Privacy Policy

Effective Date: May 2026
· Company: Zylair Ltd, Registered in England & Wales
· Company No: 16741348
· Data Controller: Zylair Ltd
· ICO Registration: ZC132293
· DPO Contact: chris@zylair.com

1. Who We Are and What This Policy Covers

Zylair Ltd ("we," "us," "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your information when you use our AI-powered risk assessment service.

Geographic Scope:

Zylair is a UK-based service operated under UK GDPR. This policy also addresses EU GDPR where applicable. We do not actively market to users outside the UK and European Economic Area.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Name, email address, company details, job title
  • Profile Data: Industry sector, role, preferences, settings
  • Content Uploads: Images, documents, descriptions for risk assessment generation
  • Communications: Support requests, feedback, correspondence

2.2 Information We Collect Automatically

  • Usage Data: Features used, pages visited, session duration
  • Technical Data: IP address, browser type, device information, operating system
  • Performance Data: Error logs, system performance metrics, API response times

2.3 Team and Organisation Data

  • Team membership: If you create or join a team, your name, email address, and role within the team are visible to other team members and the team owner.
  • Billing relationship: Team members' usage is billed through the team owner's subscription. The team owner can see overall usage but not the content of individual assessments.

2.4 Sign-off Data (Third-Party Signatories)

  • When a sign-off request is sent to a third party, and that person chooses to sign the assessment, we store their full name, job title, date, and electronic signature as part of the assessment record.
  • This data is provided voluntarily by the signatory and is processed on the basis of legitimate interests, specifically maintaining a tamper-evident audit trail for health and safety compliance.
  • Signatories may request removal of their data by contacting chris@zylair.com, subject to legal retention requirements.

2.5 Information from Third Parties

  • Payment Data: Processed by Stripe (we don't store payment card details)
  • Authentication Data: Via email magic link (Supabase Auth)

3. Legal Basis for Processing (UK/EU)

We process your personal data on the following legal bases:

  • Contract Performance: To provide the service you've subscribed to
  • Legitimate Interests: Service improvement, security, customer support
  • Legal Compliance: Tax obligations, regulatory requirements, data retention laws
  • Consent: Marketing communications, optional analytics (where required)

4. How We Use Your Information

4.1 Service Provision

  • Generate AI-powered risk assessments from your uploads
  • Provide cloud storage and collaboration features
  • Process payments and manage subscriptions
  • Deliver customer support and technical assistance

4.2 Service Improvement

  • Analyse usage patterns to improve features (pseudonymised data only)
  • Conduct security monitoring and fraud prevention

4.3 Legal and Business Operations

  • Comply with legal obligations and regulatory requirements
  • Maintain business records and tax compliance
  • Respond to legal requests and court orders

4.4 Communications

  • Send service updates, security alerts, and account notifications
  • Provide customer support responses
  • Marketing communications (with consent where required)

5. Data Sharing and Disclosure

5.1 Service Providers (Data Processors)

We share data with trusted third parties who help us operate our service:

  • OpenAI: AI processing for risk assessment generation. Image and text data submitted for processing is retained by OpenAI for up to 30 days for safety and abuse monitoring purposes, after which it is deleted. OpenAI does not use API data to train its models. See OpenAI's privacy policy.
  • Stripe: Payment processing (subject to their privacy policy). We do not store payment card details.
  • Supabase: Database and authentication services (hosted on AWS infrastructure).
  • Vercel: Application hosting and serverless infrastructure.

5.2 Legal Disclosures

We may disclose information when required by law:

  • Court orders, subpoenas, or legal processes
  • Regulatory investigations or compliance requests
  • Protection of rights, property, or safety

What We Never Do

  • We never sell your personal data
  • We never share risk assessment content with unauthorized parties
  • We never use your data for advertising to third parties

6. Data Security and Protection

6.1 Technical Safeguards

  • Encryption in transit (TLS) and at rest, provided by our infrastructure providers
  • Multi-factor authentication used where available on administrative systems
  • Periodic review of security practices and access controls
  • Secure development practices and dependency management

6.2 Organizational Measures

  • Access controls based on need-to-know principles
  • Incident response procedures for data breaches
  • Third-party providers selected on the basis of their published security standards

6.3 Data Breach Notification

In the event of a data breach:

  • UK: ICO notification within 72 hours where required by UK GDPR
  • EU: Relevant supervisory authority notification within 72 hours
  • Affected individuals notified without undue delay if there is a high risk to their rights and freedoms

7. Your Privacy Rights

7.1 UK GDPR/EU GDPR Rights

  • Right of Access: Request copies of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data (subject to legal retention)
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a portable format
  • Right to Object: Object to processing based on legitimate interests

7.2 Exercising Your Rights

Self-Service

Use your account settings for data export, correction and deletion

Contact Us

privacy@zylair.com for complex requests

Response Time: We will respond to requests without undue delay and in any event within one month, as required by UK GDPR. Where a request is complex or we receive several from you, we may extend this by a further two months and will tell you within the first month why the extension is needed.
Identity Verification: May be required to prevent unauthorised access to your data

8. Data Retention

8.1 Retention Periods

  • Account Data and Risk Assessments: Retained for the duration of your active account. On account closure, all data is deleted within 30 days.
  • Payment Records: 7 years (UK tax law requirement, retained even after account closure).
  • Marketing Data: Until consent withdrawn or 3 years of inactivity.
  • Technical Logs: 90 days for security logs, 30 days for others.
  • Sign-off records: Retained for the duration of the associated risk assessment's lifecycle.

Important: account closure and HSE record-keeping

UK HSE regulations may require you to retain risk assessment records for up to 7 years. This obligation rests with you as the employer, not with Zylair. Before closing your account, please export all risk assessments you need to retain. We recommend doing this well in advance of closure. You can export assessments as PDF or Word documents from within the app at any time.

8.2 Deletion Procedures

  • Deletion or pseudonymisation of personal data once the retention period expires
  • Pseudonymisation used where full deletion is not technically or legally possible
  • Backup data may persist for a short period after primary deletion because of our infrastructure providers' backup schedules; we will take reasonable steps to ensure it is removed without undue delay once those backup cycles expire

9. International Data Transfers

Some of our third-party service providers are based outside the UK, which means your data may be transferred and processed internationally. The providers we use and their locations are:

  • OpenAI: United States. Data is processed under OpenAI's API terms, which include commitments on data handling and security.
  • Supabase: Infrastructure hosted on AWS. Data is stored in regions we have configured; we aim to use EU/UK regions where available.
  • Vercel: United States (edge infrastructure may be global). Hosting and serverless function execution only.
  • Stripe: United States. Payment data only, processed under Stripe's PCI-compliant terms.

We rely on our providers' standard contractual commitments and applicable adequacy frameworks for these transfers. We do not currently hold separately negotiated International Data Transfer Agreements (IDTAs) with these providers, but we review our transfer arrangements periodically and will update this section if that changes.

If you have concerns about international transfers, please contact us at chris@zylair.com.

10. Cookies and Tracking Technologies

10.1 Essential Cookies

  • Authentication and session management
  • Security and fraud prevention
  • Load balancing and performance

10.2 Optional Cookies

We do not currently use any third-party analytics or tracking cookies. If we introduce analytics tools in future, we will update this policy and obtain consent before setting any optional cookies.

10.3 Cookie Management

  • Cookie consent banner for optional cookies
  • Cookie preference center for granular control
  • Browser settings for cookie deletion and blocking

11. Children's Privacy

Our service is not intended for users under 18. We don't knowingly collect personal information from children. If we become aware of such collection, we will delete the information promptly.

12. Changes to This Privacy Policy

We may update this policy to reflect changes in law, regulation, or our practices. For material changes, we will notify you by email at least 30 days before they take effect. For minor clarifications, we will update the effective date and the policy text without separate notice.

Where a change requires your consent (for example, a new use of your data), we will ask for it separately; we will not treat continued use of the service as acceptance of material changes.

13. Contact Information and Complaints

Data Protection Contact

Email: chris@zylair.com
Address: Zylair Ltd, 27 Vanguard Court, Sleaford, England
ICO Registration: ZC132293

Supervisory Authority (UK/EU)

You have the right to lodge a complaint with your data protection authority:
UK: Information Commissioner's Office (ICO) - ico.org.uk
EU: Your local data protection authority

Appendix: Data Processing Activities Summary

Purpose            | Data Categories         | Legal Basis      | Retention                                         | Recipients
Service Provision  | Account, usage, content | Contract         | Active account; deleted within 30 days of closure | Service providers
AI Processing      | Content uploads         | Contract         | 30 days (OpenAI API retention)                    | OpenAI
Payment Processing | Billing details         | Contract         | 7 years                                           | Stripe
Legal Compliance   | All categories          | Legal obligation | As required by law                                | Regulators
Marketing          | Contact preferences     | Consent          | Until withdrawn                                   | Email service provider

Last Updated: May 2026