Privacy Policy

Effective Date: January 2025
· Company: Zylair Ltd, Registered in England & Wales
· Company No: 16741348
· Data Controller: Zylair Ltd
· DPO Contact: chris@zylair.com

Manage your cookie preferences

You can adjust or withdraw consent for optional cookies at any time. Use the control below to reopen the consent banner.

1. Who We Are and What This Policy Covers

Zylair Ltd ("we," "us," "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your information when you use our AI-powered risk assessment service.

Geographic Scope:

This policy applies to users worldwide, with specific provisions for UK GDPR, EU GDPR, and US state privacy laws.

2. Information We Collect

2.1 Information You Provide Directly

Account Information: Name, email address, company details, job title
Profile Data: Industry sector, role, preferences, settings
Content Uploads: Images, documents, descriptions for risk assessment generation
Communications: Support requests, feedback, correspondence

2.2 Information We Collect Automatically

Usage Data: Features used, time spent, click patterns, session recordings (anonymized)
Technical Data: IP address, browser type, device information, operating system
Performance Data: Error logs, system performance metrics, API response times

2.3 Information from Third Parties

Payment Data: Processed by Stripe (we don't store payment card details)
Authentication Data: If using social login (Google, Microsoft)

3. Legal Basis for Processing (UK/EU)

We process your personal data on the following legal bases:

Contract Performance: To provide the service you've subscribed to
Legitimate Interests: Service improvement, security, customer support
Legal Compliance: Tax obligations, regulatory requirements, data retention laws
Consent: Marketing communications, optional analytics (where required)

4. How We Use Your Information

4.1 Service Provision

Generate AI-powered risk assessments from your uploads
Provide cloud storage and collaboration features
Process payments and manage subscriptions
Deliver customer support and technical assistance

4.2 Service Improvement

Analyze usage patterns to improve features (anonymized data)
Develop and train AI models (using aggregated, non-personal data)
Conduct security monitoring and fraud prevention

4.3 Legal and Business Operations

Comply with legal obligations and regulatory requirements
Maintain business records and tax compliance
Respond to legal requests and court orders

4.4 Communications

Send service updates, security alerts, and account notifications
Provide customer support responses
Marketing communications (with consent where required)

5. Data Sharing and Disclosure

5.1 Service Providers (Data Processors)

We share data with trusted third parties who help us operate our service:

OpenAI: AI processing for risk assessment generation (subject to their privacy policy)
Stripe: Payment processing (subject to their privacy policy)
Supabase/AWS: Cloud hosting and database services
Customer Support Tools: For providing technical support

5.2 Legal Disclosures

We may disclose information when required by law:

Court orders, subpoenas, or legal processes
Regulatory investigations or compliance requests
Protection of rights, property, or safety

What We Never Do

• We never sell your personal data
• We never share risk assessment content with unauthorized parties
• We never use your data for advertising to third parties

6. Data Security and Protection

6.1 Technical Safeguards

Encryption in transit (TLS 1.3) and at rest (AES-256)
Multi-factor authentication for administrative access
Regular security audits and vulnerability assessments
Secure development practices and code reviews

6.2 Organizational Measures

Access controls based on need-to-know principles
Regular staff training on data protection
Incident response procedures for data breaches
Data processing agreements with all vendors

6.3 Data Breach Notification

In the event of a data breach:

UK/EU: ICO/supervisory authority notification within 72 hours
Affected individuals notified if high risk to rights and freedoms
US: Notification according to applicable state breach laws

7. Your Privacy Rights

7.1 UK GDPR/EU GDPR Rights

Right of Access: Request copies of your personal data
Right to Rectification: Correct inaccurate or incomplete data
Right to Erasure: Request deletion of your data (subject to legal retention)
Right to Restrict Processing: Limit how we use your data
Right to Data Portability: Receive your data in a portable format
Right to Object: Object to processing based on legitimate interests

7.2 US Privacy Rights (Where Applicable)

California (CCPA/CPRA):

• Right to know what personal information we collect
• Right to delete personal information
• Right to correct inaccurate personal information
• Right to opt-out of sale/sharing (we don't sell personal information)

Other US States: Similar rights under Virginia CDPA, Colorado CPA, and other applicable state laws.

7.3 Exercising Your Rights

Self-Service

Use account settings for data export, correction, deletion

Contact Us

privacy@zylair.com for complex requests

Response Time: 30 days (UK/EU), as required by applicable US state law
Identity Verification: May be required to prevent unauthorized access

8. Data Retention

8.1 Retention Periods

Account Data: Duration of account plus 30 days
Risk Assessments: 7 years (UK HSE legal requirement)
Payment Records: 7 years (UK tax law requirement)
Marketing Data: Until consent withdrawn or 3 years of inactivity
Technical Logs: 90 days for security logs, 30 days for others

8.2 Deletion Procedures

Secure deletion using industry-standard methods
Anonymization where deletion isn't legally possible
Backup deletion within 6 months of primary deletion

9. International Data Transfers

9.1 Transfer Safeguards

UK/EU to US: Standard Contractual Clauses and adequacy decisions
Other Countries: Appropriate safeguards ensuring equivalent protection
Data Localization: EU customer data stored within EU where technically feasible

10. Cookies and Tracking Technologies

10.1 Essential Cookies

Authentication and session management
Security and fraud prevention
Load balancing and performance

10.2 Optional Cookies (Consent Required)

Analytics and usage statistics (Google Analytics with IP anonymization)
Performance monitoring and error tracking
A/B testing for feature improvements

10.3 Cookie Management

Cookie consent banner for optional cookies
Cookie preference center for granular control
Browser settings for cookie deletion and blocking

11. Children's Privacy

Our service is not intended for users under 18. We don't knowingly collect personal information from children. If we become aware of such collection, we will delete the information promptly.

12. Changes to This Privacy Policy

We may update this policy to reflect changes in law, regulation, or our practices. We will:

Provide 30 days' notice for material changes
Obtain fresh consent where legally required
Update the effective date at the top of this policy

13. Contact Information and Complaints

Data Protection Contact

Email: chris@zylair.com
Address: Zylair Ltd, 27 Vanguard Court, Sleaford, England

Supervisory Authority (UK/EU)

You have the right to lodge a complaint with your data protection authority:
UK: Information Commissioner's Office (ICO) - ico.org.uk
EU: Your local data protection authority

US Privacy Complaints

Contact your state attorney general's office for privacy-related complaints under state law.

Appendix: Data Processing Activities Summary

Purpose	Data Categories	Legal Basis	Retention	Recipients
Service Provision	Account, usage, content	Contract	Account lifetime + 30 days	Service providers
AI Processing	Content uploads	Contract	90 days processing cache	OpenAI
Payment Processing	Billing details	Contract	7 years	Stripe
Legal Compliance	All categories	Legal obligation	As required by law	Regulators
Marketing	Contact preferences	Consent	Until withdrawn	Email service provider

Last Updated: January 2025