 2 years)
- _gid: Distinguishes unique users (expires 24 hours)
- _gat: Throttles request rate (expires 1 minute)
Functional Cookies
Remember your preferences to improve your experience.
- Theme/display preference cookies
- Language and region preference cookies
13.3 The Niftact Chat Widget (on Customer Websites)
When our Customers embed the Niftact chat widget on their websites, the widget may set its own session cookies on that website. Our Customers are responsible for disclosing the widget's cookies in their own cookie policies and obtaining consent from their visitors where required by law.
13.4 Cookie Consent Banner
We are in the process of implementing a cookie consent banner on www.niftact.com. Until this is live, by continuing to use our website you acknowledge the use of cookies as described in this section.
13.5 Managing Cookies
You can control and delete cookies via your browser settings:
- Chrome: https://support.google.com/chrome/answer/95647
- Firefox: https://support.mozilla.org/en-US/kb/cookies
- Safari: https://support.apple.com/guide/safari/sfri11471
Note: Disabling essential cookies will prevent Niftact from working.
14. Third-Party Integrations
14.1 HubSpot Integration (Business Plan)
Business plan Customers can integrate Niftact with their HubSpot CRM account to sync leads directly from the chat widget into HubSpot.
When this integration is enabled:
- Lead data collected via the chat widget (name, email, contact info) is transmitted to the Customer's HubSpot account
- This transfer is initiated and controlled by the Customer
- Izaz Iqbal Ltd acts as Data Processor in facilitating this transfer
- Customers are responsible for ensuring their use of HubSpot complies with applicable data protection law
- HubSpot Privacy Policy: https://legal.hubspot.com/privacy-policy
- HubSpot may process data in the United States.
14.2 Google Sign-In
Customers can register and log in using their Google account via OAuth. We receive name, email, and Google account ID from Google. We do not receive or store your Google password.
- Google Privacy Policy: https://policies.google.com/privacy
14.3 Vapi Voice Platform
See Section 8 for full details on Vapi voice integration.
14.4 Vercel (Hosting)
Our platform is hosted on Vercel, Inc., which processes data on our behalf as a Data Processor.
- Vercel Privacy Policy: https://vercel.com/legal/privacy-policy
- Vercel operates infrastructure across UK/EU and US regions.
14.5 Stripe (Payments)
See Section 11 for full details on payment processing via Stripe.
15. Marketing & Newsletter Communications
15.1 Transactional Emails (Current — Always Sent)
We currently send the following service-related emails which are necessary for the operation of your account:
- Account registration confirmation
- Password reset emails
- Team member invitation emails
- Subscription confirmation and renewal notices
- Billing receipts and invoices
- AI-to-human escalation alert notifications
- Important service or policy update notifications
You cannot opt out of transactional emails while you have an active Niftact account, as they are essential to service delivery.
15.2 Newsletter (Website Subscribers)
Visitors to www.niftact.com can subscribe to our newsletter via the subscription form in the website footer. By entering your email and subscribing, you consent to receiving product updates and news from Niftact. This is entirely optional.
15.3 Promotional Emails (Planned)
We plan to introduce optional promotional and marketing emails for registered Customers in the future, including new feature announcements, offers, and tips. When launched, these will be:
- Opt-in only — sent only to those who explicitly consent
- Compliant with UK PECR (Privacy and Electronic Communications Regulations)
15.4 How to Unsubscribe
Every newsletter and marketing email will include a clear, one-click unsubscribe link. You may also unsubscribe at any time by emailing support@niftact.com with the subject line "Unsubscribe".
Unsubscribing from marketing or newsletter emails will NOT affect transactional emails related to your account or subscription.
16. Data Retention & Deletion by Plan
We retain personal data only for as long as necessary for its purpose or as required by applicable UK law.
16.1 Chat Conversation History (Plan-Specific)
Free Plan ($0)
- Chat history is automatically and permanently deleted after 30 days.
- Customers can manually delete individual conversations at any time from the Niftact dashboard.
Pro Plan ($59.99/month)
- Chat history is automatically and permanently deleted after 90 days.
- Customers can manually delete individual conversations at any time from the Niftact dashboard.
Business Plan ($74.99/month)
- Chat history is retained indefinitely with no automatic deletion.
- Only the Business Customer (or their authorised team members) can delete conversations, either individually or in bulk, from the Niftact dashboard.
- Izaz Iqbal Ltd does not proactively delete Business plan chat data.
- Business Customers are responsible for managing their own data retention obligations under applicable law.
16.2 Voice Recordings & Transcripts
Voice data is subject to the same retention rules as chat history based on the Customer's plan (see 16.1 above). Business plan Customers are responsible for managing retention of voice data.
16.3 Customer Account Data
- Active accounts: Retained for the duration of the account.
- Deleted accounts: Personal data is permanently deleted within 30 days of account deletion via the in-app deletion feature.
16.4 Uploaded Knowledge Base Documents
- Retained for as long as the Customer's account is active.
- Deleted immediately when the Customer removes them from the dashboard.
- Purged from encrypted backups within 90 days of deletion.
16.5 Billing & Financial Records
Retained for a minimum of 6 years from the date of transaction in compliance with HMRC and UK financial regulations.
16.6 Usage & Analytics Data
Retained in anonymised, aggregated form for up to 36 months.
16.7 Support Communications
Retained for up to 3 years from the date of last communication.
16.8 Newsletter Subscriber Data
Retained until you unsubscribe. Upon unsubscribe, your email is removed from our mailing list within 10 business days.
16.9 After Deletion
Deleted data is permanently removed from active systems. Residual encrypted backup copies are purged within 90 days in line with our standard backup rotation schedule.
17. How We Share Your Data
We do not sell, rent, or trade your personal data to third parties. We share data only in the following limited circumstances:
17.1 AI Providers (as Data Processors)
OpenAI, Google, and our own AI infrastructure process chat data to generate responses. See Section 10 for full details.
17.2 Hosting — VERCEL (as Data Processor)
Vercel hosts and delivers our platform on our behalf. See Section 14.5 for details.
17.3 Payments — STRIPE (as Data Processor)
Stripe processes subscription and payment data on our behalf. See Section 11 for details.
17.4 Analytics — GOOGLE ANALYTICS (as Data Processor)
Google processes anonymised website usage data via Google Analytics. See Section 12 for details.
17.5 Voice — VAPI (as Sub-Processor)
Vapi processes voice call and transcript data when voice is enabled. See Section 8 for details.
17.6 CRM — HUBSPOT (Business Plan, Customer-Initiated)
Lead data is transmitted to a Customer's HubSpot account when enabled. See Section 14.1 for details.
17.7 Niftact Customers (for End User Data)
End User conversation data, lead data, and analytics from the chat widget are made accessible to the Niftact Customer who owns that widget. Customers control this data and are responsible for its lawful use.
17.8 Legal Requirements
We may disclose data if required by UK law, court order, or a regulatory authority such as the ICO or law enforcement. We will only disclose the minimum necessary data.
17.9 Business Transfer
In the event of a merger, acquisition, or sale of Izaz Iqbal Ltd, your data may be transferred. We will notify you by email and on our website before any such transfer and before your data becomes subject to a different privacy policy.
17.10 With Your Explicit Consent
We will not share your data for any other purpose without your explicit, informed consent.
18. International Data Transfers
Izaz Iqbal Ltd is based in the UK. Some of our third-party providers are based in the United States, meaning data may be transferred outside the UK.
| Provider | Location | Purpose | Safeguard |
|---|---|---|---|
| OpenAI | USA | AI processing | UK IDTA / SCCs |
| Google | USA | AI & analytics | UK IDTA / SCCs |
| Vercel | USA | Hosting | UK IDTA / SCCs |
| Stripe | USA | Payments | UK IDTA / SCCs |
| Vapi | USA | Voice processing | UK IDTA / SCCs |
| HubSpot | USA | CRM (Biz plan) | UK IDTA / SCCs |
All international transfers comply with UK GDPR Article 46 requirements. Safeguards include UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) approved by the ICO.
Our infrastructure via Vercel operates across UK/EU and US data centres. We take reasonable steps to process UK user data in UK/EU regions where technically feasible.
You can request a copy of our transfer safeguards by contacting support@niftact.com.
19. Data Security
Izaz Iqbal Ltd implements robust technical and organisational measures to protect your personal data.
19.1 Technical Measures
- SSL/TLS encryption enforced across all of www.niftact.com and app.niftact.com (HTTPS only)
- Encryption of sensitive data at rest
- Secure password hashing — passwords never stored in plain text
- Automated encrypted backups with restoration testing
- Role-based access controls limiting staff access to personal data
- Vercel's built-in DDoS protection and edge security network
- Secure API key management for AI provider integrations
19.2 Organisational Measures
- Regular security audits and vulnerability assessments
- Internal data access restricted on a strict need-to-know basis
- Contractual data security obligations with all third-party processors
- Incident response and breach notification procedures aligned with UK GDPR requirements
19.3 Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, Izaz Iqbal Ltd will:
- Notify the ICO within 72 hours of becoming aware of the breach
- Notify affected users without undue delay where there is a high risk to their rights and freedoms
- Send notifications to your registered email address and post a notice on www.niftact.com
No system can guarantee 100% security. We cannot guarantee absolute security of data transmitted over the internet.
20. Your Rights Under UK GDPR
Under the UK GDPR and the Data Protection Act 2018, you have the following rights (applicable to data for which we are Data Controller):
20.1 Right of Access
Request a copy of all personal data we hold about you, how we use it, who we share it with, and how long we retain it.
20.2 Right to Rectification
Request correction of inaccurate or incomplete personal data.
20.3 Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data. Available in-app via account deletion. May be limited where we must retain data by law (e.g., financial records under HMRC rules).
20.4 Right to Restrict Processing
Request that we limit how we process your data in certain circumstances (e.g., while you contest accuracy of data we hold).
20.5 Right to Data Portability
Receive your data in a structured, machine-readable format and transfer it to another provider. Available in-app via data export.
20.6 Right to Object
Object to processing based on legitimate interests or for direct marketing purposes.
20.7 Right to Withdraw Consent
Withdraw consent at any time where processing is consent-based. Withdrawal does not affect lawfulness of prior processing.
20.8 Rights Related to Automated Decision-Making
Not to be subject to solely automated decisions with significant legal effects. Niftact's AI does not make such decisions.
20.9 Right to Lodge a Complaint
If you are unhappy with how we handle your data, you have the right to complain to the UK's supervisory authority:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk/make-a-complaint
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We encourage you to contact us first at support@niftact.com so we can try to resolve your concern directly.
NOTE FOR END USERS: If you interacted with a Niftact widget on a third-party website and wish to exercise your rights over that data, please contact the business operating that website. We will cooperate fully with our Customers to facilitate your rights requests.
21. How to Exercise Your Rights
21.1 In-App (Self-Service — No Contact Needed)
The following can be done directly within your Niftact account:
- Delete your account and all associated data
- Export your personal data in a portable format
- Delete individual or all chat conversations
- Update your profile information (name, email, photo, job title)
- Cancel your subscription
21.2 Contact Us Directly
For access requests, rectification, restriction, or objection:
- Email: support@niftact.com
- Subject: "Data Rights Request — [Type of Request]"
Please include:
- Your full name
- Email address linked to your Niftact account
- A clear description of your request
21.3 Response Timeframe
We will acknowledge your request promptly and aim to fulfil it as quickly as possible. Under UK GDPR, we must respond to Subject Access Requests within 30 days (extendable by a further 2 months for complex or multiple requests, with notice to you).
21.4 Identity Verification
To protect your data, we may ask you to verify your identity before processing your request. We will ask for the minimum necessary information to confirm who you are.
21.5 No Charge
Exercising your data rights is free of charge. We reserve the right to charge a reasonable fee or refuse manifestly unfounded or excessive requests in line with UK GDPR.
22. Children & Age Restrictions
Niftact does not impose a minimum age restriction for use of the platform. We acknowledge our responsibilities under the UK Children's Code (Age Appropriate Design Code) and UK GDPR.
22.1 Niftact Customers Under 13
Where we become aware that a Customer registering for a Niftact account is under the age of 13, we will seek verified parental or guardian consent before processing their data. If consent cannot be obtained, we will delete the account.
22.2 End Users Under 13
Where a Niftact chat widget is deployed on a website that may be accessed by children under 13, the Customer operating that website is responsible for obtaining appropriate parental consent and complying with COPPA (if US-based) or the UK Children's Code.
Izaz Iqbal Ltd applies higher privacy protections by default for any End Users identified as minors, restricting data use to service delivery only and disabling any profiling or lead generation features.
22.3 Parental Concerns
If you are a parent or guardian and believe your child has used Niftact or provided personal data without your consent, please contact us at support@niftact.com and we will promptly review and, where appropriate, delete the data.
22.4 Widget Deployment Responsibility
Customers who deploy Niftact on websites targeted at or likely to be accessed by children are solely responsible for ensuring their use of the platform is compliant with applicable children's data protection laws, including the ICO's Children's Code.
23. ICO Registration
Izaz Iqbal Ltd is in the process of registering with the Information Commissioner's Office (ICO) as a data controller under the Data Protection (Charges and Information) Regulations 2018.
24. Changes to This Privacy Policy
We may update this Privacy Policy to reflect:
- New features or changes to how we process data
- Changes in UK law or regulatory guidance
- Feedback from users, Customers, or the ICO
- Addition of new third-party providers or integrations
24.1 How We Notify You
For material changes, we will:
- Update the "Last Updated" date at the top of this document
- Publish the updated policy at www.niftact.com/privacy
- Send an email notification to all registered Customers
For minor changes (e.g., clarifications, typo corrections), we will update the policy without sending a direct email.
24.2 Your Continued Use
Continued use of Niftact after notification of changes constitutes acceptance of the updated policy. If you disagree, you may delete your account at any time.
24.3 Policy History
Previous versions of this policy are available upon request by emailing support@niftact.com.
25. Contact Us
For any questions, concerns, or requests about this Privacy Policy or how Izaz Iqbal Ltd handles personal data, please contact us:
- Company: Izaz Iqbal Ltd
- Number: 16673806
- Address: Office 14073, 182–184 High Street North, East Ham, London, E6 2JA, United Kingdom
- Website: www.niftact.com
- Email: support@niftact.com
© 2026 Izaz Iqbal Ltd. All rights reserved.