Privacy Policy

Last updated: 10 March 2026

This Privacy Policy describes how Taylin Digital Ltd (“TaylinAI”, “we”, “our”, or “us”) collects, uses, and protects your personal data when you use our AI operations platform at taylinai.com. We are committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller is Taylin Digital Ltd, a company registered in England and Wales. All data processing is conducted on UK-based Microsoft Azure infrastructure.

2. Personal Data We Collect

2.1 Account and Identity Data

When you create an account or authenticate via Microsoft Entra ID SSO, we collect:

  • Full name and work email address
  • Organisation name and job title (if provided)
  • Microsoft Azure Active Directory object ID (SSO users)
  • Profile photograph (if shared by your identity provider)

2.2 Usage and Platform Data

As you use the platform, we record:

  • Prompts, agents, and skills you create (stored in your workspace)
  • AI model execution logs — model used, token counts, cost estimate, execution time
  • Governance actions — approvals, rejections, workflow transitions
  • Workspace membership changes and role assignments
  • Feature usage patterns (anonymised for product improvement)

2.3 Technical and Security Data

  • IP addresses (stored as SHA-256 hash — not in plaintext)
  • Browser type, operating system, and device type
  • Authentication timestamps and session identifiers
  • API key usage (keys are hashed with SHA-256 before storage)

2.4 Billing Data

Payment processing is handled entirely by Stripe. We do not store card numbers, CVVs, or full payment instrument details. We store only:

  • Stripe Customer ID and Subscription ID (opaque references)
  • Subscription tier, billing dates, and seat count
  • Invoice history (amounts, dates, status)

2.5 AI Prompt Content

When you execute prompts or agents, the content of those interactions passes through our platform to the selected LLM provider (OpenAI, Anthropic, Azure, etc.). We log metadata (model, tokens, cost) but do not retain full prompt and response content beyond your configured retention window. You control what data enters your prompts.

3. Legal Bases for Processing

  Processing activity                          Legal basis (UK GDPR)
  -------------------------------------------  ------------------------------------------------------------
  Providing the TaylinAI platform              Contract (Art. 6(1)(b))
  Processing payments and managing billing     Contract (Art. 6(1)(b))
  Security monitoring and fraud prevention     Legitimate interests (Art. 6(1)(f))
  Compliance and audit logging                 Legal obligation (Art. 6(1)(c))
  Sending service notifications                Contract (Art. 6(1)(b))
  Product improvement analytics (anonymised)   Legitimate interests (Art. 6(1)(f))
  Marketing communications                     Consent (Art. 6(1)(a)) — you may opt out at any time

4. How We Use Your Data

  • To create and maintain your account and workspace
  • To execute AI prompts and agents on your behalf
  • To generate compliance reports and audit trails within your workspace
  • To process subscription payments and manage your billing
  • To send transactional emails (account events, trial reminders, invoices)
  • To monitor platform security and detect abuse or unauthorised access
  • To improve the platform using aggregated, anonymised usage signals
  • To comply with legal and regulatory obligations

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

5. Data Retention

  Data type                                    Retention period
  -------------------------------------------  ------------------------------------------------------------
  Account and profile data                     Until account deletion is requested
  Workspace data (prompts, agents, skills)     Until workspace is deleted; 30-day soft-delete window
  AI execution logs                            90 days (configurable per workspace)
  Security and audit logs                      12 months
  Billing records                              7 years (legal obligation)
  Data after subscription cancellation         30-day retention, then hard delete
  Anonymised usage analytics                   Up to 2 years

6. Data Sharing and Sub-processors

We share data only with the following categories of trusted sub-processors, all bound by appropriate data processing agreements:

  Sub-processor                                   Purpose                                                          Location
  ----------------------------------------------  ---------------------------------------------------------------  -----------------------------------------
  Microsoft Azure                                 Infrastructure hosting (Cosmos DB, Container Apps, Key Vault)    UK (UK South / UK West)
  Microsoft Entra ID                              Identity and authentication (SSO)                                UK/EEA
  Stripe                                          Payment processing and subscription management                   USA (Standard Contractual Clauses)
  LLM providers (OpenAI, Anthropic, Azure AI,     AI inference — only when you execute prompts/agents              Varies by provider and BYOK configuration
  etc.)
  Azure Communication Services                    Transactional email delivery                                     UK/EEA

When you use Bring Your Own Key (BYOK) to configure a custom LLM provider, your prompt content is sent directly to that provider and is subject to their privacy policy. TaylinAI acts as a conduit only and does not retain the prompt content.

7. International Data Transfers

All primary data storage is in the United Kingdom on Microsoft Azure. Where data is transferred to processors outside the UK/EEA (such as Stripe for payment processing), we rely on:

  • UK International Data Transfer Agreements (IDTAs) where applicable
  • UK adequacy decisions for transfers to approved countries
  • Standard Contractual Clauses (SCCs) with appropriate supplementary measures

8. Security Measures

  • All data encrypted at rest and in transit (TLS 1.2+)
  • All secrets stored in Azure Key Vault — never in code or configuration files
  • All database stores on private endpoints (no public internet access)
  • Azure Front Door Web Application Firewall with custom rule sets
  • IP addresses hashed with SHA-256 before storage
  • API keys hashed with SHA-256 before storage — plaintext never persisted
  • Role-based access control throughout — minimum privilege principle
  • Microsoft Defender for Cloud threat detection and alerting
  • Internal security assessments and penetration testing available on request

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay.

9. Your Rights Under UK GDPR

As a UK resident (or as an EEA resident under the EU GDPR), you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data (“right to be forgotten”), subject to legal obligations
  • Restriction — ask us to restrict processing in certain circumstances
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, withdraw it at any time
  • Complain — lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk

To exercise any of these rights, contact us at privacy@taylinai.com. We will respond within 30 days.

10. Cookies

We use only strictly necessary cookies:

  • Authentication session cookies — required to maintain your logged-in state
  • CSRF protection tokens — required for security
  • MSAL authentication state — stored in localStorage (not a cookie), required for Microsoft SSO

We do not use advertising cookies, third-party tracking cookies, or analytics cookies that identify individuals.

11. Children's Privacy

TaylinAI is a B2B platform intended for business use only. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, please contact us immediately at privacy@taylinai.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to account holders and/or via an in-platform notice at least 14 days before they take effect. Continued use of the platform after that date constitutes acceptance of the updated policy. The “Last updated” date at the top of this page always reflects the most recent revision.

13. Contact Us

Privacy enquiries

privacy@taylinai.com

Data Protection Officer

dpo@taylinai.com

Security issues

security@taylinai.com

Taylin Digital Ltd · Registered in England and Wales