Privacy Policy
Last updated: 1 January 2026
1. Introduction
This Privacy Policy explains how SYFT.AI LIMITED (referred to as "we", "us", "our", or "Syft") collects, uses, stores, and protects your personal data when you use our intelligent marketing platform ("the Service").
We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy is compliant with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Data Controller
SYFT.AI LIMITED is the data controller responsible for your personal data. Our registered office is in England and Wales. If you have any questions about this Privacy Policy or our data practices, please contact us at:
- Email: privacy@syft.it
- Website: https://syft.it
2. Information We Collect
2.1 Personal Information You Provide
We collect information you provide directly to us, including:
- Account registration information: Name, email address, password, company name
- Profile information: Preferences, settings, and configuration options
- Communication data: Support requests, feedback, and correspondence with us
- Payment information: Billing details (processed by our payment provider)
2.2 User Content
We process and store data you upload to our Service, including:
- Spreadsheet data and files: Product catalogues, pricing data, and inventory information
- Contact lists: Customer email addresses, names, and business information
- Email templates and marketing content: Campaign content you create
- Processing results and exports: Enhanced data and generated files
2.3 Automatically Collected Information
We automatically collect certain information when you use our Service:
- Usage data: Features used, actions taken, file uploads, processing activity
- Device information: Browser type, operating system, device identifiers
- Log data: IP addresses, access times, pages viewed, referring URLs
- Performance data: Page load times, errors, and system diagnostics
3. How We Use Your Information
3.1 Lawful Basis for Processing
Under UK GDPR, we process your personal data based on the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Providing and maintaining the Service | Contract performance |
| Processing your data according to your instructions | Contract performance |
| Sending transactional emails and service notifications | Contract performance |
| Providing customer support | Contract performance / Legitimate interest |
| Improving and developing our Service | Legitimate interest |
| Analytics and performance monitoring | Legitimate interest |
| Error tracking and debugging | Legitimate interest |
| Fraud prevention and security | Legitimate interest |
| Legal compliance and regulatory obligations | Legal obligation |
| Marketing communications | Consent |
4. Beta Testing Programme
Important Notice for Beta Testers: If you are participating in our beta testing programme (using the Service without charge), additional terms apply to your use of the Service.
4.1 Data Collection for Service Improvement
As a beta tester, you acknowledge and agree that we may:
- Track and analyse how you use Syft, including features accessed, workflows followed, and time spent on various functions
- Review the structure and characteristics of data you upload (such as column types, data formats, and file sizes) to improve our data processing capabilities
- Monitor system performance and identify areas for improvement
- Use aggregated and anonymised usage patterns to inform product development decisions
4.2 Data Use Restrictions
We commit to the following restrictions on beta tester data:
- Internal use only: All data collected from beta testers will be used solely for internal purposes to improve Syft
- No third-party sharing: Your data will not be given, sold, or transferred to any third parties for their commercial purposes
- No commercial exploitation: Your business data and customer information will never be used for any purpose other than providing and improving the Service
- Confidentiality: Your data will be treated as confidential and accessed only by authorised personnel
4.3 Lawful Basis
The lawful basis for this enhanced data collection during the beta programme is legitimate interest. We have conducted a legitimate interest assessment and determined that this processing is necessary for developing and improving our Service, the impact on beta testers is minimal, and beta testers have clear expectations of this processing when joining the programme.
5. Artificial Intelligence and Automated Processing
5.1 AI-Powered Features
Syft uses artificial intelligence and machine learning technologies to enhance our Service. These include:
- Product matching: AI algorithms help match your products with online marketplace data (such as Amazon product listings)
- Data enhancement: Machine learning assists in identifying and enriching product information
- Auto-mapping: AI helps automatically map your spreadsheet columns to appropriate data fields
- Content suggestions: AI may assist with template and email content suggestions
5.2 Third-Party AI Services
We use OpenAI's services to power certain AI features. When you use AI-powered features:
- Relevant portions of your data may be processed by OpenAI's systems
- OpenAI processes this data in accordance with their privacy policy and data processing agreement
- We minimise the data sent to external AI services to only what is necessary for the specific feature
- AI processing is used to assist your workflows, not to make automated decisions with legal or significant effects
5.3 Your Rights Regarding AI Processing
Under UK GDPR, you have rights regarding automated processing:
- You can request human review of any AI-assisted decisions
- You can object to automated processing in certain circumstances
- You can request information about the logic involved in automated decisions
6. Cookies and Similar Technologies
6.1 What Are Cookies
Cookies are small text files stored on your device when you visit our website. We use cookies and similar technologies to operate our Service effectively.
6.2 Types of Cookies We Use
Essential Cookies (Strictly Necessary)
These cookies are required for the Service to function and cannot be disabled:
- Session cookies: Maintain your login session and remember your authentication status
- Security cookies: Protect against cross-site request forgery (CSRF) attacks
- Preference cookies: Remember your settings and preferences within the application
Analytics Cookies
We use analytics cookies to understand how visitors interact with our Service:
- PostHog: We use PostHog for product analytics to understand feature usage, identify usability issues, and improve the Service. PostHog may collect information about pages visited, features used, and user interactions. For more information, see PostHog's Privacy Policy.
Performance and Error Tracking
- Sentry: We use Sentry for error tracking and performance monitoring. When errors occur, Sentry collects diagnostic information to help us identify and fix issues. This may include browser information, the action being performed, and relevant technical data. For more information, see Sentry's Privacy Policy.
6.3 Managing Cookies
You can control and manage cookies through your browser settings. However, please note that disabling essential cookies may prevent the Service from functioning correctly.
Most browsers allow you to:
- View what cookies are stored and delete them individually
- Block third-party cookies
- Block cookies from specific sites
- Block all cookies
- Delete all cookies when you close your browser
7. Information Sharing and Disclosure
We do not sell, trade, or rent your personal information. We may share your information only in the following circumstances:
7.1 Service Providers (Data Processors)
We work with carefully selected third-party service providers who process data on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Render | Cloud hosting and infrastructure | USA (with appropriate safeguards) |
| Amazon Web Services (AWS) | File storage (S3) | EU/UK regions available |
| PostHog | Product analytics | EU (Frankfurt) |
| Sentry | Error tracking and monitoring | USA (with appropriate safeguards) |
| OpenAI | AI-powered features | USA (with appropriate safeguards) |
| Redis (Upstash/Redis Labs) | Caching and session management | Various (configurable) |
All service providers are bound by data processing agreements that require them to protect your data and use it only as instructed by us.
7.2 Legal Requirements
We may disclose information if required by law or in response to valid legal process, including:
- Compliance with court orders, subpoenas, or other legal processes
- Requests from law enforcement or regulatory authorities
- Protection of our legal rights and property
- Prevention of fraud, security threats, or illegal activity
- Protection of the safety of our users or the public
7.3 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change and your options regarding your data.
8. International Data Transfers
Some of our service providers are located outside the United Kingdom. When we transfer personal data internationally, we ensure appropriate safeguards are in place:
- Adequacy decisions: We may transfer data to countries that the UK government has determined provide adequate protection
- Standard Contractual Clauses (SCCs): We use UK-approved international data transfer agreements where required
- UK Extension to the EU-US Data Privacy Framework: Where applicable for US-based processors
- Supplementary measures: Additional technical and organisational safeguards where necessary
You have the right to request information about the safeguards we have in place for international transfers.
9. Data Security
We implement appropriate technical and organisational measures to protect your information:
- Encryption: Data is encrypted in transit using TLS/SSL and at rest where appropriate
- Access controls: Strict authentication requirements and role-based access
- Secure infrastructure: Hosted on secure cloud platforms with industry-standard protections
- Regular security assessments: Ongoing monitoring and security reviews
- Employee training: Staff are trained on data protection and security best practices
- Incident response: Procedures in place to detect, respond to, and report security incidents
While we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
10. Data Retention
We retain your information only for as long as necessary to fulfil the purposes outlined in this policy:
- Account information: Retained until you delete your account, plus a reasonable period for backup and legal compliance
- Uploaded files and processed data: Retained until you delete them or close your account
- Usage logs and analytics: Up to 2 years for service improvement and security purposes
- Error logs: Up to 90 days for debugging purposes
- Email communication records: Up to 6 years for legal compliance
- Financial records: Up to 7 years as required by UK law
After the retention period, data is securely deleted or anonymised.
11. Your Rights Under UK GDPR
Under the UK General Data Protection Regulation, you have the following rights:
Right to Access
You have the right to request a copy of the personal data we hold about you. We will respond to your request within one month.
Right to Rectification
You can request that we correct any inaccurate or incomplete personal data. You can update much of your information directly through your account settings.
Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purposes for which it was collected.
Right to Restrict Processing
You can request that we limit how we use your data in certain circumstances, such as while we verify the accuracy of your data.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object
You can object to processing based on legitimate interests, including profiling. You can also object to processing for direct marketing purposes at any time.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. You can request human intervention in such decisions.
Right to Withdraw Consent
Where we process your data based on consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing before withdrawal.
How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@syft.it. We will respond to your request within one month. In complex cases, we may extend this by a further two months, but we will inform you if this is necessary.
We may ask you to verify your identity before processing your request. There is generally no fee for exercising your rights, but we may charge a reasonable fee for manifestly unfounded or excessive requests.
12. Right to Complain
If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
- Website: https://ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first at privacy@syft.it.
13. Children's Privacy
Our Service is intended for business users and is not directed at children under 18 years of age. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us immediately.
14. Email Marketing
When you use Syft to send marketing emails to your customers, you are the data controller for that processing. You are responsible for:
- Ensuring you have the appropriate legal basis (usually consent) to contact your recipients
- Complying with the Privacy and Electronic Communications Regulations (PECR)
- Including accurate sender information and unsubscribe mechanisms
- Honouring unsubscribe requests promptly
Syft acts as a data processor when sending emails on your behalf and will only process recipient data according to your instructions.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- We will update the "Last updated" date at the top of this policy
- For significant changes, we will notify you by email or through a prominent notice in the Service
- We encourage you to review this policy periodically
Your continued use of the Service after any changes indicates your acceptance of the updated policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Company: SYFT.AI LIMITED
- Email: privacy@syft.it
- Website: https://syft.it
We aim to respond to all enquiries within 5 working days.
17. Governing Law
This Privacy Policy and any disputes relating to it shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction over any disputes arising from or relating to this policy.