Legal

Privacy Policy

Last updated: 2026-04-29 · Effective from the same date
Plain English summary

We collect what we need to run the platform — your account, your tenant data, and basic usage telemetry. We never sell data. We never train models on your content. Sub-processors are listed at /trust. You can export everything or delete your account at any time. Questions: privacy@scarifone.com.

Privacy PolicyTerms of ServiceData Processing AgreementCookie Policy

1. Who we are

Scarif One Ltd (“Scarif One”, “we”, “us”, “our”) is a UK-registered company providing AI-powered marketing software. We are the data controller for personal data submitted through our website (scarifone.com) and accounts. For tenant-uploaded customer data (e.g. Shopify customer lists, brand profile content), we act as a data processor; the customer (you) remains the data controller. See our Data Processing Agreement for the controller/processor split.

Registered office: Hailsham, East Sussex, United Kingdom. UK ICO registration number forthcoming pre-launch.

2. What personal data we collect

2.1 Account data

Email address, hashed password (Argon2id), display name, time zone, account creation timestamp, login IP address, two-factor secret (if enabled), session tokens.

2.2 Billing data (hosted plan only)

Stripe Customer ID, subscription tier, billing email, country, last-4 of payment method (full card details never reach our servers — they live with Stripe). Invoices are stored for the legally-required retention period (currently 6 years for UK tax compliance).

2.3 Usage telemetry

API call counts, feature usage events, error logs, response timings. Used to operate the service, debug issues, and bill against per-plan quotas. We do not log content of generations.

2.4 Tenant content

Brand profile JSON, uploaded brand assets, generated ad / email / review content, integration tokens (encrypted at rest). Treated as your customer data — we are the processor, you are the controller.

2.5 Support correspondence

Email content of support tickets, screenshots / attachments you send us, transcripts of any video calls. Retained for 24 months unless you ask us to delete sooner.

3. Lawful bases (UK GDPR Article 6)

  • Contract (Art 6(1)(b)) — most account and billing processing is necessary to provide the service you signed up for.
  • Legitimate interests (Art 6(1)(f)) — usage telemetry for security, fraud detection, and service operation. We balance this against your privacy interests; opt-out via privacy@scarifone.com.
  • Consent (Art 6(1)(a)) — for non-essential cookies and any marketing emails (you can opt out at any time).
  • Legal obligation (Art 6(1)(c)) — invoice and tax record retention for HMRC compliance.

4. Sub-processors

We share specific personal data with third-party sub-processors who help us operate the service. The full list, with purpose and location, is at /trust. Sub-processor changes are announced 30 days before they take effect via email.

5. International transfers

Some sub-processors (Google Cloud / Gemini, Stripe) may transfer data to countries outside the UK / EEA, including the United States. These transfers rely on UK International Data Transfer Agreements and / or the EU-US Data Privacy Framework adequacy decision (where applicable), with Standard Contractual Clauses as a fallback. Contact us for documentation.

6. Retention

  • Account data: while your account is active, plus 30 days after deletion (the “cooling-off” window in case you change your mind).
  • Billing data: 6 years after the relevant tax year, per HMRC requirements.
  • Usage telemetry: 90 days raw; aggregated indefinitely (no longer attributable to you).
  • Tenant content: deleted within 14 days of your account deletion request, except where you have an active export in progress.
  • Support correspondence: 24 months from the last interaction.

7. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you (one-click JSON export from your dashboard).
  • Rectification of inaccurate data.
  • Erasure (one-click tenant deletion from /security in the dashboard, or by emailing privacy@scarifone.com).
  • Restriction of processing in certain circumstances.
  • Data portability (the JSON export covers this).
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time where we rely on consent.
  • Lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or your local supervisory authority.

We respond to data subject requests within 30 days.

8. Security

We implement technical and organisational measures including TLS 1.3 transport encryption, Argon2id password hashing, encrypted-at-rest databases, per-tenant data isolation, audit logging, role-based access control, and rate limiting. Full breakdown at /trust. No system is perfectly secure; we will notify affected users and the ICO within 72 hours of becoming aware of a personal data breach.

9. Children

Scarif One is a B2B product. We do not knowingly collect data from anyone under 16. If we discover otherwise, we will delete the data and close the account.

10. Marketing communications

We send transactional emails (sign-up, billing, security notifications) on the basis of contract — these can’t be opted out of without closing your account. Marketing emails (product updates, blog posts) are opt-in only. Unsubscribe at any time via the link in every marketing email.

11. Changes to this policy

Material changes are announced 30 days before they take effect via email to your notification address. Non-material changes (typo fixes, link updates) are silent. The “Last updated” date at the top of this page reflects the most recent change.

12. Contact

Privacy questions, DSAR requests, complaints: privacy@scarifone.com.
General correspondence: hello@scarifone.com.
Postal address available on request.

Questions about this document? Email privacy@scarifone.com for privacy / DPA questions, hello@scarifone.com for everything else. Tom replies within a few hours during UK office hours.